From: Mark Wooding Date: Wed, 30 Nov 2022 10:32:24 +0000 (+0000) Subject: bin/cycle-root-key: New program to make a new root key. X-Git-Url: https://git.distorted.org.uk/~mdw/ca/commitdiff_plain/a717f5d75b35c41c5155e1246eb74330ad993a13 bin/cycle-root-key: New program to make a new root key. I really should have done this earlier.
---
diff --git a/.gitignore b/.gitignore
index d514496..325c48a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 ca.cert
+ca-*.cert
 crl
 private/
 state/
diff --git a/bin/cycle-root-key b/bin/cycle-root-key
new file mode 100755
index 0000000..b936ac7
--- /dev/null
+++ b/bin/cycle-root-key
@@ -0,0 +1,62 @@
+#! /usr/bin/tclsh
+### -*-tcl-*-
+###
+### Generate a new root key
+###
+### (c) 2022 Mark Wooding
+###
+
+###----- Licensing notice ---------------------------------------------------
+###
+### This program is free software: you can redistribute it and/or modify
+### it under the terms of the GNU General Public License as published by
+### the Free Software Foundation; either version 2 of the License, or (at
+### your option) any later version.
+###
+### This program is distributed in the hope that it will be useful, but
+### WITHOUT ANY WARRANTY; without even the implied warranty of
+### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+### General Public License for more details.
+###
+### You should have received a copy of the GNU General Public License
+### along with this program. If not, write to the Free Software
+### Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+### USA.
+
+## Find the common utilities.
+source [file join [file dirname $argv0] "../lib/func.tcl"]
+
+## Open the database
+sqlite3 db "$CERTROOT/state/ca.db"
+db nullvalue nil
+cd "$CERTROOT"
+
+## Refresh the database's idea of request profiles.
+sync-profiles
+
+## Rename the old CA key so we don't lose it.
+set i 0
+while {[file exists private/ca-$i.key]} { set i [expr {$i + 1}] }
+file rename private/ca.key private/ca-$i.key
+file rename ca.cert ca-$i.cert
+
+## Make a new key.
+generate-root-key
+
+## Generate new certificates for all of the live requests.
+set now [now]
+foreach id [db eval { SELECT id FROM request WHERE st = 'active' }] {
+ issue-cert $id $now
+}
+
+## Update OpenSSL's database of things.
+exec openssl ca -config "etc/openssl.conf" -updatedb 2>@1
+
+## Generate a CRL.
+exec openssl ca -config "etc/openssl.conf" -gencrl | \
+ openssl crl -text -out "crl" 2>@1
+
+## Call the user hook.
+update-hook
+
+###----- That's all, folks --------------------------------------------------
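Review bot: The free-slot search on the `while` line checks only `private/ca-$i.key`, but the two `file rename` lines that follow move both the key and `ca.cert` to the same index `$i`; if `ca-$i.cert` already exists (for instance after an earlier run that died between the two renames), Tcl's `file rename` without `-force` throws on the second rename, after `private/ca.key` has already been moved away, leaving the CA with no current key and no certificate under the expected names. Testing both names closes that gap: `while {[file exists private/ca-$i.key] || [file exists ca-$i.cert]} { set i [expr {$i + 1}] }`. The retired key stays readable in `private/` as `ca-$i.key`, so it can presumably still sign for the old trust anchor until relying parties drop `ca-$i.cert`; a header comment stating that the old material is kept deliberately, and what is eventually to be done with it, would help the next operator. The header could also spell out the script's preconditions, since it depends on `$CERTROOT`, `sqlite3`, `sync-profiles`, `generate-root-key`, `issue-cert`, `now` and `update-hook`, which appear to come from the sourced `lib/func.tcl`, and it reissues every request whose `st` is `'active'` against the new key.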