forked from redredgroovy/easy-ca
-
Notifications
You must be signed in to change notification settings - Fork 1
/
renew-cert
executable file
·143 lines (114 loc) · 4.01 KB
/
renew-cert
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
#!/bin/bash
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# Christian Göttsche <[email protected]>
set -eu
set -o pipefail
umask 0077
BIN_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# shellcheck disable=SC1090
source "${BIN_DIR}/functions"
# shellcheck disable=SC1090
source "${BIN_DIR}/defaults.conf"
usage() {
echo "Usage: $0 -s SHORT_NAME -t type"
echo "Renew a client/server certificate with SHORT_NAME"
echo " The certificate must be initially created in the current CA environment"
echo
echo "Options:"
echo " -s SHORT_NAME Common Name of the certificate to renew"
echo " -t type The type of certificate to renew"
echo " Possible values: client server"
echo
}
if [ ! -f ca/ca.crt ]; then
echo -e "$ERR Must be run inside a CA directory!"
exit 2
fi
SHORT_NAME=
TYPE=
DIRNAME=
while getopts s:t:h FLAG; do
case $FLAG in
h) echo -e -n "$SUCC " && usage && exit 0
;;
s) SHORT_NAME="${OPTARG}"
;;
t) if [ "${OPTARG}" == "server" ]; then
TYPE="server"
DIRNAME="server"
elif [ "${OPTARG}" == "client" ]; then
TYPE="client"
DIRNAME="clients"
else
echo -e -n "$ERR " && usage && exit 2
fi
;;
*) echo -e -n "$ERR " && usage && exit 2
;;
esac
done
if [ $OPTIND -le $# ]; then
echo -e -n "$ERR " && usage && exit 2
elif [ "$SHORT_NAME" = "" ]; then
echo -e -n "$ERR " && usage && exit 2
elif [ "$TYPE" = "" ]; then
echo -e -n "$ERR " && usage && exit 2
elif [ "$DIRNAME" = "" ]; then
echo -e -n "$ERR " && usage && exit 2
fi
CA_DIR_PATH="certs/$DIRNAME/$SHORT_NAME"
if [ ! -d "$CA_DIR_PATH" ]; then
echo -e "$ERR Configuration for '$SHORT_NAME' does not exist, exiting."
exit 1
fi
SAN=$(openssl x509 -noout -in "$CA_DIR_PATH/$SHORT_NAME.crt" -ext subjectAltName)
SAN=$(grep -vE '^X509v3 Subject Alternative Name:\s*$' <<< "$SAN" | sed -e 's/^[[:space:]]*//')
if [ -z "$SAN" ]; then
echo -e "$ERR Can not retrieve Subject Alternative Name, exiting."
exit 1
fi
export SAN
echo -e "$NOTE Details of $TYPE certificate to renew"
openssl x509 -noout -in "$CA_DIR_PATH/$SHORT_NAME.crt" -text -certopt no_sigdump,no_pubkey
echo
echo -e -n "$INPUT Enter passphase for signing CA key: "
read -r -s PASS
echo
export CA_PASS="${PASS}"
openssl rsa -check \
-in ca/private/ca.key \
-passin env:CA_PASS \
-noout
echo -e "$NOTE Creating backup of old certificate"
cp --backup=numbered "$CA_DIR_PATH/$SHORT_NAME.crt" "$CA_DIR_PATH/$SHORT_NAME.crt.old"
cp --backup=numbered "$CA_DIR_PATH/$SHORT_NAME.csr" "$CA_DIR_PATH/$SHORT_NAME.csr.old"
echo -e "$NOTE Creating the new $TYPE csr"
openssl req -new -nodes \
-batch \
-config "$CA_DIR_PATH/$SHORT_NAME.conf" \
-key "$CA_DIR_PATH/$SHORT_NAME.key" \
-out "$CA_DIR_PATH/$SHORT_NAME.csr"
openssl rsa -noout -check -in "$CA_DIR_PATH/$SHORT_NAME.key"
echo -e "$NOTE Creating the $TYPE certificate"
openssl ca -batch -notext \
-config ca/ca.conf \
-in "$CA_DIR_PATH/$SHORT_NAME.csr" \
-out "$CA_DIR_PATH/$SHORT_NAME.crt" \
-extensions "$TYPE"_ext \
-passin env:CA_PASS
echo -e "$NOTE Verifying certificate/key pair"
key_mod=$(openssl rsa -noout -modulus -in "$CA_DIR_PATH/$SHORT_NAME.key")
cert_mod=$(openssl x509 -noout -modulus -in "$CA_DIR_PATH/$SHORT_NAME.crt")
if [ ! "$key_mod" = "$cert_mod" ];then
echo -e "$ERR Certificate/Key pair invalid:"
echo -e "$ERR <>$cert_mod<>"
echo -e "$ERR <>$key_mod<>"
echo
exit 2
fi
echo -e "$NOTE Verifying trusted chain"
openssl verify -CAfile ca/chain.pem "$CA_DIR_PATH/$SHORT_NAME.crt"
unset CA_PASS
echo -e "$SUCC Renewed $TYPE certificate for '${SHORT_NAME}' created."