|
43 |
: ${DEFAULT_CRL_DAYS:=10} |
43 |
: ${DEFAULT_CRL_DAYS:=10} |
44 |
DEFAULT_DAYS="$(/usr/sbin/univention-config-registry get ssl/default/days)" |
44 |
DEFAULT_DAYS="$(/usr/sbin/univention-config-registry get ssl/default/days)" |
45 |
: ${DEFAULT_DAYS:=1825} |
45 |
: ${DEFAULT_DAYS:=1825} |
|
|
46 |
DEFAULT_GRACE="$(/usr/sbin/univention-config-registry get ssl/default/grace)" |
47 |
: ${DEFAULT_GRACE:=0} |
46 |
DEFAULT_MD="$(/usr/sbin/univention-config-registry get ssl/default/hashfunction)" |
48 |
DEFAULT_MD="$(/usr/sbin/univention-config-registry get ssl/default/hashfunction)" |
47 |
: ${DEFAULT_MD:=sha256} |
49 |
: ${DEFAULT_MD:=sha256} |
48 |
DEFAULT_BITS="$(/usr/sbin/univention-config-registry get ssl/default/bits)" |
50 |
DEFAULT_BITS="$(/usr/sbin/univention-config-registry get ssl/default/bits)" |
|
133 |
|
135 |
|
134 |
policy = policy_match |
136 |
policy = policy_match |
135 |
|
137 |
|
|
|
138 |
unique_subject = no |
139 |
|
136 |
[ policy_match ] |
140 |
[ policy_match ] |
137 |
|
141 |
|
138 |
countryName = match |
142 |
countryName = match |
|
336 |
if ( X[i] ~ /^CN=/ ) { |
340 |
if ( X[i] ~ /^CN=/ ) { |
337 |
split ( X[i], Y, "=" ); |
341 |
split ( X[i], Y, "=" ); |
338 |
if ( name == Y[2] ) { |
342 |
if ( name == Y[2] ) { |
339 |
seq = $4; |
343 |
if ( $1 == "V" ) { |
|
|
344 |
seq = seq$4" "; |
345 |
} |
340 |
ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2; |
346 |
ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2; |
341 |
} |
347 |
} |
342 |
} |
348 |
} |
|
348 |
renew_cert () { |
354 |
renew_cert () { |
349 |
local fqdn="${1:?Missing argument: common name}" |
355 |
local fqdn="${1:?Missing argument: common name}" |
350 |
local days="${2:-$DEFAULT_DAYS}" |
356 |
local days="${2:-$DEFAULT_DAYS}" |
|
|
357 |
local grace="${3:-$DEFAULT_GRACE}" |
351 |
|
358 |
|
352 |
revoke_cert "$fqdn" || [ $? -eq 2 ] || return $? |
359 |
revoke_cert "$fqdn" "$grace" || [ $? -eq 2 ] || return $? |
353 |
|
360 |
|
354 |
( |
361 |
( |
355 |
cd "$SSLBASE" |
362 |
cd "$SSLBASE" |
|
361 |
|
368 |
|
362 |
revoke_cert () { |
369 |
revoke_cert () { |
363 |
local fqdn="${1:?Missing argument: common name}" |
370 |
local fqdn="${1:?Missing argument: common name}" |
|
|
371 |
local grace="${2:-$DEFAULT_GRACE}" |
364 |
|
372 |
|
365 |
local cn NUM |
373 |
local cn NUM |
366 |
[ ${#fqdn} -gt 64 ] && cn="${fqdn%%.*}" || cn="$fqdn" |
374 |
[ ${#fqdn} -gt 64 ] && cn="${fqdn%%.*}" || cn="$fqdn" |
|
371 |
return 2 |
379 |
return 2 |
372 |
fi |
380 |
fi |
373 |
|
381 |
|
374 |
openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${NUM}.pem" -passin pass:"$PASSWD" |
382 |
if [ "$grace" -eq 0 ]; then |
|
|
383 |
# revoke all certificates of this fqdn |
384 |
for num in $NUM; do |
385 |
openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${num}.pem" -passin pass:"$PASSWD" |
386 |
done |
387 |
else |
388 |
# remember all certificates of this fqdn for revocation after the grace period |
389 |
pending_file="${SSLBASE}/pending.txt" |
390 |
[ -f "$pending_file" ] || touch "$pending_file" |
391 |
pending_certs="$(cat $pending_file)" |
392 |
>"$pending_file" |
393 |
|
394 |
for num in $NUM; do |
395 |
echo "$num:$grace" >>"$pending_file" |
396 |
done |
397 |
|
398 |
for cert in $pending_certs; do |
399 |
num="$(echo $cert | sed 's/:.*//')" |
400 |
grace="$(echo $cert | sed 's/.*://')" |
401 |
if [[ "$NUM" != *"$num"* ]]; then |
402 |
echo "$num:$grace" >>"$pending_file" |
403 |
fi |
404 |
done |
405 |
fi |
406 |
|
407 |
gencrl |
408 |
} |
409 |
|
410 |
update_pending_certs () { |
411 |
pending_file="${SSLBASE}/pending.txt" |
412 |
[ -f "$pending_file" ] || touch "$pending_file" |
413 |
pending_certs="$(cat $pending_file)" |
414 |
>"$pending_file" |
415 |
|
416 |
for cert in $pending_certs; do |
417 |
num="$(echo $cert | sed 's/:.*//')" |
418 |
grace="$(echo $cert | sed 's/.*://')" |
419 |
grace="$((grace-1))" |
420 |
if [ "$grace" -gt "0" ]; then |
421 |
echo "$num:$grace" >>"$pending_file" |
422 |
else |
423 |
openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${num}.pem" -passin pass:"$PASSWD" |
424 |
fi |
425 |
done |
426 |
|
375 |
gencrl |
427 |
gencrl |
376 |
} |
428 |
} |
377 |
|
429 |
|
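Review bot: The carry-over filter in revoke_cert, `if [[ "$NUM" != *"$num"* ]]; then`, is a substring match, so a pending serial such as `1A` counts as "already covered" when the fqdn's current serial list contains `01AB`, and that older entry is dropped from pending.txt without ever reaching `openssl ca -revoke` — the certificate then stays valid indefinitely. Matching whole space-delimited words avoids this: `if [[ " $NUM " != *" $num "* ]]; then`. In the same else-branch `pending_file`, `pending_certs`, `num` and `cert` are assigned without `local` in a function that otherwise declares its variables `local`, the loop's `grace="$(echo $cert | sed 's/.*://')"` overwrites the caller-supplied grace argument, and `cat $pending_file` is unquoted; update_pending_certs repeats the unquoted `cat $pending_file` and the non-local variables. Both functions also rewrite the queue by truncating with `>"$pending_file"` and re-appending entry by entry, so an interruption mid-loop (an openssl failure if the script runs under `set -e`, or the process being killed) discards every pending revocation not yet written back; writing the new list to a temporary file and renaming it over pending.txt would keep the queue intact.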