--- /home/jhinrich/svn/dev/branches/ucs-4.1/ucs-4.1-3/base/univention-ssl/univention-certificate 2016-09-06 09:19:15.738733229 +0200
+++ /home/jhinrich/svn/dev/branches/ucs-4.1/ucs-4.1-3/base/univention-ssl/univention-certificate 2016-09-26 17:06:41.765918395 +0200
@@ -50,6 +50,7 @@
 echo "Options:"
 echo " -name "
 echo " -days "
+ echo " -grace " # grace period, also in days
 [ -n "$1" ] && exit 2 || exit 0
 }
@@ -75,6 +76,7 @@
 command=
 name=
 days=
+grace="0"
 while [ $# -ge 1 ]
 do
 case "$1" in
@@ -86,6 +88,7 @@
 dump) command="$1" ;;
 -name|--name) name="${2:?Missing argument to -name}" ; shift ;;
 -days|--days) days="${2:?Missing argument to -days}" ; shift ;;
+ -grace|--grace) grace="${2:-0}" ; shift ;;
 -h|--help|--usage|-\?) usage ;;
 -*) usage "Unknown option: '$1'" >&2 ;;
 *) usage "Unknown command: '$1'" >&2 ;;
@@ -120,7 +123,7 @@
 run_only master exclusive
 : ${days:?Missing argument -days}
 echo "Renew certificate: $name"
- renew_cert "$name" "$days"
+ renew_cert "$name" "$days" "$grace"
 }
 check () {
--- /home/jhinrich/svn/dev/branches/ucs-4.1/ucs-4.1-3/base/univention-ssl/make-certificates.sh 2016-09-06 09:19:15.738733229 +0200
+++ /home/jhinrich/svn/dev/branches/ucs-4.1/ucs-4.1-3/base/univention-ssl/make-certificates.sh 2016-09-26 13:36:39.418874027 +0200
@@ -43,6 +43,8 @@
 : ${DEFAULT_CRL_DAYS:=10}
 DEFAULT_DAYS="$(/usr/sbin/univention-config-registry get ssl/default/days)"
 : ${DEFAULT_DAYS:=1825}
+DEFAULT_GRACE="$(/usr/sbin/univention-config-registry get ssl/default/grace)"
+: ${DEFAULT_GRACE:=0}
 DEFAULT_MD="$(/usr/sbin/univention-config-registry get ssl/default/hashfunction)"
 : ${DEFAULT_MD:=sha256}
 DEFAULT_BITS="$(/usr/sbin/univention-config-registry get ssl/default/bits)"
@@ -133,6 +135,8 @@
 policy = policy_match
+unique_subject = no
+
 [ policy_match ]
 countryName = match
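Review bot: The `# grace period, also in days` on the added usage line is a shell comment, so a user running `-h` never learns the unit; put it in the printed text itself, e.g. `echo "	-grace <days>"`, in the same form the `-name` and `-days` lines use. A one-line comment above the option explaining that the grace period delays revocation of the previous certificate would also help, since "grace" alone does not say what is being deferred.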
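Review bot: `grace="0"` makes the UCR default unreachable: renew_cert in make-certificates.sh takes `${3:-$DEFAULT_GRACE}`, and `"0"` is a non-empty string, so univention-certificate always passes an explicit 0 and `ssl/default/grace` is never consulted when `-grace` is not given on the command line. Initialise it empty like the neighbouring `name=`/`days=`, i.e. `grace=`, and let the default resolve inside renew_cert, which is how `days` already reaches `${2:-$DEFAULT_DAYS}`. The `while` loop this hunk opens continues outside the hunk.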
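Review bot: `grace="${2:-0}"` silently turns a missing argument into an immediate revocation, the opposite of what someone who typed `-grace` as the last word intended; the `-name` and `-days` arms above use `${2:?Missing argument …}` and this arm should match: `-grace|--grace) grace="${2:?Missing argument to -grace}" ; shift ;;`. Nothing checks that the value is a non-negative integer either, and make-certificates.sh later runs `[ "$grace" -eq 0 ]` (which fails loudly and falsely for a non-number, so execution drops into the deferred branch) and `$((grace-1))`, so a typo like `-grace 1O` ends up queued in pending.txt with a non-numeric counter. A `case "$grace" in *[!0-9]*) usage "Invalid -grace: '$grace'" >&2 ;; esac` after the option loop would reject it before any CA state is touched. The enclosing `case` statement continues outside the hunk.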
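Review bot: DEFAULT_GRACE is taken verbatim from the `ssl/default/grace` UCR variable with no sanity check, but it later feeds `[ "$grace" -eq 0 ]` and `$((grace-1))` in revoke_cert/update_pending_certs, where a non-numeric or negative value breaks the test or the arithmetic; unlike a CLI typo this is set once and then affects every renewal on the host. Guard it right after the default, e.g. `case "$DEFAULT_GRACE" in ''|*[!0-9]*) echo "ssl/default/grace must be a non-negative integer, using 0" >&2; DEFAULT_GRACE=0 ;; esac`, or fail hard if that is what the other DEFAULT_* values do (none of the ones visible here validate). A short comment saying the value is in days and that 0 means "revoke immediately" would document the contract the CLI help only hints at.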
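Review bot: `unique_subject = no` is what makes the grace period possible (old and renewed certificate share a subject while both are valid), but as far as I recall `openssl ca` stores this setting in `index.txt.attr` when the CA database is created and that file takes precedence over openssl.cnf afterwards; on an already initialised CA that file still says `unique_subject = yes`, so the first grace-period renewal would be refused with "There is already a certificate for …" because the old one is deliberately not revoked yet. If that is right, the upgrade/join path also has to rewrite `${SSLBASE}/${CA}/index.txt.attr`, which this diff does not show. A comment on the added line would help the next reader, e.g. `# several valid certificates per subject are needed while an old one is in its grace period; revocation is per serial, so this is safe`.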
@@ -336,7 +340,9 @@
 if ( X[i] ~ /^CN=/ ) {
 split ( X[i], Y, "=" );
 if ( name == Y[2] ) {
- seq = $4;
+ if ( $1 == "V" ) {
+ seq = seq$4" ";
+ }
 ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2;
 }
 }
@@ -348,8 +354,9 @@
 renew_cert () {
 local fqdn="${1:?Missing argument: common name}"
 local days="${2:-$DEFAULT_DAYS}"
+ local grace="${3:-$DEFAULT_GRACE}"
- revoke_cert "$fqdn" || [ $? -eq 2 ] || return $?
+ revoke_cert "$fqdn" "$grace" || [ $? -eq 2 ] || return $?
 (
 cd "$SSLBASE"
@@ -361,6 +368,7 @@
 revoke_cert () {
 local fqdn="${1:?Missing argument: common name}"
+ local grace="${2:-$DEFAULT_GRACE}"
 local cn NUM
 [ ${#fqdn} -gt 64 ] && cn="${fqdn%%.*}" || cn="$fqdn"
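Review bot: `ret` is still overwritten by every index entry whose CN matches, while `seq` now accumulates all `V` entries, so the status and the serial list can disagree: a still-valid certificate followed by an expired (`E`) or revoked entry for the same CN yields `ret = 3` or `2`, and revoke_cert then reports "expired"/"not found" although `seq` holds a revocable serial — exactly the multi-certificate situation `unique_subject = no` is introduced for. Remember whether any currently valid entry was seen (for example set a flag inside the new `if ( $1 == "V" )` branch when `$2 >= now`) and derive `ret` from that flag once all lines are processed, instead of from whichever entry happens to be last. The awk program and its enclosing shell function both start and end outside the hunk, so the initial value of `ret` is not visible here.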
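Review bot: `revoke_cert "$fqdn" "$grace" || [ $? -eq 2 ] || return $?` returns the status of `[`, i.e. 1, for every failure other than 2, so callers lose the real code (3 for expired, or whatever `openssl ca` produced); the pattern predates this change but the line is rewritten here. Capture the status first: `rv=0; revoke_cert "$fqdn" "$grace" || rv=$?` followed by `[ "$rv" -eq 0 ] || [ "$rv" -eq 2 ] || return "$rv"`. A comment on the new `local grace` line should also record the new failure mode: with a non-zero grace the old certificate is only queued in pending.txt, so if the signing that follows (outside the hunk) fails, the old certificate is still revoked after the grace period and the host ends up with none. renew_cert continues outside the hunk.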
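Review bot: `local grace="${2:-$DEFAULT_GRACE}"` accepts any string, yet the body later runs `[ "$grace" -eq 0 ]` and writes the raw value into pending.txt where update_pending_certs decrements it with `$(( ))`; a bad value from the CLI or from UCR lands in the revocation queue instead of failing here. Reject it next to the other argument checks: `[ "$grace" -ge 0 ] 2>/dev/null || { echo "Invalid grace period: '$grace'" >&2; return 1; }`. The same function later reuses `grace` as the loop variable that parses pending.txt entries, so giving the parameter a distinct name (or the loop variable one) would avoid clobbering the argument. revoke_cert continues outside the hunk.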
@@ -371,7 +379,51 @@
 return 2
 fi
- openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${NUM}.pem" -passin pass:"$PASSWD"
+ if [ "$grace" -eq 0 ]; then
+ # revoke all certificates of this fqdn
+ for num in $NUM; do
+ openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${num}.pem" -passin pass:"$PASSWD"
+ done
+ else
+ # remember all certificates of this fqdn for revocation after the grace period
+ pending_file="${SSLBASE}/pending.txt"
+ [ -f "$pending_file" ] || touch "$pending_file"
+ pending_certs="$(cat $pending_file)"
+ >"$pending_file"
+
+ for num in $NUM; do
+ echo "$num:$grace" >>"$pending_file"
+ done
+
+ for cert in $pending_certs; do
+ num="$(echo $cert | sed 's/:.*//')"
+ grace="$(echo $cert | sed 's/.*://')"
+ if [[ "$NUM" != *"$num"* ]]; then
+ echo "$num:$grace" >>"$pending_file"
+ fi
+ done
+ fi
+
+ gencrl
+}
+
+update_pending_certs () {
+ pending_file="${SSLBASE}/pending.txt"
+ [ -f "$pending_file" ] || touch "$pending_file"
+ pending_certs="$(cat $pending_file)"
+ >"$pending_file"
+
+ for cert in $pending_certs; do
+ num="$(echo $cert | sed 's/:.*//')"
+ grace="$(echo $cert | sed 's/.*://')"
+ grace="$((grace-1))"
+ if [ "$grace" -gt "0" ]; then
+ echo "$num:$grace" >>"$pending_file"
+ else
+ openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${num}.pem" -passin pass:"$PASSWD"
+ fi
+ done
 gencrl
 }
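Review bot: Queued revocations can be lost silently, which for a CA means a certificate that should have been revoked stays valid: both the `else` branch of revoke_cert and update_pending_certs truncate pending.txt with `>"$pending_file"` before rewriting it, so any abort between the truncate and the last `echo` drops every entry, and in update_pending_certs a failing `openssl ca -revoke` (exit status unchecked) drops that entry too. The deduplication `[[ "$NUM" != *"$num"* ]]` is a substring match on hex serials, so a pending serial that is a substring of a newer one (`1A` vs `11A`) is discarded as well. The rewrite below builds the new list in a `mktemp` file next to pending.txt and renames it into place, matches serials as whole tokens, re-queues a serial whose revocation failed, and makes the helpers' variables `local` (as written, `pending_file`, `pending_certs`, `cert`, `num` and `grace` leak as globals, and the loop in revoke_cert overwrites its own `grace` parameter). Note that the counter is decremented per call, so the grace period is really "number of update_pending_certs invocations", which presumably relies on a daily cron job not shown in this diff; a comment saying so on `update_pending_certs ()` would spare the next reader the guess.
```shell
	else
		# remember all certificates of this fqdn for revocation after the grace period
		# (rebuild the queue in a temp file and rename it, so a crash never loses entries)
		local pending_file="${SSLBASE}/pending.txt" pending_tmp p_num p_grace
		pending_tmp="$(mktemp "${pending_file}.XXXXXX")" || return 1
		for num in $NUM; do
			echo "$num:$grace"
		done >"$pending_tmp"
		if [ -f "$pending_file" ]; then
			while IFS=: read -r p_num p_grace; do
				# keep entries for other serials; whole-token match, not substring
				case " $NUM " in
				*" $p_num "*) ;;
				*) echo "$p_num:$p_grace" >>"$pending_tmp" ;;
				esac
			done <"$pending_file"
		fi
		mv -- "$pending_tmp" "$pending_file"
	fi
	# … unchanged: gencrl and closing brace of revoke_cert …

# Decrement the grace counter of every queued serial and revoke those that reached 0.
# Counts invocations, not days: assumes exactly one call per day.
update_pending_certs () {
	local pending_file="${SSLBASE}/pending.txt" pending_tmp p_num p_grace
	[ -f "$pending_file" ] || return 0
	pending_tmp="$(mktemp "${pending_file}.XXXXXX")" || return 1
	while IFS=: read -r p_num p_grace; do
		p_grace="$((p_grace-1))"
		if [ "$p_grace" -gt 0 ]; then
			echo "$p_num:$p_grace" >>"$pending_tmp"
		elif ! openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${p_num}.pem" -passin pass:"$PASSWD"; then
			# do not drop a failed revocation: retry on the next run
			echo "$p_num:1" >>"$pending_tmp"
		fi
	done <"$pending_file"
	mv -- "$pending_tmp" "$pending_file"
	gencrl
}
```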