|
43 |
: ${DEFAULT_CRL_DAYS:=10} |
43 |
: ${DEFAULT_CRL_DAYS:=10} |
44 |
DEFAULT_DAYS="$(/usr/sbin/univention-config-registry get ssl/default/days)" |
44 |
DEFAULT_DAYS="$(/usr/sbin/univention-config-registry get ssl/default/days)" |
45 |
: ${DEFAULT_DAYS:=1825} |
45 |
: ${DEFAULT_DAYS:=1825} |
|
|
46 |
DEFAULT_GRACE="$(/usr/sbin/univention-config-registry get ssl/default/grace)" |
47 |
: ${DEFAULT_GRACE:=0} |
46 |
DEFAULT_MD="$(/usr/sbin/univention-config-registry get ssl/default/hashfunction)" |
48 |
DEFAULT_MD="$(/usr/sbin/univention-config-registry get ssl/default/hashfunction)" |
47 |
: ${DEFAULT_MD:=sha256} |
49 |
: ${DEFAULT_MD:=sha256} |
48 |
DEFAULT_BITS="$(/usr/sbin/univention-config-registry get ssl/default/bits)" |
50 |
DEFAULT_BITS="$(/usr/sbin/univention-config-registry get ssl/default/bits)" |
|
133 |
|
135 |
|
134 |
policy = policy_match |
136 |
policy = policy_match |
135 |
|
137 |
|
|
|
138 |
unique_subject = no |
139 |
|
136 |
[ policy_match ] |
140 |
[ policy_match ] |
137 |
|
141 |
|
138 |
countryName = match |
142 |
countryName = match |
|
336 |
if ( X[i] ~ /^CN=/ ) { |
340 |
if ( X[i] ~ /^CN=/ ) { |
337 |
split ( X[i], Y, "=" ); |
341 |
split ( X[i], Y, "=" ); |
338 |
if ( name == Y[2] ) { |
342 |
if ( name == Y[2] ) { |
339 |
seq = $4; |
343 |
if ( $1 == "V" ) { |
|
|
344 |
seq = seq$4" "; |
345 |
} |
340 |
ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2; |
346 |
ret = ( $1 != "R" ) ? ( $1 == "V" && $2 >= now ? 0 : 3 ) : 2; |
341 |
} |
347 |
} |
342 |
} |
348 |
} |
|
348 |
renew_cert () { |
354 |
renew_cert () { |
349 |
local fqdn="${1:?Missing argument: common name}" |
355 |
local fqdn="${1:?Missing argument: common name}" |
350 |
local days="${2:-$DEFAULT_DAYS}" |
356 |
local days="${2:-$DEFAULT_DAYS}" |
|
|
357 |
local grace="${3:-$DEFAULT_GRACE}" |
351 |
|
358 |
|
352 |
revoke_cert "$fqdn" || [ $? -eq 2 ] || return $? |
359 |
revoke_cert "$fqdn" "$grace" || [ $? -eq 2 ] || return $? |
353 |
|
360 |
|
354 |
( |
361 |
( |
355 |
cd "$SSLBASE" |
362 |
cd "$SSLBASE" |
|
361 |
|
368 |
|
362 |
revoke_cert () { |
369 |
revoke_cert () { |
363 |
local fqdn="${1:?Missing argument: common name}" |
370 |
local fqdn="${1:?Missing argument: common name}" |
|
|
371 |
local grace="${2:-$DEFAULT_GRACE}" |
364 |
|
372 |
|
365 |
local cn NUM |
373 |
local cn NUM |
366 |
[ ${#fqdn} -gt 64 ] && cn="${fqdn%%.*}" || cn="$fqdn" |
374 |
[ ${#fqdn} -gt 64 ] && cn="${fqdn%%.*}" || cn="$fqdn" |
|
371 |
return 2 |
379 |
return 2 |
372 |
fi |
380 |
fi |
373 |
|
381 |
|
374 |
openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${NUM}.pem" -passin pass:"$PASSWD" |
382 |
if [ "$grace" -eq 0 ]; then |
|
|
383 |
# revoke all certificates of this fqdn |
384 |
for num in "${NUM[@]}"; do |
385 |
local num1=$(sed 's/\s.*$//' <<< "$num") |
386 |
openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${num1}.pem" -passin pass:"$PASSWD" |
387 |
done |
388 |
else |
389 |
# remember all certificates of this fqdn for revocation after the grace period |
390 |
pending_file="${SSLBASE}/pending.txt" |
391 |
[ -f "$pending_file" ] || touch "$pending_file" |
392 |
chmod 600 "$pending_file" |
393 |
local pending_certs=$(cat "$pending_file") |
394 |
local temp=$(mktemp) |
395 |
|
396 |
for num in "${NUM[@]}"; do |
397 |
local num=$(sed 's/\s.*$//' <<< "$num") |
398 |
local now=$(date +"%s") |
399 |
local expire="$(($now + ($grace * 3600 * 24)))" |
400 |
echo "$num:$expire" >>"$temp" |
401 |
done |
402 |
|
403 |
for cert in "${pending_certs[@]}"; do |
404 |
local num=$(sed 's/:.*//' <<< "$cert") |
405 |
local expire=$(sed 's/.*://' <<< "$cert") |
406 |
if [[ "$NUM" != *"$num"* ]]; then |
407 |
echo "$num:$expire" >>"$temp" |
408 |
fi |
409 |
done |
410 |
mv "$temp" "$pending_file" |
411 |
chmod 600 "$pending_file" |
412 |
fi |
413 |
|
375 |
gencrl |
414 |
gencrl |
376 |
} |
415 |
} |
377 |
|
416 |
|
|
|
417 |
update_pending_certs () { |
418 |
local pending_file="${SSLBASE}/pending.txt" |
419 |
[ -f "$pending_file" ] || touch "$pending_file" |
420 |
chmod 600 "$pending_file" |
421 |
local pending_certs=$(cat "$pending_file") |
422 |
local temp=$(mktemp) |
378 |
|
423 |
|
|
|
424 |
for cert in "${pending_certs[@]}"; do |
425 |
local num=$(sed 's/:.*//' <<< "$cert") |
426 |
local expire=$(sed 's/.*://' <<< "$cert") |
427 |
local now=$(date +"%s") |
428 |
if [ "$now" -gt "$expire" ]; then |
429 |
openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${num}.pem" -passin pass:"$PASSWD" |
430 |
else |
431 |
echo "$num:$expire" >>"$temp" |
432 |
fi |
433 |
done |
434 |
|
435 |
mv "$temp" "$pending_file" |
436 |
chmod 600 "$pending_file" |
437 |
gencrl |
438 |
} |
439 |
|
440 |
|
379 |
# Parameter 1: Name des Unterverzeichnisses, in dem das neue Zertifikat abgelegt werden soll |
441 |
# Parameter 1: Name des Unterverzeichnisses, in dem das neue Zertifikat abgelegt werden soll |
380 |
# Parameter 2: Name des CN für den das Zertifikat ausgestellt wird. |
442 |
# Parameter 2: Name des CN für den das Zertifikat ausgestellt wird. |
381 |
|
443 |
|
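Review bot: The pending list is read into a plain string by `local pending_certs=$(cat "$pending_file")` (new line 393) but iterated as an array by `for cert in "${pending_certs[@]}"` (line 403), so the loop runs once over the whole file content, the two `sed` extractions yield multi-line `num`/`expire` values, and a file holding more than one entry is rewritten as garbage — the same pattern recurs at lines 421–424 in update_pending_certs, where `[ "$now" -gt "$expire" ]` then errors out and a certificate parked for deferred revocation is never revoked. `"${NUM[@]}"` on lines 384 and 396 looks like the same mistake: `local cn NUM` (line 373) declares a scalar, the awk change at line 344 emits the serials space-separated in one string, and `sed 's/\s.*$//'` then keeps only the first of them, so with grace 0 only one certificate of the fqdn is revoked; the NUM assignment (lines 375–378) is outside the hunk, so please confirm. The membership test `[[ "$NUM" != *"$num"* ]]` on line 406 is a substring match, so a pending serial that happens to be a substring of a newer serial is silently dropped from the list; compare whole tokens instead. Minor: `pending_file` on line 390 is not `local`, `date` runs once per serial, and a non-numeric `$grace` makes `[ "$grace" -eq 0 ]` fail into the else branch where it is fed to `$((...))` — guarding it with `[[ "$grace" =~ ^[0-9]+$ ]] || return 1` before the test closes that. A rewrite of the revocation/grace block using `mapfile -t` and an exact token match follows; update_pending_certs needs the same reading change.
```shell
	[[ "$grace" =~ ^[0-9]+$ ]] || return 1
	# serials of this fqdn as separate words; works whether NUM is a string or an array
	local -a serials=()
	read -r -a serials <<< "${NUM[*]}"
	if [ "$grace" -eq 0 ]; then
		# revoke all certificates of this fqdn
		local num
		for num in "${serials[@]}"; do
			openssl ca -config "${SSLBASE}/openssl.cnf" -revoke "${SSLBASE}/${CA}/certs/${num}.pem" -passin pass:"$PASSWD"
		done
	else
		# remember all certificates of this fqdn for revocation after the grace period
		local pending_file="${SSLBASE}/pending.txt"
		local -a pending_certs=()
		[ -f "$pending_file" ] && mapfile -t pending_certs < "$pending_file"
		local temp
		temp=$(mktemp) || return 1
		local now expire num cert
		now=$(date +%s)
		expire=$((now + grace * 3600 * 24))
		for num in "${serials[@]}"; do
			echo "$num:$expire" >>"$temp"
		done
		for cert in "${pending_certs[@]}"; do
			[ -n "$cert" ] || continue
			num=${cert%%:*}
			# keep entries for other serials only; whole-token match, not substring
			case " ${serials[*]} " in
			*" $num "*) ;;
			*) echo "$cert" >>"$temp" ;;
			esac
		done
		mv "$temp" "$pending_file" || { rm -f -- "$temp"; return 1; }
		chmod 600 "$pending_file"
	fi
	# … unchanged: gencrl …
```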