Basic implementation for private key rollover (#294)

* initial commit for PRIVATE_KEY_ROLLOVER

* fix if syntax

* rolloverkey without timestamps

* update example config: PRIVATE_KEY_ROLLOVER

* rolloverkey creation logic updated

* updated tests. untested.

* added cleanup for rolloverkeys: if disabled, delete privkey.roll.pem
crza
2016-10-17 22:40:03 +02:00
committed by Lukas Schauer
parent d62a5eeb1e
commit a13e410363
3 changed files with 45 additions and 1 deletions
+22 -1
@@ -118,6 +118,7 @@ load_config() {
KEYSIZE="4096"
WELLKNOWN=
PRIVATE_KEY_RENEW="yes"
PRIVATE_KEY_ROLLOVER="no"
KEY_ALGO=rsa
OPENSSL_CNF="$(openssl version -d | cut -d\" -f2)/openssl.cnf"
CONTACT_EMAIL=
@@ -596,6 +597,26 @@ sign_domain() {
prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${CERTDIR}/${domain}/privkey-${timestamp}.pem";;
esac
fi
# move rolloverkey into position (if any)
if [[ -r "${CERTDIR}/${domain}/privkey.pem" && -r "${CERTDIR}/${domain}/privkey.roll.pem" && "${PRIVATE_KEY_RENEW}" = "yes" && "${PRIVATE_KEY_ROLLOVER}" = "yes" ]]; then
echo " + Moving Rolloverkey into position.... "
mv "${CERTDIR}/${domain}/privkey.roll.pem" "${CERTDIR}/${domain}/privkey-tmp.pem"
mv "${CERTDIR}/${domain}/privkey-${timestamp}.pem" "${CERTDIR}/${domain}/privkey.roll.pem"
mv "${CERTDIR}/${domain}/privkey-tmp.pem" "${CERTDIR}/${domain}/privkey-${timestamp}.pem"
fi
# generate a new private rollover key if we need or want one
if [[ ! -r "${CERTDIR}/${domain}/privkey.roll.pem" && "${PRIVATE_KEY_ROLLOVER}" = "yes" && "${PRIVATE_KEY_RENEW}" = "yes" ]]; then
echo " + Generating private rollover key..."
case "${KEY_ALGO}" in
rsa) _openssl genrsa -out "${CERTDIR}/${domain}/privkey.roll.pem" "${KEYSIZE}";;
prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${CERTDIR}/${domain}/privkey.roll.pem";;
esac
fi
# delete rolloverkeys if disabled
if [[ -r "${CERTDIR}/${domain}/privkey.roll.pem" && ! "${PRIVATE_KEY_ROLLOVER}" = "yes" ]]; then
echo " + Removing Rolloverkey (feature disabled)..."
rm -f "${CERTDIR}/${domain}/privkey.roll.pem"
fi
# Generate signing request config and the actual signing request
echo " + Generating signing request..."
@@ -709,7 +730,7 @@ command_sign_domains() {
config_var="$(echo "${cfgline:1}" | cut -d'=' -f1)"
config_value="$(echo "${cfgline:1}" | cut -d'=' -f2-)"
case "${config_var}" in
KEY_ALGO|OCSP_MUST_STAPLE|PRIVATE_KEY_RENEW|KEYSIZE|CHALLENGETYPE|HOOK|WELLKNOWN|HOOK_CHAIN|OPENSSL_CNF|RENEW_DAYS)
KEY_ALGO|OCSP_MUST_STAPLE|PRIVATE_KEY_RENEW|PRIVATE_KEY_ROLLOVER|KEYSIZE|CHALLENGETYPE|HOOK|WELLKNOWN|HOOK_CHAIN|OPENSSL_CNF|RENEW_DAYS)
echo " + ${config_var} = ${config_value}"
declare -- "${config_var}=${config_value}"
;;
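Review bot: The three-step rename on lines 40–42 can strand the pre-published rollover key, because the guard on line 38 never checks that `privkey-${timestamp}.pem` was actually produced by the `case` just above it (no default arm is visible in the hunk, so an unrecognised KEY_ALGO may generate nothing) — then the first `mv` succeeds, the second fails, the rollover key is left behind as `privkey-tmp.pem`, `privkey.roll.pem` is gone, and the next run silently generates a brand-new rollover key at line 45, which defeats the point of announcing the key in advance. Adding the freshly generated key to the guard, `if [[ -r "${CERTDIR}/${domain}/privkey.pem" && -r "${CERTDIR}/${domain}/privkey.roll.pem" && -r "${CERTDIR}/${domain}/privkey-${timestamp}.pem" && "${PRIVATE_KEY_RENEW}" = "yes" && "${PRIVATE_KEY_ROLLOVER}" = "yes" ]]; then`, closes that case; a leftover `privkey-tmp.pem` from an interrupted swap still deserves a comment or a check before line 40 so it is restored rather than overwritten. On line 53, `! "${PRIVATE_KEY_ROLLOVER}" = "yes"` reads more naturally as `"${PRIVATE_KEY_ROLLOVER}" != "yes"`. sign_domain starts outside the hunk, so whether an enclosing `if` around the key generation also guards this block cannot be confirmed from here.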