Basic implementation for private key rollover (#294)
* initial commit for PRIVATE_KEY_ROLLOVER * fix if syntax * rolloverkey without timestamps * update example config: PRIVATE_KEY_ROLLOVER * rolloverkey creation logic updated * updated tests. untested. * added cleanup for rolloverkeys: if disabled, delete privkey.roll.pem
+22
-1
@@ -118,6 +118,7 @@ load_config() {
|
|||||||
KEYSIZE="4096"
|
KEYSIZE="4096"
|
||||||
WELLKNOWN=
|
WELLKNOWN=
|
||||||
PRIVATE_KEY_RENEW="yes"
|
PRIVATE_KEY_RENEW="yes"
|
||||||
|
PRIVATE_KEY_ROLLOVER="no"
|
||||||
KEY_ALGO=rsa
|
KEY_ALGO=rsa
|
||||||
OPENSSL_CNF="$(openssl version -d | cut -d\" -f2)/openssl.cnf"
|
OPENSSL_CNF="$(openssl version -d | cut -d\" -f2)/openssl.cnf"
|
||||||
CONTACT_EMAIL=
|
CONTACT_EMAIL=
|
||||||
@@ -596,6 +597,26 @@ sign_domain() {
|
|||||||
prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${CERTDIR}/${domain}/privkey-${timestamp}.pem";;
|
prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${CERTDIR}/${domain}/privkey-${timestamp}.pem";;
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
|
# move rolloverkey into position (if any)
|
||||||
|
if [[ -r "${CERTDIR}/${domain}/privkey.pem" && -r "${CERTDIR}/${domain}/privkey.roll.pem" && "${PRIVATE_KEY_RENEW}" = "yes" && "${PRIVATE_KEY_ROLLOVER}" = "yes" ]]; then
|
||||||
|
echo " + Moving Rolloverkey into position.... "
|
||||||
|
mv "${CERTDIR}/${domain}/privkey.roll.pem" "${CERTDIR}/${domain}/privkey-tmp.pem"
|
||||||
|
mv "${CERTDIR}/${domain}/privkey-${timestamp}.pem" "${CERTDIR}/${domain}/privkey.roll.pem"
|
||||||
|
mv "${CERTDIR}/${domain}/privkey-tmp.pem" "${CERTDIR}/${domain}/privkey-${timestamp}.pem"
|
||||||
|
fi
|
||||||
|
# generate a new private rollover key if we need or want one
|
||||||
|
if [[ ! -r "${CERTDIR}/${domain}/privkey.roll.pem" && "${PRIVATE_KEY_ROLLOVER}" = "yes" && "${PRIVATE_KEY_RENEW}" = "yes" ]]; then
|
||||||
|
echo " + Generating private rollover key..."
|
||||||
|
case "${KEY_ALGO}" in
|
||||||
|
rsa) _openssl genrsa -out "${CERTDIR}/${domain}/privkey.roll.pem" "${KEYSIZE}";;
|
||||||
|
prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${CERTDIR}/${domain}/privkey.roll.pem";;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
# delete rolloverkeys if disabled
|
||||||
|
if [[ -r "${CERTDIR}/${domain}/privkey.roll.pem" && ! "${PRIVATE_KEY_ROLLOVER}" = "yes" ]]; then
|
||||||
|
echo " + Removing Rolloverkey (feature disabled)..."
|
||||||
|
rm -f "${CERTDIR}/${domain}/privkey.roll.pem"
|
||||||
|
fi
|
||||||
|
|
||||||
# Generate signing request config and the actual signing request
|
# Generate signing request config and the actual signing request
|
||||||
echo " + Generating signing request..."
|
echo " + Generating signing request..."
|
||||||
@@ -709,7 +730,7 @@ command_sign_domains() {
|
|||||||
config_var="$(echo "${cfgline:1}" | cut -d'=' -f1)"
|
config_var="$(echo "${cfgline:1}" | cut -d'=' -f1)"
|
||||||
config_value="$(echo "${cfgline:1}" | cut -d'=' -f2-)"
|
config_value="$(echo "${cfgline:1}" | cut -d'=' -f2-)"
|
||||||
case "${config_var}" in
|
case "${config_var}" in
|
||||||
KEY_ALGO|OCSP_MUST_STAPLE|PRIVATE_KEY_RENEW|KEYSIZE|CHALLENGETYPE|HOOK|WELLKNOWN|HOOK_CHAIN|OPENSSL_CNF|RENEW_DAYS)
|
KEY_ALGO|OCSP_MUST_STAPLE|PRIVATE_KEY_RENEW|PRIVATE_KEY_ROLLOVER|KEYSIZE|CHALLENGETYPE|HOOK|WELLKNOWN|HOOK_CHAIN|OPENSSL_CNF|RENEW_DAYS)
|
||||||
echo " + ${config_var} = ${config_value}"
|
echo " + ${config_var} = ${config_value}"
|
||||||
declare -- "${config_var}=${config_value}"
|
declare -- "${config_var}=${config_value}"
|
||||||
;;
|
;;
|
||||||
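Review bot: In the sign_domain hunk, the rollover key that is moved into position by `mv "${CERTDIR}/${domain}/privkey.roll.pem" "${CERTDIR}/${domain}/privkey-tmp.pem"` was generated by an earlier run with whatever KEY_ALGO and KEYSIZE were in effect then, and nothing checks that they still match the current configuration, so a hardening change such as raising KEYSIZE or switching to secp384r1 is silently deferred for one full renewal while the log only says "Moving Rolloverkey into position". That should at least be stated next to the move, e.g. `# NOTE: privkey.roll.pem carries the KEY_ALGO/KEYSIZE of the run that created it; a config change only takes effect one renewal later unless the rollover key is removed first`. The three-way swap also goes through the fixed name `privkey-tmp.pem`, and a run killed between the `mv` calls leaves a live private key under that name that no later run removes, since the next run finds no privkey.roll.pem, skips the swap and just generates a fresh rollover key. Because the freshly generated `privkey-${timestamp}.pem` has not been used for anything at this point, the swap could be a single rename, `mv "${CERTDIR}/${domain}/privkey.roll.pem" "${CERTDIR}/${domain}/privkey-${timestamp}.pem"`, after which the existing "generate a new private rollover key" block creates the replacement; this costs one discarded keygen but needs no temporary file. sign_domain begins before the hunk and continues after it.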
|
|||||||
@@ -72,6 +72,9 @@
|
|||||||
# Regenerate private keys instead of just signing new certificates on renewal (default: yes)
|
# Regenerate private keys instead of just signing new certificates on renewal (default: yes)
|
||||||
#PRIVATE_KEY_RENEW="yes"
|
#PRIVATE_KEY_RENEW="yes"
|
||||||
|
|
||||||
|
# Create an extra private key for rollover (default: no)
|
||||||
|
#PRIVATE_KEY_ROLLOVER="no"
|
||||||
|
|
||||||
# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
|
# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
|
||||||
#KEY_ALGO=rsa
|
#KEY_ALGO=rsa
|
||||||
|
|
||||||
|
|||||||
@@ -209,6 +209,26 @@ _CHECK_LOG "Done."
|
|||||||
_CHECK_FILE "certs/${TMP_URL}/${REAL_CERT}-revoked"
|
_CHECK_FILE "certs/${TMP_URL}/${REAL_CERT}-revoked"
|
||||||
_CHECK_ERRORLOG
|
_CHECK_ERRORLOG
|
||||||
|
|
||||||
|
# Enable private key renew
|
||||||
|
echo 'PRIVATE_KEY_RENEW="yes"' >> config
|
||||||
|
echo 'PRIVATE_KEY_ROLLOVER="yes"' >> config
|
||||||
|
|
||||||
|
# Check if Rolloverkey creation works
|
||||||
|
_TEST "Testing Rolloverkeys..."
|
||||||
|
_SUBTEST "First Run: Creating rolloverkey"
|
||||||
|
./dehydrated --cron --domain "${TMP2_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed"
|
||||||
|
CERT_ROLL_HASH=$(openssl rsa -in certs/${TMP2_URL}/privkey.roll.pem -outform DER -pubout 2>/dev/null | openssl sha256)
|
||||||
|
_CHECK_LOG "Generating private key"
|
||||||
|
_CHECK_LOG "Generating private rollover key"
|
||||||
|
_SUBTEST "Second Run: Force Renew, Use rolloverkey"
|
||||||
|
./dehydrated --cron --force --domain "${TMP2_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed"
|
||||||
|
CERT_NEW_HASH=$(openssl rsa -in certs/${TMP2_URL}/privkey.pem -outform DER -pubout 2>/dev/null | openssl sha256)
|
||||||
|
_CHECK_LOG "Generating private key"
|
||||||
|
_CHECK_LOG "Moving Rolloverkey into position"
|
||||||
|
_SUBTEST "Verifying Hash Rolloverkey and private key second run"
|
||||||
|
[[ "${CERT_ROLL_HASH}" = "${CERT_NEW_HASH}" ]] && _PASS || _FAIL
|
||||||
|
_CHECK_ERRORLOG
|
||||||
|
|
||||||
# Test cleanup command
|
# Test cleanup command
|
||||||
_TEST "Cleaning up certificates"
|
_TEST "Cleaning up certificates"
|
||||||
./dehydrated --cleanup > tmplog 2> errorlog || _FAIL "Script execution failed"
|
./dehydrated --cleanup > tmplog 2> errorlog || _FAIL "Script execution failed"
|
||||||
|
|||||||