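#!/bin/bash
# Generate (or refresh) the root CA's CRL and print it in text form.
#
# All paths are resolved relative to the directory holding this script:
#   CA/                  - CA working directory (must already exist)
#   config/root-ca.conf  - openssl ca configuration
#   CRL/root-ca.crl.pem  - output CRL (the CRL/ directory is created if missing)
#
# Environment:
#   OPENSSL_PASSIN    - complete openssl -passin source (e.g. "file:/path");
#                       takes precedence over CA_PASSPHRASE
#   CA_PASSPHRASE     - CA key passphrase; handed to openssl as "env:CA_PASSPHRASE"
#                       so the secret never appears in the process argument list
#   DEFAULT_CRL_DAYS  - CRL validity in days when the config has no
#                       default_crl_days entry (default: 90)
#
# Exits non-zero on any failure; diagnostics go to stderr.
set -euo pipefail

# Print an error to stderr and exit.
die() { printf '[ERROR] %s\n' "$*" >&2; exit 1; }

BASE=$(realpath "$(dirname "$0")") || die "cannot resolve script directory"
cd "${BASE}" || die "cannot cd to ${BASE}"
readonly BASE
readonly CA="${BASE}/CA"
readonly CONFIG="${BASE}/config/root-ca.conf"
readonly CRL="${BASE}/CRL/root-ca.crl.pem"

[ -d "${CA}" ] || die "CA directory not found at ${CA}"
[ -f "${CONFIG}" ] || die "config not found at ${CONFIG}"
CRL_DIR=$(dirname "${CRL}")
readonly CRL_DIR
[ -d "${CRL_DIR}" ] || mkdir -- "${CRL_DIR}" || die "cannot create ${CRL_DIR}"

# Determine CRL validity period.
# Prefer default_crl_days from the config, else DEFAULT_CRL_DAYS env, else 90.
# A trailing "# comment" after the value is stripped; awk prints nothing when
# the key is absent, which leaves CRL_DAYS empty.
CRL_DAYS=$(awk -F= '/^[[:space:]]*default_crl_days[[:space:]]*=/ {
  sub(/#.*/, "", $2); gsub(/[[:space:]]/, "", $2); print $2; exit
}' "${CONFIG}")
if [ -z "${CRL_DAYS}" ]; then
  CRL_DAYS="${DEFAULT_CRL_DAYS:-90}"
fi
# The value goes straight into an openssl argument; accept only a positive integer.
[[ "${CRL_DAYS}" =~ ^[0-9]+$ && "${CRL_DAYS}" -gt 0 ]] \
  || die "invalid CRL validity period: '${CRL_DAYS}'"
readonly CRL_DAYS

# Support non-interactive passphrase via environment.
PASSIN_ARGS=()
if [ -n "${OPENSSL_PASSIN:-}" ]; then
  PASSIN_ARGS=(-passin "${OPENSSL_PASSIN}")
elif [ -n "${CA_PASSPHRASE:-}" ]; then
  # "env:NAME" makes openssl read the variable itself, so the passphrase is not
  # exposed to other users through `ps` or /proc as "pass:..." would be.
  export CA_PASSPHRASE
  PASSIN_ARGS=(-passin env:CA_PASSPHRASE)
fi

# ${arr[@]+"${arr[@]}"} expands to nothing for an empty array without tripping set -u.
openssl ca -config "${CONFIG}" \
  -gencrl -crldays "${CRL_DAYS}" -out "${CRL}" \
  ${PASSIN_ARGS[@]+"${PASSIN_ARGS[@]}"} \
  || die "CRL generation failed"

# Only reached when generation succeeded, so this shows the fresh CRL, never a stale one.
[ -f "${CRL}" ] || die "openssl reported success but ${CRL} was not written"
openssl crl -in "${CRL}" -noout -text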