Commit | Line | Data |
---|---|---|
ac397a39 JR |
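#!/bin/sh

# Revoke a certificate, regenerate the CRL, and verify the revocation.
#
# Usage: revoke-full <cert-name-base>
# Env:   KEY_DIR, KEY_CONFIG and OPENSSL are read from the environment;
#        the fallback message at the bottom asks the operator to source
#        ./vars first.
# Exit:  1 on a usage error, a missing certificate, an unusable KEY_DIR
#        or missing environment; otherwise the status of the final
#        "openssl verify" (see the note there: non-zero is the expected
#        outcome after a successful revocation).

CRL="crl.pem"
RT="revoke-test.pem"

if [ $# -ne 1 ]; then
    echo "usage: revoke-full <cert-name-base>" >&2
    exit 1
fi

if [ "$KEY_DIR" ]; then
    # With OPENSSL empty, "$OPENSSL ca ..." would expand to a bare "ca"
    # and run whatever program of that name is on PATH.
    if [ -z "$OPENSSL" ] || [ -z "$KEY_CONFIG" ]; then
        echo 'OPENSSL and KEY_CONFIG must be set (i.e. "source ./vars")' >&2
        exit 1
    fi

    # Stop if the key directory is unusable: carrying on would run rm and
    # the CA operations in whatever directory the caller happened to be in.
    cd "$KEY_DIR" || exit 1
    rm -f "$RT"

    # set defaults
    export KEY_CN=""
    export KEY_OU=""
    export KEY_NAME=""

    # revoke key and generate a new CRL
    if [ -f "$1.crt" ]; then
        crtname="$1.crt"
    elif [ -f "$1.pem" ]; then
        crtname="$1.pem"
    else
        echo "That certificate doesn't exist ($1.crt or $1.pem)" >&2
        # A bare "exit" here returned the status of the echo (0), so a
        # caller could not tell that nothing had been revoked.
        exit 1
    fi

    # A file name beginning with "-" would be read as an option by the
    # final "verify", where it is a positional argument.
    case "$crtname" in
        -*) crtname="./$crtname" ;;
    esac

    # Report a failed revoke, but keep going: the CRL is still regenerated
    # and the verify step below shows the certificate's actual state.
    $OPENSSL ca -revoke "$crtname" -config "$KEY_CONFIG" ||
        echo "warning: 'ca -revoke' failed for $crtname" >&2

    # generate a new CRL -- try to be compatible with
    # intermediate PKIs
    $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
    if [ -e export-ca.crt ]; then
        cat export-ca.crt "$CRL" >"$RT"
    else
        cat ca.crt "$CRL" >"$RT"
    fi

    # verify the revocation
    # NOTE: with -crl_check a revoked certificate FAILS verification, so
    # a "certificate revoked" error and a non-zero status are the expected
    # result here. A zero status means the certificate is still accepted.
    $OPENSSL verify -CAfile "$RT" -crl_check "$crtname"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "warning: $crtname still verifies against the new CRL; it is NOT revoked" >&2
    fi
    # The exit status stays that of "openssl verify", as before.
    exit "$rc"
else
    echo 'Please source the vars script first (i.e. "source ./vars")' >&2
    echo 'Make sure you have edited it to reflect your configuration.' >&2
    # Nothing was revoked, so do not report success.
    exit 1
fi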