projects / vpn-prov.git / blame
| Commit | Line | Data |
|---|---|---|
| ac397a39 JR |
1 | #!/bin/sh |
| 2 | ||
| 3 | # revoke a certificate, regenerate CRL, | |
| 4 | # and verify revocation | |
| 5 | ||
| 6 | CRL="crl.pem" | |
| 7 | RT="revoke-test.pem" | |
| 8 | ||
| 9 | if [ $# -ne 1 ]; then | |
| 10 | echo "usage: revoke-full <cert-name-base>"; | |
| 11 | exit 1 | |
| 12 | fi | |
| 13 | ||
| 14 | if [ "$KEY_DIR" ]; then | |
| 15 | cd "$KEY_DIR" | |
| 16 | rm -f "$RT" | |
| 17 | ||
| 18 | # set defaults | |
| 19 | export KEY_CN="" | |
| 20 | export KEY_OU="" | |
| 21 | export KEY_NAME="" | |
| 22 | ||
| 23 | # revoke key and generate a new CRL | |
| 02449cb1 JR |
24 | if [ -f "$1.crt" ]; then |
| 25 | crtname="$1.crt" | |
| 26 | elif [ -f "$1.pem" ]; then | |
| 27 | crtname="$1.pem" | |
| 28 | else | |
| 29 | echo "That certificate doesn't exist ($1.crt or $1.pem)" | |
| 30 | exit | |
| 31 | fi | |
| 32 | $OPENSSL ca -revoke "$crtname" -config "$KEY_CONFIG" | |
| ac397a39 JR |
33 | |
| 34 | # generate a new CRL -- try to be compatible with | |
| 35 | # intermediate PKIs | |
| 36 | $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" | |
| 37 | if [ -e export-ca.crt ]; then | |
| 38 | cat export-ca.crt "$CRL" >"$RT" | |
| 39 | else | |
| 40 | cat ca.crt "$CRL" >"$RT" | |
| 41 | fi | |
| 42 | ||
| 43 | # verify the revocation | |
| 02449cb1 | 44 | $OPENSSL verify -CAfile "$RT" -crl_check "$crtname" |
| ac397a39 JR |
45 | else |
| 46 | echo 'Please source the vars script first (i.e. "source ./vars")' | |
| 47 | echo 'Make sure you have edited it to reflect your configuration.' | |
| 48 | fi |