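#!/bin/sh

# revoke-full: revoke a certificate, regenerate the CRL, and verify that
# the certificate is now rejected.
#
# Usage: revoke-full <cert-name-base>
#
# Environment (normally provided by sourcing ./vars):
#   KEY_DIR     directory holding the CA files and the issued certificates
#   KEY_CONFIG  configuration file passed to "openssl ca"
#   OPENSSL     openssl command to run
#
# Notes for operators:
#   - This script only writes the new CRL to $KEY_DIR/crl.pem. Revocation
#     takes effect only where that refreshed file is the one actually being
#     checked; distributing it is outside this script.
#   - The final "openssl verify" is expected to REJECT the certificate
#     ("certificate revoked"). Depending on the OpenSSL version that also
#     means a non-zero exit status, which this script passes through
#     unchanged, so a non-zero status from the last step is the success case.

CRL="crl.pem"
RT="revoke-test.pem"

if [ $# -ne 1 ]; then
    echo "usage: revoke-full <cert-name-base>" >&2
    exit 1
fi

# All three settings are required. With OPENSSL empty, "$OPENSSL ca ..."
# would try to run a command literally named "ca"; with KEY_DIR empty the
# script would operate on whatever the current directory happens to be.
if [ -z "$KEY_DIR" ] || [ -z "$KEY_CONFIG" ] || [ -z "$OPENSSL" ]; then
    echo 'Please source the vars script first (i.e. "source ./vars")' >&2
    echo 'Make sure you have edited it to reflect your configuration.' >&2
    exit 1
fi

# Stop if the key directory is unreachable: everything below (including the
# rm) uses relative paths and must not run in the caller's directory.
cd "$KEY_DIR" || {
    echo "revoke-full: cannot change to KEY_DIR: $KEY_DIR" >&2
    exit 1
}

# Fail early with a clear message instead of a confusing openssl error.
if [ ! -f "$1.crt" ]; then
    echo "revoke-full: certificate not found: $KEY_DIR/$1.crt" >&2
    exit 1
fi

rm -f "$RT"

# set defaults
export KEY_CN=""
export KEY_OU=""
export KEY_NAME=""

# Revoke the certificate. A failure here is reported but not fatal, so the
# CRL is still regenerated and the verification below shows the real state.
# $OPENSSL is left unquoted as in the original script.
# NOTE(review): quote it if the value is always a single path -- confirm.
# shellcheck disable=SC2086
$OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG" ||
    echo "revoke-full: warning: 'ca -revoke' failed for $1.crt; regenerating the CRL anyway" >&2

# generate a new CRL -- try to be compatible with
# intermediate PKIs
# A failed -gencrl must stop the script: verifying against a stale or
# missing CRL would give a misleading result.
# shellcheck disable=SC2086
if ! $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"; then
    echo "revoke-full: CRL generation failed; do not rely on $KEY_DIR/$CRL" >&2
    exit 1
fi

# Build the CA + CRL bundle used for the check, preferring export-ca.crt
# when it exists.
if [ -e export-ca.crt ]; then
    ca_bundle="export-ca.crt"
else
    ca_bundle="ca.crt"
fi
cat "$ca_bundle" "$CRL" >"$RT" || {
    echo "revoke-full: could not build $RT from $ca_bundle and $CRL" >&2
    exit 1
}

# verify the revocation (a "certificate revoked" error is the wanted result)
# shellcheck disable=SC2086
$OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"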