]> jfr.im git - vpn-prov.git/blob - easy-rsa/revoke-full
d3514e4f56e23596f527b6ae5825f2b3f1435d1b
[vpn-prov.git] / easy-rsa / revoke-full
1 #!/bin/sh
2
3 # revoke a certificate, regenerate CRL,
4 # and verify revocation
5
6 CRL="crl.pem"
7 RT="revoke-test.pem"
8
9 if [ $# -ne 1 ]; then
10 echo "usage: revoke-full <cert-name-base>";
11 exit 1
12 fi
13
14 if [ "$KEY_DIR" ]; then
15 cd "$KEY_DIR"
16 rm -f "$RT"
17
18 # set defaults
19 export KEY_CN=""
20 export KEY_OU=""
21 export KEY_NAME=""
22
23 # revoke key and generate a new CRL
24 if [ -f "$1.crt" ]; then
25 crtname="$1.crt"
26 elif [ -f "$1.pem" ]; then
27 crtname="$1.pem"
28 else
29 echo "That certificate doesn't exist ($1.crt or $1.pem)"
30 exit
31 fi
32 $OPENSSL ca -revoke "$crtname" -config "$KEY_CONFIG"
33
34 # generate a new CRL -- try to be compatible with
35 # intermediate PKIs
36 $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
37 if [ -e export-ca.crt ]; then
38 cat export-ca.crt "$CRL" >"$RT"
39 else
40 cat ca.crt "$CRL" >"$RT"
41 fi
42
43 # verify the revocation
44 $OPENSSL verify -CAfile "$RT" -crl_check "$crtname"
45 else
46 echo 'Please source the vars script first (i.e. "source ./vars")'
47 echo 'Make sure you have edited it to reflect your configuration.'
48 fi