forked from redredgroovy/easy-ca
-
Notifications
You must be signed in to change notification settings - Fork 1
/
revoke-cert
executable file
·132 lines (106 loc) · 3.14 KB
/
revoke-cert
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
#!/bin/bash
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# Derek Moore <derek.moore@gmail.com>
# Christian Göttsche <cgzones@googlemail.com>
set -eu
set -o pipefail
umask 0077
BIN_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# shellcheck disable=SC1090
source "${BIN_DIR}/functions"
# shellcheck disable=SC1090
source "${BIN_DIR}/defaults.conf"
usage() {
echo "Usage: $0 -c CERT"
echo "Revokes a certificate issued by this CA"
echo
echo "Options:"
echo " -c CERT Path the the certificate file to be revoked"
echo
}
if [ ! -f ca/ca.crt ]; then
echo -e "$ERR Must be run inside a CA directory!"
exit 2
fi
CERT=
while getopts c:h FLAG; do
case $FLAG in
c) CERT=${OPTARG} ;;
h) echo -e -n "$SUCC " && usage && exit 0 ;;
*) echo -e -n "$ERR " && usage && exit 2;;
esac
done
if [ $OPTIND -le $# ]; then
echo -e -n "$ERR " && usage && exit 2
elif [ "${CERT}" = "" ]; then
echo -e -n "$ERR " && usage && exit 1
fi
# Fully-qualify path to cert
CERT_PATH=$( fullpath "${CERT}" )
echo -e "$SUCC Revoking certificate '${CERT_PATH}'"
if [ ! -f "${CERT_PATH}" ]; then
echo -e "$ERR Can not find certificate '${CERT_PATH}', exiting."
exit 1
fi
echo -e "$NOTE Verifying trusted chain"
openssl verify -CAfile ca/chain.pem "$CERT_PATH"
issuer_hash=$(openssl x509 -in "$CERT_PATH" -issuer_hash -noout)
ca_hash=$(openssl x509 -in ca/ca.crt -hash -noout)
if [ "x$issuer_hash" != "x$ca_hash" ]; then
echo -e "$ERR certificate was not issued by current CA, exiting. ($issuer_hash vs. $ca_hash)"
exit 1
fi
pushd "${BIN_DIR}/.." > /dev/null
echo "Reason for revocation: "
echo
echo "1. unspecified"
echo "2. keyCompromise"
echo "3. CACompromise"
echo "4. affiliationChanged"
echo "5. superseded"
echo "6. cessationOfOperation"
echo "7. certificateHold"
echo
echo -e -n "$INPUT Enter 1-7 [1]: "
read -r INDEX
[ -z "${INDEX}" ] && INDEX="1"
case $INDEX in
1) REASON="unspecified" ;;
2) REASON="keyCompromise" ;;
3) REASON="CACompromise" ;;
4) REASON="affiliationChanged" ;;
5) REASON="superseded" ;;
6) REASON="cessationOfOperation" ;;
7) REASON="certificateHold" ;;
*) echo -e "$ERR Unknown reason, exiting."; exit 1 ;;
esac
echo
echo -e "$SUCC You are about to revoke this certificate with reason '${REASON}'."
echo
echo -e -n "$INPUT Are you SURE you wish to continue? [y/N]: "
read -r SURE
if [ "${SURE}" != "y" ] && [ "${SURE}" != "Y" ]; then
echo -e "$ERR Exiting."
exit 1
fi
echo
echo -e -n "$INPUT Enter passphase for signing CA key: "
read -r -s PASS
echo
export CA_PASS="${PASS}"
export SAN=""
echo -e "$NOTE Revoke the certificate"
openssl ca \
-config ca/ca.conf \
-revoke "${CERT_PATH}" \
-crl_reason "${REASON}" \
-passin env:CA_PASS
echo -e "$NOTE Regenerate the CRL"
openssl ca -gencrl \
-config ca/ca.conf \
-out ca/ca.crl \
-passin env:CA_PASS
popd > /dev/null
echo -e "$SUCC Server certificate '${CERT_PATH}' revoked."