delete_ca_based_cert.sh
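#!/usr/bin/env sh
# SPDX-FileCopyrightText: © 2024 Sebastian Davids <sdavids@gmx.de>
# SPDX-License-Identifier: Apache-2.0
#
# Deletes a host certificate issued by the local easyRSA CA: the copies in the
# project directory (key.pem/cert.pem), every file easyRSA keeps for the host
# inside the PKI, the host's row in index.txt, and finally runs `update-db`.
#
# Usage: delete_ca_based_cert.sh [base_dir] [host_name]
#   base_dir   directory holding key.pem and cert.pem (default: $PWD); removed
#              afterwards when it is empty and is not the current directory
#   host_name  common name of the certificate to delete (default: localhost);
#              'ca' is rejected
#
# Environment:
#   EASYRSA_PKI    PKI location; when unset it is derived from XDG_DATA_HOME,
#                  the macOS "Application Support" folder or ~/.easyrsa and
#                  exported so easyrsa sees the same directory
#   XDG_DATA_HOME  see above
#
# Exit status: 1 unsupported easyRSA version, 2 host name is 'ca',
#              3 PKI directory does not exist.
#
# easyrsa needs to be in $PATH
# Mac:
# brew install easy-rsa
# Linux:
# https://easy-rsa.readthedocs.io/en/latest/#obtaining-and-using-easy-rsa
set -eu

# Exactly one matching "Version: 3.1" line is required.
# shellcheck disable=SC2143
if [ "$(easyrsa --version | grep -E -c 'Version:\s+3.1')" -ne 1 ]; then
  echo 'only version 3.1 of easyRSA supported' >&2
  exit 1
fi

readonly base_dir="${1:-$PWD}"
readonly host_name="${2:-localhost}"

# 'ca' is the name easyRSA uses for the authority's own key and certificate.
if [ "${host_name}" = 'ca' ]; then
  echo "'ca' is not allowed due to it being the name of the certificate authority" >&2
  exit 2
fi

# https://easy-rsa.readthedocs.io/en/latest/advanced/#openssl-config
if [ -n "${EASYRSA_PKI+x}" ]; then
  readonly pki_dir="${EASYRSA_PKI}"
else
  config_dir="${HOME}/.easyrsa"
  if [ "$(uname)" = 'Darwin' ]; then
    # Inside double quotes a backslash does not escape a space, so the former
    # "Application\ Support" yielded a path containing a literal backslash.
    # NOTE(review): create_ca.sh must derive the same directory — confirm.
    config_dir="${HOME}/Library/Application Support/easyrsa"
  fi
  if [ -n "${XDG_DATA_HOME+x}" ]; then
    config_dir="${XDG_DATA_HOME}/easyrsa"
  fi
  readonly pki_dir="${config_dir}/pki"
  export EASYRSA_PKI="${pki_dir}"
  unset config_dir
fi

if [ ! -d "${pki_dir}" ]; then
  printf "The PKI directory '%s' does not exist; therefore the CA has not been created yet.\n\nExecute the create_ca.sh script to create the CA.\n" "${pki_dir}" >&2
  exit 3
fi

#######################################
# Removes a regular file if it exists; directories and other paths are left
# untouched. '--' protects against a base_dir that starts with '-'.
# Arguments: $1 - path to remove
#######################################
remove_file() {
  if [ -f "$1" ]; then
    rm -f -- "$1"
  fi
}

readonly key_path="${base_dir}/key.pem"
readonly cert_path="${base_dir}/cert.pem"
readonly easyrsa_key_path="${pki_dir}/private/${host_name}.key"
readonly easyrsa_cert_path="${pki_dir}/issued/${host_name}.crt"
readonly easyrsa_inline_path="${pki_dir}/inline/${host_name}.inline"
readonly easyrsa_req_path="${pki_dir}/reqs/${host_name}.req"
readonly easyrsa_renewed_path="${pki_dir}/renewed/issued/${host_name}.crt"
readonly easyrsa_index_path="${pki_dir}/index.txt"

# certs_by_serial/ stores a copy named after the certificate's serial number,
# which can only be read while the issued certificate still exists.
if [ -f "${easyrsa_cert_path}" ]; then
  serial="$(openssl x509 -serial -noout -in "${easyrsa_cert_path}" | sed 's/serial=\(.*\)/\1/')"
  easyrsa_serial_path="${pki_dir}/certs_by_serial/${serial}.pem"
  unset serial
else
  easyrsa_serial_path=''
fi
readonly easyrsa_serial_path

remove_file "${key_path}"
remove_file "${cert_path}"
remove_file "${easyrsa_key_path}"
remove_file "${easyrsa_cert_path}"
remove_file "${easyrsa_req_path}"
remove_file "${easyrsa_inline_path}"
remove_file "${easyrsa_renewed_path}"
remove_file "${easyrsa_serial_path}"

# delete empty certs dir if not $PWD
if [ -d "${base_dir}" ] \
  && [ "${base_dir}" != "$PWD" ] \
  && [ "${base_dir}" != '.' ] \
  && [ -z "$(ls -A -- "${base_dir}")" ]; then
  rmdir -- "${base_dir}"
fi

# Drop the host's row(s) from index.txt. host_name is caller-supplied and is
# spliced into a sed address, so BRE metacharacters and the '/' delimiter are
# escaped first: an unescaped '.' would match any character (and could remove
# another host's row), an unescaped '/' would terminate the address early.
host_name_re="$(printf '%s' "${host_name}" | sed 's/[]\/$*.^[]/\\&/g')"
readonly host_name_re
# BSD sed (macOS) requires an explicit, possibly empty, backup suffix for -i.
if [ "$(uname)" = 'Darwin' ]; then
  sed -i '' "/\/CN=${host_name_re}$/d" "${easyrsa_index_path}"
else
  sed -i "/\/CN=${host_name_re}$/d" "${easyrsa_index_path}"
fi

# Rebuild easyRSA's database view after editing index.txt by hand.
easyrsa --silent update-db 2>/dev/null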