57 lines
1.8 KiB
Bash
57 lines
1.8 KiB
Bash
#!/bin/bash
|
|
|
|
# Get configuration
|
|
if [ -f /etc/make-ca.conf ]; then
|
|
. /etc/make-ca.conf
|
|
else
|
|
#Use defaults if make-ca.conf does not exist
|
|
ANCHORDIR="/etc/pki/anchors"
|
|
ANCHORLIST="/etc/pki/anchors.md5sums"
|
|
LOCALDIR="/etc/ssl/local"
|
|
MD5SUM="/usr/bin/md5sum"
|
|
fi
|
|
|
|
# Dump to a temporary directory
|
|
TEMPDIR=`mktemp -d`
|
|
/usr/bin/trust extract --filter=certificates \
|
|
--format=openssl-directory \
|
|
--overwrite \
|
|
"${TEMPDIR}"
|
|
|
|
# Create a list of anchors that were not present or have been modified
|
|
"${MD5SUM}" "${ANCHORDIR}"/* \
|
|
2> /dev/null > "${TEMPDIR}/anchors.md5sums"
|
|
diff -au "${ANCHORLIST}" "${TEMPDIR}/anchors.md5sums" \
|
|
2> /dev/null > "${TEMPDIR}/diff"
|
|
grep "^+[a-z,0-9]" "${TEMPDIR}/diff" | cut -d " " -f 3 | \
|
|
sed '/x-certificate-extension/d' 2> /dev/null > "${TEMPDIR}/certlist"
|
|
|
|
echo -e "\nThe following certificates have local modifications:\n"
|
|
|
|
# Copy new certificates to LOCALDIR
|
|
for certificate in `cat "${TEMPDIR}/certlist"` ; do
|
|
LABEL=`grep -m 1 "^label:" "${certificate}" | sed 's@^label: @@'`
|
|
LABELNEW=`echo "${LABEL}" | /bin/sed -e 's@"@@g' -e 's@ @_@g'`
|
|
|
|
# Determine default usage (this can be changed later)
|
|
usage=$(openssl x509 -in ${certificate} -noout -text | \
|
|
grep -A1 "X509v3 Key Usage:")
|
|
trust=""
|
|
echo ${usage} | grep -q "Certificate Sign" &&
|
|
trust="${trust} -addtrust serverAuth"
|
|
echo ${usage} | grep -q "Digital Signature" &&
|
|
trust="${trust} -addtrust emailProtection"
|
|
|
|
# Place into LOCALDIR
|
|
openssl x509 -in ${certificate} -text -fingerprint -setalias "${LABEL}" \
|
|
${trust} -out "${LOCALDIR}/${LABELNEW}.pem"
|
|
echo -e "${LABELNEW}"
|
|
unset LABEL LABELNEW usage trust
|
|
done
|
|
echo ""
|
|
|
|
# Clean up
|
|
rm -rf "${TEMPDIR}"
|
|
unset ANCHORDIR ANCHORLIST LOCALDIR CERTLIST TEMPDIR
|
|
|