Skip to content

Instantly share code, notes, and snippets.

@selivan

selivan/new-cadir.sh

Last active December 27, 2018 14:56
Show Gist options
  • Save selivan/5dde4d1d6370c48bd670c48732501c0a to your computer and use it in GitHub Desktop.
Save selivan/5dde4d1d6370c48bd670c48732501c0a to your computer and use it in GitHub Desktop.
Download ZIP
Raw
new-cadir.sh
#!/bin/bash
#set -x
function die {
echo "ERROR: $*";
exit 1
}
usage_info="Usage: $0 ca_dir
Creates new ca dir with easy-rsa and encrypts it with ansible-vault.
Warning: unencrypted directory ca_dir.plainntext may remain if script was interrupted.
"
# Arguments
ca_dir="$1"
[ -e "$ca_dir" ] && die "Already exist: $ca_dir"
# Check for necessary programs
type openssl > /dev/null || die "openssl is not available in PATH"
type make-cadir > /dev/null || die "easy-rsa is not available in PATH"
type ansible-vault > /dev/null || die "ansible is not available in PATH"
# Abort if something goes wrong
set -e
scriptdir="$(readlink -f "$(dirname $0)")"
cd "$scriptdir"
mkdir -p "$ca_dir"
ca_dir="$(readlink -f "$ca_dir")"
ca_plaintext_dir="$ca_dir".plaintext
## NOTE: All *.key files are encrypted, *.crt and others are saved in plaintext
## Create unencrypted ca dir to manage keys
# make-cadir can not use existing directory, it creates a new one
make-cadir "$ca_plaintext_dir"
cd "$ca_plaintext_dir"
source ./vars
./clean-all
./build-ca
## Encrypt plaintext files
cd "$scriptdir"
ansible-vault encrypt "$ca_plaintext_dir"/keys/*.key
## Copy new certs and keys back to ca dir
mkdir -p "$ca_dir"/keys
cp -f "$ca_plaintext_dir"/keys/* "$ca_dir"/keys
cp -f "$ca_plaintext_dir"/vars "$ca_plaintext_dir"/*.cnf "$ca_dir"
## Remove unnecessary ca plaintext dir
rm -fr "$ca_plaintext_dir"
echo
echo "NOTE: don't forget to commit new files to git"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment