Skip to content

Instantly share code, notes, and snippets.

@selivan selivan/new-cadir.sh
Last active Dec 27, 2018

Embed
What would you like to do?
#!/bin/bash
#set -x
function die {
echo "ERROR: $*";
exit 1
}
usage_info="Usage: $0 ca_dir
Creates new ca dir with easy-rsa and encrypts it with ansible-vault.
Warning: unencrypted directory ca_dir.plainntext may remain if script was interrupted.
"
# Arguments
ca_dir="$1"
[ -e "$ca_dir" ] && die "Already exist: $ca_dir"
# Check for necessary programs
type openssl > /dev/null || die "openssl is not available in PATH"
type make-cadir > /dev/null || die "easy-rsa is not available in PATH"
type ansible-vault > /dev/null || die "ansible is not available in PATH"
# Abort if something goes wrong
set -e
scriptdir="$(readlink -f "$(dirname $0)")"
cd "$scriptdir"
mkdir -p "$ca_dir"
ca_dir="$(readlink -f "$ca_dir")"
ca_plaintext_dir="$ca_dir".plaintext
## NOTE: All *.key files are encrypted, *.crt and others are saved in plaintext
## Create unencrypted ca dir to manage keys
# make-cadir can not use existing directory, it creates a new one
make-cadir "$ca_plaintext_dir"
cd "$ca_plaintext_dir"
source ./vars
./clean-all
./build-ca
## Encrypt plaintext files
cd "$scriptdir"
ansible-vault encrypt "$ca_plaintext_dir"/keys/*.key
## Copy new certs and keys back to ca dir
mkdir -p "$ca_dir"/keys
cp -f "$ca_plaintext_dir"/keys/* "$ca_dir"/keys
cp -f "$ca_plaintext_dir"/vars "$ca_plaintext_dir"/*.cnf "$ca_dir"
## Remove unnecessary ca plaintext dir
rm -fr "$ca_plaintext_dir"
echo
echo "NOTE: don't forget to commit new files to git"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.