revoke_key.sh: add revokation check for new easyrsa layout. Try to merge with old easyrsa layout.
This commit is contained in:
parent
3c05c92ab1
commit
3f24f9a5f0
163
revoke_key.sh
163
revoke_key.sh
@ -7,6 +7,11 @@ _date="$(date +%Y-%m-%d-%H%M)"
|
||||
|
||||
key_names_reserverd="ta ca server"
|
||||
|
||||
# - For checking if revokation was successfull
|
||||
# -
|
||||
_CHECK_DIR="$(mktemp -d)"
|
||||
_RT_CERT="${_CHECK_DIR}/revoke-test.pem"
|
||||
|
||||
#---------------------------------------
|
||||
#-----------------------------
|
||||
# Some functions
|
||||
@ -17,6 +22,7 @@ clean_up() {
|
||||
|
||||
# Perform program exit housekeeping
|
||||
rm $log_file
|
||||
rm -rf $_CHECK_DIR
|
||||
blank_line
|
||||
exit $1
|
||||
}
|
||||
@ -61,7 +67,7 @@ fatal(){
|
||||
echo ""
|
||||
echo -e "\t[ \033[31m\033[1mFatal\033[m ]: $*"
|
||||
echo ""
|
||||
echo -e "\t\033[37m\033[1mInstalllation will be interrupted\033[m\033[m"
|
||||
echo -e "\t\033[37m\033[1mscript will be interrupted\033[m\033[m"
|
||||
echo ""
|
||||
clean_up 1
|
||||
}
|
||||
@ -96,6 +102,22 @@ echo_skipped() {
|
||||
trap clean_up SIGHUP SIGINT SIGTERM
|
||||
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Check some prerequisites
|
||||
# -------------
|
||||
|
||||
# -Is systemd supported on this system?
|
||||
# -
|
||||
systemd_supported=false
|
||||
systemd=$(which systemd)
|
||||
systemctl=$(which systemctl)
|
||||
|
||||
if [[ -n "$systemd" ]] && [[ -n "$systemctl" ]] ; then
|
||||
systemd_supported=true
|
||||
fi
|
||||
|
||||
|
||||
clear
|
||||
echo ""
|
||||
echo -e "\033[21G\033[32mRevoke OpenVPN key.. \033[m"
|
||||
@ -221,6 +243,8 @@ else
|
||||
_CLIENT_CERT="${OPENVPN_KEY_DIR}/${KEY_NAME_TO_REVOKE}.crt"
|
||||
_CLIENT_KEY="${OPENVPN_KEY_DIR}/${KEY_NAME_TO_REVOKE}.key"
|
||||
fi
|
||||
_CRL="${OPENVPN_KEY_DIR}/crl.pem"
|
||||
_CA_CERT="${OPENVPN_KEY_DIR}/ca.crt"
|
||||
|
||||
|
||||
for _name in $key_names_reserverd ; do
|
||||
@ -272,6 +296,16 @@ else
|
||||
fatal "OpenVPN directory '$OPENVPN_BASE_DIR' not found!"
|
||||
fi
|
||||
|
||||
|
||||
echononl "Backup cert to revoke for further check. (see below"
|
||||
cp -a "$_CLIENT_CERT" "$_CHECK_DIR" > "$log_file" 2>&1
|
||||
if [[ $? -eq 0 ]] ; then
|
||||
echo_ok
|
||||
else
|
||||
echo_failed
|
||||
fatal "$(cat $log_file)"
|
||||
fi
|
||||
|
||||
if $EASYRSA_LAYOUT_NEW ; then
|
||||
|
||||
# ---
|
||||
@ -345,34 +379,18 @@ else
|
||||
echo -e "\033[32m--\033[m"
|
||||
echo ""
|
||||
|
||||
echononl "Change into key directory '$KEY_DIR'.."
|
||||
cd "$KEY_DIR" > "$log_file" 2>&1
|
||||
if [[ $? -eq 0 ]] ; then
|
||||
echo_ok
|
||||
else
|
||||
echo_failed
|
||||
fatal "$(cat $log_file)"
|
||||
fi
|
||||
|
||||
echononl "Set Defaults .."
|
||||
CRL="crl.pem"
|
||||
RT="revoke-test.pem"
|
||||
export KEY_CN=""
|
||||
export KEY_OU=""
|
||||
export KEY_NAME=""
|
||||
echo_ok
|
||||
|
||||
echononl "Remove file '$RT'.."
|
||||
rm -f "$RT" > "$log_file" 2>&1
|
||||
if [[ $? -eq 0 ]] ; then
|
||||
echo_ok
|
||||
else
|
||||
echo_failed
|
||||
fatal "$(cat $log_file)"
|
||||
fi
|
||||
#echononl "Change into key directory '$KEY_DIR'.."
|
||||
#cd "$KEY_DIR" > "$log_file" 2>&1
|
||||
#if [[ $? -eq 0 ]] ; then
|
||||
# echo_ok
|
||||
#else
|
||||
# echo_failed
|
||||
# fatal "$(cat $log_file)"
|
||||
#fi
|
||||
|
||||
echononl "Revoke key ${KEY_NAME_TO_REVOKE}.key and update data base .."
|
||||
$OPENSSL ca -revoke "${KEY_NAME_TO_REVOKE}.crt" -config "$KEY_CONFIG" > "$log_file" 2>&1
|
||||
#$OPENSSL ca -revoke "${KEY_NAME_TO_REVOKE}.crt" -config "$KEY_CONFIG" > "$log_file" 2>&1
|
||||
$OPENSSL ca -revoke "${_CLIENT_KEY}" -config "$KEY_CONFIG" > "$log_file" 2>&1
|
||||
if [[ $? -eq 0 ]] ; then
|
||||
echo_ok
|
||||
else
|
||||
@ -381,48 +399,67 @@ else
|
||||
fi
|
||||
|
||||
echononl "Generate a new CRL -- try to be compatible with intermediate PKIs"
|
||||
$OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" > "$log_file" 2>&1
|
||||
#$OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" > "$log_file" 2>&1
|
||||
$OPENSSL ca -gencrl -out "$_CRL" -config "$KEY_CONFIG" > "$log_file" 2>&1
|
||||
if [[ $? -eq 0 ]] ; then
|
||||
echo_ok
|
||||
else
|
||||
echo_failed
|
||||
fatal "$(cat $log_file)"
|
||||
fi
|
||||
|
||||
# ---
|
||||
# - Check if Revokation was sucessfully.
|
||||
# ---
|
||||
echo ""
|
||||
echo -e "\033[32m--\033[m"
|
||||
echo "Check if Revokation of Key $(basename "$_CLIENT_KEY") was sucessfully.."
|
||||
echo -e "\033[32m--\033[m"
|
||||
echo ""
|
||||
|
||||
echononl "Create CA file '$RT' from $CRL to check against.."
|
||||
if [ -e export-ca.crt ]; then
|
||||
cat export-ca.crt "$CRL" >"$RT" 2> "$log_file"
|
||||
_retval=$?
|
||||
else
|
||||
cat ca.crt "$CRL" >"$RT" 2> "$log_file"
|
||||
_retval=$?
|
||||
fi
|
||||
if [[ $_retval -eq 0 ]]; then
|
||||
echo_ok
|
||||
else
|
||||
echo_failed
|
||||
error "$(cat $log_file)"
|
||||
fatal "Verifying the revocation is not possible!"
|
||||
fi
|
||||
|
||||
echononl "Verify the revocation.."
|
||||
$OPENSSL verify -CAfile "$RT" -crl_check "${KEY_NAME_TO_REVOKE}.crt" > "$log_file" 2>&1
|
||||
if [[ $? -eq 2 ]]; then
|
||||
echo_ok
|
||||
info "Key \033[37m\033[1m${KEY_NAME_TO_REVOKE}.key\033[m successfully revoked."
|
||||
else
|
||||
echo_failed
|
||||
error "$(cat $log_file)"
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
# ---
|
||||
# - Check if Revokation was sucessfully.
|
||||
# ---
|
||||
echo ""
|
||||
echo -e "\033[32m--\033[m"
|
||||
echo "Check if Revokation of Key $(basename "$_CLIENT_KEY") was sucessfully.."
|
||||
echo -e "\033[32m--\033[m"
|
||||
echo ""
|
||||
|
||||
# - "Create CA file '$_RT_CERT' including (new) $_CRL to check against..
|
||||
# -
|
||||
echononl "Create CA file '$_RT_CERT' to check against.."
|
||||
cat "$_CA_CERT" "$_CRL" >"$_RT_CERT" 2> "$log_file"
|
||||
if [[ $? -eq 0 ]] ; then
|
||||
echo_ok
|
||||
else
|
||||
echo_failed
|
||||
error "$(cat $log_file)"
|
||||
fatal "Verifying the revocation is not possible!"
|
||||
fi
|
||||
|
||||
[[ -z "$OPENSSL" ]] && OPENSSL="$(which openssl)"
|
||||
|
||||
echononl "Verify the revocation.."
|
||||
$OPENSSL verify -CAfile "$_RT_CERT" -crl_check "${_CHECK_DIR}/$(basename "$_CLIENT_CERT")" > "$log_file" 2>&1
|
||||
if [[ $? -eq 2 ]]; then
|
||||
echo_ok
|
||||
info "Key \033[37m\033[1m$(basename "$_CLIENT_KEY")\033[m successfully revoked."
|
||||
else
|
||||
echo_failed
|
||||
error "$(cat $log_file)"
|
||||
fi
|
||||
|
||||
# ---
|
||||
# - Start apache webservice
|
||||
# ---
|
||||
echo ""
|
||||
echononl "\tRestart OpenVPN Service.."
|
||||
if $systemd_supported ; then
|
||||
systemctl restart openvpn > $log_file 2>&1
|
||||
else
|
||||
/etc/init.d/openvpn restart > $log_file 2>&1
|
||||
fi
|
||||
if [ "$?" = "0" ]; then
|
||||
echo_ok
|
||||
else
|
||||
echo_failed
|
||||
error "$(cat $log_file)"
|
||||
warn "Restarting OpenVPN Service failed!."
|
||||
fi
|
||||
|
||||
|
||||
clean_up 0
|
||||
|
Loading…
x
Reference in New Issue
Block a user