[TLS] cert-staple.sh - refresh OCSP responses (#2469)
convenience script that can be run periodically from scheduled job to refresh OCSP responses used for OCSP stapling
This commit is contained in:
parent
b2b6257c7a
commit
0563407d09
|
|
@ -1,4 +1,5 @@
|
|||
EXTRA_DIST= \
|
||||
cert-staple.sh \
|
||||
create-mime.conf.pl \
|
||||
rrdtool-graph.sh \
|
||||
spawn-php.sh
|
||||
|
|
|
|||
|
|
@ -0,0 +1,63 @@
|
|||
#!/bin/sh
|
||||
|
||||
CERT_PEM="$1" # input (cert.pem)
|
||||
CHAIN_PEM="$2" # input (chain.pem)
|
||||
OCSP_DER="$3" # output symlink (staple.der)
|
||||
|
||||
OCSP_TMP="" # temporary file
|
||||
|
||||
if [[ -z "$CERT_PEM" ]] || [[ -z "$CHAIN_PEM" ]] || [[ -z "$OCSP_DER" ]] \
|
||||
|| [[ ! -f "$CERT_PEM" ]] || [[ ! -f "$CHAIN_PEM" ]]; then
|
||||
echo 1>&2 "usage: cert-staple.sh cert.pem chain.pem staple.der"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
function errexit {
|
||||
[[ -n "$OCSP_TMP" ]] && rm -f "$OCSP_TMP"
|
||||
exit 1
|
||||
}
|
||||
|
||||
# get URI of OCSP responder from certificate
|
||||
OCSP_URI=$(openssl x509 -in "$CERT_PEM" -ocsp_uri -noout)
|
||||
[[ $? = 0 ]] && [[ -n "$OCSP_URI" ]] || exit 1
|
||||
|
||||
# get OCSP response from OCSP responder
|
||||
OCSP_TMP="$OCSP_DER.$$"
|
||||
OCSP_RESP=$(openssl ocsp -issuer "$CHAIN_PEM" -cert "$CERT_PEM" -respout "$OCSP_TMP" -noverify -no_nonce -url "$OCSP_URI")
|
||||
[[ $? = 0 ]] || errexit
|
||||
|
||||
# parse OCSP response from OCSP responder
|
||||
#
|
||||
#$CERT_PEM: good
|
||||
# This Update: Jun 5 21:00:00 2020 GMT
|
||||
# Next Update: Jun 12 21:00:00 2020 GMT
|
||||
|
||||
ocsp_status="$(printf %s "$OCSP_RESP" | head -1)"
|
||||
[[ "$ocsp_status" = "$CERT_PEM: good" ]] || errexit
|
||||
|
||||
next_update="$(printf %s "$OCSP_RESP" | grep 'Next Update:')"
|
||||
next_date="$(printf %s "$next_update" | sed 's/.*Next Update: //')"
|
||||
[[ -n "$next_date" ]] || errexit
|
||||
ocsp_expire=$(date -d "$next_date" +%s)
|
||||
|
||||
# validate OCSP response
|
||||
ocsp_verify=$(openssl ocsp -issuer "$CHAIN_PEM" -cert "$CERT_PEM" -respin "$OCSP_TMP" -no_nonce -out /dev/null 2>&1)
|
||||
[[ "$ocsp_verify" = "Response verify OK" ]] || errexit
|
||||
|
||||
# rename and update symlink to install OCSP response to be used in OCSP stapling
|
||||
OCSP_OUT="$OCSP_DER.$ocsp_expire"
|
||||
mv "$OCSP_TMP" "$OCSP_OUT" || errexit
|
||||
OCSP_TMP=""
|
||||
ln -sf "${OCSP_OUT##*/}" "$OCSP_DER" || errexit
|
||||
|
||||
# debug: display text output of OCSP .der file
|
||||
#openssl ocsp -respin "$OCSP_DER" -resp_text -noverify
|
||||
|
||||
# remove old OCSP responses which have expired
|
||||
now=$(date +%s)
|
||||
for i in "$OCSP_DER".*; do
|
||||
ts="${i#${OCSP_DER}.}"
|
||||
if [[ -n "$ts" ]] && [[ "$ts" -lt "$now" ]]; then
|
||||
rm -f "$i"
|
||||
fi
|
||||
done
|
||||
Loading…
Reference in New Issue