| author | Guilhem Moulin <guilhem@fripost.org> | 2015-12-09 01:05:21 +0100 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-12-09 01:18:57 +0100 | 
| commit | b4ae4b14c2d01f61d61408308475c3885d050112 (patch) | |
| tree | 56a83b9d68f4439a60c80b020e58187d295bc4ab /letsencrypt | |
| parent | 73a9239019b7dd3ace938f9bd4766cf0dabec6fd (diff) | |
wibble
Diffstat (limited to 'letsencrypt')
| -rwxr-xr-x | letsencrypt | 18 | 
1 files changed, 7 insertions, 11 deletions
|
diff --git a/letsencrypt b/letsencrypt
index 593ab8f..3486265 100755
--- a/letsencrypt
+++ b/letsencrypt
@@ -53,8 +53,10 @@ usage() {
 		$NAME new-cert ACCOUNTKEY --output=CERT --csr=FILE
 		$NAME new-cert ACCOUNTKEY --output=CERT --key=FILE [--hash=ALGO] [--subject=STRING] [--san=STRING] [--keyusage=STRING]
 		  Request a new Certificate Issuance.  The Certificate Signing Request can be supplied directly, or
-		  generated from the server key.
+		  generated from the server key using options --hash, --subject, --san and --keyusage.
+		    --min-age=SECONDS Skip the issuance if the certificate specified by --output exists and its
+		                      expiration date is more than SECONDS ahead.
 		    --csr=FILE        Certificate Signing Request to send (alternatively, use --key to generate it)
 		    --key=FILE        Server private key (use --genkey to generate it)
 		    --hash=DGST       Message digest to sign the CSR with (in PEM format)
@@ -62,11 +64,9 @@ usage() {
 		    --san=STRING      Comma-separated list of Subject Alternative Names formatted as "type:value"
 		    --keyusage=STRING Comma-separated list of Key Usages, see x509v3_config(5ssl)
 		                      (default: "digitalSignature,keyEncipherment,keyCertSign")
+		    --output=FILE     Where to store the issued (signed) X.509 certificate
 		    --chain[=FILE]    Store the server certificate along with its intermediate CA in FILE; if FILE is
 		                      empty or omitted, use the file specified with --output
-		    --min-age=SECONDS Don't do anything if the certificate specified by --output exists and its expiration
-		                      is more than SECONDS ahead.
-		    --output=FILE     Where to store the issued (signed) X.509 certificate
 		    --notify=COMMAND  Command to run upon success.  (This option can be repeated.)
 		$NAME revoke-cert {ACCOUNTKEY|SVRKEY} FILE [FILE ..]
 
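Review bot: The new `--min-age` description on the added lines says the issuance is skipped but not what a caller observes when that happens: the exit status, and whether the `--notify` commands still run. For a cron-driven renewal that distinction is what separates "nothing to do" from a renewal that silently never happened, so the help text should state it, for example `(exits 0 without contacting the CA; --notify commands are not run)`, once the implementation, which is outside this hunk, confirms which of the two it is. I would also keep the wording parallel with the other options, which describe the option's effect rather than a condition under which the script does nothing.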
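Review bot: The `--keyusage` default kept as context in this hunk, `digitalSignature,keyEncipherment,keyCertSign`, requests `keyCertSign` for what the surrounding text calls the server certificate; RFC 5280 ties that bit to certificates that sign other certificates, and a CA will normally replace the requested key usage with its own profile or reject the CSR, so the default is at best ignored and at worst a cause of rejection. I would change the help line to `(default: "digitalSignature,keyEncipherment")` and apply the same change wherever the script sets that default, which is not visible in this diff. Moving `--output=FILE` next to `--chain` reads fine.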
@@ -278,10 +278,9 @@ while read data; do
     echo -n "$data" | openssl dgst -sha256 -sign "$ACCOUNTKEY" -hex | sed 's/.*=\s*//'
 done >"$pipe"
-if [ "$COMMAND" = 'new-cert' ]; then
-    # https://crt.sh/?q=mail.fripost.org&iCAID=7395
-    # https://crt.sh/?spkisha1=$sha1
-
+if [ "$COMMAND" != 'new-cert' ]; then
+    [ "$QUIET" ] || echo OK
+else
     # Ensure the cert's pubkey matches that of the CSR, and that it's signed by the intended CA
     if [ ! -s "$x509" ] ||
          ! diff <(openssl req  -in "$CSR"  -pubkey -noout) \
@@ -317,7 +316,4 @@ if [ "$COMMAND" = 'new-cert' ]; then
     for (( i=0; i<${#NOTIFY[@]}; i++ )); do
         ${NOTIFY[$i]}
     done
-
-else
-    [ "$QUIET" ] || echo OK
 fi
|
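Review bot: Inverting the test to `[ "$COMMAND" != 'new-cert' ]` on the added line puts the two-line non-new-cert path first but leaves the entire certificate verification and `--notify` sequence, which continues well past this hunk, as the `else` branch of a negated condition, and that is harder to follow than a guard clause. If nothing follows the closing `fi` at the end of the third hunk — it looks like the end of the script, but the rest of the file is not visible here — the same behavior reads better as an early exit: keep `[ "$QUIET" ] || echo OK`, add `exit 0`, close with `fi`, and dedent the new-cert block one level. The verification `if [ ! -s "$x509" ] || ! diff ...` starts in this hunk and ends outside it, so its failure handling could not be reviewed from this page.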
