From b4ae4b14c2d01f61d61408308475c3885d050112 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 9 Dec 2015 01:05:21 +0100
Subject: wibble

---
 letsencrypt | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)

diff --git a/letsencrypt b/letsencrypt
index 593ab8f..3486265 100755
--- a/letsencrypt
+++ b/letsencrypt
@@ -53,8 +53,10 @@ usage() {
 		$NAME new-cert ACCOUNTKEY --output=CERT --csr=FILE
 		$NAME new-cert ACCOUNTKEY --output=CERT --key=FILE [--hash=ALGO] [--subject=STRING] [--san=STRING] [--keyusage=STRING]
 		  Request a new Certificate Issuance.  The Certificate Signing Request can be supplied directly, or
-		  generated from the server key.
+		  generated from the server key using options --hash, --subject, --san and --keyusage.
 
+		    --min-age=SECONDS Skip the issuance if the certificate specified by --output exists and its
+		                      expiration date is more than SECONDS ahead.
 		    --csr=FILE        Certificate Signing Request to send (alternatively, use --key to generate it)
 		    --key=FILE        Server private key (use --genkey to generate it)
 		    --hash=DGST       Message digest to sign the CSR with (in PEM format)
@@ -62,11 +64,9 @@ usage() {
 		    --san=STRING      Comma-separated list of Subject Alternative Names formatted as "type:value"
 		    --keyusage=STRING Comma-separated list of Key Usages, see x509v3_config(5ssl)
 		                      (default: "digitalSignature,keyEncipherment,keyCertSign")
+		    --output=FILE     Where to store the issued (signed) X.509 certificate
 		    --chain[=FILE]    Store the server certificate along with its intermediate CA in FILE; if FILE is
 		                      empty or omitted, use the file specified with --output
-		    --min-age=SECONDS Don't do anything if the certificate specified by --output exists and its expiration
-		                      is more than SECONDS ahead.
-		    --output=FILE     Where to store the issued (signed) X.509 certificate
 		    --notify=COMMAND  Command to run upon success.  (This option can be repeated.)
 
 		$NAME revoke-cert {ACCOUNTKEY|SVRKEY} FILE [FILE ..]
@@ -278,10 +278,9 @@ while read data; do
     echo -n "$data" | openssl dgst -sha256 -sign "$ACCOUNTKEY" -hex | sed 's/.*=\s*//'
 done >"$pipe"
 
-if [ "$COMMAND" = 'new-cert' ]; then
-    # https://crt.sh/?q=mail.fripost.org&iCAID=7395
-    # https://crt.sh/?spkisha1=$sha1
-
+if [ "$COMMAND" != 'new-cert' ]; then
+    [ "$QUIET" ] || echo OK
+else
     # Ensure the cert's pubkey matches that of the CSR, and that it's signed by the intended CA
     if [ ! -s "$x509" ] ||
          ! diff <(openssl req  -in "$CSR"  -pubkey -noout) \
@@ -317,7 +316,4 @@ if [ "$COMMAND" = 'new-cert' ]; then
     for (( i=0; i<${#NOTIFY[@]}; i++ )); do
         ${NOTIFY[$i]}
     done
-
-else
-    [ "$QUIET" ] || echo OK
 fi
-- 
cgit v1.2.3