Added ca-list-certs functionality, still more to do to add expiration checks
This commit is contained in:
parent
737089ff6f
commit
968461678d
2 changed files with 71 additions and 0 deletions
50
bin/ca-list-certs
Executable file
50
bin/ca-list-certs
Executable file
|
|
@ -0,0 +1,50 @@
|
|||
#!/bin/bash
|
||||
|
||||
source $(dirname $(dirname $0))/../lib/ca-functions
|
||||
|
||||
usage() {
|
||||
cat <<__EOT__
|
||||
Usage: $PROGNAME [options] <common name>|<path to certificate>
|
||||
|
||||
Options:
|
||||
-h, --help Print this helpful message!
|
||||
-f, --config FILE Use config file instead of $CONFFILE
|
||||
-t, --type TYPE Certificate type: "server" (default), "client" or "user"
|
||||
-e, --expiring Show certificates that are expiring within 90 days
|
||||
|
||||
__EOT__
|
||||
}
|
||||
|
||||
short="hf:e"
|
||||
long="help,config:,expiring"
|
||||
opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
|
||||
if [ 0 -ne $? ]; then echo; usage; exit 1; fi
|
||||
eval set -- "$opts";
|
||||
|
||||
while :; do
|
||||
case "$1" in
|
||||
-h|--help) usage; exit 0;;
|
||||
-f|--config) shift; CONFFILE="$1"; CONFFILECLI=1; shift;;
|
||||
-e|--expiring) shift; USER_EXPIRE="1"; shift;;
|
||||
--) shift; break;;
|
||||
*) echo "Unknown value '$1'"; exit 1;;
|
||||
esac
|
||||
done
|
||||
|
||||
# load up the configuration file
|
||||
ca_load_conf
|
||||
|
||||
for group in ca server client user; do
|
||||
case $group in
|
||||
ca) echo "Certificate Authorities:";;
|
||||
server) echo; echo "Server Certificates:";;
|
||||
client) echo; echo "Client Certificates:";;
|
||||
user) echo; echo "User Certificates:";;
|
||||
esac
|
||||
|
||||
while read certFile; do
|
||||
#echo "File: $certFile"
|
||||
cert_info "$certFile"
|
||||
done < <(find "$CA_HOME/crt/" -type f -name "*.${group}.crt")
|
||||
done
|
||||
|
||||
|
|
@ -268,3 +268,24 @@ ca_find_cnf() {
|
|||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
cert_info() {
|
||||
local certFile="$1"
|
||||
local certCN certIssuer certValid certExpire certCA certFilename
|
||||
|
||||
if [ -r "$certFile" ]; then
|
||||
certFilename=$(basename "$certFile")
|
||||
certCN="$(openssl x509 -in "$certFile" -noout -subject | sed -r 's|.*CN=(.*)|\1|; s|/[^/]*=.*$||')"
|
||||
certIssuer="$(openssl x509 -in "$certFile" -noout -issuer | sed -r 's|.*CN=(.*)|\1|; s|/[^/]*=.*$||')"
|
||||
certValid="$(openssl x509 -in "$certFile" -noout -startdate | sed -r 's|.*notBefore=(.*)|\1|;')"
|
||||
certExpire="$(openssl x509 -in "$certFile" -noout -enddate | sed -r 's|.*notAfter=(.*)$|\1|;')"
|
||||
if [ "$certCN" = "$certIssuer" ]; then
|
||||
echo "$certFilename: $certCN expires on $certExpire"
|
||||
else
|
||||
echo "$certFilename: $certCN issued by $certIssuer expires on $certExpire"
|
||||
fi
|
||||
else
|
||||
echo "ERROR: $certFile does not exist or cannot be read"
|
||||
fi
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue