Update: replace hash symlink with CA bundle for certificate verification

This commit is contained in:
2026-04-24 23:25:44 +02:00
parent c29537c9e6
commit c043410436
4 changed files with 39 additions and 48 deletions


@@ -22,19 +22,19 @@
# These functions require Bash and OpenSSL to be installed on the system.
function make_hash_link() {
local CERT_PATH="$1"
if [[ ! -f "$CERT_PATH" ]]; then
echo "ERROR: Certificate file $CERT_PATH does not exist." >&2
return 1
function _rebuild_ca_bundle() {
local CA_DIR="$1"
local BUNDLE="$CA_DIR/ca_bundle.pem"
: > "$BUNDLE"
if [[ -f "$CA_DIR/ca_cert.pem" ]]; then
cat "$CA_DIR/ca_cert.pem" >> "$BUNDLE"
fi
local CERT_DIR="$(dirname "$CERT_PATH")"
local HASH="$(openssl x509 -in "$CERT_PATH" -noout -hash 2>/dev/null)"
if [[ -z "$HASH" ]]; then
echo "ERROR: Failed to calculate hash for certificate $CERT_PATH." >&2
return 1
fi
ln -sf "$(basename "$CERT_PATH")" "$CERT_DIR/${HASH}.0"
local f
for f in "$CA_DIR"/*_cert.pem; do
[[ -f "$f" ]] || continue
[[ "$(basename "$f")" == "ca_cert.pem" ]] && continue
cat "$f" >> "$BUNDLE"
done
}
function make_ca() {
@@ -129,8 +129,8 @@ function make_ca() {
return 1
fi
# Make a "hash" symlink for the CA certificate to allow OpenSSL to find it when verifying other certificates
make_hash_link "$CA_DIR/$ROOT_CA_CERT"
# Rebuild the CA bundle (root + any issuing CAs) for use with `openssl verify -CAfile`
_rebuild_ca_bundle "$CA_DIR"
if [[ -n "$AIA_BASE_URL" ]]; then
echo "$AIA_BASE_URL" > "$CA_DIR/aia_base_url.txt"
@@ -162,8 +162,8 @@ function make_ca() {
fi
fi
# Make a "hash" symlink for the issuing CA certificate to allow OpenSSL to find it when verifying other certificates
make_hash_link "$CA_DIR/${CA_CERT}"
# Rebuild the CA bundle (root + any issuing CAs) for use with `openssl verify -CAfile`
_rebuild_ca_bundle "$CA_DIR"
if [[ -n "$AIA_BASE_URL" ]]; then
echo "$AIA_BASE_URL" > "$CA_DIR/aia_base_url.txt"