search

debops / ansible-pki

Bootstrap and manage internal PKI, Certificate Authorities and OpenSSL/GnuTLS certificates
GNU General Public License v3.0
65 stars 29 forks source link

LetsEncrypt add/remove domain to cert #72

Open Polichronucci opened 8 years ago

Polichronucci commented 8 years ago

The pki-realm script support renewal of scripts that are about to expire, but if I modify the configuration of a certificate it wont update the certificate. Right now only deletion of the whole realm directory works.

A check like the following could do the check and then remove the keys like the pki-realm script already does upon cert expiration.

cur_san=$(openssl x509 -in public/cert.pem -noout -text |awk '/X509v3 Subject Alternative Name:/{ P=1; next } /X509v3 Certificate Policies:/ {exit} P' | sed 's/ //g' |tr ',' '\n' |sed 's/DNS://' |sort) 
new_san=$(grep 'DNS.' acme/openssl.conf |cut -d= -f2 |sed 's/ //g' |sort)
diff $cur_san $new_san
drybjed commented 8 years ago

Thanks! I'll check it out and try to imlement automatic update of the domains, for all authorities if possible. This should be very useful. :)