Add ability to keep private Root CA key offline (#53)

When generating a new Root CA certificate, show the key in the GUI and ask the user to store it offline. When importing an existing CA make the root key optional. When the private key is needed but we don't have it, ask the user to provide it. You can now also create a CSR for the Issuer CA that can be signed by the offline Root CA.
hakwerk · Jun 8, 2023 · 9f77d1a · 9f77d1a
1 parent 7b13c6e
commit 9f77d1a
Show file tree

Hide file tree

Showing 6 changed files with 597 additions and 74 deletions.
diff --git a/gui/apply b/gui/apply
@@ -12,7 +12,11 @@ cd /opt/wwwstatic
 
 $baseDir/apply-nginx
 
-cp $PKI_ROOT_CERT_BASE.crl crl/
+if [ -e "$PKI_ROOT_CERT_BASE.crl" ]; then
+    cp $PKI_ROOT_CERT_BASE.crl crl/
+else
+    echo "WARNING: no Root CRL file present - please upload one from the manage page"
+fi
 cp $PKI_ROOT_CERT_BASE.pem certs/
 cp $PKI_ROOT_CERT_BASE.der certs/
 cp $PKI_INT_CERT_BASE.pem certs/

diff --git a/gui/apply-boulder b/gui/apply-boulder
@@ -191,13 +191,15 @@ fi
 if [ -e $PKI_ROOT_CERT_BASE.key ]; then
     cp -p $PKI_ROOT_CERT_BASE.key test-root.key
     cp -p $PKI_ROOT_CERT_BASE.key.der test-root.key.der
-    cp -p $PKI_ROOT_CERT_BASE.pem test-root.pem
     openssl rsa -in $PKI_ROOT_CERT_BASE.key -pubout > test-root.pubkey.pem 2>/dev/null || openssl ec -in $PKI_ROOT_CERT_BASE.key -pubout > test-root.pubkey.pem
     openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in test-root.key -out test-root.p8
 fi
+if [ -e $PKI_ROOT_CERT_BASE.pem ]; then
+    cp -p $PKI_ROOT_CERT_BASE.pem test-root.pem
+fi
 
 chown -R `ls -l PKI.md | cut -d" " -f 3,4 | sed 's/ /:/g'` .
 
-if [ -e $PKI_INT_CERT_BASE.key ] && [ -e $PKI_ROOT_CERT_BASE.key ]; then
+if [ -e $PKI_INT_CERT_BASE.key ] && [ -e $PKI_ROOT_CERT_BASE.pem ]; then
     [ -f setup_complete ] || touch setup_complete
 fi