generate a new private key for each csr if the user wishes so
authorMarkus Germeier <markus@germeier.com>
Sun, 6 Dec 2015 15:27:15 +0000 (16:27 +0100)
committerMarkus Germeier <markus@germeier.com>
Sun, 6 Dec 2015 15:27:15 +0000 (16:27 +0100)
config.sh.example
letsencrypt.sh

index 2ad949b45fca946ee9f6aebf88f596d7345cff7a..11b6033ba84bf57ce032b24065601c44ad61e227 100644 (file)
@@ -11,3 +11,6 @@
 
 # try to renew certs that are within RENEW_DAYS days of there expire date
 #RENEW_DAYS="14"
+
+# create new private key for each csr (yes|no)
+#PRIVATE_KEY_RENEW=no
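Review bot: The new option's comment says `(yes|no)` but gives no hint of the tradeoff: with the default the same `certs/<domain>/privkey.pem` is reused for every renewal of the domain, and only the literal value `yes` makes the script generate a fresh key. A fuller comment such as `# generate a fresh private key for every signing/renewal instead of reusing certs/<domain>/privkey.pem (only "yes" enables this)` would let an operator make an informed choice about key rotation.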
index ca5a6b19df87257a5b936148afd73bd5c09d53b9..cc000d15f87b4033c007547dc67b2b22155a720f 100755 (executable)
@@ -11,6 +11,7 @@ HOOK_CHALLENGE=
 RENEW_DAYS="14"
 KEYSIZE="4096"
 WELLKNOWN=".acme-challenges"
+PRIVATE_KEY_RENEW=no
 
 if [[ -e "config.sh" ]]; then
   . ./config.sh
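Review bot: The new default `PRIVATE_KEY_RENEW=no` is the only unquoted value among the adjacent defaults (`RENEW_DAYS="14"`, `KEYSIZE="4096"`, `WELLKNOWN=".acme-challenges"`); for consistency write `PRIVATE_KEY_RENEW="no"`. Since the later check compares the value against the literal `yes`, any other spelling silently keeps the existing key — a comment here such as `# any value other than "yes" reuses the existing private key` would make that explicit to anyone editing the defaults.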
@@ -97,11 +98,19 @@ sign_domain() {
   altnames="${*}"
   echo "Signing domain ${1} (${*})..."
 
-  # If there is no existing certificate directory we need a new private key
+  # If there is no existing certificate directory => make it
   if [[ ! -e "certs/${domain}" ]]; then
+    echo "  + make directory certs/${domain} ..."
     mkdir -p "certs/${domain}"
+  fi
+
+  # generate a new private key if we need or want one
+  if [[ ! -f "certs/${domain}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then
     echo "  + Generating private key..."
-    openssl genrsa -out "certs/${domain}/privkey.pem" "${KEYSIZE}" 2> /dev/null > /dev/null
+    timestamp="$(date +%s)"
+    openssl genrsa -out "certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}" 2> /dev/null > /dev/null
+    rm -f "certs/${domain}/privkey.pem"
+    ln -s "privkey-${timestamp}.pem" "certs/${domain}/privkey.pem"
   fi
 
   # Generate signing request config and the actual signing request
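Review bot: On the new lines a failed `openssl genrsa` (both its streams go to /dev/null, so nothing is reported) is followed unconditionally by `rm -f` of the existing `privkey.pem` and a symlink to a key file that may be missing or empty — so a generation failure during a `PRIVATE_KEY_RENEW=yes` run now destroys the working key instead of leaving it in place, unless the script runs under `set -e` in a header outside this hunk. The timestamped key file is also created with whatever mode the process umask yields; if nothing earlier in the script restricts that, running the generation in a subshell with `umask 077` keeps the new key unreadable to other local users. Old `privkey-<ts>.pem` files stay on disk after every rotation, which is presumably intended for rollback but deserves a comment at the top of the block, since an operator rotating keys to limit exposure may expect them to be gone. The `return 1` below assumes the caller checks `sign_domain`'s status; use `exit 1` if it does not. The rest of `sign_domain` continues outside the hunk.
```shell
    timestamp="$(date +%s)"
    # Fail closed: never drop the existing key unless the new one was written.
    # The subshell limits the restrictive umask to the key generation step.
    if ! (umask 077; openssl genrsa -out "certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}" 2> /dev/null > /dev/null); then
      echo "  + ERROR: private key generation failed, keeping existing key" >&2
      rm -f "certs/${domain}/privkey-${timestamp}.pem"
      return 1
    fi
    rm -f "certs/${domain}/privkey.pem"
    ln -s "privkey-${timestamp}.pem" "certs/${domain}/privkey.pem"
```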