From: Markus Germeier
Date: Sun, 6 Dec 2015 15:27:15 +0000 (+0100)
Subject: generate a new private key for each csr if the user wishes so
X-Git-Url: https://git.street.me.uk/andy/dehydrated.git/commitdiff_plain/3dbbb461f196d4e98c49962dc6c9bb6669465f95?hp=-c

generate a new private key for each csr if the user wishes so
---
3dbbb461f196d4e98c49962dc6c9bb6669465f95
diff --git a/config.sh.example b/config.sh.example
index 2ad949b..11b6033 100644
--- a/config.sh.example
+++ b/config.sh.example
@@ -11,3 +11,6 @@
 
 # try to renew certs that are within RENEW_DAYS days of there expire date
 #RENEW_DAYS="14"
+
+# create new private key for each csr (yes|no)
+#PRIVATE_KEY_RENEW=no
diff --git a/letsencrypt.sh b/letsencrypt.sh
index ca5a6b1..cc000d1 100755
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -11,6 +11,7 @@ HOOK_CHALLENGE=
 RENEW_DAYS="14"
 KEYSIZE="4096"
 WELLKNOWN=".acme-challenges"
+PRIVATE_KEY_RENEW=no
 
 if [[ -e "config.sh" ]]; then
   . ./config.sh
@@ -97,11 +98,19 @@ sign_domain() {
   altnames="${*}"
   echo "Signing domain ${1} (${*})..."
 
-  # If there is no existing certificate directory we need a new private key
+  # If there is no existing certificate directory => make it
   if [[ ! -e "certs/${domain}" ]]; then
+    echo " + make directory certs/${domain} ..."
     mkdir -p "certs/${domain}"
+  fi
+
+  # generate a new private key if we need or want one
+  if [[ ! -f "certs/${domain}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then
     echo " + Generating private key..."
-    openssl genrsa -out "certs/${domain}/privkey.pem" "${KEYSIZE}" 2> /dev/null > /dev/null
+    timestamp="$(date +%s)"
+    openssl genrsa -out "certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}" 2> /dev/null > /dev/null
+    rm -f "certs/${domain}/privkey.pem"
+    ln -s "privkey-${timestamp}.pem" "certs/${domain}/privkey.pem"
   fi
 
   # Generate signing request config and the actual signing request
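Review bot: The `rm -f` / `ln -s` pair in the sign_domain hunk runs unconditionally after `openssl genrsa`, whose diagnostics are discarded by the `2> /dev/null` redirect, so if key generation fails (unless the script header outside this hunk enables `set -e`) the existing privkey.pem is deleted and replaced by a symlink to a file that does not exist; check the new file before swapping, e.g. `[[ -s "certs/${domain}/privkey-${timestamp}.pem" ]] || { echo "Private key generation failed" >&2; exit 1; }` between the `openssl` and `rm -f` lines. The superseded `privkey-<timestamp>.pem` files stay on disk indefinitely after rotation, so the new config comment should state that rotation does not remove old keys and that the operator is responsible for purging them. The mode of the new key file is whatever the running umask (and OpenSSL version) produces, so consider `umask 077` before `openssl genrsa` or a `chmod 600` on the new file right after it. sign_domain's body continues outside the hunk.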