#! /usr/bin/env tclsh set dir [file normalize [file dirname [info script]]] lappend auto_path [file join $dir ..] package require pki 0.10 proc loadCertData {directory} { foreach certFile [glob -nocomplain -directory $directory *.crt] { set rootFile [file rootname $certFile] set id [file tail $rootFile] set keyFile "${rootFile}.key" set keyPassFile "${rootFile}.key.password" if {![file readable $certFile] || ![file readable $keyFile]} { continue } set password "" if {[file exists $keyPassFile]} { set fd [open $keyPassFile r] set password [gets $fd] close $fd } set fd [open $certFile] set cert [dict get [::pki::parse [read $fd]] certificate] close $fd set fd [open $keyFile] set cert [dict merge $cert [::pki::pkcs::parse_key [read $fd] $password]] close $fd dict set toProcess $id [dict create certFile $certFile data $cert] } return $toProcess } proc updateCerts {caCert certs} { foreach {id cert} $certs { set certFile [dict get $cert certFile] set cert [dict get $cert data] set validStart [clock seconds] set extensions [dict get $cert extensions] if {$id eq "ca"} { set oldSerialNumber [dict get $cert serial_number] set isCA true set validEnd [clock add $validStart 10 years] set serialNumber [expr {$oldSerialNumber + 1}] } else { set isCA false set validEnd [clock add $validStart 9 years] set serialNumber [clock microseconds] } # pki 0.10 didnt support these dict unset extensions id-ce-authorityKeyIdentifier dict unset extensions id-ce-subjectKeyIdentifier dict unset extensions 2.5.29.37 set newCert [::pki::x509::create_cert $cert $caCert $serialNumber $validStart $validEnd $isCA $extensions 1 sha256] set fd [open $certFile w] puts $fd [string trimright $newCert "\n"] close $fd } } set certInfo [loadCertData $dir] set caCert [dict get $certInfo ca data] updateCerts $caCert $certInfo