-rw-r--r-- | rpkid.without_tls/rpki/myrpki.py | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/rpkid.without_tls/rpki/myrpki.py b/rpkid.without_tls/rpki/myrpki.py index f4fd8218..bdbdbbe9 100644 --- a/rpkid.without_tls/rpki/myrpki.py +++ b/rpkid.without_tls/rpki/myrpki.py @@ -1023,6 +1023,48 @@ class main(rpki.cli.Cmd): etree_write(e, repo_file_name, msg = 'This is the "repository offer" file for you to use if you want to publish in your own repository') + + def do_update_bpki(self, arg): + """ + Update BPKI certificates. Assumes an existing RPKI installation. + + Basic plan here is to reissue all BPKI certificates we can, right + now. In the long run we might want to be more clever about only + touching ones that need maintenance, but this will do for a start. + + Most likely this should be run under cron. + """ + + if self.bpki_servers: + bpkis = (self.bpki_resources, self.bpki_servers) + else: + bpkis = (self.bpki_resources,) + + for bpki in bpkis: + for cer in glob.iglob("%s/*.cer" % bpki.dir): + key = cer[0:-4] + ".key" + req = cer[0:-4] + ".req" + if os.path.exists(key): + print "Regenerating BPKI PKCS #10", req + bpki.run_openssl("x509", "-x509toreq", "-in", cer, "-out", req, "-signkey", key) + print "Clearing BPKI certificate", cer + os.unlink(cer) + if cer == bpki.cer: + assert req == bpki.req + print "Regenerating certificate", cer + bpki.run_ca("-selfsign", "-extensions", "ca_x509_ext_ca", "-in", req, "-out", cer) + + print "Regenerating CRLs" + for bpki in bpkis: + bpki.run_ca("-gencrl", "-out", bpki.crl) + + self.do_initialize(None) + if self.run_rpkid or self.run_pubd or self.run_rootd: + self.do_configure_daemons(arg) + else: + self.do_configure_resources(None) + + def do_configure_child(self, arg): """ Configure a new child of this RPKI entity, given the child's XML |
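Review bot: In `do_update_bpki`, `os.unlink(cer)` removes each certificate before its replacement exists and without confirming that the `-x509toreq` step actually produced `req`, so a failure part-way through an unattended cron run can leave the BPKI with no usable certificate. Whether `run_openssl` and `run_ca` raise on a non-zero exit is not visible in this hunk; if they do not, guard the delete with `if not os.path.exists(req): raise RuntimeError("BPKI request not regenerated: " + req)`, and have the self-signed CA certificate written to a temporary name and renamed over `cer`. The `assert req == bpki.req` check disappears under `python -O`, so it should be an explicit `if req != bpki.req: raise ...`. The docstring should also state that every certificate is reissued from the existing private key (`-signkey key`), so this command renews certificates but does not rotate keys.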