#!/usr/bin/env bash
# conduit-certs.sh
# Manage TLS certificates for QP Conduit services.
#
# Usage:
#   conduit-certs.sh                 List all certificates
#   conduit-certs.sh --rotate=hub    Reissue certificate for hub
#   conduit-certs.sh --inspect=hub   Show certificate details
#   conduit-certs.sh --trust         Install CA in system trust store
#
# Copyright 2026 Quantum Pipes Technologies, LLC
# SPDX-License-Identifier: Apache-2.0
set -euo pipefail

# Directory this script lives in, resolved so the shared library can be
# sourced no matter what the caller's working directory is.
SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
# conduit-preflight.sh presumably provides the log_*, validate_service_name,
# tls_*, route_* and audit_log helpers used below — confirm against that file.
# shellcheck disable=SC1091
source "${SCRIPT_DIR}/conduit-preflight.sh"
# ---------------------------------------------------------------------------
# Usage
# ---------------------------------------------------------------------------
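#######################################
# Print the command synopsis and exit.
# Arguments: $1 - exit status to use (optional, default 0)
# Outputs:   help text to stdout
# Returns:   never returns; exits with $1 (or 0)
#######################################
usage() {
  # The option forms below match the argument parser, which takes the
  # service name as --rotate=NAME / --inspect=NAME.
  # Quoted delimiter: the text contains no expansions and is printed literally.
  cat <<'EOF'
Usage: conduit-certs.sh [OPTIONS]
Manage TLS certificates for registered services.
Options:
  --rotate=NAME    Revoke and reissue certificate for a service
  --inspect=NAME   Show detailed certificate information
  --trust          Install the internal CA in the system trust store
  -h, --help       Show this help
With no options, lists all certificates and their expiry dates.
EOF
  exit "${1:-0}"
}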
# ---------------------------------------------------------------------------
# Parse arguments
# ---------------------------------------------------------------------------
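# ACTION selects the arm of the dispatch below; TARGET_NAME is the service a
# --rotate/--inspect applies to and is validated by validate_service_name
# before it is used.
ACTION="list"
TARGET_NAME=""
while (( $# > 0 )); do
  case "$1" in
    --rotate=*)  ACTION="rotate";  TARGET_NAME="${1#*=}" ;;
    --inspect=*) ACTION="inspect"; TARGET_NAME="${1#*=}" ;;
    --rotate|--inspect)
      # Space-separated form (the one shown in the file header and help
      # text): the value is the next argument. With no following argument
      # TARGET_NAME stays empty and the action arm reports that a service
      # name is required.
      ACTION="${1#--}"
      if (( $# >= 2 )); then
        TARGET_NAME="$2"
        shift
      fi
      ;;
    --trust) ACTION="trust" ;;
    --help|-h) usage ;;
    *)
      log_error "Unknown option: $1"
      # usage() exits 0 unconditionally; run it in a subshell so the help
      # text is still printed (to stderr) while this path exits non-zero,
      # so callers can tell a rejected option from a successful run.
      (usage) >&2
      exit 2
      ;;
  esac
  shift
done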
# ---------------------------------------------------------------------------
# Actions
# ---------------------------------------------------------------------------
#######################################
# List every certificate with its expiry (delegates to tls_list_certs).
# Outputs: banner plus tls_list_certs output on stdout
#######################################
cmd_list() {
  echo ""
  echo "=== TLS Certificates ==="
  echo ""
  tls_list_certs
  echo ""
}

#######################################
# Revoke and reissue a service certificate, then regenerate and reload routes.
# Arguments: $1 - service name
# Returns:   exits 1 when no name was given; other failures propagate via set -e
#######################################
cmd_rotate() {
  local name="$1"
  if [[ -z "$name" ]]; then
    log_error "Service name required for --rotate"
    exit 1
  fi
  validate_service_name "$name"
  echo ""
  log_info "Rotating certificate for: $name"
  # Revocation precedes issuance; under set -e a failing tls_issue_cert
  # therefore leaves the service without a valid certificate until re-run.
  tls_revoke_cert "$name"
  tls_issue_cert "$name"
  # Rebuild routes so the proxy picks up the new cert; a reload failure is
  # only a warning because Caddy may simply not be running yet.
  route_generate_caddyfile
  route_reload 2>/dev/null || log_warn "Caddy not running. Restart to use new certificate."
  # NOTE(review): the JSON detail is built by string interpolation; this
  # relies on validate_service_name rejecting quotes and backslashes —
  # confirm in conduit-preflight.sh.
  audit_log "cert_rotate" "success" \
    "Certificate rotated for service: ${name}" \
    "{\"name\":\"${name}\"}"
  log_success "Certificate rotated for '$name'"
  echo ""
}

#######################################
# Print the X.509 details of a service certificate with openssl.
# Globals:   CONDUIT_CERTS_DIR (read; optional override of the cert root)
# Arguments: $1 - service name
# Returns:   exits 1 when no name was given or <certs>/<name>/cert.pem is missing
#######################################
cmd_inspect() {
  local name="$1"
  local certs_dir cert_file
  if [[ -z "$name" ]]; then
    log_error "Service name required for --inspect"
    exit 1
  fi
  validate_service_name "$name"
  # Assigned separately from 'local' so a failing ensure_config_dir is not
  # masked by the declaration's own exit status.
  certs_dir="${CONDUIT_CERTS_DIR:-$(ensure_config_dir)/certs}"
  cert_file="${certs_dir}/${name}/cert.pem"
  if [[ ! -f "$cert_file" ]]; then
    log_error "No certificate found for service '$name'"
    exit 1
  fi
  echo ""
  echo "=== Certificate: $name ==="
  echo ""
  openssl x509 -in "$cert_file" -text -noout
  echo ""
}

#######################################
# Install the internal CA into the system trust store (delegates to
# tls_trust_ca).
# NOTE(review): writing to the system store usually needs elevated
# privileges; whether tls_trust_ca handles that is not visible from this file.
#######################################
cmd_trust() {
  echo ""
  log_info "Installing internal CA into system trust store..."
  tls_trust_ca
  echo ""
}

# Dispatch on the action chosen during argument parsing.
case "$ACTION" in
  list)    cmd_list ;;
  rotate)  cmd_rotate "$TARGET_NAME" ;;
  inspect) cmd_inspect "$TARGET_NAME" ;;
  trust)   cmd_trust ;;
esac