#! /usr/bin/tclsh
### -*-tcl-*-
###
### Generate a new root key
###
### (c) 2022 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software: you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or (at
### your option) any later version.
###
### This program is distributed in the hope that it will be useful, but
### WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
### General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program.  If not, write to the Free Software
### Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
### USA.

## Find the common utilities.
source [file join [file dirname $argv0] "../lib/func.tcl"]

## Open the database
sqlite3 db "$CERTROOT/state/ca.db"
db nullvalue nil
cd "$CERTROOT"

## Refresh the database's idea of request profiles.
sync-profiles

## Rename the old CA key so we don't lose it.
set i 0
while {[file exists private/ca-$i.key]} { set i [expr {$i + 1}] }
file rename private/ca.key private/ca-$i.key
file rename ca.cert ca-$i.cert

## Make a new key.
generate-root-key

## Generate new certificates for all of the live requests.
set now [now]
foreach id [db eval { SELECT id FROM request WHERE st = 'active' }] {
  issue-cert $id $now
}

## Update OpenSSL's database of things.
exec openssl ca -config "etc/openssl.conf" -updatedb 2>@1

## Generate a CRL.
exec openssl ca -config "etc/openssl.conf" -gencrl | \
    openssl crl -text -out "crl" 2>@1

## Call the user hook.
update-hook

###----- That's all, folks --------------------------------------------------