Fix the renewal scripts

templates/client-host-certificate.sh.j2

@@ -23,10 +23,7 @@ fi
 if [ -f "${easy_rsa_issued_dir}/${host_arg}.crt" ] ; then
     echo ""
     echo "A certificate already exists"
-    echo "If you want to renew it, then remove the following files and run che command again:"
-    echo "${easy_rsa_issued_dir}/${host_arg}.crt"
-    echo "${easy_rsa_keys_dir}/${host_arg}.key"
-    echo "${easy_rsa_reqs_dir}/${host_arg}.req"
+    echo "If you want to renew it, then use the command renew-client-host-certificate"
     echo ""
     exit 1
 fi

templates/personal-certificate.sh.j2

@@ -25,10 +25,7 @@ fi
 if [ -f "${easy_rsa_issued_dir}/${name_arg}.crt" ] ; then
     echo ""
     echo "A certificate already exists"
-    echo "If you want to renew it, then remove the following files and run che command again:"
-    echo "${easy_rsa_issued_dir}/${name_arg}.crt"
-    echo "${easy_rsa_keys_dir}/${name_arg}.key"
-    echo "${easy_rsa_reqs_dir}/${name_arg}.req"
+    echo "If you want to renew it, then use the command renew-personal-certificate"
     echo ""
     exit 1
 fi

templates/renew-client-host-certificate.sh.j2

@@ -1,8 +1,10 @@
 #!/bin/bash
 
+_retval=
+
 host_arg=
 if [ $# -ne 1 ] ; then
-    echo "You need to pass just one argument: the full hostname for wich the certificate is required"
+    echo "You need to pass just one argument: the full hostname for wich the certificate renewal is required"
     exit 1
 else
     host_arg="$1"
@@ -11,24 +13,41 @@ fi
 easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
 easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
 easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
+easy_rsa_reqs_dir="${easy_rsa_base_dir}/pki/reqs"
 easy_vars_file="${easy_rsa_base_dir}/vars"
 if [ -f "${easy_vars_file}.tmpl" ] ; then
     echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
     exit 1
 fi
 
+if [ -f "${easy_rsa_issued_dir}/${host_arg}.crt" ] ; then
+    rm -f "${easy_rsa_issued_dir}/${host_arg}.crt"
+    rm -f "${easy_rsa_keys_dir}/${host_arg}.key"
+    rm -f "${easy_rsa_reqs_dir}/${host_arg}.req"
+else
+    echo "No previous certificate exists. This is not a renewal, aborting."
+    exit 1
+fi
+
 echo ""
-echo "Starting the renewal of a client host certificate."
+echo "Starting the creation of the client host certificate."
 echo ""
 
 cd "$easy_rsa_base_dir"
-./easyrsa renew "$host_arg" nopass
+./easyrsa build-client-full "$host_arg" nopass
+retval=$?
 
-echo ""
-echo "Done."
-echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
-echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
-echo ""
-echo "Remember that the key of the host certificates do not passphrase protected"
+if [ $retval -eq 0 ] ; then
+    echo ""
+    echo "Done."
+    echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
+    echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
+    echo ""
+    echo "Remember that the key of the host certificates do not passphrase protected"
+else
+    echo ""
+    echo "Something went wrong, the certificate creation failed"
+    echo ""
+fi
 
 exit 0

templates/renew-personal-certificate.sh.j2

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+_retval=
+
 name_arg=
 email_arg=
 if [ $# -ne 2 ] ; then
@@ -13,14 +15,24 @@ fi
 easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
 easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
 easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
+easy_rsa_reqs_dir="${easy_rsa_base_dir}/pki/reqs"
 easy_vars_file="${easy_rsa_base_dir}/vars"
 if [ -f "${easy_vars_file}.tmpl" ] ; then
     echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
     exit 1
 fi
 
+if [ -f "${easy_rsa_issued_dir}/${name_arg}.crt" ] ; then
+    rm -f "${easy_rsa_issued_dir}/${name_arg}.crt"
+    rm -f "${easy_rsa_keys_dir}/${name_arg}.key"
+    rm -f "${easy_rsa_reqs_dir}/${name_arg}.req"
+else
+    echo "No previous certificate exists. This is not a renewal, aborting."
+    exit 1
+fi
+
 echo ""
-echo "Starting the renewal of a client host certificate."
+echo "Starting the creation of a client host certificate."
 echo "Remember that you need to supply a passphrase for the private key."
 echo ""
 
@@ -29,13 +41,21 @@ sleep 5
 cd "$easy_rsa_base_dir"
 cp -f "$easy_vars_file" "${easy_vars_file}.tmpl"
 sed -i -e "s/{{ easy_rsa_req_email }}/$email_arg/g" "$easy_vars_file"
-./easyrsa renew "$name_arg"
+./easyrsa build-client-full "$name_arg"
 mv -f "${easy_vars_file}.tmpl" "$easy_vars_file"
 
-echo ""
-echo "Done."
-echo "The certificate file is ${easy_rsa_issued_dir}/${name_arg}.crt"
-echo "The private key file is ${easy_rsa_keys_dir}/${name_arg}.key"
-echo ""
+retval=$?
+
+if [ $retval -eq 0 ] ; then
+    echo ""
+    echo "Done."
+    echo "The certificate file is ${easy_rsa_issued_dir}/${name_arg}.crt"
+    echo "The private key file is ${easy_rsa_keys_dir}/${name_arg}.key"
+    echo ""
+else
+    echo ""
+    echo "Something went wrong, the certificate creation failed"
+    echo ""
+fi
 
 exit 0

templates/renew-server-host-certificate.sh.j2

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+_retval=
+
 host_arg=
 if [ $# -ne 1 ] ; then
     echo "You need to pass just one argument: the full hostname for wich the certificate is required"
@@ -11,24 +13,41 @@ fi
 easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
 easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
 easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
+easy_rsa_reqs_dir="${easy_rsa_base_dir}/pki/reqs"
 easy_vars_file="${easy_rsa_base_dir}/vars"
 if [ -f "${easy_vars_file}.tmpl" ] ; then
     echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
     exit 1
 fi
 
+if [ -f "${easy_rsa_issued_dir}/${host_arg}.crt" ] ; then
+    rm -f "${easy_rsa_issued_dir}/${host_arg}.crt"
+    rm -f "${easy_rsa_keys_dir}/${host_arg}.key"
+    rm -f "${easy_rsa_reqs_dir}/${host_arg}.req"
+else
+    echo "No previous certificate exists. This is not a renewal, aborting."
+    exit 1
+fi
+
 echo ""
-echo "Starting the renewal of a server host certificate."
+echo "Starting the creation of a server host certificate."
 echo ""
 
 cd "$easy_rsa_base_dir"
-./easyrsa renew "$host_arg" nopass
+./easyrsa build-server-full "$host_arg" nopass
+retval=$?
 
-echo ""
-echo "Done."
-echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
-echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
-echo ""
-echo "Remember that the key of the host certificates do not passphrase protected"
+if [ $retval -eq 0 ] ; then
+    echo ""
+    echo "Done."
+    echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
+    echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
+    echo ""
+    echo "Remember that the key of the host certificates do not passphrase protected"
+else
+    echo ""
+    echo "Something went wrong, the certificate creation failed"
+    echo ""
+fi
 
 exit 0

templates/safessl-easyrsa.cnf

@@ -55,7 +55,7 @@ emailAddress		= optional
 # Easy-RSA request handling
 # We key off $DN_MODE to determine how to format the DN
 [ req ]
-default_bits		= 3072
+default_bits		= 4096
 default_keyfile 	= privkey.pem
 default_md		= sha384
 distinguished_name	= cn_only

templates/server-host-certificate.sh.j2

@@ -22,11 +22,8 @@ fi
 
 if [ -f "${easy_rsa_issued_dir}/${host_arg}.crt" ] ; then
     echo ""
-    echo "A certificate already exists"
-    echo "If you want to renew it, then remove the following files and run che command again:"
-    echo "${easy_rsa_issued_dir}/${host_arg}.crt"
-    echo "${easy_rsa_keys_dir}/${host_arg}.key"
-    echo "${easy_rsa_reqs_dir}/${host_arg}.req"
+    echo "A certificate already exists."
+    echo "If you want to renew it, then use the command renew-server-host-certificate"
     echo ""
     exit 1
 fi