@@ -3316,6 +3316,11 @@ Unable to revoke as the input-file is not a valid certificate.
33163316Certificate was expected at:
33173317* $crt_in"
33183318
3319+ # Forbid self-signed cert from being expired/renewed/revoked
3320+ if forbid_selfsign "$crt_in"; then
3321+ user_error "Cannot $cmd a self-signed certificate."
3322+ fi
3323+
33193324 # Verify request
33203325 if [ -f "$req_in" ]; then
33213326 verify_file req "$req_in" || user_error "\
@@ -3508,6 +3513,11 @@ Missing certificate file:
35083513* $crt_in"
35093514 fi
35103515
3516+ # Forbid self-signed cert from being expired/renewed/revoked
3517+ if forbid_selfsign "$crt_in"; then
3518+ user_error "Cannot $cmd a self-signed certificate."
3519+ fi
3520+
35113521 # get the serial number of the certificate
35123522 cert_serial=
35133523 ssl_cert_serial "$crt_in" cert_serial || \
@@ -3553,6 +3563,23 @@ It can be revoked with command 'revoke-expired'.
35533563It is now possible to sign a new certificate for '$file_name_base'"
35543564} # => expire_cert()
35553565
3566+ # Forbid a self-signed cert from being expired/renewed/revoked
3567+ # by a CA that has nothing to do with the cert
3568+ forbid_selfsign() {
3569+ # cert temp-file
3570+ forbid_selfsign_tmp=
3571+ easyrsa_mktemp forbid_selfsign_tmp || \
3572+ die "easyrsa_mktemp forbid_selfsign_tmp"
3573+
3574+ # SSL text
3575+ "$EASYRSA_OPENSSL" x509 -in "$1" -noout -text \
3576+ > "$forbid_selfsign_tmp" || \
3577+ die "forbid_selfsign - ssl text"
3578+
3579+ # test for CA:TRUE
3580+ grep -q "^[[:blank:]]*CA:TRUE$" "$forbid_selfsign_tmp"
3581+ } # => forbid_selfsign()
3582+
35563583# gen-crl backend
35573584gen_crl() {
35583585 out_file="$EASYRSA_PKI/crl.pem"
0 commit comments