#!/bin/bash -x

# revoke a certificate, regenerate CRL,
# and verify revocation

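# File names, relative to $KEY_DIR, of the regenerated CRL and of the
# temporary CA-plus-CRL bundle that the verification step reads.
CRL="crl.pem"
RT="revoke-test.pem"

# Pin the command search path to the system directories. No entry may be
# empty: a leading, trailing or doubled ':' makes the shell search the
# current directory too, and this script changes into $KEY_DIR before it
# runs its commands.
export PATH=/usr/sbin:/usr/bin:/sbin:/bin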

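# Accept the documented form: one argument, the certificate's common name.
# A second argument is still tolerated and ignored, because this check used
# to demand exactly two even though only $1 is ever read.
# An empty name is rejected so that a bare ".crt" is never passed to openssl.
if [ $# -lt 1 ] || [ $# -gt 2 ] || [ -z "$1" ]; then
    echo "usage: revoke-full <common-name>";
    exit 1
fi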

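# The vars script must have exported the working directory, the openssl
# binary and the openssl configuration. Stop with a failure status if any of
# them is missing, so that no command line is built from an empty variable.
if [ -z "$KEY_DIR" ] || [ -z "$OPENSSL" ] || [ -z "$KEY_CONFIG" ]; then
    echo 'Please source the vars script first (i.e. "source ./vars")'
    echo 'Make sure you have edited it to reflect your configuration.'
    exit 1
fi

# Every relative path below is resolved inside $KEY_DIR. If the directory
# cannot be entered, stop before rm and openssl act on files elsewhere.
cd "$KEY_DIR" || exit 1

rm -f "$RT"

# Mark the certificate as revoked in the CA database.
# $OPENSSL stays unquoted, as before, so a value carrying extra arguments
# keeps working -- NOTE(review): quote it if vars only ever holds a path.
# A failure here is reported but not fatal; the CRL is regenerated anyway.
# shellcheck disable=SC2086
if ! $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"; then
    echo "revoke-full: 'openssl ca -revoke' failed for $1.crt" >&2
fi

# generate a new CRL -- try to be compatible with
# intermediate PKIs
# Without a fresh CRL the check below would run against stale data, so a
# failure here ends the script.
# shellcheck disable=SC2086
if ! $OPENSSL ca -verbose -gencrl -out "$KEY_DIR/$CRL" -config "$KEY_CONFIG" 2>&1; then
    echo "revoke-full: CRL generation failed; $KEY_DIR/$CRL was not updated" >&2
    exit 1
fi

# Build the bundle (CA certificate followed by the CRL) for the verify step,
# preferring export-ca.crt when it exists.
if [ -e export-ca.crt ]; then
    cat export-ca.crt "$CRL" >"$RT"
else
    cat ca.crt "$CRL" >"$RT"
fi

# verify the revocation
# For a certificate that is now revoked, openssl is expected to report a
# "certificate revoked" verification error (error 23); that is the desired
# outcome. A plain OK means the CRL in $RT does not list the certificate.
# The script's exit status is the status of this last command.
# shellcheck disable=SC2086
$OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"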
