From b7608928617ad10bec9846bd66675bd5f8458c25 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zolt=C3=A1n=20Felleg?=
Date: Tue, 1 Apr 2025 10:47:25 +0200
Subject: [PATCH] Updated updatecerts.sh (added user-CA -> ssh-agent requirement).

---
 doc.txt | 9 +++++----
 updatecerts.sh | 9 ++++++++-
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/doc.txt b/doc.txt
index ebb1d03..45ce4c6 100644
--- a/doc.txt
+++ b/doc.txt
@@ -18,8 +18,9 @@ user key generation:
 user key signing:
 ssh-keygen -I \
- [-n ] \
 -s \
+ [-U] \
+ [-n ] \
 -V \
 [-z ] \
@@ -47,10 +48,10 @@ host CA setup (as root on ssh clients):
 echo "@cert-authority *.useribm.hu " >>/etc/ssh/ssh_known_hosts
 host key signing (as root on ssh servers):
- ssh-keygen -h \
- -I \
- [-n ] \
+ ssh-keygen -I \
 -s \
+ -h \
+ [-n ] \
 /etc/ssh/ssh_host_ed25519_key.pub
 where fqdns: comma (and no space) separated target hosts
diff --git a/updatecerts.sh b/updatecerts.sh
index 102d03e..01fe35e 100755
--- a/updatecerts.sh
+++ b/updatecerts.sh
@@ -1,6 +1,12 @@
 #!/bin/sh
+ssh-add -l | grep --quiet --word-regexp "user-CA"
+if [ $? -ne 0 ]
+then
+ echo "user-CA must be added to ssh-agent (ssh-add user-CA)." >&2
+ exit 1
+fi
 CERT_YEAR_QUARTER=$(echo $1 | grep '^20[0-9][0-9]q[1-4]$')
 if [ -z "$CERT_YEAR_QUARTER" ]
 then
@@ -24,8 +30,9 @@ CERT_END_YYYYMMDD="${CERT_YEAR}${CERT_END_MM}01"
 ls *-cert.pub | sed 's/-cert.pub$//' | while read CAP_NAME
 do
 ssh-keygen -I ${CAP_NAME}-$CERT_YEAR_QUARTER \
- -n $CAP_NAME \
 -s user-CA \
+ -U \
+ -n $CAP_NAME \
 -V ${CERT_START_YYYYMMDD}:$CERT_END_YYYYMMDD \
 ${CAP_NAME}.pub
 done
-- 
2.54.0
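Review bot: The new agent check greps the comment column of `ssh-add -l` for the word `user-CA`, but as far as I recall that column shows the comment stored inside the private key (ssh-add only falls back to the file name when the key carries none), so a CA created with ssh-keygen's default `user@host` comment is rejected even though `ssh-add user-CA` succeeded, while any unrelated key whose comment happens to contain `user-CA` passes. Comparing fingerprints is unambiguous and only needs the public half, which `-U` signing reads anyway: `CA_FP=$(ssh-keygen -lf user-CA.pub | awk '{print $2}')` and `if [ -z "$CA_FP" ] || ! ssh-add -l | grep -qF -- "$CA_FP"` in place of the first two added lines, keeping the existing `then … fi` body (the `-z` guard stops an empty pattern from matching every key). The short `-q`/`-w` spellings are also safer than `--quiet`/`--word-regexp` under a `#!/bin/sh` that may resolve to busybox. If the comment match is kept, a line such as `# assumes the CA key was generated with -C user-CA` should state the dependency.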
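Review bot: With `-U` the path given to `-s` is the CA public key — the manual's form is `ssh-keygen -s ca_key.pub -U …` — yet the new signing call still passes `-s user-CA`, the private key file. I believe this only works because ssh-keygen's public-key loader falls back to `user-CA.pub` when the named file is not a public key, so the script keeps a silent dependency on that fallback and on the private key sitting next to it, which is what moving the key into the agent was meant to avoid. Changing the line to `-s user-CA.pub \` matches the documented usage and lets the private key exist only in the agent; a comment such as `# CA private key is used from ssh-agent (-U); only the public half is read here` would make the intent obvious. Note that a refused or failed signature inside the loop does not stop the script, so one key can silently keep its old certificate.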