Refactoring step-ca-install.sh

Reduce msg_xxx blocks Replace whiptail by 'prompt_input' function Moved all helper-scripts into 'step-ca-admin.sh'
2026-03-31 06:24:18 -04:00 · 2026-03-26 08:14:09 +01:00
parent 4d07835798
commit ddf4e2f2ba
1 changed files with 276 additions and 149 deletions
--- a/install/step-ca-install.sh
+++ b/install/step-ca-install.sh
@@ -27,83 +27,46 @@ STEPHOME="/root/.step"
 export STEPPATH=/etc/step-ca
 export STEPHOME=$STEPHOME

-$STD sed  -i '1i export STEPPATH=/etc/step-ca' /etc/profile
-$STD sed  -i '1i export STEPHOME=/root/.step' /etc/profile
+sed  -i '1i export STEPPATH=/etc/step-ca' /etc/profile
+sed  -i '1i export STEPHOME=/root/.step' /etc/profile

-$STD setcap CAP_NET_BIND_SERVICE=+eip $(which step-ca)
+setcap CAP_NET_BIND_SERVICE=+eip $(which step-ca)

 $STD useradd --user-group --system --home $(step path) --shell /bin/false step
 msg_ok "Installed step-ca and step-cli"

+DomainName="$(hostname -d)"
+
+PKIName="$(prompt_input "Enter PKIName" "MyHomePKI" 30)"
+PKIProvisioner="$(prompt_input "Enter PKIProvisioner" "pki@$DomainName" 30)"
+AcmeProvisioner="$(prompt_input "Enter AcmeProvisioner" "acme@$DomainName" 30)"
+X509MinDur="$(prompt_input "Enter X509MinDur" "48h" 30)"
+X509MaxDur="$(prompt_input "Enter X509MaxDur" "87600h" 30)"
+X509DefaultDur="$(prompt_input "Enter X509DefaultDur" "168h" 30)"
+
 msg_info "Initializing step-ca"
 DeploymentType="standalone"
-FQDN=$(hostname -f)
-DomainName=$(hostname -d)
-IP=${LOCAL_IP}
+FQDN="$(hostname -f)"
+IP="${LOCAL_IP}"
 LISTENER=":443"
-PKIName="MyHomePKI"
-PKIProvisioner="pki@$DomainName"
-AcmeProvisioner="acme@$DomainName"
-X509MinDur="48h"
-X509MaxDur="87600h"
-X509DefaultDur="168h"
-
-while true;
-do
-
-if whiptail_yesno=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca init options" --yesno "Continue with below?\n
-PKIName: $PKIName
-PKIProvisioner: $PKIProvisioner
-AcmeProvisioner: $AcmeProvisioner
-X509MinDur: $X509MinDur
-X509MaxDur: $X509MaxDur
-X509DefaultDur: $X509DefaultDur" --no-button "Change" --yes-button "Continue" 15 70 3>&1 1>&2 2>&3); then
-break
-fi
-
-PKIName=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca init options" --inputbox 'PKIName (e.g. MyHomePKI)' 10 50 "$PKIName" 3>&1 1>&2 2>&3)
-PKIProvisioner=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca init options" --inputbox 'PKIProvisioner (e.g. pki@$YourDomainName)' 10 50 "$PKIProvisioner" 3>&1 1>&2 2>&3)
-AcmeProvisioner=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca init options" --inputbox 'AcmeProvisioner (e.g. acme@YourDomainName)' 10 50 "$AcmeProvisioner" 3>&1 1>&2 2>&3)
-X509MinDur=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca init options" --inputbox 'X509MinDur (e.g. 48h)' 10 50 "$X509MinDur" 3>&1 1>&2 2>&3)
-X509MaxDur=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca init options" --inputbox 'X509MaxDur (e.g. 87600h)' 10 50 "$X509MaxDur" 3>&1 1>&2 2>&3)
-X509DefaultDur=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step ca init options" --inputbox 'X509DefaultDur (e.g. 168h)' 10 50 "$X509DefaultDur" 3>&1 1>&2 2>&3)
-
-done

 EncryptionPwdDir="$(step path)/encryption"
 PwdFile="$EncryptionPwdDir/ca.pwd"
 ProvisionerPwdFile="$EncryptionPwdDir/provisioner.pwd"
-
 mkdir -p "$EncryptionPwdDir"
-$STD gpg --gen-random --armor 2 32 >"$PwdFile"
-$STD gpg --gen-random --armor 2 32 >"$ProvisionerPwdFile"
+gpg -q --gen-random --armor 2 32 >"$PwdFile"
+gpg -q --gen-random --armor 2 32 >"$ProvisionerPwdFile"

-$STD step ca init \
-  --deployment-type=$DeploymentType \
-  --ssh \
-  --name=$PKIName \
-  --dns="$FQDN" \
-  --dns="$IP" \
-  --address=$LISTENER \
-  --provisioner="$PKIProvisioner" \
-  --password-file="$PwdFile" \
-  --provisioner-password-file="$ProvisionerPwdFile"
+$STD step ca init --deployment-type="$DeploymentType" --ssh --name="$PKIName" --dns="$FQDN" --dns="$IP" --address="$LISTENER" --provisioner="$PKIProvisioner" --password-file="$PwdFile" --provisioner-password-file="$ProvisionerPwdFile"

 ln -s "$PwdFile" "$(step path)/password.txt"
 chown -R step:step $(step path)
 chmod -R 700 $(step path)
-
 $STD step ca provisioner add "$AcmeProvisioner" --type ACME --admin-name "$AcmeProvisioner"
-$STD step ca provisioner update "$PKIProvisioner" \
-   --x509-min-dur=$X509MinDur \
-   --x509-max-dur=$X509MaxDur \
-   --x509-default-dur=$X509DefaultDur \
-   --allow-renewal-after-expiry
-$STD step ca provisioner update "$AcmeProvisioner" \
-   --x509-min-dur=$X509MinDur \
-   --x509-max-dur=$X509MaxDur \
-   --x509-default-dur=$X509DefaultDur \
-   --allow-renewal-after-expiry
+$STD step ca provisioner update "$PKIProvisioner" --x509-min-dur="$X509MinDur" --x509-max-dur="$X509MaxDur" --x509-default-dur="$X509DefaultDur" --allow-renewal-after-expiry
+$STD step ca provisioner update "$AcmeProvisioner" --x509-min-dur="$X509MinDur" --x509-max-dur="$X509MaxDur" --x509-default-dur="$X509DefaultDur" --allow-renewal-after-expiry
+$STD step certificate install --all $(step path)/certs/root_ca.crt
+$STD update-ca-certificates
 msg_ok "Initialized step-ca"

 msg_info "Start step-ca as a Daemon"
@@ -164,109 +127,273 @@ EOF
 $STD systemctl enable -q --now step-ca
 msg_ok "Started step-ca as a Daemon"

-msg_info "Install root CA certificate into system's default trust store"
-$STD step certificate install --all $(step path)/certs/root_ca.crt
-$STD update-ca-certificates
-msg_ok "Installed root CA certificate into system's default trust store"
-
-msg_info "Install step-batcher to export step-ca badger database"
-StepBadgerX509Certs="$STEPHOME/step-badger-x509Certs.sh"
-StepBadgerSshCerts="$STEPHOME/step-badger-sshCerts.sh"
-
 fetch_and_deploy_gh_release "step-badger" "lukasz-lobocki/step-badger" "prebuild" "latest" "/opt/step-badger" "step-badger_Linux_x86_64.tar.gz"
 ln -s /opt/step-badger/step-badger /usr/local/bin/step-badger

+msg_info "Install step-ca Admin script"
+mkdir -p "$STEPHOME"
+cat <<'ADDON_EOF' >"$STEPHOME/step-ca-admin.sh"
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Joerg Heinemann (heinemannj)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+
+function header_info() {
+  clear
+  cat <<"EOF"
+         __                                 ___       __          _     
+   _____/ /____  ____        _________ _   /   | ____/ /___ ___  (_)___ 
+  / ___/ __/ _ \/ __ \______/ ___/ __ `/  / /| |/ __  / __ `__ \/ / __ \
+ (__  ) /_/  __/ /_/ /_____/ /__/ /_/ /  / ___ / /_/ / / / / / / / / / /
+/____/\__/\___/ .___/      \___/\__,_/  /_/  |_\__,_/_/ /_/ /_/_/_/ /_/ 
+             /_/                                                            
+
+EOF
+}
+
+function die() {
+  echo -e "\n${BL}[ERROR]${GN} ${RD}${1}${CL}\n"
+  exit
+}
+
+function success() {
+  echo -e "${BL}[SUCCESS]${GN} ${1}${CL}\n"
+  exit
+}
+
+function whiptail_menu() {
+  MENU_ARRAY=()
+  MSG_MAX_LENGTH=0
+  while read -r TAG ITEM; do
+    OFFSET=2
+    ((${#ITEM} + OFFSET > MSG_MAX_LENGTH)) && MSG_MAX_LENGTH=${#ITEM}+OFFSET
+    MENU_ARRAY+=("$TAG" "$ITEM " "OFF")
+  done < <(echo "$1")
+}
+
+function x509_list() {
+  CERT_LIST=""
+  cp --recursive --force "$(step path)/db/"* "$STEPHOME/db-copy/"
+  cp --recursive --force "$(step path)/certs/"* "$STEPHOME/certs/ca/"
+  if [[ $(step-badger x509Certs "${STEPHOME}/db-copy" 2>/dev/null) ]]; then
+    CERT_LIST=$(step-badger x509Certs ${STEPHOME}/db-copy 2>/dev/null)
+  fi
+}
+
+function ssh_list() {
+  CERT_LIST=""
+  cp --recursive --force "$(step path)/db/"* "$STEPHOME/db-copy/"
+  cp --recursive --force "$(step path)/certs/"* "$STEPHOME/certs/ca/"
+  if [[ $(step-badger sshCerts "${STEPHOME}/db-copy" 2>/dev/null) ]]; then
+    CERT_LIST=$(step-badgersshCerts ${STEPHOME}/db-copy 2>/dev/null)
+  fi
+}
+
+function x509_serial_to_cn() {
+  x509_list
+  CN="$(echo "${CERT_LIST}" | grep "${SERIAL_NUMBER}" | awk '{print $2}' | sed 's/CN=//g')"
+  CRT="$STEPHOME/certs/x509/$CN.crt"
+  KEY="$STEPHOME/certs/x509/$CN.key"
+  if ! [[ -f ${CRT} ]]; then
+    die "Certificate ${CRT} not found!"
+  elif ! [[ -f ${KEY} ]]; then
+    die "Private Key ${KEY} not found!"
+  fi
+}
+
+function x509_revoke() {
+  # shellcheck disable=SC2206
+  SERIAL_NUMBER_ARRAY=(${CERT_SERIAL_NUMBERS})
+  for SERIAL_NUMBER in "${SERIAL_NUMBER_ARRAY[@]}"; do
+    echo -e "${BL}[Info]${GN} Revoke x509 Certificate with Serial Number ${BL}${SERIAL_NUMBER}${GN}:${CL}"
+    echo
+    TOKEN=$(step ca token --provisioner="$PROVISIONER" --provisioner-password-file="$PROVISIONER_PASSWORD" --revoke "${SERIAL_NUMBER}")
+    step ca revoke --token "$TOKEN" "${SERIAL_NUMBER}" || die "Failed to revoke certificate!"
+    echo
+  done
+  success "Finished."
+}
+
+function x509_renew() {
+  # shellcheck disable=SC2206
+  SERIAL_NUMBER_ARRAY=(${CERT_SERIAL_NUMBERS})
+  for SERIAL_NUMBER in "${SERIAL_NUMBER_ARRAY[@]}"; do
+    echo -e "${BL}[Info]${GN} Renew x509 Certificate with Serial Number ${BL}${SERIAL_NUMBER}${GN}:${CL}"
+    echo
+    x509_serial_to_cn
+    step ca renew "${CRT}" "${KEY}" --force || die "Failed to renew certificate!"
+    echo
+  done
+  success "Finished."
+}
+
+function x509_inspect() {
+  # shellcheck disable=SC2206
+  SERIAL_NUMBER_ARRAY=(${CERT_SERIAL_NUMBERS})
+  for SERIAL_NUMBER in "${SERIAL_NUMBER_ARRAY[@]}"; do
+    echo -e "${BL}[Info]${GN} Inspect x509 Certificate with Serial Number ${BL}${SERIAL_NUMBER}${GN}:${CL}\n"
+    x509_serial_to_cn
+    step certificate inspect "${CRT}" || die "Failed to inspect certificate!"
+    if ! [[ $(step certificate inspect "${CRT}" | grep "${SERIAL_NUMBER}") ]]; then
+      die "Serial Number ${SERIAL_NUMBER} mismatch!"
+    fi
+    echo -e "\n${BL}[Info]${GN} Public Key:${CL}\n"
+    cat "${CRT}"
+    echo -e "\n${BL}[Info]${GN} Private Key:${CL}\n"
+    cat "${KEY}"
+    echo
+  done
+  success "Finished."
+}
+
+function x509_request() {
+  FQDN=""
+  SAN=""
+
+  while true; do
+    FQDN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nFQDN (e.g. MyLXC.example.com)' 10 50 "$FQDN" 3>&1 1>&2 2>&3)
+    IP=$(dig +short "$FQDN")
+    if [[ -z "$IP" ]]; then
+      die "Resolution failed for $FQDN!"
+    fi
+    HOST=$(echo "$FQDN" | awk -F'.' '{print $1}')
+    IP=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nIP Address (e.g. x.x.x.x)' 10 50 "$IP" 3>&1 1>&2 2>&3)
+    HOST=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nHostname (e.g. MyHostName)' 10 50 "$HOST" 3>&1 1>&2 2>&3)
+    SAN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nSubject Alternative Name(s) (SAN) (e.g. myapp-1.example.com, myapp-2.example.com)' 10 50 "$SAN" 3>&1 1>&2 2>&3)
+    VALID_TO=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nValidity (e.g. 2034-01-31T00:00:00Z)' 10 50 "2034-01-31T00:00:00Z" 3>&1 1>&2 2>&3)
+
+    # shellcheck disable=SC2034
+    if whiptail_yesno=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --yesno "Continue with below?\n
+      FQDN: $FQDN
+      Hostname: $HOST
+      IP Address: $IP
+      Subject Alternative Name(s) (SAN): $SAN
+      Validity: $VALID_TO" --no-button "Change" --yes-button "Continue" 15 70 3>&1 1>&2 2>&3); then
+      break
+    fi
+  done
+
+  echo -e "${BL}[Info]${GN} Request x509 Certificate with subject ${BL}${FQDN}${GN}:${CL}"
+  echo
+  CRT="$STEPHOME/certs/x509/$FQDN.crt"
+  KEY="$STEPHOME/certs/x509/$FQDN.key"
+
+  SAN="$FQDN, $HOST, $IP, $SAN"
+
+  IFS=', ' read -r -a array <<< "$SAN"
+  for element in "${array[@]}"
+  do
+    SAN_ARRAY+=(--san "$element")
+  done
+
+  step ca certificate "$FQDN" "$CRT" "$KEY" \
+    --provisioner="$PROVISIONER" \
+    --provisioner-password-file="$PROVISIONER_PASSWORD" \
+    --not-after="$VALID_TO" \
+    "${SAN_ARRAY[@]}" \
+  || die "Failed to request certificate!"
+
+  echo -e "\n${BL}[Info]${GN} Inspect Certificate:${CL}\n"
+  step certificate inspect "${CRT}" || die "Failed to inspect certificate!"
+  echo -e "\n${BL}[Info]${GN} Public Key:${CL}\n"
+  cat "${CRT}"
+  echo -e "\n${BL}[Info]${GN} Private Key:${CL}\n"
+  cat "${KEY}"
+  echo
+  success "Finished."
+}
+
+set -eEuo pipefail
+# shellcheck disable=SC2034
+# shellcheck disable=SC2116
+# shellcheck disable=SC2028
+YW=$(echo "\033[33m")
+# shellcheck disable=SC2116
+# shellcheck disable=SC2028
+BL=$(echo "\033[36m")
+# shellcheck disable=SC2116
+# shellcheck disable=SC2028
+RD=$(echo "\033[01;31m")
+# shellcheck disable=SC2034
+CM='\xE2\x9C\x94\033'
+# shellcheck disable=SC2116
+# shellcheck disable=SC2028
+GN=$(echo "\033[1;92m")
+# shellcheck disable=SC2116
+# shellcheck disable=SC2028
+CL=$(echo "\033[m")
+
+# Telemetry
+# shellcheck disable=SC1090
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/api.func) 2>/dev/null || true
+declare -f init_tool_telemetry &>/dev/null && init_tool_telemetry "step-ca-admin" "step-ca"
+
+header_info
+
 mkdir --parents "$STEPHOME/db-copy/"
-mkdir --parents "$STEPHOME/certs/ca/"
-mkdir --parents "$STEPHOME/certs/ssh/"
-mkdir --parents "$STEPHOME/certs/x509/"
+mkdir --parents "$STEPHOME/certs/ca/_archive/"
+mkdir --parents "$STEPHOME/certs/ssh/_archive/"
+mkdir --parents "$STEPHOME/certs/x509/_archive/"

-$STD cat <<'EOF' >$StepBadgerX509Certs
-#!/usr/bin/env bash
-#
-# See: https://github.com/lukasz-lobocki/step-badger
-#
-
-cp --recursive --force "$(step path)/db/"* "$STEPHOME/db-copy/"
-cp --recursive --force "$(step path)/certs/"* "$STEPHOME/certs/ca/"
-
-step-badger x509Certs "$STEPHOME/db-copy" \
-        --dnsnames \
-        --emailaddresses \
-        --ipaddresses \
-        --uris \
-        --issuer \
-        --crl \
-        --provisioner \
-        --algorithm
-EOF
-$STD cat <<'EOF' >$StepBadgerSshCerts
-#!/usr/bin/env bash
-#
-# See: https://github.com/lukasz-lobocki/step-badger
-#
-
-cp --recursive --force "$(step path)/db/"* "$STEPHOME/db-copy/"
-cp --recursive --force "$(step path)/certs/"* "$STEPHOME/certs/ca/"
-
-step-badger sshCerts "$STEPHOME/db-copy" \
-        --algorithm
-EOF
-chmod 700 $StepBadgerX509Certs
-chmod 700 $StepBadgerSshCerts
-msg_ok "Installed step-batcher to export step-ca badger database"
-
-msg_info "Install step-ca helper scripts"
-StepRequest="$STEPHOME/step-ca-request.sh"
-$STD cat <<'EOF' >$StepRequest
-#!/usr/bin/env bash
-#
-StepCertDir="$STEPHOME/certs/x509"
+PROVISIONER=$(jq '.authority.provisioners.[] | select(.type=="JWK") | .name' "$(step path)"/config/ca.json)
+PROVISIONER="${PROVISIONER#\"}"
+PROVISIONER="${PROVISIONER%\"}"
 PROVISIONER_PASSWORD=$(step path)/encryption/provisioner.pwd

-while true;
-do
+whiptail --backtitle "Proxmox VE Helper Scripts" --title "step-ca Admin" --yesno "This will maintain step-ca issued x509 and ssh Certificates. Proceed?" 10 58

-FQDN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox 'FQDN (e.g. MyLXC.example.com)' 10 50 "$FQDN" 3>&1 1>&2 2>&3)
-IP=$(dig +short $FQDN)
-if [[ -z "$IP" ]]; then
-    echo "Resolution failed for $FQDN"
-    exit
-fi
-HOST=$(echo $FQDN | awk -F'.' '{print $1}')
-IP=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox 'IP Address (e.g. x.x.x.x)' 10 50 "$IP" 3>&1 1>&2 2>&3)
-HOST=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox 'Hostname (e.g. MyHostName)' 10 50 "$HOST" 3>&1 1>&2 2>&3)
-SAN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox 'Subject Alternative Name(s) (SAN) (e.g. myapp-1.example.com, myapp-2.example.com)' 10 50 "$SAN" 3>&1 1>&2 2>&3)
-VALID_TO=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox 'Validity (e.g. 2034-01-31T00:00:00Z)' 10 50 "2034-01-31T00:00:00Z" 3>&1 1>&2 2>&3)
+MENU_ARRAY=("x509" "Maintain x509 Certificates." "ON")
+MENU_ARRAY+=("ssh" "Maintain ssh Certificates." "OFF")
+CERT_TYPE=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step-ca Admin" --radiolist "\nSelect Certificate Type:" 16 48 6 "${MENU_ARRAY[@]}" 3>&1 1>&2 2>&3 | tr -d '"')

-if whiptail_yesno=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --yesno "Continue with below?\n
-FQDN: $FQDN
-Hostname: $HOST
-IP Address: $IP
-Subject Alternative Name(s) (SAN): $SAN
-Validity: $VALID_TO" --no-button "Change" --yes-button "Continue" 15 70 3>&1 1>&2 2>&3); then
-break
-fi
+[[ -z ${CERT_TYPE} ]] && die "No Certificate Type selected!"

-done
+case ${CERT_TYPE} in
+("x509")
+  x509_list
+  CERT_LIST=$(echo "$CERT_LIST" | awk 'NR>1 {print $1 " " $2 "|" $3 "|" $4 "|" $5}')
+  if [[ $CERT_LIST ]]; then
+    whiptail_menu "$CERT_LIST"
+  else
+    MENU_ARRAY=()
+    MSG_MAX_LENGTH=2
+  fi
+  MENU_ARRAY+=("" "Create a new Certificate" "OFF")
+  CERT_SERIAL_NUMBERS=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificates on $(hostname)" --checklist "\nSelect Certificate(s) to maintain:\n" 16 $((MSG_MAX_LENGTH + 55)) 6 "${MENU_ARRAY[@]}" 3>&1 1>&2 2>&3 | tr -d '"')

-SAN="$FQDN, $HOST, $IP, $SAN"
+  [[ -z ${CERT_SERIAL_NUMBERS} ]] && x509_request
+  
+  MENU_ARRAY=("Renew" "Renew x509 Certificates." "ON")
+  MENU_ARRAY+=("Revoke" "Revoke x509 Certificates." "OFF")
+  MENU_ARRAY+=("Inspect" "Inspect x509 Certificates." "OFF")
+  CERT_MAINTENANCE=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step-ca Admin" --radiolist "\nSelect Maintenance Type:" 16 48 6 "${MENU_ARRAY[@]}" 3>&1 1>&2 2>&3 | tr -d '"')

-IFS=', ' read -r -a array <<< "$SAN"
-for element in "${array[@]}"
-do
-    SAN_ARRAY+=(--san "$element")
-done
-
-step ca certificate $FQDN $StepCertDir/$FQDN.crt $StepCertDir/$FQDN.key \
-  --provisioner-password-file=$PROVISIONER_PASSWORD \
-  --not-after=$VALID_TO \
-  "${SAN_ARRAY[@]}" \
-  && step certificate inspect $StepCertDir/$FQDN.crt \
-  || echo "Failed to request certificate"; exit
-EOF
-chmod 700 $StepRequest
-msg_ok "Installed step-ca helper scripts"
+  case ${CERT_MAINTENANCE} in
+  ("Renew")
+    x509_renew "${CERT_SERIAL_NUMBERS[@]}"
+    ;;
+  ("Revoke")
+    x509_revoke "${CERT_SERIAL_NUMBERS[@]}"
+    ;;
+  ("Inspect")
+    x509_inspect "${CERT_SERIAL_NUMBERS[@]}"
+    ;;
+  *)
+    die "Unsupported CERT_MAINTENANCE Option!"
+    ;;
+  esac
+  ;;
+("ssh")
+  die "Maintain ssh Certificates - To be implemented in future"
+  ;;
+*)
+  die "Unsupported CERT_TYPE Option!"
+  ;;
+esac
+ADDON_EOF
+chmod 700 "$STEPHOME/step-ca-admin.sh"
+msg_ok "Installed step-ca Admin script"

 motd_ssh
 customize