From 55e02c6a13eb2474a4dcae345c3f9c166174525d Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Thu, 14 Apr 2022 15:18:57 +0200
Subject: [PATCH] Check if CN already exists only after having asked for user password

Otherwise, with "-p", "--replace-existing" and "--non-interactive", with CA_PASSWORD set but PASSWORD unset, the existing certificate was revoked but the new one could'nt be created. Now, PASSWORD must be set or the exisiting certificate won't be revoked
---
 shellpki | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/shellpki b/shellpki
index 9fc7c5b..ed7584e 100755
--- a/shellpki
+++ b/shellpki
@@ -630,7 +630,7 @@ create() {
 # get CN from CSR
 cn=$("${OPENSSL_BIN}" req -noout -subject -in "${csr_file}" | grep -Eo "CN\s*=[^,/]*" | cut -d'=' -f2 | xargs)
- # check if CN already exist
+ # check if CN already exists
 if [ -f "${crt_file}" ]; then
 replace_existing_or_abort "${cn}"
 fi
@@ -665,11 +665,6 @@ create() {
 ovpn_file="${OVPN_DIR}/${cn}-${SUFFIX}.ovpn"
 pkcs12_file="${PKCS12_DIR}/${cn}-${SUFFIX}.p12"
- # check if CN already exist
- if [ -f "${crt_file}" ]; then
- replace_existing_or_abort "${cn}"
- fi
-
 # ask for CA passphrase
 ask_ca_password 0
@@ -677,6 +672,11 @@ create() {
 ask_user_password
 fi
+ # check if CN already exists
+ if [ -f "${crt_file}" ]; then
+ replace_existing_or_abort "${cn}"
+ fi
+
 # generate private key
 pass_args=""
 if [ -n "${password_file:-}" ]; then
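Review bot: The moved check in the third hunk (new lines 675-678) still runs `replace_existing_or_abort "${cn}"` ahead of the private-key, CSR and signing steps, so a failure in any of them would presumably still leave the CN revoked with no replacement, which is the state the commit message describes. Only the start of key generation is visible here; the rest of create() lies outside the hunk, and collecting the passwords first closes the missing-PASSWORD case only. Consider revoking the old certificate after the new key and CSR have been produced, or at minimum record the ordering constraint with a comment such as `# keep after ask_ca_password/ask_user_password: this revokes the current certificate, so every input that can abort must be collected first`. The CSR-file branch in the first hunk keeps its check directly after the CN extraction; whether the CA passphrase has been collected by that point is not visible, so that path may need the same reordering.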