diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 96931202c04f40b30cd573ed1d4d4c2001bd5ea4..a90cac3a2c6d69240ea6d2c543fbd1a315d25478 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,14 +1,16 @@
 -   repo: git://github.com/pre-commit/pre-commit-hooks
-    sha: 97b88d9610bcc03982ddac33caba98bb2b751f5f
+    sha: v0.9.1
     hooks:
     -   id: check-added-large-files
     -   id: check-yaml
     -   id: check-merge-conflict
 -   repo: https://www.shore.co.il/git/shell-pre-commit/
-    sha: v0.1.0
+    sha: v0.5.4
     hooks:
     -   id: shell-lint
-        files: ssl-ca
+        files: &shellscripts ssl-ca
+    -   id: shellcheck
+        files: *shellscripts
 -   repo: local
     hooks:
     -   id: test
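Review bot: The pin for pre-commit-hooks moves from a full commit hash to the tag `v0.9.1`, and the shell-pre-commit repo is likewise pinned by tag (`v0.5.4`). A tag can be re-pointed upstream, so the hook code that runs on every commit is no longer tied to content someone reviewed. The first repo is also still fetched over `git://`, which provides no authentication or integrity protection for the transport. I would switch it to `repo: https://github.com/pre-commit/pre-commit-hooks` and keep a full hash in `sha`, recording the tag as a comment, e.g. `sha: <full commit hash of v0.9.1>  # v0.9.1`.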
diff --git a/ssl-ca b/ssl-ca
index 13c469d5cc236b85806c34108cebe46aa46060d4..27a4b2c660bc0ccfe7f40e7bf11d253bea2bacac 100755
--- a/ssl-ca
+++ b/ssl-ca
@@ -1,7 +1,8 @@
-#!/bin/sh -e
+#!/bin/sh
+set -eu
 
-test $(which openssl) || ( echo "Can't find openssl."; exit 1)
-seed="$(hexdump -n10 -e '10/1 "%02o" "\n"' /dev/urandom)"
+which openssl >/dev/null || ( echo "Can't find openssl."; exit 1)
+#seed="$(hexdump -n10 -e '10/1 "%02o" "\n"' /dev/urandom)"
 config=\
 "[ ca ]
 default_ca = CA_default
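Review bot: With `set -eu` now in force, running the script with no arguments will abort at the `case "$1" in` dispatch (visible as context in the last hunk) with an unset-parameter error instead of reaching the `*)` branch. `case "${1:-}" in` keeps that fallback reachable. The `seed=` line is left commented out; if nothing reads `seed` any more, delete it rather than keeping dead code. The missing-openssl message still goes to stdout and relies on the non-POSIX `which`; `command -v openssl >/dev/null || { echo "Can't find openssl." >&2; exit 1; }` matches the `>&2` the commit adds in init.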
@@ -51,12 +52,14 @@ usage () {
 }
 
 init () {
+    # shellcheck disable=SC2039
     local cn
-    export cn="$(basename $PWD)"
+    cn="$(basename "$PWD")"
+    export cd
     mkdir -p certs keys
     if [ -e openssl.cnf ]
     then
-        echo openssl.cnf already exists, skipping generation.
+        echo openssl.cnf already exists, skipping generation. >&2
     else
         echo "$config" > "openssl.cnf"
     fi
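Review bot: `export cd` in init looks like a typo for `export cn`. The old line was `export cn="$(basename $PWD)"`, and the sign_key hunk splits it correctly into an assignment plus `export cn`. As written, `cn` stays a shell-local variable here, so any child process in the rest of init (which continues outside this hunk) no longer sees it. If openssl.cnf reads the name from the environment, CA generation would fail or use an empty or stale value. The fix is the single line `export cn`.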
@@ -99,6 +102,7 @@ init () {
 }
 
 sign_key () {
+    # shellcheck disable=SC2039
     local csr cn
     if [ $# -lt 1 ] || [ "$1" = "" ]
     then
@@ -117,9 +121,10 @@ sign_key () {
         exit 1
     fi
     csr="$(mktemp -t ssl-ca-XXXXXXXXX)"
-    export cn="$1.$(basename $PWD)"
+    cn="$1.$(basename "$PWD")"
+    export cn
     openssl req \
-        -key keys/$1 \
+        -key "keys/$1" \
         -new \
         -reqexts v3_req \
         -config openssl.cnf \
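Review bot: Quoting `"keys/$1"` fixes word splitting, but `$1` is still used unvalidated as both a path component and the leading label of the exported `cn`. The only guards visible in these hunks are the empty-argument test and an `exit 1` whose condition lies outside the hunk, so this may already be covered. If it is not, a name containing `/` would point `-key` outside `keys/` and put the same string into the certificate subject. A guard at the top of sign_key would close that, e.g. `case "$1" in */*) echo "Invalid key name: $1" >&2; exit 1;; esac`.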
@@ -173,16 +178,16 @@ case "$1" in
     sign)
         for key in keys/*
         do
-            if [ ! -f "certs/$(basename $key)" ]
+            if [ ! -f "certs/$(basename "$key")" ]
             then
-                sign_key "$(basename $key)"
+                sign_key "$(basename "$key")"
             fi
         done
         ;;
     resign)
         for key in keys/*
         do
-            sign_key "$(basename $key)"
+            sign_key "$(basename "$key")"
         done
         ;;
     *)
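Review bot: Both `for key in keys/*` loops still run once with the literal pattern when `keys/` is empty, so `sign_key` is called with `*` as the key name. Under `set -e` this presumably ends in the error exit inside sign_key rather than a clean no-op. Adding `[ -e "$key" ] || continue` as the first line of each loop body skips the unmatched glob.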