[exim.git] / test / aux-fixed / exim-ca / genall

#!/bin/bash
#

set -e

# Debugging.  Set V for clica verbosity.
#set -x
V=
#V='-v'

clica --help >/dev/null 2>&1

echo Ensure time is set to 2012/11/01 12:34
echo use -  date -u 110112342012
echo hit return when ready
read junk

# Main suite: RSA certs
for tld in com org net
do
    iname="example.$tld"
    idir=$iname

####
    # create CAs & server certs
    rm -fr "$idir"

    # create CA cert + templates
    clica $V -D "$idir" -p password -B 1024 -I -N $iname -F -C http://crl.$iname/latest.crl -O http://oscp.$iname/

    # create server certs
    # -m <months>
    clica $V -D $idir -p password -s 101 -S server1.$iname -m 301 \
	-8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
    clica $V -D $idir -p password -s 102 -S revoked1.$iname -m 301
    clica $V -D $idir -p password -s 103 -S expired1.$iname -m 1
    clica $V -D $idir -p password -s 201 -S  server2.$iname -m 301
    clica $V -D $idir -p password -s 202 -S revoked2.$iname -m 301
    clica $V -D $idir -p password -s 203 -S expired2.$iname -m 1

####

    # openssl seems to generate a file (ca_chain.pam) in an order it
    # cannot then use (the key applies to the first cert in the file?).
    # Generate a shuffled one.
    cd $idir/server1.$iname
        openssl pkcs12 -in server1.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
        cat server1.$iname.pem cacerts.pem > fullchain.pem
        rm cacerts.pem
    cd ../..

####

    # generate unlocked keys and client cert bundles
    for server in server1 revoked1 expired1 server2 revoked2 expired2
    do
	SDIR=$idir/$server.$iname
	SPFX=$SDIR/$server.$iname
	openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	cat $SPFX.pem $iname/CA/Signer.pem >$SPFX.chain.pem
    done

####

    # create OCSP reqs & resps
    CADIR=$idir/CA
    #give ourselves an OSCP key to work with
    pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer rsa' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key

    # also need variation from Signer
    pk12util -o $CADIR/Signer.p12 -n 'Signing Cert rsa' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/Signer.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/Signer.key

    # create some index files for the ocsp responder to work with
# tab-sep
# 0: Revoked/Expired/Valid letter
# 1: Expiry date (ASN1_UTCTIME)
# 2: Revocation date
# 3: Serial no. (unique)
# 4: file
# 5: DN, index

    cat >$CADIR/index.valid.txt <<EOF
V	130110200751Z		65	unknown	CN=server1.$iname
V	130110200751Z		66	unknown	CN=revoked1.$iname
V	130110200751Z		67	unknown	CN=expired1.$iname
V	130110200751Z		c9	unknown	CN=server2.$iname
V	130110200751Z		ca	unknown	CN=revoked2.$iname
V	130110200751Z		cb	unknown	CN=expired2.$iname
EOF
    cat >$CADIR/index.revoked.txt <<EOF
R	130110200751Z	100201142709Z,superseded	65	unknown	CN=server1.$iname
R	130110200751Z	100201142709Z,superseded	66	unknown	CN=revoked1.$iname
R	130110200751Z	100201142709Z,superseded	67	unknown	CN=expired1.$iname
R	130110200751Z	100201142709Z,superseded	c9	unknown	CN=server2.$iname
R	130110200751Z	100201142709Z,superseded	ca	unknown	CN=revoked2.$iname
R	130110200751Z	100201142709Z,superseded	cb	unknown	CN=expired2.$iname
EOF

    # Now create all the ocsp requests and responses
    IVALID="-index $CADIR/index.valid.txt"
    IREVOKED="-index $CADIR/index.revoked.txt"

    echo "unique_subject = yes" > $CADIR/index.valid.txt.attr
    echo "unique_subject = yes" > $CADIR/index.revoked.txt.attr

    for server in server1 revoked1 expired1 server2 revoked2 expired2
    do
	SPFX=$idir/$server.$iname/$server.$iname
	openssl ocsp -issuer $CADIR/Signer.pem -sha256 -cert $SPFX.pem -no_nonce -reqout $SPFX.ocsp.req
	REQIN="-reqin $SPFX.ocsp.req"

	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.good.resp
	openssl ocsp $IVALID   $OGENCOMMON -ndays 30   $REQIN -respout $SPFX.ocsp.dated.resp
	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.revoked.resp

	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -noverify"
	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signer.good.resp
	openssl ocsp $IVALID   $OGENCOMMON -ndays 30   $REQIN -respout $SPFX.ocsp.signer.dated.resp
	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signer.revoked.resp

	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -resp_no_certs -noverify"
	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signernocert.good.resp
	openssl ocsp $IVALID   $OGENCOMMON -ndays 30   $REQIN -respout $SPFX.ocsp.signernocert.dated.resp
	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signernocert.revoked.resp
    done
####
done

# Create one EC leaf cert in the RSA cert tree.  It will have an EC pubkey but be signed using its parent
# therefore its parent's algo, RSA.
clica $V -D example.com -p password -k ec -q nistp521 -s 1101 -S server1_ec.example.com -m 301 -8 'server1.example.com,*.test.ex'
SDIR=example.com/server1_ec.example.com
SPFX=$SDIR/server1_ec.example.com
openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
cat $SPFX.pem example.com/CA/Signer.pem >$SPFX.chain.pem


###############################################################################
# Limited suite: EC certs
# separate trust root & chain
# .com only, server1 good only, no ocsp
# with server1 in SAN of leaf

for tld in com
do
    iname="example_ec.$tld"
    idir=$iname

####
    # create CAs & server certs
    rm -fr "$idir"

    # create CA cert + templates
    clica $V -D "$idir" -p password -B 1024 -I -N $iname -F \
	-k ec -q nistp521 \
	-C http://crl.example.$tld/latest.crl -O http://oscp.example.$tld/

    # create server certs
    # -m <months>
    clica $V -D $idir -p password -s 2101 -S server1.$iname -m 301 \
	-k ec -q nistp521 \
	-8 server1.example.$tld,alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex

####

    # openssl seems to generate a file (ca_chain.pam) in an order it
    # cannot then use (the key applies to the first cert in the file?).
    # Generate a shuffled one.
    cd $idir/server1.$iname
        openssl pkcs12 -in server1.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
        cat server1.$iname.pem cacerts.pem > fullchain.pem
        rm cacerts.pem
    cd ../..

####

    # generate unlocked keys and client cert bundles
    for server in server1
    do
	SDIR=$idir/$server.$iname
	SPFX=$SDIR/$server.$iname
	openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	cat $SPFX.pem example.$tld/CA/Signer.pem >$SPFX.chain.pem
    done

####
    # create OCSP reqs & resps
    CADIR=$idir/CA
    #give ourselves an OSCP key to work with
    pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer ec' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key

    # create some index files for the ocsp responder to work with
# tab-sep
# 0: Revoked/Expired/Valid letter
# 1: Expiry date (ASN1_UTCTIME)
# 2: Revocation date
# 3: Serial no. (unique)
# 4: file
# 5: DN, index

    cat >$CADIR/index.valid.txt <<EOF
V	130110200751Z		65	unknown	CN=server1.$iname
EOF

    # Now create all the ocsp requests and responses
    IVALID="-index $CADIR/index.valid.txt"
    for server in server1
    do
	SPFX=$idir/$server.$iname/$server.$iname
	openssl ocsp -issuer $CADIR/Signer.pem -sha256 -cert $SPFX.pem -no_nonce -reqout $SPFX.ocsp.req
	REQIN="-reqin $SPFX.ocsp.req"

	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.good.resp
    done
####
done

###############################################################################

echo Please to reset date to now.
echo 'service ntpdate start (not on a systemd though...)'
echo 
echo Then hit return
read junk


# Create CRL files in .der and .pem
# empty versions, and ones with the revoked servers
for tld in com org net
do
    CADIR=example.$tld/CA
    CRLIN=$CADIR/crl.empty.in.txt
    DATENOW=`date -u +%Y%m%d%H%M%SZ`
    echo "update=$DATENOW " >$CRLIN
    crlutil -G -d $CADIR -f $CADIR/pwdfile \
	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.empty
    openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
done
sleep 2
for tld in com org net
do
    CADIR=example.$tld/CA
    CRLIN=$CADIR/crl.v2.in.txt
    DATENOW=`date -u +%Y%m%d%H%M%SZ`
    echo "update=$DATENOW " >$CRLIN
    echo "addcert 102 $DATENOW" >>$CRLIN
    echo "addcert 202 $DATENOW" >>$CRLIN
    crlutil -G -d $CADIR -f $CADIR/pwdfile \
	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.v2
    openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
done

# Finally, a single certificate-directory
cd example.com/server1.example.com
mkdir -p certdir
cd certdir
f=../../CA/CA.pem
h=`openssl x509 -hash -noout -in $f`
rm -f $h.0
ln -s $f $h.0
f=../../CA/Signer.pem
h=`openssl x509 -hash -noout -in $f`
rm -f $h.0
ln -s $f $h.0
cd ../../..

pwd
ls -l

find example* -type d -print0 | xargs -0 chmod 755
find example* -type f -print0 | xargs -0 chmod 644

echo "CA, Certificate, CRL and OSCP Response generation complete"
Commit	Line	Data
f5d78688 JH	1	#!/bin/bash
	2	#
	3
f2f2c91b	4	set -e
ba86e143 JH	5
	6	# Debugging. Set V for clica verbosity.
	7	#set -x
	8	V=
	9	#V='-v'
f2f2c91b	10
74e2fb4b JH	11	clica --help >/dev/null 2>&1
74e2fb4b JH	12
f5d78688 JH	13	echo Ensure time is set to 2012/11/01 12:34
	14	echo use - date -u 110112342012
	15	echo hit return when ready
	16	read junk
ba86e143 JH	17
ba86e143 JH	18	# Main suite: RSA certs
f5d78688 JH	19	for tld in com org net
f5d78688 JH	20	do
ba86e143 JH	21	iname="example.$tld"
	22	idir=$iname
	23
	24	####
	25	# create CAs & server certs
f2f2c91b	26	rm -fr "$idir"
2b4a568d	27
ba86e143 JH	28	# create CA cert + templates
	29	clica $V -D "$idir" -p password -B 1024 -I -N $iname -F -C http://crl.$iname/latest.crl -O http://oscp.$iname/
	30
	31	# create server certs
73ef9378	32	# -m <months>
ba86e143	33	clica $V -D $idir -p password -s 101 -S server1.$iname -m 301 \
f2f2c91b	34	-8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
ba86e143 JH	35	clica $V -D $idir -p password -s 102 -S revoked1.$iname -m 301
	36	clica $V -D $idir -p password -s 103 -S expired1.$iname -m 1
	37	clica $V -D $idir -p password -s 201 -S server2.$iname -m 301
	38	clica $V -D $idir -p password -s 202 -S revoked2.$iname -m 301
	39	clica $V -D $idir -p password -s 203 -S expired2.$iname -m 1
82525c6f	40
ba86e143	41	####
82525c6f JH	42
	43	# openssl seems to generate a file (ca_chain.pam) in an order it
	44	# cannot then use (the key applies to the first cert in the file?).
	45	# Generate a shuffled one.
ba86e143 JH	46	cd $idir/server1.$iname
	47	openssl pkcs12 -in server1.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
	48	cat server1.$iname.pem cacerts.pem > fullchain.pem
	49	rm cacerts.pem
82525c6f	50	cd ../..
f5d78688	51
ba86e143 JH	52	####
	53
	54	# generate unlocked keys and client cert bundles
	55	for server in server1 revoked1 expired1 server2 revoked2 expired2
	56	do
	57	SDIR=$idir/$server.$iname
	58	SPFX=$SDIR/$server.$iname
	59	openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	60	cat $SPFX.pem $iname/CA/Signer.pem >$SPFX.chain.pem
	61	done
	62
	63	####
	64
	65	# create OCSP reqs & resps
	66	CADIR=$idir/CA
f5d78688	67	#give ourselves an OSCP key to work with
ba86e143	68	pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer rsa' -d $CADIR -K password -W password
f5d78688 JH	69	openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key
f5d78688 JH	70
74e2fb4b	71	# also need variation from Signer
ba86e143	72	pk12util -o $CADIR/Signer.p12 -n 'Signing Cert rsa' -d $CADIR -K password -W password
74e2fb4b	73	openssl pkcs12 -in $CADIR/Signer.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/Signer.key
f5d78688 JH	74
f5d78688 JH	75	# create some index files for the ocsp responder to work with
74e2fb4b JH	76	# tab-sep
	77	# 0: Revoked/Expired/Valid letter
	78	# 1: Expiry date (ASN1_UTCTIME)
	79	# 2: Revocation date
	80	# 3: Serial no. (unique)
	81	# 4: file
	82	# 5: DN, index
	83
f5d78688	84	cat >$CADIR/index.valid.txt <<EOF
ba86e143 JH	85	V 130110200751Z 65 unknown CN=server1.$iname
	86	V 130110200751Z 66 unknown CN=revoked1.$iname
	87	V 130110200751Z 67 unknown CN=expired1.$iname
	88	V 130110200751Z c9 unknown CN=server2.$iname
	89	V 130110200751Z ca unknown CN=revoked2.$iname
	90	V 130110200751Z cb unknown CN=expired2.$iname
f5d78688 JH	91	EOF
f5d78688 JH	92	cat >$CADIR/index.revoked.txt <<EOF
ba86e143 JH	93	R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.$iname
	94	R 130110200751Z 100201142709Z,superseded 66 unknown CN=revoked1.$iname
	95	R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.$iname
	96	R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.$iname
	97	R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.$iname
	98	R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.$iname
f5d78688 JH	99	EOF
	100
	101	# Now create all the ocsp requests and responses
ba86e143 JH	102	IVALID="-index $CADIR/index.valid.txt"
ba86e143 JH	103	IREVOKED="-index $CADIR/index.revoked.txt"
4e0c20cb JH	104
	105	echo "unique_subject = yes" > $CADIR/index.valid.txt.attr
	106	echo "unique_subject = yes" > $CADIR/index.revoked.txt.attr
	107
f5d78688 JH	108	for server in server1 revoked1 expired1 server2 revoked2 expired2
f5d78688 JH	109	do
ba86e143	110	SPFX=$idir/$server.$iname/$server.$iname
4e0c20cb	111	openssl ocsp -issuer $CADIR/Signer.pem -sha256 -cert $SPFX.pem -no_nonce -reqout $SPFX.ocsp.req
ba86e143	112	REQIN="-reqin $SPFX.ocsp.req"
74e2fb4b JH	113
74e2fb4b JH	114	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
4e0c20cb JH	115	openssl ocsp $IVALID $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.good.resp
	116	openssl ocsp $IVALID $OGENCOMMON -ndays 30 $REQIN -respout $SPFX.ocsp.dated.resp
	117	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.revoked.resp
74e2fb4b JH	118
74e2fb4b JH	119	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -noverify"
4e0c20cb JH	120	openssl ocsp $IVALID $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signer.good.resp
	121	openssl ocsp $IVALID $OGENCOMMON -ndays 30 $REQIN -respout $SPFX.ocsp.signer.dated.resp
	122	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signer.revoked.resp
74e2fb4b JH	123
74e2fb4b JH	124	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -resp_no_certs -noverify"
4e0c20cb JH	125	openssl ocsp $IVALID $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signernocert.good.resp
	126	openssl ocsp $IVALID $OGENCOMMON -ndays 30 $REQIN -respout $SPFX.ocsp.signernocert.dated.resp
	127	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signernocert.revoked.resp
f5d78688	128	done
ba86e143	129	####
f5d78688 JH	130	done
f5d78688 JH	131
ba86e143 JH	132	# Create one EC leaf cert in the RSA cert tree. It will have an EC pubkey but be signed using its parent
	133	# therefore its parent's algo, RSA.
	134	clica $V -D example.com -p password -k ec -q nistp521 -s 1101 -S server1_ec.example.com -m 301 -8 'server1.example.com,*.test.ex'
	135	SDIR=example.com/server1_ec.example.com
	136	SPFX=$SDIR/server1_ec.example.com
	137	openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	138	cat $SPFX.pem example.com/CA/Signer.pem >$SPFX.chain.pem
	139
	140
	141
	142	###############################################################################
	143	# Limited suite: EC certs
	144	# separate trust root & chain
	145	# .com only, server1 good only, no ocsp
	146	# with server1 in SAN of leaf
	147
	148	for tld in com
f5d78688	149	do
ba86e143 JH	150	iname="example_ec.$tld"
	151	idir=$iname
	152
	153	####
	154	# create CAs & server certs
	155	rm -fr "$idir"
	156
	157	# create CA cert + templates
	158	clica $V -D "$idir" -p password -B 1024 -I -N $iname -F \
	159	-k ec -q nistp521 \
	160	-C http://crl.example.$tld/latest.crl -O http://oscp.example.$tld/
	161
	162	# create server certs
	163	# -m <months>
	164	clica $V -D $idir -p password -s 2101 -S server1.$iname -m 301 \
	165	-k ec -q nistp521 \
	166	-8 server1.example.$tld,alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
	167
	168	####
	169
	170	# openssl seems to generate a file (ca_chain.pam) in an order it
	171	# cannot then use (the key applies to the first cert in the file?).
	172	# Generate a shuffled one.
	173	cd $idir/server1.$iname
	174	openssl pkcs12 -in server1.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
	175	cat server1.$iname.pem cacerts.pem > fullchain.pem
	176	rm cacerts.pem
	177	cd ../..
	178
	179	####
	180
	181	# generate unlocked keys and client cert bundles
	182	for server in server1
89f2a269	183	do
ba86e143 JH	184	SDIR=$idir/$server.$iname
	185	SPFX=$SDIR/$server.$iname
	186	openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
f5d78688 JH	187	cat $SPFX.pem example.$tld/CA/Signer.pem >$SPFX.chain.pem
f5d78688 JH	188	done
ba86e143	189
4e0c20cb JH	190	####
	191	# create OCSP reqs & resps
	192	CADIR=$idir/CA
	193	#give ourselves an OSCP key to work with
	194	pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer ec' -d $CADIR -K password -W password
	195	openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key
	196
	197	# create some index files for the ocsp responder to work with
	198	# tab-sep
	199	# 0: Revoked/Expired/Valid letter
	200	# 1: Expiry date (ASN1_UTCTIME)
	201	# 2: Revocation date
	202	# 3: Serial no. (unique)
	203	# 4: file
	204	# 5: DN, index
	205
	206	cat >$CADIR/index.valid.txt <<EOF
	207	V 130110200751Z 65 unknown CN=server1.$iname
	208	EOF
	209
	210	# Now create all the ocsp requests and responses
	211	IVALID="-index $CADIR/index.valid.txt"
	212	for server in server1
	213	do
	214	SPFX=$idir/$server.$iname/$server.$iname
	215	openssl ocsp -issuer $CADIR/Signer.pem -sha256 -cert $SPFX.pem -no_nonce -reqout $SPFX.ocsp.req
	216	REQIN="-reqin $SPFX.ocsp.req"
	217
	218	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
	219	openssl ocsp $IVALID $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.good.resp
	220	done
	221	####
f5d78688 JH	222	done
f5d78688 JH	223
ba86e143 JH	224	###############################################################################
ba86e143 JH	225
f5d78688	226	echo Please to reset date to now.
f2f2c91b	227	echo 'service ntpdate start (not on a systemd though...)'
f5d78688 JH	228	echo
	229	echo Then hit return
	230	read junk
	231
ba86e143 JH	232
ba86e143 JH	233
f5d78688 JH	234	# Create CRL files in .der and .pem
	235	# empty versions, and ones with the revoked servers
	236	for tld in com org net
	237	do
	238	CADIR=example.$tld/CA
	239	CRLIN=$CADIR/crl.empty.in.txt
	240	DATENOW=`date -u +%Y%m%d%H%M%SZ`
	241	echo "update=$DATENOW " >$CRLIN
	242	crlutil -G -d $CADIR -f $CADIR/pwdfile \
ba86e143	243	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.empty
f5d78688 JH	244	openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
	245	done
	246	sleep 2
	247	for tld in com org net
	248	do
	249	CADIR=example.$tld/CA
	250	CRLIN=$CADIR/crl.v2.in.txt
	251	DATENOW=`date -u +%Y%m%d%H%M%SZ`
	252	echo "update=$DATENOW " >$CRLIN
	253	echo "addcert 102 $DATENOW" >>$CRLIN
	254	echo "addcert 202 $DATENOW" >>$CRLIN
	255	crlutil -G -d $CADIR -f $CADIR/pwdfile \
ba86e143	256	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.v2
f5d78688 JH	257	openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
	258	done
	259
a7fec7a7 JH	260	# Finally, a single certificate-directory
a7fec7a7 JH	261	cd example.com/server1.example.com
f2f2c91b	262	mkdir -p certdir
a7fec7a7 JH	263	cd certdir
	264	f=../../CA/CA.pem
	265	h=`openssl x509 -hash -noout -in $f`
f2f2c91b	266	rm -f $h.0
a7fec7a7 JH	267	ln -s $f $h.0
	268	f=../../CA/Signer.pem
	269	h=`openssl x509 -hash -noout -in $f`
f2f2c91b	270	rm -f $h.0
a7fec7a7	271	ln -s $f $h.0
f2f2c91b JH	272	cd ../../..
	273
	274	pwd
	275	ls -l
a7fec7a7	276
ba86e143 JH	277	find example* -type d -print0 \| xargs -0 chmod 755
ba86e143 JH	278	find example* -type f -print0 \| xargs -0 chmod 644
89f2a269	279
f5d78688	280	echo "CA, Certificate, CRL and OSCP Response generation complete"