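#!/bin/bash
#
# Generate the test CA hierarchies, server certificates, OCSP responses and
# CRLs used by the test suite.
#
# Everything produced here is throwaway test fixture material: every password
# is the literal string "password", a passphrase-less copy of each server key
# is written next to the encrypted one (*.unlocked.key, CA/OCSP.key,
# CA/Signer.key), and the final chmod leaves all generated files
# world-readable.  That layout is fine for test-only keys and for nothing else.
#
# Tools required on PATH: clica, openssl, pk12util, crlutil.
#
# The script expects the system clock to have been set back to
# 2012/11/01 12:34 UTC before it runs (it prompts for this).  The certificate
# validity periods and the fixed ASN1_UTCTIME expiry in the OCSP index files
# assume that generation date.

set -e -o pipefail

# Debugging.  Uncomment the second V= line for clica verbosity.
#set -x
V=()
#V=(-v)

# Fails the script (via set -e) if clica is not usable on this host.
clica --help >/dev/null 2>&1

echo 'Ensure time is set to 2012/11/01 12:34'
echo 'use - date -u 110112342012'
echo 'hit return when ready'
read -r junk

# Fixed expiry written into every OCSP index entry (2013-01-10, i.e. after
# the fixed generation date above).
readonly OCSP_INDEX_EXPIRY=130110200751Z

#######################################
# Build a leaf-first chain file for a server cert.
# openssl seems to generate a file (ca_chain.pam) in an order it cannot then
# use (the key applies to the first cert in the file?), so extract the CA
# certs from the PKCS#12 bundle and put the server cert in front of them.
# Arguments: $1 - server cert directory (holds <name>.p12, <name>.pem, pwdfile)
#            $2 - cert base name (e.g. server1.example.com)
# Outputs:   writes $1/fullchain.pem
#######################################
make_fullchain() {
  local sdir=$1 name=$2
  (
    cd "$sdir"
    openssl pkcs12 -in "$name.p12" -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
    cat "$name.pem" cacerts.pem > fullchain.pem
    rm cacerts.pem
  )
}

#######################################
# Write a passphrase-less copy of a server key and a leaf+Signer chain file.
# Arguments: $1 - openssl key sub-command for the key type (rsa or ec)
#            $2 - server cert directory (holds <name>.key, <name>.pem, pwdfile)
#            $3 - cert base name
#            $4 - path of the Signer.pem to append to the chain
# Outputs:   writes $2/$3.unlocked.key and $2/$3.chain.pem
#######################################
unlock_and_chain() {
  local algo=$1 sdir=$2 name=$3 signer=$4
  local spfx=$sdir/$name
  openssl "$algo" -in "$spfx.key" -passin "file:$sdir/pwdfile" -out "$spfx.unlocked.key"
  cat "$spfx.pem" "$signer" >"$spfx.chain.pem"
}

#######################################
# Export a key pair from the NSS database as an unencrypted PEM key.
# Arguments: $1 - CA directory (the NSS db; outputs are written here)
#            $2 - NSS nickname of the cert/key pair
#            $3 - base name for the $1/<base>.p12 and $1/<base>.key outputs
#######################################
export_nss_key() {
  local cadir=$1 nick=$2 base=$3
  pk12util -o "$cadir/$base.p12" -n "$nick" -d "$cadir" -K password -W password
  openssl pkcs12 -in "$cadir/$base.p12" -passin pass:password -passout pass:password \
    -nodes -nocerts -out "$cadir/$base.key"
}

#######################################
# Write an openssl index.txt-style database for the ocsp responder, plus the
# matching .attr file.  Fields are tab-separated (written with printf so the
# separators are explicit rather than invisible tabs in a heredoc):
#   0: Revoked/Expired/Valid letter
#   1: Expiry date (ASN1_UTCTIME)
#   2: Revocation date (empty for valid entries)
#   3: Serial no. (hex, unique) - derived from the decimal clica -s value
#   4: file
#   5: DN
# Arguments: $1 - output file
#            $2 - status letter (V or R)
#            $3 - revocation-date field ('' for valid entries)
#            $4 - issuer name used in the CN suffix (e.g. example.com)
#            $@ - remaining args as pairs: <server-name> <decimal-serial> ...
#######################################
write_ocsp_index() {
  local out=$1 status=$2 revoked=$3 iname=$4
  shift 4
  local name serial
  : >"$out"
  while (( $# >= 2 )); do
    name=$1 serial=$2
    shift 2
    printf '%s\t%s\t%s\t%x\tunknown\tCN=%s.%s\n' \
      "$status" "$OCSP_INDEX_EXPIRY" "$revoked" "$serial" "$name" "$iname" >>"$out"
  done
  echo "unique_subject = yes" >"$out.attr"
}

#######################################
# Produce one OCSP response for a pre-built request.
# Arguments: $1 - index file (selects the status reported for the cert)
#            $2 - response validity in days (-ndays)
#            $3 - request file (-reqin)
#            $4 - response output file (-respout)
#            $5 - responder cert (-rsigner)
#            $6 - responder key (-rkey)
#            $7 - issuing CA cert (-CA)
#            $@ - any further openssl ocsp options (e.g. -resp_no_certs)
#######################################
ocsp_response() {
  local index=$1 ndays=$2 req=$3 out=$4 rsigner=$5 rkey=$6 ca=$7
  shift 7
  openssl ocsp -index "$index" -rsigner "$rsigner" -rkey "$rkey" -CA "$ca" "$@" -noverify \
    -ndays "$ndays" -reqin "$req" -respout "$out"
}

#######################################
# Generate a CRL with crlutil and convert it to PEM.
# Arguments: $1 - CA directory (NSS db with pwdfile)
#            $2 - base name: writes $1/<base>.in.txt, $1/<base> (DER), $1/<base>.pem
#            $@ - decimal serials to list as revoked (none for an empty CRL)
#######################################
make_crl() {
  local cadir=$1 base=$2
  shift 2
  local crlin=$cadir/$base.in.txt datenow serial
  datenow=$(date -u +%Y%m%d%H%M%SZ)
  {
    echo "update=$datenow "
    for serial in "$@"; do
      echo "addcert $serial $datenow"
    done
  } >"$crlin"
  crlutil -G -d "$cadir" -f "$cadir/pwdfile" \
    -n 'Signing Cert rsa' -c "$crlin" -o "$cadir/$base"
  openssl crl -in "$cadir/$base" -inform der -out "$cadir/$base.pem"
}

###############################################################################
# Main suite: RSA certs
# Server cert names and their decimal serials (clica -s).  The OCSP index
# files and the v2 CRL below refer to these same serials.
readonly rsa_servers=(server1 revoked1 expired1 server2 revoked2 expired2)
readonly rsa_serials=(101 102 103 201 202 203)

for tld in com org net; do
  iname="example.$tld"
  idir=$iname

  ####
  # create CAs & server certs
  rm -fr "$idir"

  # create CA cert + templates
  clica "${V[@]}" -D "$idir" -p password -B 1024 -I -N "$iname" -F \
    -C "http://crl.$iname/latest.crl" -O "http://oscp.$iname/"

  # create server certs
  # -m <months>; the expired* certs get one month so they have lapsed by the
  # time the suite uses them.  The SAN list is quoted so '*' is not globbed.
  clica "${V[@]}" -D "$idir" -p password -s 101 -S "server1.$iname" -m 301 \
    -8 "alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex"
  clica "${V[@]}" -D "$idir" -p password -s 102 -S "revoked1.$iname" -m 301
  clica "${V[@]}" -D "$idir" -p password -s 103 -S "expired1.$iname" -m 1
  clica "${V[@]}" -D "$idir" -p password -s 201 -S "server2.$iname" -m 301
  clica "${V[@]}" -D "$idir" -p password -s 202 -S "revoked2.$iname" -m 301
  clica "${V[@]}" -D "$idir" -p password -s 203 -S "expired2.$iname" -m 1

  ####
  # leaf-first chain file for server1
  make_fullchain "$idir/server1.$iname" "server1.$iname"

  ####
  # generate unlocked keys and client cert bundles
  for server in "${rsa_servers[@]}"; do
    unlock_and_chain rsa "$idir/$server.$iname" "$server.$iname" "$iname/CA/Signer.pem"
  done

  ####
  # create OCSP reqs & resps
  CADIR=$idir/CA
  # give ourselves an OCSP key to work with, and the Signer's own key for the
  # responses signed directly by the CA
  export_nss_key "$CADIR" 'OCSP Signer rsa' OCSP
  export_nss_key "$CADIR" 'Signing Cert rsa' Signer

  # create some index files for the ocsp responder to work with: one marking
  # every cert valid, one marking every cert revoked (the index chosen per
  # response decides the status reported)
  index_args=()
  for i in "${!rsa_servers[@]}"; do
    index_args+=("${rsa_servers[i]}" "${rsa_serials[i]}")
  done
  write_ocsp_index "$CADIR/index.valid.txt" V '' "$iname" "${index_args[@]}"
  write_ocsp_index "$CADIR/index.revoked.txt" R '100201142709Z,superseded' "$iname" "${index_args[@]}"

  # Now create all the ocsp requests and responses
  IVALID=$CADIR/index.valid.txt
  IREVOKED=$CADIR/index.revoked.txt
  for server in "${rsa_servers[@]}"; do
    SPFX=$idir/$server.$iname/$server.$iname
    REQ=$SPFX.ocsp.req
    openssl ocsp -issuer "$CADIR/Signer.pem" -sha256 -cert "$SPFX.pem" -no_nonce -reqout "$REQ"

    # signed by the dedicated OCSP responder cert
    ocsp_response "$IVALID" 3652 "$REQ" "$SPFX.ocsp.good.resp" \
      "$CADIR/OCSP.pem" "$CADIR/OCSP.key" "$CADIR/Signer.pem"
    ocsp_response "$IVALID" 30 "$REQ" "$SPFX.ocsp.dated.resp" \
      "$CADIR/OCSP.pem" "$CADIR/OCSP.key" "$CADIR/Signer.pem"
    ocsp_response "$IREVOKED" 3652 "$REQ" "$SPFX.ocsp.revoked.resp" \
      "$CADIR/OCSP.pem" "$CADIR/OCSP.key" "$CADIR/Signer.pem"

    # also need variation from Signer: signed directly by the CA Signer cert
    ocsp_response "$IVALID" 3652 "$REQ" "$SPFX.ocsp.signer.good.resp" \
      "$CADIR/Signer.pem" "$CADIR/Signer.key" "$CADIR/Signer.pem"
    ocsp_response "$IVALID" 30 "$REQ" "$SPFX.ocsp.signer.dated.resp" \
      "$CADIR/Signer.pem" "$CADIR/Signer.key" "$CADIR/Signer.pem"
    ocsp_response "$IREVOKED" 3652 "$REQ" "$SPFX.ocsp.signer.revoked.resp" \
      "$CADIR/Signer.pem" "$CADIR/Signer.key" "$CADIR/Signer.pem"

    # as above, but without the signer cert embedded in the response
    ocsp_response "$IVALID" 3652 "$REQ" "$SPFX.ocsp.signernocert.good.resp" \
      "$CADIR/Signer.pem" "$CADIR/Signer.key" "$CADIR/Signer.pem" -resp_no_certs
    ocsp_response "$IVALID" 30 "$REQ" "$SPFX.ocsp.signernocert.dated.resp" \
      "$CADIR/Signer.pem" "$CADIR/Signer.key" "$CADIR/Signer.pem" -resp_no_certs
    ocsp_response "$IREVOKED" 3652 "$REQ" "$SPFX.ocsp.signernocert.revoked.resp" \
      "$CADIR/Signer.pem" "$CADIR/Signer.key" "$CADIR/Signer.pem" -resp_no_certs
  done
  ####
done

# Create one EC leaf cert in the RSA cert tree. It will have an EC pubkey but
# be signed using its parent, therefore its parent's algo, RSA.
clica "${V[@]}" -D example.com -p password -k ec -q nistp521 -s 1101 -S server1_ec.example.com -m 301 \
  -8 'server1.example.com,*.test.ex'
unlock_and_chain ec example.com/server1_ec.example.com server1_ec.example.com example.com/CA/Signer.pem


###############################################################################
# Limited suite: EC certs
# separate trust root & chain
# .com only, server1 good only, a single good OCSP response
# with server1 in SAN of leaf

for tld in com; do
  iname="example_ec.$tld"
  idir=$iname

  ####
  # create CAs & server certs
  rm -fr "$idir"

  # create CA cert + templates
  clica "${V[@]}" -D "$idir" -p password -B 1024 -I -N "$iname" -F \
    -k ec -q nistp521 \
    -C "http://crl.example.$tld/latest.crl" -O "http://oscp.example.$tld/"

  # create server certs
  # -m <months>
  clica "${V[@]}" -D "$idir" -p password -s 2101 -S "server1.$iname" -m 301 \
    -k ec -q nistp521 \
    -8 "server1.example.$tld,alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex"

  ####
  # leaf-first chain file for server1
  make_fullchain "$idir/server1.$iname" "server1.$iname"

  ####
  # generate unlocked keys and client cert bundles
  # NOTE(review): the chain file appends the RSA tree's Signer
  # (example.$tld/CA/Signer.pem), not this tree's own $idir/CA/Signer.pem,
  # despite the "separate trust root & chain" heading above.  Kept as found;
  # confirm whether that is intended.
  for server in server1; do
    unlock_and_chain ec "$idir/$server.$iname" "$server.$iname" "example.$tld/CA/Signer.pem"
  done

  ####
  # create OCSP reqs & resps
  CADIR=$idir/CA
  # give ourselves an OCSP key to work with
  export_nss_key "$CADIR" 'OCSP Signer ec' OCSP

  # index file for the ocsp responder.  The serial is derived from the
  # clica -s value (2101 -> 835 hex); the previous hand-written index listed
  # 65, which is server1's serial in the RSA tree and does not match this
  # cert, so lookups for it would not find a matching entry.
  write_ocsp_index "$CADIR/index.valid.txt" V '' "$iname" server1 2101

  # Now create the ocsp request and response
  IVALID=$CADIR/index.valid.txt
  for server in server1; do
    SPFX=$idir/$server.$iname/$server.$iname
    REQ=$SPFX.ocsp.req
    openssl ocsp -issuer "$CADIR/Signer.pem" -sha256 -cert "$SPFX.pem" -no_nonce -reqout "$REQ"
    ocsp_response "$IVALID" 3652 "$REQ" "$SPFX.ocsp.good.resp" \
      "$CADIR/OCSP.pem" "$CADIR/OCSP.key" "$CADIR/Signer.pem"
  done
  ####
done

###############################################################################

echo 'Please to reset date to now.'
echo 'service ntpdate start (not on a systemd though...)'
echo
echo 'Then hit return'
read -r junk


# Create CRL files in .der and .pem
# empty versions, and ones with the revoked servers
for tld in com org net; do
  make_crl "example.$tld/CA" crl.empty
done
# presumably so the v2 CRL carries a later update time than the empty one
sleep 2
for tld in com org net; do
  # 102 and 202 are revoked1 and revoked2 (see rsa_serials)
  make_crl "example.$tld/CA" crl.v2 102 202
done

# Finally, a single certificate-directory: subject-hash symlinks to the CA and
# Signer certs (the -CApath layout openssl expects).
(
  cd example.com/server1.example.com
  mkdir -p certdir
  cd certdir
  for f in ../../CA/CA.pem ../../CA/Signer.pem; do
    h=$(openssl x509 -hash -noout -in "$f")
    rm -f "$h.0"
    ln -s "$f" "$h.0"
  done
)

pwd
ls -l

# Normalise permissions on everything generated.  This also makes every
# private key file (including the *.unlocked.key copies) world-readable,
# which is only appropriate because this is test fixture material.
find example* -type d -print0 | xargs -0 chmod 755
find example* -type f -print0 | xargs -0 chmod 644

echo "CA, Certificate, CRL and OSCP Response generation complete"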