[exim.git] / test / aux-fixed / exim-ca / genall

#!/bin/bash
#

set -e
set -x

clica --help >/dev/null 2>&1

echo Ensure time is set to 2012/11/01 12:34
echo use -  date -u 110112342012
echo hit return when ready
read junk
for tld in com org net
do
    idir="example.$tld"
    rm -fr "$idir"
    clica -D "$idir" -p password -B 1024 -I -N example.$tld -F \
	-C http://crl.example.$tld/latest.crl -O http://oscp.example.$tld/

    # -m <months>
    clica -D example.$tld -p password -s 101 -S server1.example.$tld -m 301 \
	-8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
    clica -D example.$tld -p password -s 102 -S revoked1.example.$tld -m 301
    clica -D example.$tld -p password -s 103 -S expired1.example.$tld -m 1
    clica -D example.$tld -p password -s 201 -S  server2.example.$tld -m 301
    clica -D example.$tld -p password -s 202 -S revoked2.example.$tld -m 301
    clica -D example.$tld -p password -s 203 -S expired2.example.$tld -m 1


    # openssl seems to generate a file (ca_chain.pam) in an order it
    # cannot then use (the key applies to the first cert in the file?).
    # Generate a shuffled one.
    cd example.$tld/server1.example.$tld
    openssl pkcs12 -in server1.example.$tld.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
    cat server1.example.$tld.pem cacerts.pem > fullchain.pem
    rm cacerts.pem
    cd ../..
done

# and loop again
for tld in com org net
do
    CADIR=example.$tld/CA
    #give ourselves an OSCP key to work with
    pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key

    # also need variation from Signer
    pk12util -o $CADIR/Signer.p12 -n 'Signing Cert' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/Signer.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/Signer.key

    # create some index files for the ocsp responder to work with
# tab-sep
# 0: Revoked/Expired/Valid letter
# 1: Expiry date (ASN1_UTCTIME)
# 2: Revocation date
# 3: Serial no. (unique)
# 4: file
# 5: DN, index

    cat >$CADIR/index.valid.txt <<EOF
V	130110200751Z		65	unknown	CN=server1.example.$tld
V	130110200751Z		66	unknown	CN=revoked1.example.$tld
V	130110200751Z		67	unknown	CN=expired1.example.$tld
V	130110200751Z		c9	unknown	CN=server2.example.$tld
V	130110200751Z		ca	unknown	CN=revoked2.example.$tld
V	130110200751Z		cb	unknown	CN=expired2.example.$tld
EOF
    cat >$CADIR/index.revoked.txt <<EOF
R	130110200751Z	100201142709Z,superseded	65	unknown	CN=server1.example.$tld
R	130110200751Z	100201142709Z,superseded	66	unknown	CN=revoked1.example.$tld
R	130110200751Z	100201142709Z,superseded	67	unknown	CN=expired1.example.$tld
R	130110200751Z	100201142709Z,superseded	c9	unknown	CN=server2.example.$tld
R	130110200751Z	100201142709Z,superseded	ca	unknown	CN=revoked2.example.$tld
R	130110200751Z	100201142709Z,superseded	cb	unknown	CN=expired2.example.$tld
EOF

    # Now create all the ocsp requests and responses
    for server in server1 revoked1 expired1 server2 revoked2 expired2
    do
	SPFX=example.$tld/$server.example.$tld/$server.example.$tld
	openssl ocsp -issuer $CADIR/Signer.pem -cert $SPFX.pem -no_nonce -sha256 -reqout $SPFX.ocsp.req

	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.good.resp
	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 30   -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.dated.resp
	openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.revoked.resp

	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -noverify"
	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signer.good.resp
	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 30   -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signer.dated.resp
	openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signer.revoked.resp

	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -resp_no_certs -noverify"
	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signernocert.good.resp
	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 30   -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signernocert.dated.resp
	openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signernocert.revoked.resp
    done
done

# and loop again to generate unlocked keys and client cert bundles
for tld in com org net
do
    for server in server1 revoked1 expired1 server2 revoked2 expired2
    do
	SDIR=example.$tld/$server.example.$tld
	SPFX=$SDIR/$server.example.$tld
	openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	cat $SPFX.pem example.$tld/CA/Signer.pem >$SPFX.chain.pem
    done
done

echo Please to reset date to now.
echo 'service ntpdate start (not on a systemd though...)'
echo 
echo Then hit return
read junk

# Create CRL files in .der and .pem
# empty versions, and ones with the revoked servers
for tld in com org net
do
    CADIR=example.$tld/CA
    CRLIN=$CADIR/crl.empty.in.txt
    DATENOW=`date -u +%Y%m%d%H%M%SZ`
    echo "update=$DATENOW " >$CRLIN
    crlutil -G -d $CADIR -f $CADIR/pwdfile \
	-n 'Signing Cert' -c $CRLIN -o $CADIR/crl.empty
    openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
done
sleep 2
for tld in com org net
do
    CADIR=example.$tld/CA
    CRLIN=$CADIR/crl.v2.in.txt
    DATENOW=`date -u +%Y%m%d%H%M%SZ`
    echo "update=$DATENOW " >$CRLIN
    echo "addcert 102 $DATENOW" >>$CRLIN
    echo "addcert 202 $DATENOW" >>$CRLIN
    crlutil -G -d $CADIR -f $CADIR/pwdfile \
	-n 'Signing Cert' -c $CRLIN -o $CADIR/crl.v2
    openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
done

# Finally, a single certificate-directory
cd example.com/server1.example.com
mkdir -p certdir
cd certdir
f=../../CA/CA.pem
h=`openssl x509 -hash -noout -in $f`
rm -f $h.0
ln -s $f $h.0
f=../../CA/Signer.pem
h=`openssl x509 -hash -noout -in $f`
rm -f $h.0
ln -s $f $h.0
cd ../../..

pwd
ls -l

find example.* -type d -print0 | xargs -0 chmod 755
find example.* -type f -print0 | xargs -0 chmod 644

echo "CA, Certificate, CRL and OSCP Response generation complete"
Commit	Line	Data
f5d78688 JH	1	#!/bin/bash
	2	#
	3
f2f2c91b JH	4	set -e
	5	set -x
	6
74e2fb4b JH	7	clica --help >/dev/null 2>&1
74e2fb4b JH	8
f5d78688 JH	9	echo Ensure time is set to 2012/11/01 12:34
	10	echo use - date -u 110112342012
	11	echo hit return when ready
	12	read junk
	13	for tld in com org net
	14	do
f2f2c91b JH	15	idir="example.$tld"
	16	rm -fr "$idir"
	17	clica -D "$idir" -p password -B 1024 -I -N example.$tld -F \
74e2fb4b	18	-C http://crl.example.$tld/latest.crl -O http://oscp.example.$tld/
2b4a568d	19
73ef9378 JH	20	# -m <months>
73ef9378 JH	21	clica -D example.$tld -p password -s 101 -S server1.example.$tld -m 301 \
f2f2c91b	22	-8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
73ef9378	23	clica -D example.$tld -p password -s 102 -S revoked1.example.$tld -m 301
f5d78688	24	clica -D example.$tld -p password -s 103 -S expired1.example.$tld -m 1
73ef9378 JH	25	clica -D example.$tld -p password -s 201 -S server2.example.$tld -m 301
73ef9378 JH	26	clica -D example.$tld -p password -s 202 -S revoked2.example.$tld -m 301
f5d78688	27	clica -D example.$tld -p password -s 203 -S expired2.example.$tld -m 1
82525c6f JH	28
	29
	30	# openssl seems to generate a file (ca_chain.pam) in an order it
	31	# cannot then use (the key applies to the first cert in the file?).
	32	# Generate a shuffled one.
	33	cd example.$tld/server1.example.$tld
f2f2c91b JH	34	openssl pkcs12 -in server1.example.$tld.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
f2f2c91b JH	35	cat server1.example.$tld.pem cacerts.pem > fullchain.pem
82525c6f JH	36	rm cacerts.pem
82525c6f JH	37	cd ../..
f5d78688 JH	38	done
	39
	40	# and loop again
	41	for tld in com org net
	42	do
	43	CADIR=example.$tld/CA
	44	#give ourselves an OSCP key to work with
	45	pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer' -d $CADIR -K password -W password
	46	openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key
	47
74e2fb4b JH	48	# also need variation from Signer
	49	pk12util -o $CADIR/Signer.p12 -n 'Signing Cert' -d $CADIR -K password -W password
	50	openssl pkcs12 -in $CADIR/Signer.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/Signer.key
f5d78688 JH	51
f5d78688 JH	52	# create some index files for the ocsp responder to work with
74e2fb4b JH	53	# tab-sep
	54	# 0: Revoked/Expired/Valid letter
	55	# 1: Expiry date (ASN1_UTCTIME)
	56	# 2: Revocation date
	57	# 3: Serial no. (unique)
	58	# 4: file
	59	# 5: DN, index
	60
f5d78688 JH	61	cat >$CADIR/index.valid.txt <<EOF
	62	V 130110200751Z 65 unknown CN=server1.example.$tld
	63	V 130110200751Z 66 unknown CN=revoked1.example.$tld
	64	V 130110200751Z 67 unknown CN=expired1.example.$tld
	65	V 130110200751Z c9 unknown CN=server2.example.$tld
	66	V 130110200751Z ca unknown CN=revoked2.example.$tld
	67	V 130110200751Z cb unknown CN=expired2.example.$tld
	68	EOF
	69	cat >$CADIR/index.revoked.txt <<EOF
	70	R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.example.$tld
	71	R 130110200751Z 100201142709Z,superseded 66 unknown CN=revoked1.example.$tld
	72	R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.example.$tld
	73	R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.example.$tld
	74	R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.example.$tld
	75	R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.example.$tld
	76	EOF
	77
	78	# Now create all the ocsp requests and responses
f5d78688 JH	79	for server in server1 revoked1 expired1 server2 revoked2 expired2
	80	do
	81	SPFX=example.$tld/$server.example.$tld/$server.example.$tld
74e2fb4b JH	82	openssl ocsp -issuer $CADIR/Signer.pem -cert $SPFX.pem -no_nonce -sha256 -reqout $SPFX.ocsp.req
	83
	84	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
	85	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.good.resp
	86	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 30 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.dated.resp
	87	openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.revoked.resp
	88
	89	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -noverify"
	90	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signer.good.resp
	91	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 30 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signer.dated.resp
	92	openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signer.revoked.resp
	93
	94	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -resp_no_certs -noverify"
	95	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signernocert.good.resp
	96	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 30 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signernocert.dated.resp
	97	openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signernocert.revoked.resp
f5d78688 JH	98	done
	99	done
	100
	101	# and loop again to generate unlocked keys and client cert bundles
	102	for tld in com org net
	103	do
89f2a269 JH	104	for server in server1 revoked1 expired1 server2 revoked2 expired2
89f2a269 JH	105	do
f5d78688 JH	106	SDIR=example.$tld/$server.example.$tld
	107	SPFX=$SDIR/$server.example.$tld
	108	openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	109	cat $SPFX.pem example.$tld/CA/Signer.pem >$SPFX.chain.pem
	110	done
	111	done
	112
	113	echo Please to reset date to now.
f2f2c91b	114	echo 'service ntpdate start (not on a systemd though...)'
f5d78688 JH	115	echo
	116	echo Then hit return
	117	read junk
	118
	119	# Create CRL files in .der and .pem
	120	# empty versions, and ones with the revoked servers
	121	for tld in com org net
	122	do
	123	CADIR=example.$tld/CA
	124	CRLIN=$CADIR/crl.empty.in.txt
	125	DATENOW=`date -u +%Y%m%d%H%M%SZ`
	126	echo "update=$DATENOW " >$CRLIN
	127	crlutil -G -d $CADIR -f $CADIR/pwdfile \
	128	-n 'Signing Cert' -c $CRLIN -o $CADIR/crl.empty
	129	openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
	130	done
	131	sleep 2
	132	for tld in com org net
	133	do
	134	CADIR=example.$tld/CA
	135	CRLIN=$CADIR/crl.v2.in.txt
	136	DATENOW=`date -u +%Y%m%d%H%M%SZ`
	137	echo "update=$DATENOW " >$CRLIN
	138	echo "addcert 102 $DATENOW" >>$CRLIN
	139	echo "addcert 202 $DATENOW" >>$CRLIN
	140	crlutil -G -d $CADIR -f $CADIR/pwdfile \
	141	-n 'Signing Cert' -c $CRLIN -o $CADIR/crl.v2
	142	openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
	143	done
	144
a7fec7a7 JH	145	# Finally, a single certificate-directory
a7fec7a7 JH	146	cd example.com/server1.example.com
f2f2c91b	147	mkdir -p certdir
a7fec7a7 JH	148	cd certdir
	149	f=../../CA/CA.pem
	150	h=`openssl x509 -hash -noout -in $f`
f2f2c91b	151	rm -f $h.0
a7fec7a7 JH	152	ln -s $f $h.0
	153	f=../../CA/Signer.pem
	154	h=`openssl x509 -hash -noout -in $f`
f2f2c91b	155	rm -f $h.0
a7fec7a7	156	ln -s $f $h.0
f2f2c91b JH	157	cd ../../..
	158
	159	pwd
	160	ls -l
a7fec7a7	161
89f2a269 JH	162	find example.* -type d -print0 \| xargs -0 chmod 755
	163	find example.* -type f -print0 \| xargs -0 chmod 644
	164
f5d78688	165	echo "CA, Certificate, CRL and OSCP Response generation complete"