Increase test CA key sizes from 512 to 1024 to handle TLS1.2 digest sizes.
[exim.git] / test / aux-fixed / exim-ca / genall
1#!/bin/bash
2#
3
4echo Ensure time is set to 2012/11/01 12:34
5echo use - date -u 110112342012
6echo hit return when ready
7read junk
8for tld in com org net
9do
89f2a269 10 clica -D example.$tld -p password -B 1024 -I -N example.$tld -F -C http://crl.example.$tld/latest.crl -O http://oscp/example.$tld/
11 clica -D example.$tld -p password -s 101 -S server1.example.$tld
12 clica -D example.$tld -p password -s 102 -S revoked1.example.$tld
13 clica -D example.$tld -p password -s 103 -S expired1.example.$tld -m 1
14 clica -D example.$tld -p password -s 201 -S server2.example.$tld
15 clica -D example.$tld -p password -s 202 -S revoked2.example.$tld
16 clica -D example.$tld -p password -s 203 -S expired2.example.$tld -m 1
17done
18
19# and loop again
20for tld in com org net
21do
22 CADIR=example.$tld/CA
23 #give ourselves an OSCP key to work with
24 pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer' -d $CADIR -K password -W password
25 openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key
26
27
28 # create some index files for the ocsp responder to work with
29 cat >$CADIR/index.valid.txt <<EOF
30V 130110200751Z 65 unknown CN=server1.example.$tld
31V 130110200751Z 66 unknown CN=revoked1.example.$tld
32V 130110200751Z 67 unknown CN=expired1.example.$tld
33V 130110200751Z c9 unknown CN=server2.example.$tld
34V 130110200751Z ca unknown CN=revoked2.example.$tld
35V 130110200751Z cb unknown CN=expired2.example.$tld
36EOF
37 cat >$CADIR/index.revoked.txt <<EOF
38R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.example.$tld
39R 130110200751Z 100201142709Z,superseded 66 unknown CN=revoked1.example.$tld
40R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.example.$tld
41R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.example.$tld
42R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.example.$tld
43R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.example.$tld
44EOF
45
46 # Now create all the ocsp requests and responses
47 OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
48 for server in server1 revoked1 expired1 server2 revoked2 expired2
49 do
50 SPFX=example.$tld/$server.example.$tld/$server.example.$tld
51 openssl ocsp -issuer $CADIR/Signer.pem -cert $SPFX.pem -reqout $SPFX.ocsp.req
52 openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.good.resp
53 openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 30 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.dated.resp
54 openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.revoked.resp
55 done
56done
57
58# and loop again to generate unlocked keys and client cert bundles
59for tld in com org net
60do
61 for server in server1 revoked1 expired1 server2 revoked2 expired2
62 do
63 SDIR=example.$tld/$server.example.$tld
64 SPFX=$SDIR/$server.example.$tld
65 openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
66 cat $SPFX.pem example.$tld/CA/Signer.pem >$SPFX.chain.pem
67 done
68done
69
70echo Please to reset date to now.
71echo service ntpdate start
72echo
73echo Then hit return
74read junk
75
76# Create CRL files in .der and .pem
77# empty versions, and ones with the revoked servers
78for tld in com org net
79do
80 CADIR=example.$tld/CA
81 CRLIN=$CADIR/crl.empty.in.txt
82 DATENOW=`date -u +%Y%m%d%H%M%SZ`
83 echo "update=$DATENOW " >$CRLIN
84 crlutil -G -d $CADIR -f $CADIR/pwdfile \
85 -n 'Signing Cert' -c $CRLIN -o $CADIR/crl.empty
86 openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
87done
88sleep 2
89for tld in com org net
90do
91 CADIR=example.$tld/CA
92 CRLIN=$CADIR/crl.v2.in.txt
93 DATENOW=`date -u +%Y%m%d%H%M%SZ`
94 echo "update=$DATENOW " >$CRLIN
95 echo "addcert 102 $DATENOW" >>$CRLIN
96 echo "addcert 202 $DATENOW" >>$CRLIN
97 crlutil -G -d $CADIR -f $CADIR/pwdfile \
98 -n 'Signing Cert' -c $CRLIN -o $CADIR/crl.v2
99 openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
100done
101
102find example.* -type d -print0 | xargs -0 chmod 755
103find example.* -type f -print0 | xargs -0 chmod 644
104
f5d78688 105echo "CA, Certificate, CRL and OSCP Response generation complete"
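Review bot: The blanket `find example.* -type f -print0 | xargs -0 chmod 644` at line 103 makes every private key this script writes world-readable, including `$CADIR/OCSP.key` from line 25 and each `$SPFX.unlocked.key` from line 65, and nothing in the file says whether the test harness actually needs that. If it does not, a second pass after line 103 such as `find example.* -type f -name '*.key' -print0 | xargs -0 chmod 600` keeps the 644 default for the certificates, CRLs and OCSP responses while protecting the key material; if it does, a comment stating that the unlocked keys are deliberately readable would stop the next reader from "fixing" it. The `-B 1024` at line 10 is large enough for the TLS 1.2 digest sizes the title mentions but is a modulus size that OpenSSL at security level 2 (the default on several distributions) rejects for RSA, so the fixtures may need regenerating at 2048 bits when the test suite is run against such a build. On style, the two `read junk` prompts should be `read -r junk`, and the unquoted `$CADIR`/`$SPFX` expansions throughout rely on the fixed, space-free `example.$tld` layout, which is worth saying in a one-line comment near the top.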