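#!/bin/bash
#
# Generate the test PKI under example.{com,org,net}/: one CA per TLD, six
# server certificates each, canned OCSP requests/responses, decrypted key
# copies with chain files, and empty/v2 CRLs.
#
# Requires: clica (CA helper), pk12util and crlutil (NSS tools), openssl.
#
# Every generated key uses the fixed passphrase "password".  It is test-fixture
# material only; note that it is passed on command lines (clica -p,
# pk12util -K/-W, openssl -passin/-passout) and so is visible in the process
# list while this runs.
#
# The script is interactive: certificates are issued with the system clock set
# back to 2012-11-01 12:34 UTC (so the validity periods match the fixed dates
# in the OCSP index files), and the CRLs are generated after the clock has
# been reset to the present.

set -eu -o pipefail

tlds=(com org net)

# Server certificates, in the order clica issues them (serials 101 102 103
# 201 202 203).  server_serials holds the same serials in hex, which is the
# form openssl's OCSP index files need.
servers=(server1 revoked1 expired1 server2 revoked2 expired2)
server_serials=(65 66 67 c9 ca cb)

#######################################
# Issue one server certificate from the CA of a TLD.
# Arguments: $1 - tld, $2 - decimal serial, $3 - short host name;
#            any further arguments are passed through to clica
#######################################
issue_server_cert() {
  local tld=$1 serial=$2 host=$3
  shift 3
  clica -D "example.$tld" -p password -s "$serial" -S "$host.example.$tld" "$@"
}

#######################################
# Write an openssl-ca-style index file for the OCSP responder, listing every
# server certificate with the same status.
# Arguments: $1 - status letter (V or R)
#            $2 - revocation field ("" for valid, "date,reason" for revoked)
#            $3 - tld
#            $4 - output path
# Fields are TAB-separated, as openssl's TXT_DB index format requires, so
# they are written with printf rather than a here-document.
#######################################
write_ocsp_index() {
  local status=$1 revocation=$2 tld=$3 out=$4
  local i
  for i in "${!servers[@]}"; do
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$status" 130110200751Z "$revocation" \
      "${server_serials[$i]}" unknown "CN=${servers[$i]}.example.$tld"
  done >"$out"
}

#######################################
# Generate one CRL (DER via crlutil, then a PEM copy via openssl).
# Arguments: $1 - CA directory, $2 - CRL name (crl.<name>[.pem]);
#            remaining arguments are decimal serials to list as revoked
#######################################
gen_crl() {
  local cadir=$1 name=$2
  shift 2
  local crlin=$cadir/crl.$name.in.txt
  local datenow serial
  datenow=$(date -u '+%Y%m%d%H%M%SZ')
  {
    # crlutil script: thisUpdate, then one addcert per revoked serial.
    printf 'update=%s \n' "$datenow"
    for serial in "$@"; do
      printf 'addcert %s %s\n' "$serial" "$datenow"
    done
  } >"$crlin"
  crlutil -G -d "$cadir" -f "$cadir/pwdfile" \
    -n 'Signing Cert' -c "$crlin" -o "$cadir/crl.$name"
  openssl crl -in "$cadir/crl.$name" -inform der -out "$cadir/crl.$name.pem"
}

printf '%s\n' 'Ensure time is set to 2012/11/01 12:34'
printf '%s\n' 'use - date -u 110112342012'
printf '%s\n' 'hit return when ready'
read -r _

# CAs and server certificates.
for tld in "${tlds[@]}"; do
  # -B 1024 looks like the key size in bits; if so these are 1024-bit RSA
  # keys, below what current TLS stacks accept by default -- tolerable only
  # for fixtures (confirm against clica's help).  The -C/-O URLs are
  # presumably the CRL and OCSP distribution points written into issued
  # certificates; the "oscp" spelling in the OCSP host is part of the
  # existing fixtures, so it is kept.
  clica -D "example.$tld" -p password -B 1024 -I -N "example.$tld" -F \
    -C "http://crl.example.$tld/latest.crl" -O "http://oscp/example.$tld/"
  # Two sets of three: plain, to-be-revoked and to-be-expired.  -m 1 is what
  # distinguishes the "expired" certs -- presumably a short validity so that
  # they have lapsed once the clock is reset (confirm against clica).
  issue_server_cert "$tld" 101 server1
  issue_server_cert "$tld" 102 revoked1
  issue_server_cert "$tld" 103 expired1 -m 1
  issue_server_cert "$tld" 201 server2
  issue_server_cert "$tld" 202 revoked2
  issue_server_cert "$tld" 203 expired2 -m 1
done

# OCSP: signer key, index files, and three canned responses per certificate.
for tld in "${tlds[@]}"; do
  cadir=example.$tld/CA

  # Export the 'OCSP Signer' key from the CA's NSS database and convert it to
  # an unencrypted PEM key (-nodes) for openssl ocsp to sign with.
  pk12util -o "$cadir/OCSP.p12" -n 'OCSP Signer' -d "$cadir" -K password -W password
  openssl pkcs12 -in "$cadir/OCSP.p12" -passin pass:password -passout pass:password \
    -nodes -nocerts -out "$cadir/OCSP.key"

  # "valid" marks every certificate V; "revoked" marks every certificate R,
  # so that a revoked response can be produced for any of them.
  write_ocsp_index V '' "$tld" "$cadir/index.valid.txt"
  write_ocsp_index R '100201142709Z,superseded' "$tld" "$cadir/index.revoked.txt"

  # Responder options shared by every response: sign with the OCSP signer
  # (OCSP.pem is presumably created by the clica -I step above -- confirm),
  # -CA names the issuer the index describes, -noverify skips verification of
  # the response just produced.
  ogencommon=(-rsigner "$cadir/OCSP.pem" -rkey "$cadir/OCSP.key" -CA "$cadir/Signer.pem" -noverify)
  for server in "${servers[@]}"; do
    spfx=example.$tld/$server.example.$tld/$server.example.$tld
    openssl ocsp -issuer "$cadir/Signer.pem" -cert "$spfx.pem" -reqout "$spfx.ocsp.req"
    # good: valid index, no nextUpdate; dated: valid index with nextUpdate 30
    # days out (-ndays); revoked: from the revoked index.
    openssl ocsp -index "$cadir/index.valid.txt" "${ogencommon[@]}" \
      -reqin "$spfx.ocsp.req" -respout "$spfx.ocsp.good.resp"
    openssl ocsp -index "$cadir/index.valid.txt" "${ogencommon[@]}" -ndays 30 \
      -reqin "$spfx.ocsp.req" -respout "$spfx.ocsp.dated.resp"
    openssl ocsp -index "$cadir/index.revoked.txt" "${ogencommon[@]}" \
      -reqin "$spfx.ocsp.req" -respout "$spfx.ocsp.revoked.resp"
  done
done

# Decrypt each server key (passphrase read from the pwdfile beside it) and
# build a server+issuer chain file.  The *.unlocked.key files are unencrypted
# private keys.
for tld in "${tlds[@]}"; do
  for server in "${servers[@]}"; do
    sdir=example.$tld/$server.example.$tld
    spfx=$sdir/$server.example.$tld
    openssl rsa -in "$spfx.key" -passin "file:$sdir/pwdfile" -out "$spfx.unlocked.key"
    cat "$spfx.pem" "example.$tld/CA/Signer.pem" >"$spfx.chain.pem"
  done
done

printf '%s\n' 'Please to reset date to now.'
printf '%s\n' 'service ntpdate start'
printf '\n'
printf '%s\n' 'Then hit return'
read -r _

# CRLs, generated with the real current time as thisUpdate: an empty one per
# CA, then a "v2" one revoking serials 102 and 202 (revoked1/revoked2).
for tld in "${tlds[@]}"; do
  gen_crl "example.$tld/CA" empty
done
# Presumably so the v2 CRLs carry a strictly later thisUpdate than the empty ones.
sleep 2
for tld in "${tlds[@]}"; do
  gen_crl "example.$tld/CA" v2 102 202
done

# Make the whole tree world-readable: 755 on directories and 644 on every
# file -- which includes the unencrypted *.unlocked.key and OCSP.key files
# and the pwdfiles.  Acceptable only for disposable test fixtures.
find example.* -type d -exec chmod 755 -- {} +
find example.* -type f -exec chmod 644 -- {} +

echo "CA, Certificate, CRL and OSCP Response generation complete"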