[exim.git] / test / aux-fixed / exim-ca / genall

#!/bin/bash
#

set -e

# Debugging.  Set V for clica verbosity.
set -x
#V=
V='-v'

clica --help >/dev/null 2>&1

echo Ensure time is set to 2012/11/01 12:34
echo use -  date -u 110112342012
echo hit return when ready
read junk

# Main suite: RSA certs
for tld in com org net
do
    iname="example.$tld"
    idir=$iname

####
    # create CAs & server certs
    rm -fr "$idir"

    # create CA cert + templates
    clica $V -D "$idir" -p password -B 2048 -I -N $iname -F -C http://crl.$iname/latest.crl -O http://oscp.$iname/

    # create server certs
    # -m <months>
    clica $V -D $idir -p password -s 101 -S server1.$iname -m 301 \
	-8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
    clica $V -D $idir -p password -s 102 -S revoked1.$iname -m 301
    clica $V -D $idir -p password -s 103 -S expired1.$iname -m 1

    clica $V -D $idir -p password -s 201 -S  server2.$iname -m 301 \
	-3 'CN=clica CA rsa,O=example.com' -8 '*.test.ex'
    clica $V -D $idir -p password -s 202 -S revoked2.$iname -m 301
    clica $V -D $idir -p password -s 203 -S expired2.$iname -m 1

####

    # openssl seems to generate a file (ca_chain.pam) in an order it
    # cannot then use (the key applies to the first cert in the file?).
    # Generate a shuffled one.
    for n in 1 2
    do
      cd $idir/server$n.$iname
        openssl pkcs12 -in server$n.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
        cat server$n.$iname.pem cacerts.pem > fullchain.pem
        rm cacerts.pem
      cd ../..
    done

####

    # generate unlocked keys and client cert bundles
    for server in server1 revoked1 expired1 server2 revoked2 expired2
    do
	SDIR=$idir/$server.$iname
	SPFX=$SDIR/$server.$iname
	openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	cat $SPFX.pem $iname/CA/Signer.pem >$SPFX.chain.pem
    done

####

    # create OCSP reqs & resps
    CADIR=$idir/CA
    #give ourselves an OSCP key to work with
    pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer rsa' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key

    # also need variation from Signer
    pk12util -o $CADIR/Signer.p12 -n 'Signing Cert rsa' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/Signer.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/Signer.key

    # create some index files for the ocsp responder to work with
# tab-sep
# 0: Revoked/Expired/Valid letter
# 1: Expiry date (ASN1_UTCTIME)
# 2: Revocation date
# 3: Serial no. (unique)
# 4: file
# 5: DN, index

    cat >$CADIR/index.valid.txt <<EOF
V	130110200751Z		65	unknown	CN=server1.$iname
V	130110200751Z		66	unknown	CN=revoked1.$iname
V	130110200751Z		67	unknown	CN=expired1.$iname
V	130110200751Z		c9	unknown	CN=server2.$iname
V	130110200751Z		ca	unknown	CN=revoked2.$iname
V	130110200751Z		cb	unknown	CN=expired2.$iname
EOF
    cat >$CADIR/index.revoked.txt <<EOF
R	130110200751Z	100201142709Z,superseded	65	unknown	CN=server1.$iname
R	130110200751Z	100201142709Z,superseded	66	unknown	CN=revoked1.$iname
R	130110200751Z	100201142709Z,superseded	67	unknown	CN=expired1.$iname
R	130110200751Z	100201142709Z,superseded	c9	unknown	CN=server2.$iname
R	130110200751Z	100201142709Z,superseded	ca	unknown	CN=revoked2.$iname
R	130110200751Z	100201142709Z,superseded	cb	unknown	CN=expired2.$iname
EOF

    # Now create all the ocsp requests and responses
    IVALID="-index $CADIR/index.valid.txt"
    IREVOKED="-index $CADIR/index.revoked.txt"

    echo "unique_subject = yes" > $CADIR/index.valid.txt.attr
    echo "unique_subject = yes" > $CADIR/index.revoked.txt.attr

    for server in server1 revoked1 expired1 server2 revoked2 expired2
    do
	SPFX=$idir/$server.$iname/$server.$iname
	openssl ocsp -issuer $CADIR/Signer.pem -sha256 -cert $SPFX.pem -no_nonce -reqout $SPFX.ocsp.req
	REQIN="-reqin $SPFX.ocsp.req"

	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.good.resp
	openssl ocsp $IVALID   $OGENCOMMON -ndays 30   $REQIN -respout $SPFX.ocsp.dated.resp
	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.revoked.resp

	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -noverify"
	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signer.good.resp
	openssl ocsp $IVALID   $OGENCOMMON -ndays 30   $REQIN -respout $SPFX.ocsp.signer.dated.resp
	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signer.revoked.resp

	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -resp_no_certs -noverify"
	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signernocert.good.resp
	openssl ocsp $IVALID   $OGENCOMMON -ndays 30   $REQIN -respout $SPFX.ocsp.signernocert.dated.resp
	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signernocert.revoked.resp
    done
####
done

# Create one EC leaf cert in the RSA cert tree.  It will have an EC pubkey but be signed using its parent
# therefore its parent's algo, RSA.
clica $V -D example.com -p password -k ec -q nistp521 -s 1101 -S server1_ec.example.com -m 301 -8 'server1.example.com,*.test.ex'
SDIR=example.com/server1_ec.example.com
SPFX=$SDIR/server1_ec.example.com
openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
cat $SPFX.pem example.com/CA/Signer.pem >$SPFX.chain.pem


###############################################################################
# Limited suite: EC certs
# separate trust root & chain
# .com only, server1 good only, no ocsp
# with server1 in SAN of leaf

for tld in com
do
    iname="example_ec.$tld"
    idir=$iname

####
    # create CAs & server certs
    rm -fr "$idir"

    # create CA cert + templates
    clica $V -D "$idir" -p password -B 2048 -I -N $iname -F \
	-k ec -q nistp521 \
	-C http://crl.example.$tld/latest.crl -O http://oscp.example.$tld/

    # create server certs
    # -m <months>
    clica $V -D $idir -p password -s 2101 -S server1.$iname -m 301 \
	-k ec -q nistp521 \
	-8 server1.example.$tld,alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex

####

    # openssl seems to generate a file (ca_chain.pam) in an order it
    # cannot then use (the key applies to the first cert in the file?).
    # Generate a shuffled one.
    cd $idir/server1.$iname
        openssl pkcs12 -in server1.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
        cat server1.$iname.pem cacerts.pem > fullchain.pem
        rm cacerts.pem
    cd ../..

####

    # generate unlocked keys and client cert bundles
    for server in server1
    do
	SDIR=$idir/$server.$iname
	SPFX=$SDIR/$server.$iname
	openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	cat $SPFX.pem $idir/CA/Signer.pem >$SPFX.chain.pem
    done

####
    # create OCSP reqs & resps
    CADIR=$idir/CA
    #give ourselves an OSCP key to work with
    pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer ec' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key

    # create some index files for the ocsp responder to work with
# tab-sep
# 0: Revoked/Expired/Valid letter
# 1: Expiry date (ASN1_UTCTIME)
# 2: Revocation date
# 3: Serial no. (unique)
# 4: file
# 5: DN, index

    cat >$CADIR/index.valid.txt <<EOF
V	130110200751Z		65	unknown	CN=server1.$iname
EOF

    # Now create all the ocsp requests and responses
    IVALID="-index $CADIR/index.valid.txt"
    for server in server1
    do
	SPFX=$idir/$server.$iname/$server.$iname
	openssl ocsp -issuer $CADIR/Signer.pem -sha256 -cert $SPFX.pem -no_nonce -reqout $SPFX.ocsp.req
	REQIN="-reqin $SPFX.ocsp.req"

	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.good.resp
    done
####
done

###############################################################################

echo Please to reset date to now.
echo 'service ntpdate start (not on a systemd though...)'
echo 
echo Then hit return
read junk


# Create CRL files in .der and .pem
# empty versions, and ones with the revoked servers
DATENOW=`date -u +%Y%m%d%H%M%SZ`
for tld in com org net
do
    CADIR=example.$tld/CA
    CRLIN=$CADIR/crl.empty.in.txt
    echo "update=$DATENOW " >$CRLIN
    crlutil -G -d $CADIR -f $CADIR/pwdfile \
	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.empty
    openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
done
sleep 2
DATENOW=`date -u +%Y%m%d%H%M%SZ`
for tld in com org net
do
    CADIR=example.$tld/CA
    CRLIN=$CADIR/crl.v2.in.txt
    echo "update=$DATENOW " >$CRLIN
    echo "addcert 102 $DATENOW" >>$CRLIN
    echo "addcert 202 $DATENOW" >>$CRLIN
    crlutil -G -d $CADIR -f $CADIR/pwdfile \
	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.v2
    openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem

    CRLIN=$CADIR/crl.Signer.in.txt
    echo "update=$DATENOW " >$CRLIN
    crlutil -G -d $CADIR -f $CADIR/pwdfile \
	-n 'Certificate Authority rsa' -c $CRLIN -o $CADIR/crl.Signer
    openssl crl -in $CADIR/crl.Signer -inform der -out $CADIR/crl.Signer.pem

    cat $CADIR/crl.Signer.pem $CADIR/crl.v2.pem > $CADIR/crl.chain.pem
done

# Finally, a single certificate-directory
cd example.com/server1.example.com
mkdir -p certdir
cd certdir
f=../../CA/CA.pem
h=`openssl x509 -hash -noout -in $f`
rm -f $h.0
ln -s $f $h.0
f=../../CA/Signer.pem
h=`openssl x509 -hash -noout -in $f`
rm -f $h.0
ln -s $f $h.0
cd ../../..

pwd
ls -l

find example* -type d -print0 | xargs -0 chmod 755
find example* -type f -print0 | xargs -0 chmod 644

echo "CA, Certificate, CRL and OSCP Response generation complete"
Commit	Line	Data
f5d78688 JH	1	#!/bin/bash
	2	#
	3
f2f2c91b	4	set -e
ba86e143 JH	5
ba86e143 JH	6	# Debugging. Set V for clica verbosity.
854586e1 JH	7	set -x
	8	#V=
	9	V='-v'
f2f2c91b	10
74e2fb4b JH	11	clica --help >/dev/null 2>&1
74e2fb4b JH	12
f5d78688 JH	13	echo Ensure time is set to 2012/11/01 12:34
	14	echo use - date -u 110112342012
	15	echo hit return when ready
	16	read junk
ba86e143 JH	17
ba86e143 JH	18	# Main suite: RSA certs
f5d78688 JH	19	for tld in com org net
f5d78688 JH	20	do
ba86e143 JH	21	iname="example.$tld"
	22	idir=$iname
	23
	24	####
	25	# create CAs & server certs
f2f2c91b	26	rm -fr "$idir"
2b4a568d	27
ba86e143	28	# create CA cert + templates
a7a1ad14	29	clica $V -D "$idir" -p password -B 2048 -I -N $iname -F -C http://crl.$iname/latest.crl -O http://oscp.$iname/
ba86e143 JH	30
ba86e143 JH	31	# create server certs
73ef9378	32	# -m <months>
ba86e143	33	clica $V -D $idir -p password -s 101 -S server1.$iname -m 301 \
f2f2c91b	34	-8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
ba86e143 JH	35	clica $V -D $idir -p password -s 102 -S revoked1.$iname -m 301
ba86e143 JH	36	clica $V -D $idir -p password -s 103 -S expired1.$iname -m 1
854586e1 JH	37
	38	clica $V -D $idir -p password -s 201 -S server2.$iname -m 301 \
	39	-3 'CN=clica CA rsa,O=example.com' -8 '*.test.ex'
ba86e143 JH	40	clica $V -D $idir -p password -s 202 -S revoked2.$iname -m 301
ba86e143 JH	41	clica $V -D $idir -p password -s 203 -S expired2.$iname -m 1
82525c6f	42
ba86e143	43	####
82525c6f JH	44
	45	# openssl seems to generate a file (ca_chain.pam) in an order it
	46	# cannot then use (the key applies to the first cert in the file?).
	47	# Generate a shuffled one.
854586e1 JH	48	for n in 1 2
	49	do
	50	cd $idir/server$n.$iname
	51	openssl pkcs12 -in server$n.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
	52	cat server$n.$iname.pem cacerts.pem > fullchain.pem
ba86e143	53	rm cacerts.pem
854586e1 JH	54	cd ../..
854586e1 JH	55	done
f5d78688	56
ba86e143 JH	57	####
	58
	59	# generate unlocked keys and client cert bundles
	60	for server in server1 revoked1 expired1 server2 revoked2 expired2
	61	do
	62	SDIR=$idir/$server.$iname
	63	SPFX=$SDIR/$server.$iname
	64	openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	65	cat $SPFX.pem $iname/CA/Signer.pem >$SPFX.chain.pem
	66	done
	67
	68	####
	69
	70	# create OCSP reqs & resps
	71	CADIR=$idir/CA
f5d78688	72	#give ourselves an OSCP key to work with
ba86e143	73	pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer rsa' -d $CADIR -K password -W password
f5d78688 JH	74	openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key
f5d78688 JH	75
74e2fb4b	76	# also need variation from Signer
ba86e143	77	pk12util -o $CADIR/Signer.p12 -n 'Signing Cert rsa' -d $CADIR -K password -W password
74e2fb4b	78	openssl pkcs12 -in $CADIR/Signer.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/Signer.key
f5d78688 JH	79
f5d78688 JH	80	# create some index files for the ocsp responder to work with
74e2fb4b JH	81	# tab-sep
	82	# 0: Revoked/Expired/Valid letter
	83	# 1: Expiry date (ASN1_UTCTIME)
	84	# 2: Revocation date
	85	# 3: Serial no. (unique)
	86	# 4: file
	87	# 5: DN, index
	88
f5d78688	89	cat >$CADIR/index.valid.txt <<EOF
ba86e143 JH	90	V 130110200751Z 65 unknown CN=server1.$iname
	91	V 130110200751Z 66 unknown CN=revoked1.$iname
	92	V 130110200751Z 67 unknown CN=expired1.$iname
	93	V 130110200751Z c9 unknown CN=server2.$iname
	94	V 130110200751Z ca unknown CN=revoked2.$iname
	95	V 130110200751Z cb unknown CN=expired2.$iname
f5d78688 JH	96	EOF
f5d78688 JH	97	cat >$CADIR/index.revoked.txt <<EOF
ba86e143 JH	98	R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.$iname
	99	R 130110200751Z 100201142709Z,superseded 66 unknown CN=revoked1.$iname
	100	R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.$iname
	101	R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.$iname
	102	R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.$iname
	103	R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.$iname
f5d78688 JH	104	EOF
	105
	106	# Now create all the ocsp requests and responses
ba86e143 JH	107	IVALID="-index $CADIR/index.valid.txt"
ba86e143 JH	108	IREVOKED="-index $CADIR/index.revoked.txt"
4e0c20cb JH	109
	110	echo "unique_subject = yes" > $CADIR/index.valid.txt.attr
	111	echo "unique_subject = yes" > $CADIR/index.revoked.txt.attr
	112
f5d78688 JH	113	for server in server1 revoked1 expired1 server2 revoked2 expired2
f5d78688 JH	114	do
ba86e143	115	SPFX=$idir/$server.$iname/$server.$iname
4e0c20cb	116	openssl ocsp -issuer $CADIR/Signer.pem -sha256 -cert $SPFX.pem -no_nonce -reqout $SPFX.ocsp.req
ba86e143	117	REQIN="-reqin $SPFX.ocsp.req"
74e2fb4b JH	118
74e2fb4b JH	119	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
4e0c20cb JH	120	openssl ocsp $IVALID $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.good.resp
	121	openssl ocsp $IVALID $OGENCOMMON -ndays 30 $REQIN -respout $SPFX.ocsp.dated.resp
	122	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.revoked.resp
74e2fb4b JH	123
74e2fb4b JH	124	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -noverify"
4e0c20cb JH	125	openssl ocsp $IVALID $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signer.good.resp
	126	openssl ocsp $IVALID $OGENCOMMON -ndays 30 $REQIN -respout $SPFX.ocsp.signer.dated.resp
	127	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signer.revoked.resp
74e2fb4b JH	128
74e2fb4b JH	129	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -resp_no_certs -noverify"
4e0c20cb JH	130	openssl ocsp $IVALID $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signernocert.good.resp
	131	openssl ocsp $IVALID $OGENCOMMON -ndays 30 $REQIN -respout $SPFX.ocsp.signernocert.dated.resp
	132	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signernocert.revoked.resp
f5d78688	133	done
ba86e143	134	####
f5d78688 JH	135	done
f5d78688 JH	136
ba86e143 JH	137	# Create one EC leaf cert in the RSA cert tree. It will have an EC pubkey but be signed using its parent
	138	# therefore its parent's algo, RSA.
	139	clica $V -D example.com -p password -k ec -q nistp521 -s 1101 -S server1_ec.example.com -m 301 -8 'server1.example.com,*.test.ex'
	140	SDIR=example.com/server1_ec.example.com
	141	SPFX=$SDIR/server1_ec.example.com
	142	openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	143	cat $SPFX.pem example.com/CA/Signer.pem >$SPFX.chain.pem
	144
	145
	146
	147	###############################################################################
	148	# Limited suite: EC certs
	149	# separate trust root & chain
	150	# .com only, server1 good only, no ocsp
	151	# with server1 in SAN of leaf
	152
	153	for tld in com
f5d78688	154	do
ba86e143 JH	155	iname="example_ec.$tld"
	156	idir=$iname
	157
	158	####
	159	# create CAs & server certs
	160	rm -fr "$idir"
	161
	162	# create CA cert + templates
a7a1ad14	163	clica $V -D "$idir" -p password -B 2048 -I -N $iname -F \
ba86e143 JH	164	-k ec -q nistp521 \
	165	-C http://crl.example.$tld/latest.crl -O http://oscp.example.$tld/
	166
	167	# create server certs
	168	# -m <months>
	169	clica $V -D $idir -p password -s 2101 -S server1.$iname -m 301 \
	170	-k ec -q nistp521 \
	171	-8 server1.example.$tld,alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
	172
	173	####
	174
	175	# openssl seems to generate a file (ca_chain.pam) in an order it
	176	# cannot then use (the key applies to the first cert in the file?).
	177	# Generate a shuffled one.
	178	cd $idir/server1.$iname
	179	openssl pkcs12 -in server1.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
	180	cat server1.$iname.pem cacerts.pem > fullchain.pem
	181	rm cacerts.pem
	182	cd ../..
	183
	184	####
	185
	186	# generate unlocked keys and client cert bundles
	187	for server in server1
89f2a269	188	do
ba86e143 JH	189	SDIR=$idir/$server.$iname
	190	SPFX=$SDIR/$server.$iname
	191	openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
dc9c8f8b	192	cat $SPFX.pem $idir/CA/Signer.pem >$SPFX.chain.pem
f5d78688	193	done
ba86e143	194
b66afe22 JH	195	####
	196	# create OCSP reqs & resps
	197	CADIR=$idir/CA
	198	#give ourselves an OSCP key to work with
	199	pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer ec' -d $CADIR -K password -W password
	200	openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key
	201
	202	# create some index files for the ocsp responder to work with
	203	# tab-sep
	204	# 0: Revoked/Expired/Valid letter
	205	# 1: Expiry date (ASN1_UTCTIME)
	206	# 2: Revocation date
	207	# 3: Serial no. (unique)
	208	# 4: file
	209	# 5: DN, index
	210
	211	cat >$CADIR/index.valid.txt <<EOF
	212	V 130110200751Z 65 unknown CN=server1.$iname
	213	EOF
	214
	215	# Now create all the ocsp requests and responses
	216	IVALID="-index $CADIR/index.valid.txt"
	217	for server in server1
	218	do
	219	SPFX=$idir/$server.$iname/$server.$iname
	220	openssl ocsp -issuer $CADIR/Signer.pem -sha256 -cert $SPFX.pem -no_nonce -reqout $SPFX.ocsp.req
	221	REQIN="-reqin $SPFX.ocsp.req"
	222
	223	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
	224	openssl ocsp $IVALID $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.good.resp
	225	done
	226	####
f5d78688 JH	227	done
f5d78688 JH	228
ba86e143 JH	229	###############################################################################
ba86e143 JH	230
f5d78688	231	echo Please to reset date to now.
f2f2c91b	232	echo 'service ntpdate start (not on a systemd though...)'
f5d78688 JH	233	echo
	234	echo Then hit return
	235	read junk
	236
ba86e143 JH	237
ba86e143 JH	238
f5d78688 JH	239	# Create CRL files in .der and .pem
f5d78688 JH	240	# empty versions, and ones with the revoked servers
dc9c8f8b	241	DATENOW=`date -u +%Y%m%d%H%M%SZ`
f5d78688 JH	242	for tld in com org net
	243	do
	244	CADIR=example.$tld/CA
	245	CRLIN=$CADIR/crl.empty.in.txt
f5d78688 JH	246	echo "update=$DATENOW " >$CRLIN
f5d78688 JH	247	crlutil -G -d $CADIR -f $CADIR/pwdfile \
ba86e143	248	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.empty
f5d78688 JH	249	openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
	250	done
	251	sleep 2
dc9c8f8b	252	DATENOW=`date -u +%Y%m%d%H%M%SZ`
f5d78688 JH	253	for tld in com org net
	254	do
	255	CADIR=example.$tld/CA
	256	CRLIN=$CADIR/crl.v2.in.txt
f5d78688 JH	257	echo "update=$DATENOW " >$CRLIN
	258	echo "addcert 102 $DATENOW" >>$CRLIN
	259	echo "addcert 202 $DATENOW" >>$CRLIN
	260	crlutil -G -d $CADIR -f $CADIR/pwdfile \
ba86e143	261	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.v2
f5d78688	262	openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
dc9c8f8b JH	263
	264	CRLIN=$CADIR/crl.Signer.in.txt
	265	echo "update=$DATENOW " >$CRLIN
	266	crlutil -G -d $CADIR -f $CADIR/pwdfile \
	267	-n 'Certificate Authority rsa' -c $CRLIN -o $CADIR/crl.Signer
	268	openssl crl -in $CADIR/crl.Signer -inform der -out $CADIR/crl.Signer.pem
	269
	270	cat $CADIR/crl.Signer.pem $CADIR/crl.v2.pem > $CADIR/crl.chain.pem
f5d78688 JH	271	done
f5d78688 JH	272
a7fec7a7 JH	273	# Finally, a single certificate-directory
a7fec7a7 JH	274	cd example.com/server1.example.com
f2f2c91b	275	mkdir -p certdir
a7fec7a7 JH	276	cd certdir
	277	f=../../CA/CA.pem
	278	h=`openssl x509 -hash -noout -in $f`
f2f2c91b	279	rm -f $h.0
a7fec7a7 JH	280	ln -s $f $h.0
	281	f=../../CA/Signer.pem
	282	h=`openssl x509 -hash -noout -in $f`
f2f2c91b	283	rm -f $h.0
a7fec7a7	284	ln -s $f $h.0
f2f2c91b JH	285	cd ../../..
	286
	287	pwd
	288	ls -l
a7fec7a7	289
ba86e143 JH	290	find example* -type d -print0 \| xargs -0 chmod 755
ba86e143 JH	291	find example* -type f -print0 \| xargs -0 chmod 644
89f2a269	292
f5d78688	293	echo "CA, Certificate, CRL and OSCP Response generation complete"