[exim.git] / test / aux-fixed / exim-ca / genall

#!/bin/bash
#

set -e

# Debugging.  Set V for clica verbosity.
#set -x
V=
#V='-v'

clica --help >/dev/null 2>&1

echo Ensure time is set to 2012/11/01 12:34
echo use -  date -u 110112342012
echo hit return when ready
read junk

# Main suite: RSA certs
for tld in com org net
do
    iname="example.$tld"
    idir=$iname

####
    # create CAs & server certs
    rm -fr "$idir"

    # create CA cert + templates
    clica $V -D "$idir" -p password -B 1024 -I -N $iname -F -C http://crl.$iname/latest.crl -O http://oscp.$iname/

    # create server certs
    # -m <months>
    clica $V -D $idir -p password -s 101 -S server1.$iname -m 301 \
	-8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
    clica $V -D $idir -p password -s 102 -S revoked1.$iname -m 301
    clica $V -D $idir -p password -s 103 -S expired1.$iname -m 1
    clica $V -D $idir -p password -s 201 -S  server2.$iname -m 301
    clica $V -D $idir -p password -s 202 -S revoked2.$iname -m 301
    clica $V -D $idir -p password -s 203 -S expired2.$iname -m 1

####

    # openssl seems to generate a file (ca_chain.pam) in an order it
    # cannot then use (the key applies to the first cert in the file?).
    # Generate a shuffled one.
    cd $idir/server1.$iname
        openssl pkcs12 -in server1.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
        cat server1.$iname.pem cacerts.pem > fullchain.pem
        rm cacerts.pem
    cd ../..

####

    # generate unlocked keys and client cert bundles
    for server in server1 revoked1 expired1 server2 revoked2 expired2
    do
	SDIR=$idir/$server.$iname
	SPFX=$SDIR/$server.$iname
	openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	cat $SPFX.pem $iname/CA/Signer.pem >$SPFX.chain.pem
    done

####

    # create OCSP reqs & resps
    CADIR=$idir/CA
    #give ourselves an OSCP key to work with
    pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer rsa' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key

    # also need variation from Signer
    pk12util -o $CADIR/Signer.p12 -n 'Signing Cert rsa' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/Signer.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/Signer.key

    # create some index files for the ocsp responder to work with
# tab-sep
# 0: Revoked/Expired/Valid letter
# 1: Expiry date (ASN1_UTCTIME)
# 2: Revocation date
# 3: Serial no. (unique)
# 4: file
# 5: DN, index

    cat >$CADIR/index.valid.txt <<EOF
V	130110200751Z		65	unknown	CN=server1.$iname
V	130110200751Z		66	unknown	CN=revoked1.$iname
V	130110200751Z		67	unknown	CN=expired1.$iname
V	130110200751Z		c9	unknown	CN=server2.$iname
V	130110200751Z		ca	unknown	CN=revoked2.$iname
V	130110200751Z		cb	unknown	CN=expired2.$iname
EOF
    cat >$CADIR/index.revoked.txt <<EOF
R	130110200751Z	100201142709Z,superseded	65	unknown	CN=server1.$iname
R	130110200751Z	100201142709Z,superseded	66	unknown	CN=revoked1.$iname
R	130110200751Z	100201142709Z,superseded	67	unknown	CN=expired1.$iname
R	130110200751Z	100201142709Z,superseded	c9	unknown	CN=server2.$iname
R	130110200751Z	100201142709Z,superseded	ca	unknown	CN=revoked2.$iname
R	130110200751Z	100201142709Z,superseded	cb	unknown	CN=expired2.$iname
EOF

    # Now create all the ocsp requests and responses
    IVALID="-index $CADIR/index.valid.txt"
    IREVOKED="-index $CADIR/index.revoked.txt"
    for server in server1 revoked1 expired1 server2 revoked2 expired2
    do
	SPFX=$idir/$server.$iname/$server.$iname
	openssl ocsp -issuer $CADIR/Signer.pem -cert $SPFX.pem -no_nonce -sha256 -reqout $SPFX.ocsp.req
	REQIN="-reqin $SPFX.ocsp.req"

	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 -sha256 $REQIN -respout $SPFX.ocsp.good.resp
	openssl ocsp $IVALID   $OGENCOMMON -ndays 30   -sha256 $REQIN -respout $SPFX.ocsp.dated.resp
	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 -sha256 $REQIN -respout $SPFX.ocsp.revoked.resp

	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -noverify"
	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 -sha256 $REQIN -respout $SPFX.ocsp.signer.good.resp
	openssl ocsp $IVALID   $OGENCOMMON -ndays 30   -sha256 $REQIN -respout $SPFX.ocsp.signer.dated.resp
	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 -sha256 $REQIN -respout $SPFX.ocsp.signer.revoked.resp

	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -resp_no_certs -noverify"
	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 -sha256 $REQIN -respout $SPFX.ocsp.signernocert.good.resp
	openssl ocsp $IVALID   $OGENCOMMON -ndays 30   -sha256 $REQIN -respout $SPFX.ocsp.signernocert.dated.resp
	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 -sha256 $REQIN -respout $SPFX.ocsp.signernocert.revoked.resp
    done
####
done

# Create one EC leaf cert in the RSA cert tree.  It will have an EC pubkey but be signed using its parent
# therefore its parent's algo, RSA.
clica $V -D example.com -p password -k ec -q nistp521 -s 1101 -S server1_ec.example.com -m 301 -8 'server1.example.com,*.test.ex'
SDIR=example.com/server1_ec.example.com
SPFX=$SDIR/server1_ec.example.com
openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
cat $SPFX.pem example.com/CA/Signer.pem >$SPFX.chain.pem


###############################################################################
# Limited suite: EC certs
# separate trust root & chain
# .com only, server1 good only, no ocsp
# with server1 in SAN of leaf

for tld in com
do
    iname="example_ec.$tld"
    idir=$iname

####
    # create CAs & server certs
    rm -fr "$idir"

    # create CA cert + templates
    clica $V -D "$idir" -p password -B 1024 -I -N $iname -F \
	-k ec -q nistp521 \
	-C http://crl.example.$tld/latest.crl -O http://oscp.example.$tld/

    # create server certs
    # -m <months>
    clica $V -D $idir -p password -s 2101 -S server1.$iname -m 301 \
	-k ec -q nistp521 \
	-8 server1.example.$tld,alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex

####

    # openssl seems to generate a file (ca_chain.pam) in an order it
    # cannot then use (the key applies to the first cert in the file?).
    # Generate a shuffled one.
    cd $idir/server1.$iname
        openssl pkcs12 -in server1.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
        cat server1.$iname.pem cacerts.pem > fullchain.pem
        rm cacerts.pem
    cd ../..

####

    # generate unlocked keys and client cert bundles
    for server in server1
    do
	SDIR=$idir/$server.$iname
	SPFX=$SDIR/$server.$iname
	openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	cat $SPFX.pem example.$tld/CA/Signer.pem >$SPFX.chain.pem
    done

done

###############################################################################

echo Please to reset date to now.
echo 'service ntpdate start (not on a systemd though...)'
echo 
echo Then hit return
read junk


# Create CRL files in .der and .pem
# empty versions, and ones with the revoked servers
for tld in com org net
do
    CADIR=example.$tld/CA
    CRLIN=$CADIR/crl.empty.in.txt
    DATENOW=`date -u +%Y%m%d%H%M%SZ`
    echo "update=$DATENOW " >$CRLIN
    crlutil -G -d $CADIR -f $CADIR/pwdfile \
	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.empty
    openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
done
sleep 2
for tld in com org net
do
    CADIR=example.$tld/CA
    CRLIN=$CADIR/crl.v2.in.txt
    DATENOW=`date -u +%Y%m%d%H%M%SZ`
    echo "update=$DATENOW " >$CRLIN
    echo "addcert 102 $DATENOW" >>$CRLIN
    echo "addcert 202 $DATENOW" >>$CRLIN
    crlutil -G -d $CADIR -f $CADIR/pwdfile \
	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.v2
    openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
done

# Finally, a single certificate-directory
cd example.com/server1.example.com
mkdir -p certdir
cd certdir
f=../../CA/CA.pem
h=`openssl x509 -hash -noout -in $f`
rm -f $h.0
ln -s $f $h.0
f=../../CA/Signer.pem
h=`openssl x509 -hash -noout -in $f`
rm -f $h.0
ln -s $f $h.0
cd ../../..

pwd
ls -l

find example* -type d -print0 | xargs -0 chmod 755
find example* -type f -print0 | xargs -0 chmod 644

echo "CA, Certificate, CRL and OSCP Response generation complete"
Commit	Line	Data
f5d78688 JH	1	#!/bin/bash
	2	#
	3
f2f2c91b	4	set -e
ba86e143 JH	5
	6	# Debugging. Set V for clica verbosity.
	7	#set -x
	8	V=
	9	#V='-v'
f2f2c91b	10
74e2fb4b JH	11	clica --help >/dev/null 2>&1
74e2fb4b JH	12
f5d78688 JH	13	echo Ensure time is set to 2012/11/01 12:34
	14	echo use - date -u 110112342012
	15	echo hit return when ready
	16	read junk
ba86e143 JH	17
ba86e143 JH	18	# Main suite: RSA certs
f5d78688 JH	19	for tld in com org net
f5d78688 JH	20	do
ba86e143 JH	21	iname="example.$tld"
	22	idir=$iname
	23
	24	####
	25	# create CAs & server certs
f2f2c91b	26	rm -fr "$idir"
2b4a568d	27
ba86e143 JH	28	# create CA cert + templates
	29	clica $V -D "$idir" -p password -B 1024 -I -N $iname -F -C http://crl.$iname/latest.crl -O http://oscp.$iname/
	30
	31	# create server certs
73ef9378	32	# -m <months>
ba86e143	33	clica $V -D $idir -p password -s 101 -S server1.$iname -m 301 \
f2f2c91b	34	-8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
ba86e143 JH	35	clica $V -D $idir -p password -s 102 -S revoked1.$iname -m 301
	36	clica $V -D $idir -p password -s 103 -S expired1.$iname -m 1
	37	clica $V -D $idir -p password -s 201 -S server2.$iname -m 301
	38	clica $V -D $idir -p password -s 202 -S revoked2.$iname -m 301
	39	clica $V -D $idir -p password -s 203 -S expired2.$iname -m 1
82525c6f	40
ba86e143	41	####
82525c6f JH	42
	43	# openssl seems to generate a file (ca_chain.pam) in an order it
	44	# cannot then use (the key applies to the first cert in the file?).
	45	# Generate a shuffled one.
ba86e143 JH	46	cd $idir/server1.$iname
	47	openssl pkcs12 -in server1.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
	48	cat server1.$iname.pem cacerts.pem > fullchain.pem
	49	rm cacerts.pem
82525c6f	50	cd ../..
f5d78688	51
ba86e143 JH	52	####
	53
	54	# generate unlocked keys and client cert bundles
	55	for server in server1 revoked1 expired1 server2 revoked2 expired2
	56	do
	57	SDIR=$idir/$server.$iname
	58	SPFX=$SDIR/$server.$iname
	59	openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	60	cat $SPFX.pem $iname/CA/Signer.pem >$SPFX.chain.pem
	61	done
	62
	63	####
	64
	65	# create OCSP reqs & resps
	66	CADIR=$idir/CA
f5d78688	67	#give ourselves an OSCP key to work with
ba86e143	68	pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer rsa' -d $CADIR -K password -W password
f5d78688 JH	69	openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key
f5d78688 JH	70
74e2fb4b	71	# also need variation from Signer
ba86e143	72	pk12util -o $CADIR/Signer.p12 -n 'Signing Cert rsa' -d $CADIR -K password -W password
74e2fb4b	73	openssl pkcs12 -in $CADIR/Signer.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/Signer.key
f5d78688 JH	74
f5d78688 JH	75	# create some index files for the ocsp responder to work with
74e2fb4b JH	76	# tab-sep
	77	# 0: Revoked/Expired/Valid letter
	78	# 1: Expiry date (ASN1_UTCTIME)
	79	# 2: Revocation date
	80	# 3: Serial no. (unique)
	81	# 4: file
	82	# 5: DN, index
	83
f5d78688	84	cat >$CADIR/index.valid.txt <<EOF
ba86e143 JH	85	V 130110200751Z 65 unknown CN=server1.$iname
	86	V 130110200751Z 66 unknown CN=revoked1.$iname
	87	V 130110200751Z 67 unknown CN=expired1.$iname
	88	V 130110200751Z c9 unknown CN=server2.$iname
	89	V 130110200751Z ca unknown CN=revoked2.$iname
	90	V 130110200751Z cb unknown CN=expired2.$iname
f5d78688 JH	91	EOF
f5d78688 JH	92	cat >$CADIR/index.revoked.txt <<EOF
ba86e143 JH	93	R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.$iname
	94	R 130110200751Z 100201142709Z,superseded 66 unknown CN=revoked1.$iname
	95	R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.$iname
	96	R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.$iname
	97	R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.$iname
	98	R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.$iname
f5d78688 JH	99	EOF
	100
	101	# Now create all the ocsp requests and responses
ba86e143 JH	102	IVALID="-index $CADIR/index.valid.txt"
ba86e143 JH	103	IREVOKED="-index $CADIR/index.revoked.txt"
f5d78688 JH	104	for server in server1 revoked1 expired1 server2 revoked2 expired2
f5d78688 JH	105	do
ba86e143	106	SPFX=$idir/$server.$iname/$server.$iname
74e2fb4b	107	openssl ocsp -issuer $CADIR/Signer.pem -cert $SPFX.pem -no_nonce -sha256 -reqout $SPFX.ocsp.req
ba86e143	108	REQIN="-reqin $SPFX.ocsp.req"
74e2fb4b JH	109
74e2fb4b JH	110	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
ba86e143 JH	111	openssl ocsp $IVALID $OGENCOMMON -ndays 3652 -sha256 $REQIN -respout $SPFX.ocsp.good.resp
	112	openssl ocsp $IVALID $OGENCOMMON -ndays 30 -sha256 $REQIN -respout $SPFX.ocsp.dated.resp
	113	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 -sha256 $REQIN -respout $SPFX.ocsp.revoked.resp
74e2fb4b JH	114
74e2fb4b JH	115	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -noverify"
ba86e143 JH	116	openssl ocsp $IVALID $OGENCOMMON -ndays 3652 -sha256 $REQIN -respout $SPFX.ocsp.signer.good.resp
	117	openssl ocsp $IVALID $OGENCOMMON -ndays 30 -sha256 $REQIN -respout $SPFX.ocsp.signer.dated.resp
	118	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 -sha256 $REQIN -respout $SPFX.ocsp.signer.revoked.resp
74e2fb4b JH	119
74e2fb4b JH	120	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -resp_no_certs -noverify"
ba86e143 JH	121	openssl ocsp $IVALID $OGENCOMMON -ndays 3652 -sha256 $REQIN -respout $SPFX.ocsp.signernocert.good.resp
	122	openssl ocsp $IVALID $OGENCOMMON -ndays 30 -sha256 $REQIN -respout $SPFX.ocsp.signernocert.dated.resp
	123	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 -sha256 $REQIN -respout $SPFX.ocsp.signernocert.revoked.resp
f5d78688	124	done
ba86e143	125	####
f5d78688 JH	126	done
f5d78688 JH	127
ba86e143 JH	128	# Create one EC leaf cert in the RSA cert tree. It will have an EC pubkey but be signed using its parent
	129	# therefore its parent's algo, RSA.
	130	clica $V -D example.com -p password -k ec -q nistp521 -s 1101 -S server1_ec.example.com -m 301 -8 'server1.example.com,*.test.ex'
	131	SDIR=example.com/server1_ec.example.com
	132	SPFX=$SDIR/server1_ec.example.com
	133	openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	134	cat $SPFX.pem example.com/CA/Signer.pem >$SPFX.chain.pem
	135
	136
	137
	138	###############################################################################
	139	# Limited suite: EC certs
	140	# separate trust root & chain
	141	# .com only, server1 good only, no ocsp
	142	# with server1 in SAN of leaf
	143
	144	for tld in com
f5d78688	145	do
ba86e143 JH	146	iname="example_ec.$tld"
	147	idir=$iname
	148
	149	####
	150	# create CAs & server certs
	151	rm -fr "$idir"
	152
	153	# create CA cert + templates
	154	clica $V -D "$idir" -p password -B 1024 -I -N $iname -F \
	155	-k ec -q nistp521 \
	156	-C http://crl.example.$tld/latest.crl -O http://oscp.example.$tld/
	157
	158	# create server certs
	159	# -m <months>
	160	clica $V -D $idir -p password -s 2101 -S server1.$iname -m 301 \
	161	-k ec -q nistp521 \
	162	-8 server1.example.$tld,alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
	163
	164	####
	165
	166	# openssl seems to generate a file (ca_chain.pam) in an order it
	167	# cannot then use (the key applies to the first cert in the file?).
	168	# Generate a shuffled one.
	169	cd $idir/server1.$iname
	170	openssl pkcs12 -in server1.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
	171	cat server1.$iname.pem cacerts.pem > fullchain.pem
	172	rm cacerts.pem
	173	cd ../..
	174
	175	####
	176
	177	# generate unlocked keys and client cert bundles
	178	for server in server1
89f2a269	179	do
ba86e143 JH	180	SDIR=$idir/$server.$iname
	181	SPFX=$SDIR/$server.$iname
	182	openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
f5d78688 JH	183	cat $SPFX.pem example.$tld/CA/Signer.pem >$SPFX.chain.pem
f5d78688 JH	184	done
ba86e143	185
f5d78688 JH	186	done
f5d78688 JH	187
ba86e143 JH	188	###############################################################################
ba86e143 JH	189
f5d78688	190	echo Please to reset date to now.
f2f2c91b	191	echo 'service ntpdate start (not on a systemd though...)'
f5d78688 JH	192	echo
	193	echo Then hit return
	194	read junk
	195
ba86e143 JH	196
ba86e143 JH	197
f5d78688 JH	198	# Create CRL files in .der and .pem
	199	# empty versions, and ones with the revoked servers
	200	for tld in com org net
	201	do
	202	CADIR=example.$tld/CA
	203	CRLIN=$CADIR/crl.empty.in.txt
	204	DATENOW=`date -u +%Y%m%d%H%M%SZ`
	205	echo "update=$DATENOW " >$CRLIN
	206	crlutil -G -d $CADIR -f $CADIR/pwdfile \
ba86e143	207	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.empty
f5d78688 JH	208	openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
	209	done
	210	sleep 2
	211	for tld in com org net
	212	do
	213	CADIR=example.$tld/CA
	214	CRLIN=$CADIR/crl.v2.in.txt
	215	DATENOW=`date -u +%Y%m%d%H%M%SZ`
	216	echo "update=$DATENOW " >$CRLIN
	217	echo "addcert 102 $DATENOW" >>$CRLIN
	218	echo "addcert 202 $DATENOW" >>$CRLIN
	219	crlutil -G -d $CADIR -f $CADIR/pwdfile \
ba86e143	220	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.v2
f5d78688 JH	221	openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
	222	done
	223
a7fec7a7 JH	224	# Finally, a single certificate-directory
a7fec7a7 JH	225	cd example.com/server1.example.com
f2f2c91b	226	mkdir -p certdir
a7fec7a7 JH	227	cd certdir
	228	f=../../CA/CA.pem
	229	h=`openssl x509 -hash -noout -in $f`
f2f2c91b	230	rm -f $h.0
a7fec7a7 JH	231	ln -s $f $h.0
	232	f=../../CA/Signer.pem
	233	h=`openssl x509 -hash -noout -in $f`
f2f2c91b	234	rm -f $h.0
a7fec7a7	235	ln -s $f $h.0
f2f2c91b JH	236	cd ../../..
	237
	238	pwd
	239	ls -l
a7fec7a7	240
ba86e143 JH	241	find example* -type d -print0 \| xargs -0 chmod 755
ba86e143 JH	242	find example* -type f -print0 \| xargs -0 chmod 644
89f2a269	243
f5d78688	244	echo "CA, Certificate, CRL and OSCP Response generation complete"