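#!/bin/bash
#
# Generate the CA hierarchies, server certificates, OCSP responses and
# CRLs used as test fixtures.  Every key produced here is protected by
# the fixed passphrase "password" (and passphrase-less copies are written
# as *.unlocked.key), so the output is only suitable as test material.
#
# The validity windows are fixed, so the system clock must be set to
# 2012/11/01 12:34 UTC before the certificates are generated and reset
# afterwards; the script prompts for both steps.

set -e

# Debugging. Set V for clica verbosity (e.g. V='-v').  V is expanded
# unquoted wherever clica is called, so it must stay empty or one flag.
#set -x
V=
#V='-v'

# Under set -e this line ends the run when clica is not on PATH
# (or when its --help fails), before anything is written.
clica --help >/dev/null 2>&1

printf '%s\n' 'Ensure time is set to 2012/11/01 12:34'
printf '%s\n' 'use - date -u 110112342012'
printf '%s\n' 'hit return when ready'
read -r junk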
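
# Main suite: RSA certs
# For each TLD: build example.<tld>/CA, six server certs (good, revoked,
# expired, twice), unlocked keys and chain bundles, then the OCSP signing
# material and one set of OCSP requests/responses per server.
# shellcheck disable=SC2086  # $V is deliberately word-split (empty or one flag)
for tld in com org net
do
  iname="example.$tld"
  idir=$iname

  ####
  # create CAs & server certs
  rm -fr -- "$idir"

  # create CA cert + templates
  clica $V -D "$idir" -p password -B 1024 -I -N "$iname" -F \
    -C "http://crl.$iname/latest.crl" -O "http://oscp.$iname/"

  # create server certs
  # -m <months>; the expired* certs get 1 month so they are stale once the
  # clock is reset to the present.
  # The -8 SAN list is quoted so the '*.test.ex' wildcard is never globbed.
  clica $V -D "$idir" -p password -s 101 -S "server1.$iname" -m 301 \
    -8 "alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex"
  clica $V -D "$idir" -p password -s 102 -S "revoked1.$iname" -m 301
  clica $V -D "$idir" -p password -s 103 -S "expired1.$iname" -m 1
  clica $V -D "$idir" -p password -s 201 -S "server2.$iname" -m 301
  clica $V -D "$idir" -p password -s 202 -S "revoked2.$iname" -m 301
  clica $V -D "$idir" -p password -s 203 -S "expired2.$iname" -m 1

  ####

  # openssl seems to generate a file (ca_chain.pam) in an order it
  # cannot then use (the key applies to the first cert in the file?).
  # Generate a shuffled one: leaf first, then the CA certs from the p12.
  # Done in a subshell so the working directory is restored even if a
  # command fails.
  (
    cd "$idir/server1.$iname"
    openssl pkcs12 -in "server1.$iname.p12" -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
    cat "server1.$iname.pem" cacerts.pem > fullchain.pem
    rm cacerts.pem
  )

  ####

  # generate unlocked keys and client cert bundles
  for server in server1 revoked1 expired1 server2 revoked2 expired2
  do
    SDIR=$idir/$server.$iname
    SPFX=$SDIR/$server.$iname
    openssl rsa -in "$SPFX.key" -passin "file:$SDIR/pwdfile" -out "$SPFX.unlocked.key"
    cat "$SPFX.pem" "$iname/CA/Signer.pem" >"$SPFX.chain.pem"
  done

  ####

  # create OCSP reqs & resps
  CADIR=$idir/CA
  # give ourselves an OCSP key to work with: export it from the NSS db
  pk12util -o "$CADIR/OCSP.p12" -n 'OCSP Signer rsa' -d "$CADIR" -K password -W password
  openssl pkcs12 -in "$CADIR/OCSP.p12" -passin pass:password -passout pass:password -nodes -nocerts -out "$CADIR/OCSP.key"

  # also need variation from Signer
  pk12util -o "$CADIR/Signer.p12" -n 'Signing Cert rsa' -d "$CADIR" -K password -W password
  openssl pkcs12 -in "$CADIR/Signer.p12" -passin pass:password -passout pass:password -nodes -nocerts -out "$CADIR/Signer.key"

  # create some index files for the ocsp responder to work with
  # tab-sep (written with explicit \t so the separators are visible)
  # 0: Revoked/Expired/Valid letter
  # 1: Expiry date (ASN1_UTCTIME)
  # 2: Revocation date (empty field for valid entries)
  # 3: Serial no. (unique) -- the -s values above in hex: 101=65 ... 203=cb
  # 4: file
  # 5: DN, index
  : >"$CADIR/index.valid.txt"
  : >"$CADIR/index.revoked.txt"
  for entry in server1:65 revoked1:66 expired1:67 server2:c9 revoked2:ca expired2:cb
  do
    server=${entry%%:*}
    serial=${entry##*:}
    printf 'V\t130110200751Z\t\t%s\tunknown\tCN=%s.%s\n' \
      "$serial" "$server" "$iname" >>"$CADIR/index.valid.txt"
    printf 'R\t130110200751Z\t100201142709Z,superseded\t%s\tunknown\tCN=%s.%s\n' \
      "$serial" "$server" "$iname" >>"$CADIR/index.revoked.txt"
  done

  # Now create all the ocsp requests and responses
  ivalid=(-index "$CADIR/index.valid.txt")
  irevoked=(-index "$CADIR/index.revoked.txt")
  for server in server1 revoked1 expired1 server2 revoked2 expired2
  do
    SPFX=$idir/$server.$iname/$server.$iname
    openssl ocsp -issuer "$CADIR/Signer.pem" -cert "$SPFX.pem" -no_nonce -sha256 -reqout "$SPFX.ocsp.req"
    reqin=(-reqin "$SPFX.ocsp.req")

    # responses signed by the dedicated OCSP signer; the 30-day "dated"
    # responses are presumably meant to be stale once the clock is reset
    common=(-rsigner "$CADIR/OCSP.pem" -rkey "$CADIR/OCSP.key" -CA "$CADIR/Signer.pem" -noverify)
    openssl ocsp "${ivalid[@]}" "${common[@]}" -ndays 3652 -sha256 "${reqin[@]}" -respout "$SPFX.ocsp.good.resp"
    openssl ocsp "${ivalid[@]}" "${common[@]}" -ndays 30 -sha256 "${reqin[@]}" -respout "$SPFX.ocsp.dated.resp"
    openssl ocsp "${irevoked[@]}" "${common[@]}" -ndays 3652 -sha256 "${reqin[@]}" -respout "$SPFX.ocsp.revoked.resp"

    # responses signed directly by the CA signer cert
    common=(-rsigner "$CADIR/Signer.pem" -rkey "$CADIR/Signer.key" -CA "$CADIR/Signer.pem" -noverify)
    openssl ocsp "${ivalid[@]}" "${common[@]}" -ndays 3652 -sha256 "${reqin[@]}" -respout "$SPFX.ocsp.signer.good.resp"
    openssl ocsp "${ivalid[@]}" "${common[@]}" -ndays 30 -sha256 "${reqin[@]}" -respout "$SPFX.ocsp.signer.dated.resp"
    openssl ocsp "${irevoked[@]}" "${common[@]}" -ndays 3652 -sha256 "${reqin[@]}" -respout "$SPFX.ocsp.signer.revoked.resp"

    # same signer, but without the signer cert embedded in the response
    common=(-rsigner "$CADIR/Signer.pem" -rkey "$CADIR/Signer.key" -CA "$CADIR/Signer.pem" -resp_no_certs -noverify)
    openssl ocsp "${ivalid[@]}" "${common[@]}" -ndays 3652 -sha256 "${reqin[@]}" -respout "$SPFX.ocsp.signernocert.good.resp"
    openssl ocsp "${ivalid[@]}" "${common[@]}" -ndays 30 -sha256 "${reqin[@]}" -respout "$SPFX.ocsp.signernocert.dated.resp"
    openssl ocsp "${irevoked[@]}" "${common[@]}" -ndays 3652 -sha256 "${reqin[@]}" -respout "$SPFX.ocsp.signernocert.revoked.resp"
  done
  ####
done
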
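# Create one EC leaf cert in the RSA cert tree. It will have an EC pubkey but be signed using its parent
# therefore its parent's algo, RSA.
# shellcheck disable=SC2086  # $V is deliberately word-split (empty or one flag)
clica $V -D example.com -p password -k ec -q nistp521 -s 1101 -S server1_ec.example.com -m 301 -8 'server1.example.com,*.test.ex'
SDIR=example.com/server1_ec.example.com
SPFX=$SDIR/server1_ec.example.com
# unlock the EC key and build the leaf+signer bundle, as done for the RSA servers
openssl ec -in "$SPFX.key" -passin "file:$SDIR/pwdfile" -out "$SPFX.unlocked.key"
cat "$SPFX.pem" example.com/CA/Signer.pem >"$SPFX.chain.pem"


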
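###############################################################################
# Limited suite: EC certs
# separate trust root & chain
# .com only, server1 good only, no ocsp
# with server1 in SAN of leaf

# shellcheck disable=SC2086  # $V is deliberately word-split (empty or one flag)
for tld in com
do
  iname="example_ec.$tld"
  idir=$iname

  ####
  # create CAs & server certs
  rm -fr -- "$idir"

  # create CA cert + templates
  # (the CRL/OCSP URLs name the RSA suite's example.$tld host, as before)
  clica $V -D "$idir" -p password -B 1024 -I -N "$iname" -F \
    -k ec -q nistp521 \
    -C "http://crl.example.$tld/latest.crl" -O "http://oscp.example.$tld/"

  # create server certs
  # -m <months>
  # The -8 SAN list is quoted so the '*.test.ex' wildcard is never globbed.
  clica $V -D "$idir" -p password -s 2101 -S "server1.$iname" -m 301 \
    -k ec -q nistp521 \
    -8 "server1.example.$tld,alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex"

  ####

  # openssl seems to generate a file (ca_chain.pam) in an order it
  # cannot then use (the key applies to the first cert in the file?).
  # Generate a shuffled one: leaf first, then the CA certs from the p12.
  # Done in a subshell so the working directory is restored even if a
  # command fails.
  (
    cd "$idir/server1.$iname"
    openssl pkcs12 -in "server1.$iname.p12" -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
    cat "server1.$iname.pem" cacerts.pem > fullchain.pem
    rm cacerts.pem
  )

  ####

  # generate unlocked keys and client cert bundles
  for server in server1
  do
    SDIR=$idir/$server.$iname
    SPFX=$SDIR/$server.$iname
    openssl ec -in "$SPFX.key" -passin "file:$SDIR/pwdfile" -out "$SPFX.unlocked.key"
    # NOTE(review): this bundles the RSA suite's signer (example.$tld/CA/Signer.pem)
    # rather than this suite's $idir/CA/Signer.pem, despite the "separate trust
    # root & chain" note above -- confirm against the consumers of *.chain.pem
    # before changing it.
    cat "$SPFX.pem" "example.$tld/CA/Signer.pem" >"$SPFX.chain.pem"
  done

done
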
ba86e143 JH |
188 | ############################################################################### |
189 | ||
f5d78688 | 190 | echo Please to reset date to now. |
f2f2c91b | 191 | echo 'service ntpdate start (not on a systemd though...)' |
f5d78688 JH |
192 | echo |
193 | echo Then hit return | |
194 | read junk | |
195 | ||
ba86e143 JH |
196 | |
197 | ||
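
# Create CRL files in .der and .pem
# empty versions, and ones with the revoked servers

#######################################
# Generate one CRL with crlutil and convert it to PEM.
# Arguments: $1 - CA directory (NSS db plus pwdfile)
#            $2 - output basename under $1 (e.g. crl.empty)
#            $3... - serial numbers to list as revoked (may be none)
# Outputs:   $1/$2 (DER), $1/$2.pem, and the crlutil script $1/$2.in.txt
# Returns:   non-zero (and, under set -e, exits) if any step fails
#######################################
gen_crl() {
  local cadir=$1 name=$2
  shift 2
  local crlin=$cadir/$name.in.txt
  local datenow serial
  datenow=$(date -u '+%Y%m%d%H%M%SZ')
  # the trailing space after the date is kept from the original script
  printf 'update=%s \n' "$datenow" >"$crlin"
  for serial in "$@"
  do
    printf 'addcert %s %s\n' "$serial" "$datenow" >>"$crlin"
  done
  crlutil -G -d "$cadir" -f "$cadir/pwdfile" \
    -n 'Signing Cert rsa' -c "$crlin" -o "$cadir/$name"
  openssl crl -in "$cadir/$name" -inform der -out "$cadir/$name.pem"
}

for tld in com org net
do
  gen_crl "example.$tld/CA" crl.empty
done
# presumably so the v2 CRLs carry a later 'update' time than the empty ones
sleep 2
# serials 102 and 202 are the revoked1/revoked2 certs of the main suite
for tld in com org net
do
  gen_crl "example.$tld/CA" crl.v2 102 202
done
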
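# Finally, a single certificate-directory: <subject-hash>.0 symlinks to the
# CA and Signer certs, the layout openssl's hashed-directory lookup expects.
# Done in a subshell so the working directory is restored afterwards.
(
  cd example.com/server1.example.com
  mkdir -p certdir
  cd certdir
  for f in ../../CA/CA.pem ../../CA/Signer.pem
  do
    h=$(openssl x509 -hash -noout -in "$f")
    # as in the original, a later cert with the same hash replaces the link
    rm -f -- "$h.0"
    ln -s "$f" "$h.0"
  done
)

pwd
ls -l
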
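# Normalise permissions on everything generated (dirs 755, files 644).
# NB: this also makes the passphrase-less *.unlocked.key files
# world-readable, which is only acceptable because they are test fixtures.
find example* -type d -exec chmod 755 -- {} +
find example* -type f -exec chmod 644 -- {} +

printf '%s\n' "CA, Certificate, CRL and OSCP Response generation complete"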