[exim.git] / test / aux-fixed / exim-ca / genall

#!/bin/bash
#

set -e
set -x

echo Ensure time is set to 2012/11/01 12:34
echo use -  date -u 110112342012
echo hit return when ready
read junk
for tld in com org net
do
    idir="example.$tld"
    rm -fr "$idir"
    clica -D "$idir" -p password -B 1024 -I -N example.$tld -F \
	-C http://crl.example.$tld/latest.crl -O http://oscp/example.$tld/

    clica -D example.$tld -p password -s 101 -S server1.example.$tld \
	-8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
    clica -D example.$tld -p password -s 102 -S revoked1.example.$tld
    clica -D example.$tld -p password -s 103 -S expired1.example.$tld -m 1
    clica -D example.$tld -p password -s 201 -S server2.example.$tld
    clica -D example.$tld -p password -s 202 -S revoked2.example.$tld
    clica -D example.$tld -p password -s 203 -S expired2.example.$tld -m 1


    # openssl seems to generate a file (ca_chain.pam) in an order it
    # cannot then use (the key applies to the first cert in the file?).
    # Generate a shuffled one.
    cd example.$tld/server1.example.$tld
    openssl pkcs12 -in server1.example.$tld.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
    cat server1.example.$tld.pem cacerts.pem > fullchain.pem
    rm cacerts.pem
    cd ../..
done

# and loop again
for tld in com org net
do
    CADIR=example.$tld/CA
    #give ourselves an OSCP key to work with
    pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key


    # create some index files for the ocsp responder to work with
    cat >$CADIR/index.valid.txt <<EOF
V	130110200751Z		65	unknown	CN=server1.example.$tld
V	130110200751Z		66	unknown	CN=revoked1.example.$tld
V	130110200751Z		67	unknown	CN=expired1.example.$tld
V	130110200751Z		c9	unknown	CN=server2.example.$tld
V	130110200751Z		ca	unknown	CN=revoked2.example.$tld
V	130110200751Z		cb	unknown	CN=expired2.example.$tld
EOF
    cat >$CADIR/index.revoked.txt <<EOF
R	130110200751Z	100201142709Z,superseded	65	unknown	CN=server1.example.$tld
R	130110200751Z	100201142709Z,superseded	66	unknown	CN=revoked1.example.$tld
R	130110200751Z	100201142709Z,superseded	67	unknown	CN=expired1.example.$tld
R	130110200751Z	100201142709Z,superseded	c9	unknown	CN=server2.example.$tld
R	130110200751Z	100201142709Z,superseded	ca	unknown	CN=revoked2.example.$tld
R	130110200751Z	100201142709Z,superseded	cb	unknown	CN=expired2.example.$tld
EOF

    # Now create all the ocsp requests and responses
    OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
    for server in server1 revoked1 expired1 server2 revoked2 expired2
    do
	SPFX=example.$tld/$server.example.$tld/$server.example.$tld
	openssl ocsp -issuer $CADIR/Signer.pem -cert $SPFX.pem -reqout $SPFX.ocsp.req
	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 3652 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.good.resp
	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 30   -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.dated.resp
	openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.revoked.resp
    done
done

# and loop again to generate unlocked keys and client cert bundles
for tld in com org net
do
    for server in server1 revoked1 expired1 server2 revoked2 expired2
    do
	SDIR=example.$tld/$server.example.$tld
	SPFX=$SDIR/$server.example.$tld
	openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	cat $SPFX.pem example.$tld/CA/Signer.pem >$SPFX.chain.pem
    done
done

echo Please to reset date to now.
echo 'service ntpdate start (not on a systemd though...)'
echo 
echo Then hit return
read junk

# Create CRL files in .der and .pem
# empty versions, and ones with the revoked servers
for tld in com org net
do
    CADIR=example.$tld/CA
    CRLIN=$CADIR/crl.empty.in.txt
    DATENOW=`date -u +%Y%m%d%H%M%SZ`
    echo "update=$DATENOW " >$CRLIN
    crlutil -G -d $CADIR -f $CADIR/pwdfile \
	-n 'Signing Cert' -c $CRLIN -o $CADIR/crl.empty
    openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
done
sleep 2
for tld in com org net
do
    CADIR=example.$tld/CA
    CRLIN=$CADIR/crl.v2.in.txt
    DATENOW=`date -u +%Y%m%d%H%M%SZ`
    echo "update=$DATENOW " >$CRLIN
    echo "addcert 102 $DATENOW" >>$CRLIN
    echo "addcert 202 $DATENOW" >>$CRLIN
    crlutil -G -d $CADIR -f $CADIR/pwdfile \
	-n 'Signing Cert' -c $CRLIN -o $CADIR/crl.v2
    openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
done

# Finally, a single certificate-directory
cd example.com/server1.example.com
mkdir -p certdir
cd certdir
f=../../CA/CA.pem
h=`openssl x509 -hash -noout -in $f`
rm -f $h.0
ln -s $f $h.0
f=../../CA/Signer.pem
h=`openssl x509 -hash -noout -in $f`
rm -f $h.0
ln -s $f $h.0
cd ../../..

pwd
ls -l

find example.* -type d -print0 | xargs -0 chmod 755
find example.* -type f -print0 | xargs -0 chmod 644

echo "CA, Certificate, CRL and OSCP Response generation complete"
Commit	Line	Data
f5d78688 JH	1	#!/bin/bash
	2	#
	3
bfe645c1 JH	4	set -e
	5	set -x
	6
f5d78688 JH	7	echo Ensure time is set to 2012/11/01 12:34
	8	echo use - date -u 110112342012
	9	echo hit return when ready
	10	read junk
	11	for tld in com org net
	12	do
bfe645c1 JH	13	idir="example.$tld"
	14	rm -fr "$idir"
	15	clica -D "$idir" -p password -B 1024 -I -N example.$tld -F \
2b4a568d JH	16	-C http://crl.example.$tld/latest.crl -O http://oscp/example.$tld/
	17
	18	clica -D example.$tld -p password -s 101 -S server1.example.$tld \
bfe645c1	19	-8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
f5d78688 JH	20	clica -D example.$tld -p password -s 102 -S revoked1.example.$tld
	21	clica -D example.$tld -p password -s 103 -S expired1.example.$tld -m 1
	22	clica -D example.$tld -p password -s 201 -S server2.example.$tld
	23	clica -D example.$tld -p password -s 202 -S revoked2.example.$tld
	24	clica -D example.$tld -p password -s 203 -S expired2.example.$tld -m 1
82525c6f JH	25
	26
	27	# openssl seems to generate a file (ca_chain.pam) in an order it
	28	# cannot then use (the key applies to the first cert in the file?).
	29	# Generate a shuffled one.
	30	cd example.$tld/server1.example.$tld
bfe645c1 JH	31	openssl pkcs12 -in server1.example.$tld.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
bfe645c1 JH	32	cat server1.example.$tld.pem cacerts.pem > fullchain.pem
82525c6f JH	33	rm cacerts.pem
82525c6f JH	34	cd ../..
f5d78688 JH	35	done
	36
	37	# and loop again
	38	for tld in com org net
	39	do
	40	CADIR=example.$tld/CA
	41	#give ourselves an OSCP key to work with
	42	pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer' -d $CADIR -K password -W password
	43	openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key
	44
	45
	46	# create some index files for the ocsp responder to work with
	47	cat >$CADIR/index.valid.txt <<EOF
	48	V 130110200751Z 65 unknown CN=server1.example.$tld
	49	V 130110200751Z 66 unknown CN=revoked1.example.$tld
	50	V 130110200751Z 67 unknown CN=expired1.example.$tld
	51	V 130110200751Z c9 unknown CN=server2.example.$tld
	52	V 130110200751Z ca unknown CN=revoked2.example.$tld
	53	V 130110200751Z cb unknown CN=expired2.example.$tld
	54	EOF
	55	cat >$CADIR/index.revoked.txt <<EOF
	56	R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.example.$tld
	57	R 130110200751Z 100201142709Z,superseded 66 unknown CN=revoked1.example.$tld
	58	R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.example.$tld
	59	R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.example.$tld
	60	R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.example.$tld
	61	R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.example.$tld
	62	EOF
	63
	64	# Now create all the ocsp requests and responses
	65	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
	66	for server in server1 revoked1 expired1 server2 revoked2 expired2
	67	do
	68	SPFX=example.$tld/$server.example.$tld/$server.example.$tld
	69	openssl ocsp -issuer $CADIR/Signer.pem -cert $SPFX.pem -reqout $SPFX.ocsp.req
2b4a568d JH	70	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 3652 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.good.resp
	71	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 30 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.dated.resp
	72	openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.revoked.resp
f5d78688 JH	73	done
	74	done
	75
	76	# and loop again to generate unlocked keys and client cert bundles
	77	for tld in com org net
	78	do
89f2a269 JH	79	for server in server1 revoked1 expired1 server2 revoked2 expired2
89f2a269 JH	80	do
f5d78688 JH	81	SDIR=example.$tld/$server.example.$tld
	82	SPFX=$SDIR/$server.example.$tld
	83	openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	84	cat $SPFX.pem example.$tld/CA/Signer.pem >$SPFX.chain.pem
	85	done
	86	done
	87
	88	echo Please to reset date to now.
bfe645c1	89	echo 'service ntpdate start (not on a systemd though...)'
f5d78688 JH	90	echo
	91	echo Then hit return
	92	read junk
	93
	94	# Create CRL files in .der and .pem
	95	# empty versions, and ones with the revoked servers
	96	for tld in com org net
	97	do
	98	CADIR=example.$tld/CA
	99	CRLIN=$CADIR/crl.empty.in.txt
	100	DATENOW=`date -u +%Y%m%d%H%M%SZ`
	101	echo "update=$DATENOW " >$CRLIN
	102	crlutil -G -d $CADIR -f $CADIR/pwdfile \
	103	-n 'Signing Cert' -c $CRLIN -o $CADIR/crl.empty
	104	openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
	105	done
	106	sleep 2
	107	for tld in com org net
	108	do
	109	CADIR=example.$tld/CA
	110	CRLIN=$CADIR/crl.v2.in.txt
	111	DATENOW=`date -u +%Y%m%d%H%M%SZ`
	112	echo "update=$DATENOW " >$CRLIN
	113	echo "addcert 102 $DATENOW" >>$CRLIN
	114	echo "addcert 202 $DATENOW" >>$CRLIN
	115	crlutil -G -d $CADIR -f $CADIR/pwdfile \
	116	-n 'Signing Cert' -c $CRLIN -o $CADIR/crl.v2
	117	openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
	118	done
	119
a7fec7a7 JH	120	# Finally, a single certificate-directory
a7fec7a7 JH	121	cd example.com/server1.example.com
bfe645c1	122	mkdir -p certdir
a7fec7a7 JH	123	cd certdir
	124	f=../../CA/CA.pem
	125	h=`openssl x509 -hash -noout -in $f`
bfe645c1	126	rm -f $h.0
a7fec7a7 JH	127	ln -s $f $h.0
	128	f=../../CA/Signer.pem
	129	h=`openssl x509 -hash -noout -in $f`
bfe645c1	130	rm -f $h.0
a7fec7a7	131	ln -s $f $h.0
bfe645c1 JH	132	cd ../../..
	133
	134	pwd
	135	ls -l
a7fec7a7	136
89f2a269 JH	137	find example.* -type d -print0 \| xargs -0 chmod 755
	138	find example.* -type f -print0 \| xargs -0 chmod 644
	139
f5d78688	140	echo "CA, Certificate, CRL and OSCP Response generation complete"