[exim.git] / test / aux-fixed / exim-ca / genall

#!/bin/bash
#

set -e

# Debugging.  Set V for clica verbosity.
set -x
#V=
V='-v'

clica --help >/dev/null 2>&1

echo Ensure time is set to 2012/11/01 12:34
echo use -  date -u 110112342012
echo hit return when ready
read junk

# Main suite: RSA certs
for tld in com org net
do
    iname="example.$tld"
    idir=$iname

####
    # create CAs & server certs
    rm -fr "$idir"

    # create CA cert + templates
    # -D  dir to work in
    # -p  passwd for cert
    # -B  keysize in bits
    # -I  create CA cert
    # -N  org name
    # -F  create sub-signing cert
    # -C CRL
    # -O create OCSP responder cert
    clica $V -D "$idir" -p password -B 2048 -I -N $iname -F -C http://crl.$iname/latest.crl -O http://oscp.$iname/

    # create server certs
    # -m <months>
    clica $V -D $idir -p password -s 101 -S server1.$iname -m 301 \
	-8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
    clica $V -D $idir -p password -s 102 -S revoked1.$iname -m 301
    clica $V -D $idir -p password -s 103 -S expired1.$iname -m 1

    clica $V -D $idir -p password -s 201 -S  server2.$iname -m 301 \
	-3 'CN=clica CA rsa,O=example.com' -8 '*.test.ex'
    clica $V -D $idir -p password -s 202 -S revoked2.$iname -m 301
    clica $V -D $idir -p password -s 203 -S expired2.$iname -m 1

####

    # openssl seems to generate a file (ca_chain.pam) in an order it
    # cannot then use (the key applies to the first cert in the file?).
    # Generate a shuffled one.
    for n in 1 2
    do
      cd $idir/server$n.$iname
        openssl pkcs12 -in server$n.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
        cat server$n.$iname.pem cacerts.pem > fullchain.pem
        rm cacerts.pem
      cd ../..
    done

####

    # generate unlocked keys and client cert bundles
    for server in server1 revoked1 expired1 server2 revoked2 expired2
    do
	SDIR=$idir/$server.$iname
	SPFX=$SDIR/$server.$iname
	openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	cat $SPFX.pem $iname/CA/Signer.pem >$SPFX.chain.pem
    done

####

    # create OCSP reqs & resps
    CADIR=$idir/CA

    #give ourselves an OSCP key to work with
    pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer rsa' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key

    # also need variation from Signer
    pk12util -o $CADIR/Signer.p12 -n 'Signing Cert rsa' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/Signer.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/Signer.key

    # ditto for CA
    # - the "-n names" here appear to be hardcoded in clica
    pk12util -o $CADIR/CA.p12 -n 'Certificate Authority rsa' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/CA.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/CA.key

    # create some index files for the ocsp responder to work with
# tab-sep, and fields can be empty
# 0: Revoked/Expired/Valid letter
# 1: Expiry date (ASN1_UTCTIME)
# 2: Revocation date
# 3: Serial no. (unique, in hex)
# 4: file
# 5: DN, index

    cat >$CADIR/index.valid.txt <<EOF
V	130110200751Z		65	unknown	CN=server1.$iname
V	130110200751Z		66	unknown	CN=revoked1.$iname
V	130110200751Z		67	unknown	CN=expired1.$iname
V	130110200751Z		c9	unknown	CN=server2.$iname
V	130110200751Z		ca	unknown	CN=revoked2.$iname
V	130110200751Z		cb	unknown	CN=expired2.$iname
V	130110200751Z		42	unknown	CN=clica Signing Cert rsa
V	130110200751Z		41	unknown	CN=clica CA rsa
EOF
    cat >$CADIR/index.revoked.txt <<EOF
R	130110200751Z	100201142709Z,superseded	65	unknown	CN=server1.$iname
R	130110200751Z	100201142709Z,superseded	66	unknown	CN=revoked1.$iname
R	130110200751Z	100201142709Z,superseded	67	unknown	CN=expired1.$iname
R	130110200751Z	100201142709Z,superseded	c9	unknown	CN=server2.$iname
R	130110200751Z	100201142709Z,superseded	ca	unknown	CN=revoked2.$iname
R	130110200751Z	100201142709Z,superseded	cb	unknown	CN=expired2.$iname
R	130110200751Z	100201142709Z,superseded	42	unknown	CN=clica Signing Cert rsa
EOF

    # Now create all the ocsp requests and responses for the leaf certs
    IVALID="-index $CADIR/index.valid.txt"
    IREVOKED="-index $CADIR/index.revoked.txt"

    echo "unique_subject = yes" > $CADIR/index.valid.txt.attr
    echo "unique_subject = yes" > $CADIR/index.revoked.txt.attr

    for server in server1 revoked1 expired1 server2 revoked2 expired2
    do
	SPFX=$idir/$server.$iname/$server.$iname
	openssl ocsp -issuer $CADIR/Signer.pem -sha256 -cert $SPFX.pem -no_nonce -reqout $SPFX.ocsp.req
	REQIN="-reqin $SPFX.ocsp.req"

	# These ones get used by the "traditional" testcases. OCSP resp signed by a cert which is
	# signed by the signer of the leaf-cert being attested to.
	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.good.resp
	openssl ocsp $IVALID   $OGENCOMMON -ndays 30   $REQIN -respout $SPFX.ocsp.dated.resp
	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.revoked.resp

	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -noverify"
	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signer.good.resp
	openssl ocsp $IVALID   $OGENCOMMON -ndays 30   $REQIN -respout $SPFX.ocsp.signer.dated.resp
	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signer.revoked.resp

	# These ones get used by the "LetsEncrypt mode" testcases. OCSP resp is signed directly by the
	# signer of the leaf-cert being attested to.
	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -resp_no_certs -noverify"
	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signernocert.good.resp
	openssl ocsp $IVALID   $OGENCOMMON -ndays 30   $REQIN -respout $SPFX.ocsp.signernocert.dated.resp
	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signernocert.revoked.resp
    done

    # convert one good leaf-resp to PEM
    server=server1
    RESP=$idir/$server.$iname/$server.$iname.ocsp.signernocert.good.resp
    ocsptool -S $RESP -j > $RESP.pem

    # Then, ocsp request and (valid, revoked) responses for the signer cert
    REQ=$CADIR/Signer.ocsp.req
    RESP=$CADIR/Signer.ocsp.signernocert.good.resp
    openssl ocsp -issuer $CADIR/CA.pem -sha256 -cert $CADIR/Signer.pem -no_nonce -reqout $REQ
    openssl ocsp $IVALID -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $CADIR/CA.pem -resp_no_certs -noverify \
	-ndays 3652 -reqin $REQ -respout $RESP
    ocsptool -S $RESP -j > $RESP.pem

    RESP=$CADIR/Signer.ocsp.signernocert.revoked.resp
    openssl ocsp $IREVOKED -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $CADIR/CA.pem -resp_no_certs -noverify \
	-ndays 3652 -reqin $REQ -respout $RESP
    ocsptool -S $RESP -j > $RESP.pem

    # Finally, a full-chain all-good request and response
    REQ=$idir/$server.$iname/fullchain.ocsp.req
    leafcert=$idir/$server.$iname/$server.$iname.pem
    signercert=$CADIR/Signer.pem
    cacert=$CADIR/CA.pem
    openssl ocsp -sha256 -no_nonce -reqout $REQ \
    	-issuer $signercert -cert $leafcert \
    	-issuer $cacert     -cert $CADIR/Signer.pem -cert $CADIR/CA.pem

    RESP=$idir/$server.$iname/fullchain.ocsp.resp
    authorities=$idir/$server.$iname/ca_chain.pem
    openssl ocsp $IVALID -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $authorities -resp_no_certs -noverify \
	-ndays 3652 -reqin $REQ -respout $RESP
    ocsptool -S $RESP -j > $RESP.pem

####
done

# Create one EC leaf cert in the RSA cert tree.  It will have an EC pubkey but be signed using its parent
# therefore its parent's algo, RSA.
clica $V -D example.com -p password -k ec -q nistp521 -s 1101 -S server1_ec.example.com -m 301 -8 'server1.example.com,*.test.ex'
SDIR=example.com/server1_ec.example.com
SPFX=$SDIR/server1_ec.example.com
openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
cat $SPFX.pem example.com/CA/Signer.pem >$SPFX.chain.pem


###############################################################################
# Limited suite: EC certs
# separate trust root & chain
# .com only, server1 good only, no ocsp
# with server1 in SAN of leaf

for tld in com
do
    iname="example_ec.$tld"
    idir=$iname

####
    # create CAs & server certs
    rm -fr "$idir"

    # create CA cert + templates
    clica $V -D "$idir" -p password -B 2048 -I -N $iname -F \
	-k ec -q nistp521 \
	-C http://crl.example.$tld/latest.crl -O http://oscp.example.$tld/

    # create server certs
    # -m <months>
    clica $V -D $idir -p password -s 2101 -S server1.$iname -m 301 \
	-k ec -q nistp521 \
	-8 server1.example.$tld,alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex

####

    # openssl seems to generate a file (ca_chain.pam) in an order it
    # cannot then use (the key applies to the first cert in the file?).
    # Generate a shuffled one.
    cd $idir/server1.$iname
        openssl pkcs12 -in server1.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
        cat server1.$iname.pem cacerts.pem > fullchain.pem
        rm cacerts.pem
    cd ../..

####

    # generate unlocked keys and client cert bundles
    for server in server1
    do
	SDIR=$idir/$server.$iname
	SPFX=$SDIR/$server.$iname
	openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	cat $SPFX.pem $idir/CA/Signer.pem >$SPFX.chain.pem
    done

####
    # create OCSP reqs & resps
    CADIR=$idir/CA
    #give ourselves an OSCP key to work with
    pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer ec' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key

    # create some index files for the ocsp responder to work with
# tab-sep
# 0: Revoked/Expired/Valid letter
# 1: Expiry date (ASN1_UTCTIME)
# 2: Revocation date
# 3: Serial no. (unique)
# 4: file
# 5: DN, index

    cat >$CADIR/index.valid.txt <<EOF
V	130110200751Z		835	unknown	CN=server1.$iname
EOF

    # Now create all the ocsp requests and responses
    IVALID="-index $CADIR/index.valid.txt"
    for server in server1
    do
	SPFX=$idir/$server.$iname/$server.$iname
	openssl ocsp -issuer $CADIR/Signer.pem -sha256 -cert $SPFX.pem -no_nonce -reqout $SPFX.ocsp.req
	REQIN="-reqin $SPFX.ocsp.req"

	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
	openssl ocsp $IVALID   $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.good.resp
    done
####
done

###############################################################################

echo Please to reset date to now.
echo 'service ntpdate start (not on a systemd though...)'
echo 
echo Then hit return
read junk


# Create CRL files in .der and .pem
# empty versions, and ones with the revoked servers
DATENOW=`date -u +%Y%m%d%H%M%SZ`
for tld in com org net
do
    CADIR=example.$tld/CA
    CRLIN=$CADIR/crl.empty.in.txt
    echo "update=$DATENOW " >$CRLIN
    crlutil -G -d $CADIR -f $CADIR/pwdfile \
	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.empty
    openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
done
sleep 2
DATENOW=`date -u +%Y%m%d%H%M%SZ`
for tld in com org net
do
    CADIR=example.$tld/CA
    CRLIN=$CADIR/crl.v2.in.txt
    echo "update=$DATENOW " >$CRLIN
    echo "addcert 102 $DATENOW" >>$CRLIN
    echo "addcert 202 $DATENOW" >>$CRLIN
    crlutil -G -d $CADIR -f $CADIR/pwdfile \
	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.v2
    openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem

    CRLIN=$CADIR/crl.Signer.in.txt
    echo "update=$DATENOW " >$CRLIN
    crlutil -G -d $CADIR -f $CADIR/pwdfile \
	-n 'Certificate Authority rsa' -c $CRLIN -o $CADIR/crl.Signer
    openssl crl -in $CADIR/crl.Signer -inform der -out $CADIR/crl.Signer.pem

    cat $CADIR/crl.Signer.pem $CADIR/crl.v2.pem > $CADIR/crl.chain.pem
done

# Finally, a single certificate-directory
cd example.com/server1.example.com
mkdir -p certdir
cd certdir
f=../../CA/CA.pem
h=`openssl x509 -hash -noout -in $f`
rm -f $h.0
ln -s $f $h.0
f=../../CA/Signer.pem
h=`openssl x509 -hash -noout -in $f`
rm -f $h.0
ln -s $f $h.0
cd ../../..

pwd
ls -l

find example* -type d -print0 | xargs -0 chmod 755
find example* -type f -print0 | xargs -0 chmod 644

echo "CA, Certificate, CRL and OSCP Response generation complete"
Commit	Line	Data
	1	#!/bin/bash
	2	#
	3
	4	set -e
	5
	6	# Debugging. Set V for clica verbosity.
	7	set -x
	8	#V=
	9	V='-v'
	10
	11	clica --help >/dev/null 2>&1
	12
	13	echo Ensure time is set to 2012/11/01 12:34
	14	echo use - date -u 110112342012
	15	echo hit return when ready
	16	read junk
	17
	18	# Main suite: RSA certs
	19	for tld in com org net
	20	do
	21	iname="example.$tld"
	22	idir=$iname
	23
	24	####
	25	# create CAs & server certs
	26	rm -fr "$idir"
	27
	28	# create CA cert + templates
	29	# -D dir to work in
	30	# -p passwd for cert
	31	# -B keysize in bits
	32	# -I create CA cert
	33	# -N org name
	34	# -F create sub-signing cert
	35	# -C CRL
	36	# -O create OCSP responder cert
	37	clica $V -D "$idir" -p password -B 2048 -I -N $iname -F -C http://crl.$iname/latest.crl -O http://oscp.$iname/
	38
	39	# create server certs
	40	# -m <months>
	41	clica $V -D $idir -p password -s 101 -S server1.$iname -m 301 \
	42	-8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
	43	clica $V -D $idir -p password -s 102 -S revoked1.$iname -m 301
	44	clica $V -D $idir -p password -s 103 -S expired1.$iname -m 1
	45
	46	clica $V -D $idir -p password -s 201 -S server2.$iname -m 301 \
	47	-3 'CN=clica CA rsa,O=example.com' -8 '*.test.ex'
	48	clica $V -D $idir -p password -s 202 -S revoked2.$iname -m 301
	49	clica $V -D $idir -p password -s 203 -S expired2.$iname -m 1
	50
	51	####
	52
	53	# openssl seems to generate a file (ca_chain.pam) in an order it
	54	# cannot then use (the key applies to the first cert in the file?).
	55	# Generate a shuffled one.
	56	for n in 1 2
	57	do
	58	cd $idir/server$n.$iname
	59	openssl pkcs12 -in server$n.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
	60	cat server$n.$iname.pem cacerts.pem > fullchain.pem
	61	rm cacerts.pem
	62	cd ../..
	63	done
	64
	65	####
	66
	67	# generate unlocked keys and client cert bundles
	68	for server in server1 revoked1 expired1 server2 revoked2 expired2
	69	do
	70	SDIR=$idir/$server.$iname
	71	SPFX=$SDIR/$server.$iname
	72	openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	73	cat $SPFX.pem $iname/CA/Signer.pem >$SPFX.chain.pem
	74	done
	75
	76	####
	77
	78	# create OCSP reqs & resps
	79	CADIR=$idir/CA
	80
	81	#give ourselves an OSCP key to work with
	82	pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer rsa' -d $CADIR -K password -W password
	83	openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key
	84
	85	# also need variation from Signer
	86	pk12util -o $CADIR/Signer.p12 -n 'Signing Cert rsa' -d $CADIR -K password -W password
	87	openssl pkcs12 -in $CADIR/Signer.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/Signer.key
	88
	89	# ditto for CA
	90	# - the "-n names" here appear to be hardcoded in clica
	91	pk12util -o $CADIR/CA.p12 -n 'Certificate Authority rsa' -d $CADIR -K password -W password
	92	openssl pkcs12 -in $CADIR/CA.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/CA.key
	93
	94	# create some index files for the ocsp responder to work with
	95	# tab-sep, and fields can be empty
	96	# 0: Revoked/Expired/Valid letter
	97	# 1: Expiry date (ASN1_UTCTIME)
	98	# 2: Revocation date
	99	# 3: Serial no. (unique, in hex)
	100	# 4: file
	101	# 5: DN, index
	102
	103	cat >$CADIR/index.valid.txt <<EOF
	104	V 130110200751Z 65 unknown CN=server1.$iname
	105	V 130110200751Z 66 unknown CN=revoked1.$iname
	106	V 130110200751Z 67 unknown CN=expired1.$iname
	107	V 130110200751Z c9 unknown CN=server2.$iname
	108	V 130110200751Z ca unknown CN=revoked2.$iname
	109	V 130110200751Z cb unknown CN=expired2.$iname
	110	V 130110200751Z 42 unknown CN=clica Signing Cert rsa
	111	V 130110200751Z 41 unknown CN=clica CA rsa
	112	EOF
	113	cat >$CADIR/index.revoked.txt <<EOF
	114	R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.$iname
	115	R 130110200751Z 100201142709Z,superseded 66 unknown CN=revoked1.$iname
	116	R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.$iname
	117	R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.$iname
	118	R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.$iname
	119	R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.$iname
	120	R 130110200751Z 100201142709Z,superseded 42 unknown CN=clica Signing Cert rsa
	121	EOF
	122
	123	# Now create all the ocsp requests and responses for the leaf certs
	124	IVALID="-index $CADIR/index.valid.txt"
	125	IREVOKED="-index $CADIR/index.revoked.txt"
	126
	127	echo "unique_subject = yes" > $CADIR/index.valid.txt.attr
	128	echo "unique_subject = yes" > $CADIR/index.revoked.txt.attr
	129
	130	for server in server1 revoked1 expired1 server2 revoked2 expired2
	131	do
	132	SPFX=$idir/$server.$iname/$server.$iname
	133	openssl ocsp -issuer $CADIR/Signer.pem -sha256 -cert $SPFX.pem -no_nonce -reqout $SPFX.ocsp.req
	134	REQIN="-reqin $SPFX.ocsp.req"
	135
	136	# These ones get used by the "traditional" testcases. OCSP resp signed by a cert which is
	137	# signed by the signer of the leaf-cert being attested to.
	138	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
	139	openssl ocsp $IVALID $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.good.resp
	140	openssl ocsp $IVALID $OGENCOMMON -ndays 30 $REQIN -respout $SPFX.ocsp.dated.resp
	141	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.revoked.resp
	142
	143	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -noverify"
	144	openssl ocsp $IVALID $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signer.good.resp
	145	openssl ocsp $IVALID $OGENCOMMON -ndays 30 $REQIN -respout $SPFX.ocsp.signer.dated.resp
	146	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signer.revoked.resp
	147
	148	# These ones get used by the "LetsEncrypt mode" testcases. OCSP resp is signed directly by the
	149	# signer of the leaf-cert being attested to.
	150	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -resp_no_certs -noverify"
	151	openssl ocsp $IVALID $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signernocert.good.resp
	152	openssl ocsp $IVALID $OGENCOMMON -ndays 30 $REQIN -respout $SPFX.ocsp.signernocert.dated.resp
	153	openssl ocsp $IREVOKED $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.signernocert.revoked.resp
	154	done
	155
	156	# convert one good leaf-resp to PEM
	157	server=server1
	158	RESP=$idir/$server.$iname/$server.$iname.ocsp.signernocert.good.resp
	159	ocsptool -S $RESP -j > $RESP.pem
	160
	161	# Then, ocsp request and (valid, revoked) responses for the signer cert
	162	REQ=$CADIR/Signer.ocsp.req
	163	RESP=$CADIR/Signer.ocsp.signernocert.good.resp
	164	openssl ocsp -issuer $CADIR/CA.pem -sha256 -cert $CADIR/Signer.pem -no_nonce -reqout $REQ
	165	openssl ocsp $IVALID -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $CADIR/CA.pem -resp_no_certs -noverify \
	166	-ndays 3652 -reqin $REQ -respout $RESP
	167	ocsptool -S $RESP -j > $RESP.pem
	168
	169	RESP=$CADIR/Signer.ocsp.signernocert.revoked.resp
	170	openssl ocsp $IREVOKED -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $CADIR/CA.pem -resp_no_certs -noverify \
	171	-ndays 3652 -reqin $REQ -respout $RESP
	172	ocsptool -S $RESP -j > $RESP.pem
	173
	174	# Finally, a full-chain all-good request and response
	175	REQ=$idir/$server.$iname/fullchain.ocsp.req
	176	leafcert=$idir/$server.$iname/$server.$iname.pem
	177	signercert=$CADIR/Signer.pem
	178	cacert=$CADIR/CA.pem
	179	openssl ocsp -sha256 -no_nonce -reqout $REQ \
	180	-issuer $signercert -cert $leafcert \
	181	-issuer $cacert -cert $CADIR/Signer.pem -cert $CADIR/CA.pem
	182
	183	RESP=$idir/$server.$iname/fullchain.ocsp.resp
	184	authorities=$idir/$server.$iname/ca_chain.pem
	185	openssl ocsp $IVALID -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $authorities -resp_no_certs -noverify \
	186	-ndays 3652 -reqin $REQ -respout $RESP
	187	ocsptool -S $RESP -j > $RESP.pem
	188
	189	####
	190	done
	191
	192	# Create one EC leaf cert in the RSA cert tree. It will have an EC pubkey but be signed using its parent
	193	# therefore its parent's algo, RSA.
	194	clica $V -D example.com -p password -k ec -q nistp521 -s 1101 -S server1_ec.example.com -m 301 -8 'server1.example.com,*.test.ex'
	195	SDIR=example.com/server1_ec.example.com
	196	SPFX=$SDIR/server1_ec.example.com
	197	openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	198	cat $SPFX.pem example.com/CA/Signer.pem >$SPFX.chain.pem
	199
	200
	201
	202	###############################################################################
	203	# Limited suite: EC certs
	204	# separate trust root & chain
	205	# .com only, server1 good only, no ocsp
	206	# with server1 in SAN of leaf
	207
	208	for tld in com
	209	do
	210	iname="example_ec.$tld"
	211	idir=$iname
	212
	213	####
	214	# create CAs & server certs
	215	rm -fr "$idir"
	216
	217	# create CA cert + templates
	218	clica $V -D "$idir" -p password -B 2048 -I -N $iname -F \
	219	-k ec -q nistp521 \
	220	-C http://crl.example.$tld/latest.crl -O http://oscp.example.$tld/
	221
	222	# create server certs
	223	# -m <months>
	224	clica $V -D $idir -p password -s 2101 -S server1.$iname -m 301 \
	225	-k ec -q nistp521 \
	226	-8 server1.example.$tld,alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
	227
	228	####
	229
	230	# openssl seems to generate a file (ca_chain.pam) in an order it
	231	# cannot then use (the key applies to the first cert in the file?).
	232	# Generate a shuffled one.
	233	cd $idir/server1.$iname
	234	openssl pkcs12 -in server1.$iname.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
	235	cat server1.$iname.pem cacerts.pem > fullchain.pem
	236	rm cacerts.pem
	237	cd ../..
	238
	239	####
	240
	241	# generate unlocked keys and client cert bundles
	242	for server in server1
	243	do
	244	SDIR=$idir/$server.$iname
	245	SPFX=$SDIR/$server.$iname
	246	openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	247	cat $SPFX.pem $idir/CA/Signer.pem >$SPFX.chain.pem
	248	done
	249
	250	####
	251	# create OCSP reqs & resps
	252	CADIR=$idir/CA
	253	#give ourselves an OSCP key to work with
	254	pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer ec' -d $CADIR -K password -W password
	255	openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key
	256
	257	# create some index files for the ocsp responder to work with
	258	# tab-sep
	259	# 0: Revoked/Expired/Valid letter
	260	# 1: Expiry date (ASN1_UTCTIME)
	261	# 2: Revocation date
	262	# 3: Serial no. (unique)
	263	# 4: file
	264	# 5: DN, index
	265
	266	cat >$CADIR/index.valid.txt <<EOF
	267	V 130110200751Z 835 unknown CN=server1.$iname
	268	EOF
	269
	270	# Now create all the ocsp requests and responses
	271	IVALID="-index $CADIR/index.valid.txt"
	272	for server in server1
	273	do
	274	SPFX=$idir/$server.$iname/$server.$iname
	275	openssl ocsp -issuer $CADIR/Signer.pem -sha256 -cert $SPFX.pem -no_nonce -reqout $SPFX.ocsp.req
	276	REQIN="-reqin $SPFX.ocsp.req"
	277
	278	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
	279	openssl ocsp $IVALID $OGENCOMMON -ndays 3652 $REQIN -respout $SPFX.ocsp.good.resp
	280	done
	281	####
	282	done
	283
	284	###############################################################################
	285
	286	echo Please to reset date to now.
	287	echo 'service ntpdate start (not on a systemd though...)'
	288	echo
	289	echo Then hit return
	290	read junk
	291
	292
	293
	294	# Create CRL files in .der and .pem
	295	# empty versions, and ones with the revoked servers
	296	DATENOW=`date -u +%Y%m%d%H%M%SZ`
	297	for tld in com org net
	298	do
	299	CADIR=example.$tld/CA
	300	CRLIN=$CADIR/crl.empty.in.txt
	301	echo "update=$DATENOW " >$CRLIN
	302	crlutil -G -d $CADIR -f $CADIR/pwdfile \
	303	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.empty
	304	openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
	305	done
	306	sleep 2
	307	DATENOW=`date -u +%Y%m%d%H%M%SZ`
	308	for tld in com org net
	309	do
	310	CADIR=example.$tld/CA
	311	CRLIN=$CADIR/crl.v2.in.txt
	312	echo "update=$DATENOW " >$CRLIN
	313	echo "addcert 102 $DATENOW" >>$CRLIN
	314	echo "addcert 202 $DATENOW" >>$CRLIN
	315	crlutil -G -d $CADIR -f $CADIR/pwdfile \
	316	-n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.v2
	317	openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
	318
	319	CRLIN=$CADIR/crl.Signer.in.txt
	320	echo "update=$DATENOW " >$CRLIN
	321	crlutil -G -d $CADIR -f $CADIR/pwdfile \
	322	-n 'Certificate Authority rsa' -c $CRLIN -o $CADIR/crl.Signer
	323	openssl crl -in $CADIR/crl.Signer -inform der -out $CADIR/crl.Signer.pem
	324
	325	cat $CADIR/crl.Signer.pem $CADIR/crl.v2.pem > $CADIR/crl.chain.pem
	326	done
	327
	328	# Finally, a single certificate-directory
	329	cd example.com/server1.example.com
	330	mkdir -p certdir
	331	cd certdir
	332	f=../../CA/CA.pem
	333	h=`openssl x509 -hash -noout -in $f`
	334	rm -f $h.0
	335	ln -s $f $h.0
	336	f=../../CA/Signer.pem
	337	h=`openssl x509 -hash -noout -in $f`
	338	rm -f $h.0
	339	ln -s $f $h.0
	340	cd ../../..
	341
	342	pwd
	343	ls -l
	344
	345	find example* -type d -print0 \| xargs -0 chmod 755
	346	find example* -type f -print0 \| xargs -0 chmod 644
	347
	348	echo "CA, Certificate, CRL and OSCP Response generation complete"