4 echo Ensure
time is
set to
2012/11/01 12:34
5 echo use
- date -u 110112342012
6 echo hit
return when ready
10 clica
-D example.
$tld -p password
-B 1024 -I -N example.
$tld -F -C http
://crl.example.
$tld/latest.crl
-O http
://oscp
/example.
$tld/
11 clica
-D example.
$tld -p password
-s 101 -S server1.example.
$tld
12 clica
-D example.
$tld -p password
-s 102 -S revoked1.example.
$tld
13 clica
-D example.
$tld -p password
-s 103 -S expired1.example.
$tld -m 1
14 clica
-D example.
$tld -p password
-s 201 -S server2.example.
$tld
15 clica
-D example.
$tld -p password
-s 202 -S revoked2.example.
$tld
16 clica
-D example.
$tld -p password
-s 203 -S expired2.example.
$tld -m 1
20 for tld
in com org net
23 #give ourselves an OSCP key to work with
24 pk12util
-o $CADIR/OCSP.p12
-n 'OCSP Signer' -d $CADIR -K password
-W password
25 openssl pkcs12
-in $CADIR/OCSP.p12
-passin pass
:password
-passout pass
:password
-nodes -nocerts -out $CADIR/OCSP.key
28 # create some index files for the ocsp responder to work with
29 cat >$CADIR/index.valid.txt
<<EOF
30 V 130110200751Z 65 unknown CN=server1.example.$tld
31 V 130110200751Z 66 unknown CN=revoked1.example.$tld
32 V 130110200751Z 67 unknown CN=expired1.example.$tld
33 V 130110200751Z c9 unknown CN=server2.example.$tld
34 V 130110200751Z ca unknown CN=revoked2.example.$tld
35 V 130110200751Z cb unknown CN=expired2.example.$tld
37 cat >$CADIR/index.revoked.txt
<<EOF
38 R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.example.$tld
39 R 130110200751Z 100201142709Z,superseded 66 unknown CN=revoked1.example.$tld
40 R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.example.$tld
41 R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.example.$tld
42 R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.example.$tld
43 R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.example.$tld
46 # Now create all the ocsp requests and responses
47 OGENCOMMON
="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
48 for server
in server1 revoked1 expired1 server2 revoked2 expired2
50 SPFX
=example.
$tld/$server.example.
$tld/$server.example.
$tld
51 openssl ocsp
-issuer $CADIR/Signer.pem
-cert $SPFX.pem
-reqout $SPFX.ocsp.req
52 openssl ocsp
-index $CADIR/index.valid.txt
$OGENCOMMON -reqin $SPFX.ocsp.req
-respout $SPFX.ocsp.good.resp
53 openssl ocsp
-index $CADIR/index.valid.txt
$OGENCOMMON -ndays 30 -reqin $SPFX.ocsp.req
-respout $SPFX.ocsp.dated.resp
54 openssl ocsp
-index $CADIR/index.revoked.txt
$OGENCOMMON -reqin $SPFX.ocsp.req
-respout $SPFX.ocsp.revoked.resp
58 # and loop again to generate unlocked keys and client cert bundles
59 for tld
in com org net
61 for server
in server1 revoked1 expired1 server2 revoked2 expired2
63 SDIR
=example.
$tld/$server.example.
$tld
64 SPFX
=$SDIR/$server.example.
$tld
65 openssl rsa
-in $SPFX.key
-passin file:$SDIR/pwdfile
-out $SPFX.unlocked.key
66 cat $SPFX.pem example.
$tld/CA
/Signer.pem
>$SPFX.chain.pem
70 echo Please to
reset date to now.
71 echo service ntpdate start
76 # Create CRL files in .der and .pem
77 # empty versions, and ones with the revoked servers
78 for tld
in com org net
81 CRLIN
=$CADIR/crl.empty.
in.txt
82 DATENOW
=`date -u +%Y%m%d%H%M%SZ`
83 echo "update=$DATENOW " >$CRLIN
84 crlutil
-G -d $CADIR -f $CADIR/pwdfile \
85 -n 'Signing Cert' -c $CRLIN -o $CADIR/crl.empty
86 openssl crl
-in $CADIR/crl.empty
-inform der
-out $CADIR/crl.empty.pem
89 for tld
in com org net
92 CRLIN
=$CADIR/crl.v2.
in.txt
93 DATENOW
=`date -u +%Y%m%d%H%M%SZ`
94 echo "update=$DATENOW " >$CRLIN
95 echo "addcert 102 $DATENOW" >>$CRLIN
96 echo "addcert 202 $DATENOW" >>$CRLIN
97 crlutil
-G -d $CADIR -f $CADIR/pwdfile \
98 -n 'Signing Cert' -c $CRLIN -o $CADIR/crl.v2
99 openssl crl
-in $CADIR/crl.v2
-inform der
-out $CADIR/crl.v2.pem
102 find example.
* -type d
-print0 |
xargs -0 chmod 755
103 find example.
* -type f
-print0 |
xargs -0 chmod 644
105 echo "CA, Certificate, CRL and OSCP Response generation complete"