4 echo Ensure
time is
set to
2012/11/01 12:34
5 echo use
- date -u 110112342012
6 echo hit
return when ready
10 clica
-D example.
$tld -p password
-B 1024 -I -N example.
$tld -F \
11 -C http
://crl.example.
$tld/latest.crl
-O http
://oscp
/example.
$tld/
13 clica
-D example.
$tld -p password
-s 101 -S server1.example.
$tld \
14 -8 alternatename.server1.example.
$tld,alternatename2.server1.example.
$tld
15 clica
-D example.
$tld -p password
-s 102 -S revoked1.example.
$tld
16 clica
-D example.
$tld -p password
-s 103 -S expired1.example.
$tld -m 1
17 clica
-D example.
$tld -p password
-s 201 -S server2.example.
$tld
18 clica
-D example.
$tld -p password
-s 202 -S revoked2.example.
$tld
19 clica
-D example.
$tld -p password
-s 203 -S expired2.example.
$tld -m 1
23 for tld
in com org net
26 #give ourselves an OSCP key to work with
27 pk12util
-o $CADIR/OCSP.p12
-n 'OCSP Signer' -d $CADIR -K password
-W password
28 openssl pkcs12
-in $CADIR/OCSP.p12
-passin pass
:password
-passout pass
:password
-nodes -nocerts -out $CADIR/OCSP.key
31 # create some index files for the ocsp responder to work with
32 cat >$CADIR/index.valid.txt
<<EOF
33 V 130110200751Z 65 unknown CN=server1.example.$tld
34 V 130110200751Z 66 unknown CN=revoked1.example.$tld
35 V 130110200751Z 67 unknown CN=expired1.example.$tld
36 V 130110200751Z c9 unknown CN=server2.example.$tld
37 V 130110200751Z ca unknown CN=revoked2.example.$tld
38 V 130110200751Z cb unknown CN=expired2.example.$tld
40 cat >$CADIR/index.revoked.txt
<<EOF
41 R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.example.$tld
42 R 130110200751Z 100201142709Z,superseded 66 unknown CN=revoked1.example.$tld
43 R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.example.$tld
44 R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.example.$tld
45 R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.example.$tld
46 R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.example.$tld
49 # Now create all the ocsp requests and responses
50 OGENCOMMON
="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
51 for server
in server1 revoked1 expired1 server2 revoked2 expired2
53 SPFX
=example.
$tld/$server.example.
$tld/$server.example.
$tld
54 openssl ocsp
-issuer $CADIR/Signer.pem
-cert $SPFX.pem
-reqout $SPFX.ocsp.req
55 openssl ocsp
-index $CADIR/index.valid.txt
$OGENCOMMON -ndays 3652 -reqin $SPFX.ocsp.req
-respout $SPFX.ocsp.good.resp
56 openssl ocsp
-index $CADIR/index.valid.txt
$OGENCOMMON -ndays 30 -reqin $SPFX.ocsp.req
-respout $SPFX.ocsp.dated.resp
57 openssl ocsp
-index $CADIR/index.revoked.txt
$OGENCOMMON -ndays 3652 -reqin $SPFX.ocsp.req
-respout $SPFX.ocsp.revoked.resp
61 # and loop again to generate unlocked keys and client cert bundles
62 for tld
in com org net
64 for server
in server1 revoked1 expired1 server2 revoked2 expired2
66 SDIR
=example.
$tld/$server.example.
$tld
67 SPFX
=$SDIR/$server.example.
$tld
68 openssl rsa
-in $SPFX.key
-passin file:$SDIR/pwdfile
-out $SPFX.unlocked.key
69 cat $SPFX.pem example.
$tld/CA
/Signer.pem
>$SPFX.chain.pem
73 echo Please to
reset date to now.
74 echo service ntpdate start
79 # Create CRL files in .der and .pem
80 # empty versions, and ones with the revoked servers
81 for tld
in com org net
84 CRLIN
=$CADIR/crl.empty.
in.txt
85 DATENOW
=`date -u +%Y%m%d%H%M%SZ`
86 echo "update=$DATENOW " >$CRLIN
87 crlutil
-G -d $CADIR -f $CADIR/pwdfile \
88 -n 'Signing Cert' -c $CRLIN -o $CADIR/crl.empty
89 openssl crl
-in $CADIR/crl.empty
-inform der
-out $CADIR/crl.empty.pem
92 for tld
in com org net
95 CRLIN
=$CADIR/crl.v2.
in.txt
96 DATENOW
=`date -u +%Y%m%d%H%M%SZ`
97 echo "update=$DATENOW " >$CRLIN
98 echo "addcert 102 $DATENOW" >>$CRLIN
99 echo "addcert 202 $DATENOW" >>$CRLIN
100 crlutil
-G -d $CADIR -f $CADIR/pwdfile \
101 -n 'Signing Cert' -c $CRLIN -o $CADIR/crl.v2
102 openssl crl
-in $CADIR/crl.v2
-inform der
-out $CADIR/crl.v2.pem
105 find example.
* -type d
-print0 |
xargs -0 chmod 755
106 find example.
* -type f
-print0 |
xargs -0 chmod 644
108 echo "CA, Certificate, CRL and OSCP Response generation complete"