7 clica
--help >/dev
/null
2>&1
9 echo Ensure
time is
set to
2012/11/01 12:34
10 echo use
- date -u 110112342012
11 echo hit
return when ready
13 for tld
in com org net
17 clica
-D "$idir" -p password
-B 1024 -I -N example.
$tld -F \
18 -C http
://crl.example.
$tld/latest.crl
-O http
://oscp.example.
$tld/
20 clica
-D example.
$tld -p password
-s 101 -S server1.example.
$tld \
21 -8 alternatename.server1.example.
$tld,alternatename2.server1.example.
$tld,*.
test.ex
22 clica
-D example.
$tld -p password
-s 102 -S revoked1.example.
$tld
23 clica
-D example.
$tld -p password
-s 103 -S expired1.example.
$tld -m 1
24 clica
-D example.
$tld -p password
-s 201 -S server2.example.
$tld
25 clica
-D example.
$tld -p password
-s 202 -S revoked2.example.
$tld
26 clica
-D example.
$tld -p password
-s 203 -S expired2.example.
$tld -m 1
29 # openssl seems to generate a file (ca_chain.pam) in an order it
30 # cannot then use (the key applies to the first cert in the file?).
31 # Generate a shuffled one.
32 cd example.
$tld/server1.example.
$tld
33 openssl pkcs12
-in server1.example.
$tld.p12
-passin file:pwdfile
-cacerts -out cacerts.pem
-nokeys
34 cat server1.example.
$tld.pem cacerts.pem
> fullchain.pem
40 for tld
in com org net
43 #give ourselves an OSCP key to work with
44 pk12util
-o $CADIR/OCSP.p12
-n 'OCSP Signer' -d $CADIR -K password
-W password
45 openssl pkcs12
-in $CADIR/OCSP.p12
-passin pass
:password
-passout pass
:password
-nodes -nocerts -out $CADIR/OCSP.key
47 # also need variation from Signer
48 pk12util
-o $CADIR/Signer.p12
-n 'Signing Cert' -d $CADIR -K password
-W password
49 openssl pkcs12
-in $CADIR/Signer.p12
-passin pass
:password
-passout pass
:password
-nodes -nocerts -out $CADIR/Signer.key
51 # create some index files for the ocsp responder to work with
53 # 0: Revoked/Expired/Valid letter
54 # 1: Expiry date (ASN1_UTCTIME)
56 # 3: Serial no. (unique)
60 cat >$CADIR/index.valid.txt
<<EOF
61 V 130110200751Z 65 unknown CN=server1.example.$tld
62 V 130110200751Z 66 unknown CN=revoked1.example.$tld
63 V 130110200751Z 67 unknown CN=expired1.example.$tld
64 V 130110200751Z c9 unknown CN=server2.example.$tld
65 V 130110200751Z ca unknown CN=revoked2.example.$tld
66 V 130110200751Z cb unknown CN=expired2.example.$tld
68 cat >$CADIR/index.revoked.txt
<<EOF
69 R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.example.$tld
70 R 130110200751Z 100201142709Z,superseded 66 unknown CN=revoked1.example.$tld
71 R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.example.$tld
72 R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.example.$tld
73 R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.example.$tld
74 R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.example.$tld
77 # Now create all the ocsp requests and responses
78 for server
in server1 revoked1 expired1 server2 revoked2 expired2
80 SPFX
=example.
$tld/$server.example.
$tld/$server.example.
$tld
81 openssl ocsp
-issuer $CADIR/Signer.pem
-cert $SPFX.pem
-no_nonce -sha256 -reqout $SPFX.ocsp.req
83 OGENCOMMON
="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
84 openssl ocsp
-index $CADIR/index.valid.txt
$OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req
-respout $SPFX.ocsp.good.resp
85 openssl ocsp
-index $CADIR/index.valid.txt
$OGENCOMMON -ndays 30 -sha256 -reqin $SPFX.ocsp.req
-respout $SPFX.ocsp.dated.resp
86 openssl ocsp
-index $CADIR/index.revoked.txt
$OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req
-respout $SPFX.ocsp.revoked.resp
88 OGENCOMMON
="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -noverify"
89 openssl ocsp
-index $CADIR/index.valid.txt
$OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req
-respout $SPFX.ocsp.signer.good.resp
90 openssl ocsp
-index $CADIR/index.valid.txt
$OGENCOMMON -ndays 30 -sha256 -reqin $SPFX.ocsp.req
-respout $SPFX.ocsp.signer.dated.resp
91 openssl ocsp
-index $CADIR/index.revoked.txt
$OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req
-respout $SPFX.ocsp.signer.revoked.resp
93 OGENCOMMON
="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -resp_no_certs -noverify"
94 openssl ocsp
-index $CADIR/index.valid.txt
$OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req
-respout $SPFX.ocsp.signernocert.good.resp
95 openssl ocsp
-index $CADIR/index.valid.txt
$OGENCOMMON -ndays 30 -sha256 -reqin $SPFX.ocsp.req
-respout $SPFX.ocsp.signernocert.dated.resp
96 openssl ocsp
-index $CADIR/index.revoked.txt
$OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req
-respout $SPFX.ocsp.signernocert.revoked.resp
100 # and loop again to generate unlocked keys and client cert bundles
101 for tld
in com org net
103 for server
in server1 revoked1 expired1 server2 revoked2 expired2
105 SDIR
=example.
$tld/$server.example.
$tld
106 SPFX
=$SDIR/$server.example.
$tld
107 openssl rsa
-in $SPFX.key
-passin file:$SDIR/pwdfile
-out $SPFX.unlocked.key
108 cat $SPFX.pem example.
$tld/CA
/Signer.pem
>$SPFX.chain.pem
112 echo Please to
reset date to now.
113 echo 'service ntpdate start (not on a systemd though...)'
118 # Create CRL files in .der and .pem
119 # empty versions, and ones with the revoked servers
120 for tld
in com org net
122 CADIR
=example.
$tld/CA
123 CRLIN
=$CADIR/crl.empty.
in.txt
124 DATENOW
=`date -u +%Y%m%d%H%M%SZ`
125 echo "update=$DATENOW " >$CRLIN
126 crlutil
-G -d $CADIR -f $CADIR/pwdfile \
127 -n 'Signing Cert' -c $CRLIN -o $CADIR/crl.empty
128 openssl crl
-in $CADIR/crl.empty
-inform der
-out $CADIR/crl.empty.pem
131 for tld
in com org net
133 CADIR
=example.
$tld/CA
134 CRLIN
=$CADIR/crl.v2.
in.txt
135 DATENOW
=`date -u +%Y%m%d%H%M%SZ`
136 echo "update=$DATENOW " >$CRLIN
137 echo "addcert 102 $DATENOW" >>$CRLIN
138 echo "addcert 202 $DATENOW" >>$CRLIN
139 crlutil
-G -d $CADIR -f $CADIR/pwdfile \
140 -n 'Signing Cert' -c $CRLIN -o $CADIR/crl.v2
141 openssl crl
-in $CADIR/crl.v2
-inform der
-out $CADIR/crl.v2.pem
144 # Finally, a single certificate-directory
145 cd example.com
/server1.example.com
149 h
=`openssl x509 -hash -noout -in $f`
152 f
=..
/..
/CA
/Signer.pem
153 h
=`openssl x509 -hash -noout -in $f`
161 find example.
* -type d
-print0 |
xargs -0 chmod 755
162 find example.
* -type f
-print0 |
xargs -0 chmod 644
164 echo "CA, Certificate, CRL and OSCP Response generation complete"