Testsuite: use certs expiring before end of 2037, to avoid GnuTLS top-limit clamp...
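#!/bin/bash
#
# Generate the test-suite CA fixtures: for each of example.com/.org/.net a
# CA, six server certificates, OCSP requests/responses, CRLs and a hashed
# certificate directory. All paths are relative, so run it from the
# directory that holds (or will hold) the example.* trees.
#
# Every password used below is the literal fixture value "password", and
# "set -x" will print it in the trace; that is acceptable for throwaway
# test material only.

set -e
set -u
set -o pipefail   # make the find|xargs style pipelines fail if a producer fails
set -x

# Fail early, with a readable message, if any tool used below is missing.
for tool in clica openssl pk12util crlutil; do
  command -v "$tool" >/dev/null 2>&1 || {
    printf 'genall: required tool not found: %s\n' "$tool" >&2
    exit 1
  }
done
# Kept from the original: also aborts (set -e) if clica cannot even run --help.
clica --help >/dev/null 2>&1

# Certificate validity is computed from the clock, so the operator must set
# the fixed start date before anything is generated.
printf '%s\n' \
  'Ensure time is set to 2012/11/01 12:34' \
  'use - date -u 110112342012' \
  'hit return when ready'
read -r junk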
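# Per TLD: create the CA and issue the six server certificates.
# The serials (101..103, 201..203) reappear in hex in the OCSP index files
# and in decimal in the CRL input further down; keep them in sync.
for tld in com org net; do
  idir="example.$tld"
  # ":?" aborts instead of running "rm -fr" on an empty value.
  rm -fr -- "${idir:?}"
  # -B 1024: a small RSA key, tolerable only because these are test fixtures.
  clica -D "$idir" -p password -B 1024 -I -N "example.$tld" -F \
    -C "http://crl.example.$tld/latest.crl" -O "http://oscp.example.$tld/"

  # -m <months>: 301 months from the 2012-11 start date keeps expiry inside
  # 2037 (the GnuTLS limit the commit message refers to); 1 month yields the
  # deliberately expired certificates.
  # The SAN list is quoted so the shell never glob-expands "*.test.ex".
  clica -D "$idir" -p password -s 101 -S "server1.example.$tld" -m 301 \
    -8 "alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex"
  clica -D "$idir" -p password -s 102 -S "revoked1.example.$tld" -m 301
  clica -D "$idir" -p password -s 103 -S "expired1.example.$tld" -m 1
  clica -D "$idir" -p password -s 201 -S "server2.example.$tld" -m 301
  clica -D "$idir" -p password -s 202 -S "revoked2.example.$tld" -m 301
  clica -D "$idir" -p password -s 203 -S "expired2.example.$tld" -m 1

  # openssl seems to generate a file (ca_chain.pam) in an order it
  # cannot then use (the key applies to the first cert in the file?).
  # Generate a shuffled one: the server cert first, then the CA certs.
  cd "$idir/server1.example.$tld"
  openssl pkcs12 -in "server1.example.$tld.p12" -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
  cat "server1.example.$tld.pem" cacerts.pem > fullchain.pem
  rm cacerts.pem
  cd ../..
done
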
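# Emit one line of an OpenSSL "index.txt" database. The format is exactly
# six TAB-separated fields:
#   status letter (V/R/E), expiry (ASN1_UTCTIME), revocation date[,reason],
#   serial (hex), file, DN
# printf keeps the tabs explicit so they cannot be silently turned into
# spaces by an editor or a copy/paste; an empty revocation field still
# needs its tab.
#   $1 status letter, $2 revocation field (may be empty), $3 hex serial,
#   $4 subject CN
index_line() {
  printf '%s\t130110200751Z\t%s\t%s\tunknown\tCN=%s\n' "$1" "$2" "$3" "$4"
}

# Produce the good / dated / revoked OCSP responses for the request in
# $SPFX.ocsp.req with one signer configuration.
#   $1 infix for the output names ("" / "signer." / "signernocert.")
#   remaining args: signer options passed verbatim to "openssl ocsp"
# Reads globals CADIR and SPFX set by the loop below.
ocsp_responses() {
  local infix=$1
  shift
  openssl ocsp -index "$CADIR/index.valid.txt" "$@" -ndays 3652 -sha256 \
    -reqin "$SPFX.ocsp.req" -respout "$SPFX.ocsp.${infix}good.resp"
  openssl ocsp -index "$CADIR/index.valid.txt" "$@" -ndays 30 -sha256 \
    -reqin "$SPFX.ocsp.req" -respout "$SPFX.ocsp.${infix}dated.resp"
  openssl ocsp -index "$CADIR/index.revoked.txt" "$@" -ndays 3652 -sha256 \
    -reqin "$SPFX.ocsp.req" -respout "$SPFX.ocsp.${infix}revoked.resp"
}

# hex serial -> host, i.e. the -s values given to clica (101..103, 201..203)
serials=(65:server1 66:revoked1 67:expired1 c9:server2 ca:revoked2 cb:expired2)

# and loop again
for tld in com org net; do
  CADIR="example.$tld/CA"
  # give ourselves an OCSP key to work with
  pk12util -o "$CADIR/OCSP.p12" -n 'OCSP Signer' -d "$CADIR" -K password -W password
  openssl pkcs12 -in "$CADIR/OCSP.p12" -passin pass:password -passout pass:password -nodes -nocerts -out "$CADIR/OCSP.key"

  # also need variation from Signer
  pk12util -o "$CADIR/Signer.p12" -n 'Signing Cert' -d "$CADIR" -K password -W password
  openssl pkcs12 -in "$CADIR/Signer.p12" -passin pass:password -passout pass:password -nodes -nocerts -out "$CADIR/Signer.key"

  # create some index files for the ocsp responder to work with: one where
  # every cert is Valid, one where every cert is Revoked (2010-02-01,
  # reason "superseded").
  : >"$CADIR/index.valid.txt"
  : >"$CADIR/index.revoked.txt"
  for entry in "${serials[@]}"; do
    serial=${entry%%:*}
    host=${entry#*:}
    index_line V '' "$serial" "$host.example.$tld" >>"$CADIR/index.valid.txt"
    index_line R '100201142709Z,superseded' "$serial" "$host.example.$tld" >>"$CADIR/index.revoked.txt"
  done

  # Now create all the ocsp requests and responses
  for server in server1 revoked1 expired1 server2 revoked2 expired2; do
    SPFX="example.$tld/$server.example.$tld/$server.example.$tld"
    openssl ocsp -issuer "$CADIR/Signer.pem" -cert "$SPFX.pem" -no_nonce -sha256 -reqout "$SPFX.ocsp.req"

    # signed by the dedicated OCSP responder certificate
    ocsp_responses '' \
      -rsigner "$CADIR/OCSP.pem" -rkey "$CADIR/OCSP.key" -CA "$CADIR/Signer.pem" -noverify
    # signed directly by the issuing (Signer) certificate
    ocsp_responses 'signer.' \
      -rsigner "$CADIR/Signer.pem" -rkey "$CADIR/Signer.key" -CA "$CADIR/Signer.pem" -noverify
    # as above, but without embedding the signer certificate in the response
    ocsp_responses 'signernocert.' \
      -rsigner "$CADIR/Signer.pem" -rkey "$CADIR/Signer.key" -CA "$CADIR/Signer.pem" -resp_no_certs -noverify
  done
done
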
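# and loop again to generate unlocked keys and client cert bundles.
# The *.unlocked.key files are unencrypted private keys; that is tolerable
# only because these are throwaway test fixtures.
for tld in com org net; do
  for server in server1 revoked1 expired1 server2 revoked2 expired2; do
    SDIR="example.$tld/$server.example.$tld"
    SPFX="$SDIR/$server.example.$tld"
    openssl rsa -in "$SPFX.key" -passin "file:$SDIR/pwdfile" -out "$SPFX.unlocked.key"
    # leaf certificate followed by its issuer, for peers that send a chain
    cat "$SPFX.pem" "example.$tld/CA/Signer.pem" >"$SPFX.chain.pem"
  done
done
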
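# The certificates are done. The CRLs below are stamped with the real
# current time, so ask the operator to restore the clock first.
printf '%s\n' \
  'Please to reset date to now.' \
  'service ntpdate start (not on a systemd though...)' \
  '' \
  'Then hit return'
read -r junk
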
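# Generate one CRL, as DER and PEM, for a CA directory.
#   $1 CA directory, $2 CRL name (files are crl.<name>, crl.<name>.pem and
#   crl.<name>.in.txt), remaining args: decimal serials to list as revoked
#   (none -> an empty CRL).
# The update time is taken from the real clock, hence the reset prompt above.
make_crl() {
  local cadir=$1 name=$2
  shift 2
  local crlin="$cadir/crl.$name.in.txt"
  local datenow serial
  datenow=$(date -u '+%Y%m%d%H%M%SZ')
  # the trailing space after the date is kept exactly as the original input had it
  printf 'update=%s \n' "$datenow" >"$crlin"
  for serial in "$@"; do
    printf 'addcert %s %s\n' "$serial" "$datenow" >>"$crlin"
  done
  crlutil -G -d "$cadir" -f "$cadir/pwdfile" \
    -n 'Signing Cert' -c "$crlin" -o "$cadir/crl.$name"
  openssl crl -in "$cadir/crl.$name" -inform der -out "$cadir/crl.$name.pem"
}

# Create CRL files in .der and .pem:
# empty versions, and ones with the revoked servers
for tld in com org net; do
  make_crl "example.$tld/CA" empty
done
sleep 2   # presumably so the v2 CRLs get a strictly later update time than the empty ones
for tld in com org net; do
  # 102 and 202 are the serials of revoked1/revoked2 issued above
  make_crl "example.$tld/CA" v2 102 202
done
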
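# Finally, a single certificate-directory: symlinks named <subject-hash>.0
# pointing at the CA and Signer certificates, the layout a hashed CA path
# lookup expects. Both links use the .0 suffix, which assumes the two
# subject hashes differ (a collision would need .1); the script does not
# check for that.
cd example.com/server1.example.com
mkdir -p certdir
cd certdir
for f in ../../CA/CA.pem ../../CA/Signer.pem; do
  h=$(openssl x509 -hash -noout -in "$f")
  rm -f -- "$h.0"
  ln -s -- "$f" "$h.0"
done
cd ../../..
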
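pwd
ls -l

# Make the whole tree world-readable; note this deliberately includes the
# unencrypted *.unlocked.key fixture keys generated above.
find example.* -type d -exec chmod 755 {} +
find example.* -type f -exec chmod 644 {} +

printf '%s\n' "CA, Certificate, CRL and OSCP Response generation complete"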