[exim.git] / test / aux-fixed / exim-ca / README


The three directories each contain a complete CA with server signing
certificate, OCSP signing certificate and a selection of server
certificates under each domain. The "server1" certificates have
a CRL distribution point extension; the "server2" ones instead have
a Authority Key extension/

For each directory there are a number of subdirectories.

    CA	- The main certificate signing directory.

	    Within this directory the primary file sof interest
	    will be the two CRL files,  crl.empty and crl.v2
	    These are valid CRLs; the "v2" containing the two
	    revoked certs.

    BLANK - a template usable for client-only machines
	    for clients of this private CA.

    *.example.* - individual server certificates.

The six certificate subdirs each contain a cert for a machine
by that name; those in the "expired" ones are out-of-date (the
rest expire in 2038).  The "1" and "2" systems/certs have
equivalent properties.

In each certificate subdir: the ".db" files are NSS version of the cert,
the ".pem", ".key" and ".unlocked.key" are usable by OpenSSL (the
ca_chain.pem being a copy of the CA public information and signer
public information).

The ".p12" file rolls up the CA, Signer and cert info. Both the ".p12"
and NSS info are passworded using the "pwdfile".
The ocsp request file is one a client would send to an OCSP responder.
The ocsp response files are those gotten that way. in .der format;
"good" being all well, "dated" meaning the response (not the cert)
is out-of-date, and "revoked" meaning the cert has been revoked.


The files were created using the "genall" script which utilises a
combination of tools,

    openssl
    nss-tools
    clica

of these the only unfamiliar one is likely to be clica, a command
line CA tool which can be found at

    http://people.redhat.com/mpoole/clica/

NOTE:
 During running of "genall" you need to manipulate the system
 date/time.  Shutdown ntpd service before doing this, and restart
 after.
Commit	Line	Data
f5d78688 JH	1
	2	The three directories each contain a complete CA with server signing
	3	certificate, OCSP signing certificate and a selection of server
854586e1 JH	4	certificates under each domain. The "server1" certificates have
	5	a CRL distribution point extension; the "server2" ones instead have
	6	a Authority Key extension/
f5d78688 JH	7
	8	For each directory there are a number of subdirectories.
	9
	10	CA - The main certificate signing directory.
	11
	12	Within this directory the primary file sof interest
	13	will be the two CRL files, crl.empty and crl.v2
	14	These are valid CRLs; the "v2" containing the two
	15	revoked certs.
	16
	17	BLANK - a template usable for client-only machines
	18	for clients of this private CA.
	19
	20	.example. - individual server certificates.
	21
	22	The six certificate subdirs each contain a cert for a machine
	23	by that name; those in the "expired" ones are out-of-date (the
	24	rest expire in 2038). The "1" and "2" systems/certs have
	25	equivalent properties.
	26
aded2255	27	In each certificate subdir: the ".db" files are NSS version of the cert,
f5d78688 JH	28	the ".pem", ".key" and ".unlocked.key" are usable by OpenSSL (the
	29	ca_chain.pem being a copy of the CA public information and signer
	30	public information).
	31
	32	The ".p12" file rolls up the CA, Signer and cert info. Both the ".p12"
	33	and NSS info are passworded using the "pwdfile".
	34	The ocsp request file is one a client would send to an OCSP responder.
	35	The ocsp response files are those gotten that way. in .der format;
	36	"good" being all well, "dated" meaning the response (not the cert)
	37	is out-of-date, and "revoked" meaning the cert has been revoked.
	38
	39
2b4a568d	40	The files were created using the "genall" script which utilises a
f5d78688 JH	41	combination of tools,
	42
	43	openssl
	44	nss-tools
	45	clica
	46
	47	of these the only unfamiliar one is likely to be clica, a command
	48	line CA tool which can be found at
	49
	50	http://people.redhat.com/mpoole/clica/
	51
2b4a568d JH	52	NOTE:
	53	During running of "genall" you need to manipulate the system
	54	date/time. Shutdown ntpd service before doing this, and restart
	55	after.
f5d78688 JH	56
f5d78688 JH	57