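#!/bin/bash
#
# genall: build the throw-away CA hierarchies, server certificates, CRLs and
# OCSP responses used by the test suite.  Everything produced here is a test
# fixture: every key is protected with the literal password "password" and
# password-free copies of the private keys are written to disk, so none of
# this material may ever be used for anything real.
#
# Tools used: clica, openssl, pk12util, crlutil, ocsptool.

set -e

# Debugging. Set V for clica verbosity.
set -x
#V=
V='-v'

# Fail early, with a message, if clica is not installed.  Under "set -e" a
# bare "command not found" would otherwise stop the script with no hint as
# to why.
if ! command -v clica >/dev/null 2>&1; then
  echo "genall: clica not found in PATH" >&2
  exit 1
fi
clica --help >/dev/null 2>&1

# The certificate, OCSP and index dates below are only reproducible with the
# clock pinned to this moment; the script prompts again at the end to put it
# back.
echo Ensure time is set to 2012/11/01 12:34
echo use - date -u 110112342012
echo hit return when ready
read -r junk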
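
# Main suite: RSA certs
#
# Everything from here until the "reset date" prompt runs with the clock
# pinned to 2012-11-01, so the certificate and OCSP validity dates are
# reproducible; the "expired" leaves (-m 1, one month) have lapsed once the
# clock is put back.  Keys are protected with the literal password
# "password" and password-free copies are written out: test-fixture only.

# export_nss_key NICKNAME OUTBASE
#   Export the private key held under NICKNAME in the NSS database $CADIR
#   (populated by clica) into OUTBASE.p12, then unwrap it to an unencrypted
#   PEM key OUTBASE.key for openssl(1) to sign with.  The nicknames appear
#   to be hardcoded in clica.  -K is the database password, -W the password
#   the exported .p12 is protected with.
export_nss_key() {
  local nick=$1 outbase=$2
  pk12util -o "$outbase.p12" -n "$nick" -d "$CADIR" -K password -W password
  openssl pkcs12 -in "$outbase.p12" -passin pass:password -passout pass:password \
    -nodes -nocerts -out "$outbase.key"
}

# ocsp_index_line STATUS EXPIRY REVOKED SERIAL FILE DN
#   Print one record of an openssl(1) ca/ocsp index: six TAB-separated
#   fields, REVOKED being empty for a valid entry.  printf is used rather
#   than a here-document so the tabs (and the empty field) cannot silently
#   degrade to spaces when the script is edited or pasted; the index parser
#   splits on tabs.
ocsp_index_line() {
  printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "$4" "$5" "$6"
}

# ca_signed_response REQ RESP INDEX-ARGS...
#   Answer the OCSP request REQ into RESP (DER) and RESP.pem, signing with
#   the CA key directly and embedding no certificates in the response.
#   INDEX-ARGS is the "-index FILE" pair selecting the valid or revoked index.
ca_signed_response() {
  local req=$1 resp=$2
  shift 2
  openssl ocsp "$@" -rsigner "$CADIR/CA.pem" -rkey "$CADIR/CA.key" -CA "$CADIR/CA.pem" \
    -resp_no_certs -noverify -ndays 3652 -reqin "$req" -respout "$resp"
  ocsptool -S "$resp" -j > "$resp.pem"
}

for tld in com org net; do
  iname="example.$tld"
  idir=$iname
  CADIR=$idir/CA

  ####
  # create CAs & server certs, from scratch each time
  rm -fr "${idir:?}"

  # create CA cert + templates
  #   -D dir to work in          -p passwd for cert
  #   -B keysize in bits         -I create CA cert
  #   -N org name                -F create sub-signing cert
  #   -C CRL URL                 -O OCSP responder URL (creates responder cert)
  clica $V -D "$idir" -p password -B 2048 -I -N "$iname" -F \
    -C "http://crl.$iname/latest.crl" -O "http://oscp.$iname/"

  # create server certs
  #   -s serial   -S subject CN   -m <months>   -8 SAN list   -3 issuer DN
  # The SAN lists are quoted so the shell cannot glob "*.test.ex" against
  # files in the current directory.  Serials 101.. and 201.. reappear in
  # hex in the OCSP index below.
  clica $V -D "$idir" -p password -s 101 -S "server1.$iname" -m 301 \
    -8 "alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex"
  clica $V -D "$idir" -p password -s 102 -S "revoked1.$iname" -m 301
  clica $V -D "$idir" -p password -s 103 -S "expired1.$iname" -m 1

  clica $V -D "$idir" -p password -s 201 -S "server2.$iname" -m 301 \
    -3 'CN=clica CA rsa,O=example.com' -8 '*.test.ex'
  clica $V -D "$idir" -p password -s 202 -S "revoked2.$iname" -m 301
  clica $V -D "$idir" -p password -s 203 -S "expired2.$iname" -m 1

  ####

  # openssl seems to generate a file (ca_chain.pam) in an order it
  # cannot then use (the key applies to the first cert in the file?).
  # Generate a shuffled one: leaf first, then the CA certs pulled out of
  # the PKCS#12.  Absolute-ish paths are used instead of cd'ing in and out.
  for n in 1 2; do
    sdir=$idir/server$n.$iname
    openssl pkcs12 -in "$sdir/server$n.$iname.p12" -passin "file:$sdir/pwdfile" \
      -cacerts -nokeys -out "$sdir/cacerts.pem"
    cat "$sdir/server$n.$iname.pem" "$sdir/cacerts.pem" > "$sdir/fullchain.pem"
    rm "$sdir/cacerts.pem"
  done

  ####

  # generate unlocked (password-free) keys and client cert bundles
  for server in server1 revoked1 expired1 server2 revoked2 expired2; do
    SDIR=$idir/$server.$iname
    SPFX=$SDIR/$server.$iname
    openssl rsa -in "$SPFX.key" -passin "file:$SDIR/pwdfile" -out "$SPFX.unlocked.key"
    cat "$SPFX.pem" "$CADIR/Signer.pem" > "$SPFX.chain.pem"
  done

  ####

  # For full-chain OCSP we still want a response for the Signer cert and
  # also (?) one for the CA cert itself; the per-leaf responses below only
  # cover the leaf certs, one layer down.  The Signer and CA responses are
  # signed with the CA key (see the end of this loop).

  # create OCSP reqs & resps

  # Keys to sign responses with: the dedicated OCSP responder cert, the
  # intermediate Signer, and the CA.
  export_nss_key 'OCSP Signer rsa'           "$CADIR/OCSP"
  export_nss_key 'Signing Cert rsa'          "$CADIR/Signer"
  export_nss_key 'Certificate Authority rsa' "$CADIR/CA"

  # Index files for the openssl ocsp responder.  Fields (tab-separated):
  #   0: status letter (V valid / R revoked / E expired)
  #   1: expiry date (ASN1_UTCTIME)
  #   2: revocation date[,reason] — empty unless revoked
  #   3: serial no. (unique, hex): 0x65 = 101, 0xc9 = 201, etc.; 41 and 42
  #      are the CA and Signer certs
  #   4: file ("unknown")
  #   5: subject DN
  # The revoked index lists every leaf as revoked so that a "revoked"
  # response can be produced for any of them.
  expiry=130110200751Z
  revoked_at=100201142709Z,superseded
  {
    ocsp_index_line V "$expiry" '' 65 unknown "CN=server1.$iname"
    ocsp_index_line V "$expiry" '' 66 unknown "CN=revoked1.$iname"
    ocsp_index_line V "$expiry" '' 67 unknown "CN=expired1.$iname"
    ocsp_index_line V "$expiry" '' c9 unknown "CN=server2.$iname"
    ocsp_index_line V "$expiry" '' ca unknown "CN=revoked2.$iname"
    ocsp_index_line V "$expiry" '' cb unknown "CN=expired2.$iname"
    ocsp_index_line V "$expiry" '' 42 unknown 'CN=clica Signing Cert rsa'
    ocsp_index_line V "$expiry" '' 41 unknown 'CN=clica CA rsa'
  } > "$CADIR/index.valid.txt"
  {
    ocsp_index_line R "$expiry" "$revoked_at" 65 unknown "CN=server1.$iname"
    ocsp_index_line R "$expiry" "$revoked_at" 66 unknown "CN=revoked1.$iname"
    ocsp_index_line R "$expiry" "$revoked_at" 67 unknown "CN=expired1.$iname"
    ocsp_index_line R "$expiry" "$revoked_at" c9 unknown "CN=server2.$iname"
    ocsp_index_line R "$expiry" "$revoked_at" ca unknown "CN=revoked2.$iname"
    ocsp_index_line R "$expiry" "$revoked_at" cb unknown "CN=expired2.$iname"
    ocsp_index_line R "$expiry" "$revoked_at" 42 unknown 'CN=clica Signing Cert rsa'
  } > "$CADIR/index.revoked.txt"

  # openssl looks for a companion <index>.attr file next to each index
  echo "unique_subject = yes" > "$CADIR/index.valid.txt.attr"
  echo "unique_subject = yes" > "$CADIR/index.revoked.txt.attr"

  ivalid=(-index "$CADIR/index.valid.txt")
  irevoked=(-index "$CADIR/index.revoked.txt")

  # Now create all the ocsp requests and responses for the leaf certs.
  # Per leaf: "good" is valid for ~10 years, "dated" for 30 days (presumably
  # meant to be stale by the time the tests run), "revoked" is answered
  # from the revoked index.
  for server in server1 revoked1 expired1 server2 revoked2 expired2; do
    SPFX=$idir/$server.$iname/$server.$iname
    openssl ocsp -issuer "$CADIR/Signer.pem" -sha256 -cert "$SPFX.pem" -no_nonce \
      -reqout "$SPFX.ocsp.req"
    reqin=(-reqin "$SPFX.ocsp.req")

    # Used by the "traditional" testcases: response signed by the OCSP
    # responder cert, which is itself signed by the signer of the leaf
    # being attested to.
    ogen=(-rsigner "$CADIR/OCSP.pem" -rkey "$CADIR/OCSP.key" -CA "$CADIR/Signer.pem" -noverify)
    openssl ocsp "${ivalid[@]}"   "${ogen[@]}" -ndays 3652 "${reqin[@]}" -respout "$SPFX.ocsp.good.resp"
    openssl ocsp "${ivalid[@]}"   "${ogen[@]}" -ndays 30   "${reqin[@]}" -respout "$SPFX.ocsp.dated.resp"
    openssl ocsp "${irevoked[@]}" "${ogen[@]}" -ndays 3652 "${reqin[@]}" -respout "$SPFX.ocsp.revoked.resp"

    # Signed by the Signer (the leaf's issuer) itself, certs embedded.
    ogen=(-rsigner "$CADIR/Signer.pem" -rkey "$CADIR/Signer.key" -CA "$CADIR/Signer.pem" -noverify)
    openssl ocsp "${ivalid[@]}"   "${ogen[@]}" -ndays 3652 "${reqin[@]}" -respout "$SPFX.ocsp.signer.good.resp"
    openssl ocsp "${ivalid[@]}"   "${ogen[@]}" -ndays 30   "${reqin[@]}" -respout "$SPFX.ocsp.signer.dated.resp"
    openssl ocsp "${irevoked[@]}" "${ogen[@]}" -ndays 3652 "${reqin[@]}" -respout "$SPFX.ocsp.signer.revoked.resp"

    # Used by the "LetsEncrypt mode" testcases: signed directly by the
    # signer of the leaf being attested to, with no certs in the response.
    ogen=(-rsigner "$CADIR/Signer.pem" -rkey "$CADIR/Signer.key" -CA "$CADIR/Signer.pem" -resp_no_certs -noverify)
    openssl ocsp "${ivalid[@]}"   "${ogen[@]}" -ndays 3652 "${reqin[@]}" -respout "$SPFX.ocsp.signernocert.good.resp"
    openssl ocsp "${ivalid[@]}"   "${ogen[@]}" -ndays 30   "${reqin[@]}" -respout "$SPFX.ocsp.signernocert.dated.resp"
    openssl ocsp "${irevoked[@]}" "${ogen[@]}" -ndays 3652 "${reqin[@]}" -respout "$SPFX.ocsp.signernocert.revoked.resp"
  done

  # convert one good leaf-resp (server1's) to PEM.
  # NB: this used to read "$server=server1", which is not an assignment —
  # after expansion it tried to run a command named "expired2=server1".
  server=server1
  RESP=$idir/$server.$iname/$server.$iname.ocsp.signernocert.good.resp
  ocsptool -S "$RESP" -j > "$RESP.pem"

  # Then, ocsp request and responses for the Signer cert (issued by the CA)
  REQ=$CADIR/Signer.ocsp.req
  openssl ocsp -issuer "$CADIR/CA.pem" -sha256 -cert "$CADIR/Signer.pem" -no_nonce -reqout "$REQ"
  ca_signed_response "$REQ" "$CADIR/Signer.ocsp.signernocert.good.resp"    "${ivalid[@]}"
  ca_signed_response "$REQ" "$CADIR/Signer.ocsp.signernocert.revoked.resp" "${irevoked[@]}"

  # Then, ocsp request and response for the CA cert (self-issued)
  REQ=$CADIR/CA.ocsp.req
  openssl ocsp -issuer "$CADIR/CA.pem" -sha256 -cert "$CADIR/CA.pem" -no_nonce -reqout "$REQ"
  ca_signed_response "$REQ" "$CADIR/CA.ocsp.signernocert.good.resp" "${ivalid[@]}"

  ####
done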

# One EC leaf inside the RSA tree: its key is EC (nistp521) but, being
# issued by the RSA Signer, the certificate's signature is RSA.
SDIR=example.com/server1_ec.example.com
SPFX=$SDIR/server1_ec.example.com
clica $V -D example.com -p password -k ec -q nistp521 -s 1101 \
  -S server1_ec.example.com -m 301 -8 'server1.example.com,*.test.ex'
# password-free copy of the key and a leaf+issuer bundle, as for the RSA leaves
openssl ec -in "$SPFX.key" -passin "file:$SDIR/pwdfile" -out "$SPFX.unlocked.key"
cat "$SPFX.pem" example.com/CA/Signer.pem > "$SPFX.chain.pem"

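


###############################################################################
# Limited suite: EC certs
# separate trust root & chain
# .com only, server1 good only, a single good OCSP response
# with server1 in SAN of leaf

for tld in com; do
  iname="example_ec.$tld"
  idir=$iname
  CADIR=$idir/CA

  ####
  # create CAs & server certs, from scratch each time
  rm -fr "${idir:?}"

  # create CA cert + templates (same flags as the RSA suite, EC keys)
  clica $V -D "$idir" -p password -B 2048 -I -N "$iname" -F \
    -k ec -q nistp521 \
    -C "http://crl.example.$tld/latest.crl" -O "http://oscp.example.$tld/"

  # create server cert
  # -m <months>
  # The SAN list is quoted so the shell cannot glob "*.test.ex" against
  # files in the current directory.
  clica $V -D "$idir" -p password -s 2101 -S "server1.$iname" -m 301 \
    -k ec -q nistp521 \
    -8 "server1.example.$tld,alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex"

  ####

  # openssl seems to generate a file (ca_chain.pam) in an order it
  # cannot then use (the key applies to the first cert in the file?).
  # Generate a shuffled one: leaf first, then the CA certs from the PKCS#12.
  sdir=$idir/server1.$iname
  openssl pkcs12 -in "$sdir/server1.$iname.p12" -passin "file:$sdir/pwdfile" \
    -cacerts -nokeys -out "$sdir/cacerts.pem"
  cat "$sdir/server1.$iname.pem" "$sdir/cacerts.pem" > "$sdir/fullchain.pem"
  rm "$sdir/cacerts.pem"

  ####

  # generate unlocked (password-free) keys and client cert bundles
  for server in server1; do
    SDIR=$idir/$server.$iname
    SPFX=$SDIR/$server.$iname
    openssl ec -in "$SPFX.key" -passin "file:$SDIR/pwdfile" -out "$SPFX.unlocked.key"
    cat "$SPFX.pem" "$CADIR/Signer.pem" > "$SPFX.chain.pem"
  done

  ####
  # create OCSP reqs & resps
  # give ourselves an OCSP key to work with (the nickname is clica's)
  pk12util -o "$CADIR/OCSP.p12" -n 'OCSP Signer ec' -d "$CADIR" -K password -W password
  openssl pkcs12 -in "$CADIR/OCSP.p12" -passin pass:password -passout pass:password \
    -nodes -nocerts -out "$CADIR/OCSP.key"

  # Index file for the openssl ocsp responder: six TAB-separated fields,
  #   0: Revoked/Expired/Valid letter
  #   1: Expiry date (ASN1_UTCTIME)
  #   2: Revocation date (empty here)
  #   3: Serial no. (unique, hex: 0x835 == 2101 above)
  #   4: file
  #   5: DN
  # Written with printf so the tabs and the empty field are explicit rather
  # than relying on literal tabs surviving in a here-document.
  printf 'V\t%s\t\t%s\tunknown\t%s\n' 130110200751Z 835 "CN=server1.$iname" \
    > "$CADIR/index.valid.txt"

  # Now create the ocsp request and (good) response
  for server in server1; do
    SPFX=$idir/$server.$iname/$server.$iname
    openssl ocsp -issuer "$CADIR/Signer.pem" -sha256 -cert "$SPFX.pem" -no_nonce \
      -reqout "$SPFX.ocsp.req"
    # response signed by the OCSP responder cert, which Signer issued
    openssl ocsp -index "$CADIR/index.valid.txt" \
      -rsigner "$CADIR/OCSP.pem" -rkey "$CADIR/OCSP.key" -CA "$CADIR/Signer.pem" -noverify \
      -ndays 3652 -reqin "$SPFX.ocsp.req" -respout "$SPFX.ocsp.good.resp"
  done
  ####
done
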
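###############################################################################

# The CRLs below are stamped with the real current time, so the clock is
# put back before they are generated.
echo Please to reset date to now.
echo 'service ntpdate start (not on a systemd though...)'
echo
echo Then hit return
read -r junk


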
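# Create CRL files in .der and .pem
# empty versions, and ones with the revoked servers

# gen_crl NICKNAME CONFIG OUTBASE
#   Sign a CRL with the NSS key nicknamed NICKNAME from the CA database
#   $CADIR (password in $CADIR/pwdfile), driven by the crlutil script in
#   CONFIG, writing OUTBASE (DER) and OUTBASE.pem.
gen_crl() {
  local nick=$1 config=$2 outbase=$3
  crlutil -G -d "$CADIR" -f "$CADIR/pwdfile" -n "$nick" -c "$config" -o "$outbase"
  openssl crl -in "$outbase" -inform der -out "$outbase.pem"
}

# Empty CRLs first, stamped with the current time.
DATENOW=$(date -u +%Y%m%d%H%M%SZ)
for tld in com org net; do
  CADIR=example.$tld/CA
  CRLIN=$CADIR/crl.empty.in.txt
  echo "update=$DATENOW " > "$CRLIN"
  gen_crl 'Signing Cert rsa' "$CRLIN" "$CADIR/crl.empty"
done

# Then a later ("v2") CRL revoking revoked1/revoked2 (serials 102 and 202 as
# issued above).  The sleep and fresh DATENOW presumably ensure v2 carries a
# strictly later update time than the empty CRL (the stamp has 1s resolution).
sleep 2
DATENOW=$(date -u +%Y%m%d%H%M%SZ)
for tld in com org net; do
  CADIR=example.$tld/CA
  CRLIN=$CADIR/crl.v2.in.txt
  {
    echo "update=$DATENOW "
    echo "addcert 102 $DATENOW"
    echo "addcert 202 $DATENOW"
  } > "$CRLIN"
  gen_crl 'Signing Cert rsa' "$CRLIN" "$CADIR/crl.v2"

  # an (empty) CRL for the Signer cert, issued by the CA
  CRLIN=$CADIR/crl.Signer.in.txt
  echo "update=$DATENOW " > "$CRLIN"
  gen_crl 'Certificate Authority rsa' "$CRLIN" "$CADIR/crl.Signer"

  # both levels in one file, for full-chain CRL checking
  cat "$CADIR/crl.Signer.pem" "$CADIR/crl.v2.pem" > "$CADIR/crl.chain.pem"
done
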
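# Finally, a single certificate-directory of the hashed kind openssl's
# -CApath lookup expects: the CA and Signer certs linked as <subject-hash>.0
# (hash from "openssl x509 -hash").  Done in a subshell so the directory
# changes cannot leak into the rest of the script if a step fails.
(
  cd example.com/server1.example.com
  mkdir -p certdir
  cd certdir
  for f in ../../CA/CA.pem ../../CA/Signer.pem; do
    h=$(openssl x509 -hash -noout -in "$f")
    rm -f "$h.0"
    ln -s "$f" "$h.0"
  done
)

pwd
ls -l

# Make the whole tree world-readable (directories 755, files 644).  Note
# this deliberately includes the *.unlocked.key private keys — acceptable
# only because these are throw-away test fixtures, presumably read by tests
# running under other user ids.
find example* -type d -print0 | xargs -0 chmod 755
find example* -type f -print0 | xargs -0 chmod 644

echo "CA, Certificate, CRL and OSCP Response generation complete"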