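#!/bin/bash
#
# Generate the test CA tree.  For each of example.com / example.org /
# example.net this produces: a CA, six server certificates (server*,
# revoked* and short-lived expired*), OCSP requests with pre-signed
# good / dated / revoked responses under three different responder
# identities, an empty and a populated CRL, and finally an OpenSSL-style
# hashed certificate directory.
#
# Required tools: clica (local CA helper; its options are not documented
# here), openssl, and the NSS utilities pk12util and crlutil.
#
# The script is interactive: it pauses so the operator can set the system
# clock to 2012/11/01 12:34 before the certificates are issued, and again
# so the clock can be reset afterwards.  NOTE(review): the 1-month
# certificates are presumably meant to be already expired when the
# fixtures are used — confirm against the tests that consume them.
#
# Everything produced here is throwaway test material: the fixed password,
# the 1024-bit keys and the world-readable (chmod 644) private keys at the
# end are acceptable only because nothing real is protected by them.

set -euo pipefail
set -x

readonly tlds=(com org net)
readonly servers=(server1 revoked1 expired1 server2 revoked2 expired2)

#######################################
# Print one record of an OpenSSL-style index file: six tab-separated fields
#   0: status letter (V alid / R evoked / E xpired)
#   1: expiry date (ASN1_UTCTIME)
#   2: revocation date (empty unless revoked)
#   3: serial number (hex, unique)
#   4: file name
#   5: DN
# The tabs are spelled out in the format string so the file cannot be
# silently broken by an editor or paste that converts whitespace.
# Arguments: the six fields, in order
# Outputs:   one record on stdout
#######################################
index_line() {
  printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "$4" "$5" "$6"
}

#######################################
# Write index.valid.txt (every certificate valid) and index.revoked.txt
# (every certificate revoked) for the OCSP responder to work with.
# Arguments: $1 - CA directory, $2 - tld
#######################################
write_index_files() {
  local cadir=$1 tld=$2
  local entry serial name
  : >"$cadir/index.valid.txt"
  : >"$cadir/index.revoked.txt"
  # serial(hex):host — 0x65 = 101 ... 0xcb = 203, matching the clica -s values
  for entry in 65:server1 66:revoked1 67:expired1 c9:server2 ca:revoked2 cb:expired2; do
    serial=${entry%%:*}
    name=${entry#*:}
    index_line V 130110200751Z '' "$serial" unknown "CN=$name.example.$tld" \
      >>"$cadir/index.valid.txt"
    index_line R 130110200751Z 100201142709Z,superseded "$serial" unknown \
      "CN=$name.example.$tld" >>"$cadir/index.revoked.txt"
  done
}

#######################################
# Produce the good / dated / revoked OCSP response triple for one request.
# Arguments: $1 - path prefix of the server's files ($1.ocsp.req must exist)
#            $2 - CA directory holding index.valid.txt / index.revoked.txt
#            $3 - tag inserted into the output names
#                 ('', 'signer.' or 'signernocert.')
#            remaining - responder signing options passed to openssl ocsp
# Outputs:   $1.ocsp.<tag>good.resp, $1.ocsp.<tag>dated.resp,
#            $1.ocsp.<tag>revoked.resp
#######################################
gen_ocsp_responses() {
  local spfx=$1 cadir=$2 tag=$3
  shift 3
  openssl ocsp -index "$cadir/index.valid.txt" "$@" -ndays 3652 -sha256 \
    -reqin "$spfx.ocsp.req" -respout "$spfx.ocsp.${tag}good.resp"
  # "dated": same answer but only 30 days of validity, so it goes stale
  openssl ocsp -index "$cadir/index.valid.txt" "$@" -ndays 30 -sha256 \
    -reqin "$spfx.ocsp.req" -respout "$spfx.ocsp.${tag}dated.resp"
  openssl ocsp -index "$cadir/index.revoked.txt" "$@" -ndays 3652 -sha256 \
    -reqin "$spfx.ocsp.req" -respout "$spfx.ocsp.${tag}revoked.resp"
}

#######################################
# Build a CRL with crlutil (DER) and convert it to PEM.
# Arguments: $1 - CA directory
#            $2 - CRL name; files are crl.$2.in.txt, crl.$2 and crl.$2.pem
#            remaining - serial numbers to list as revoked (none = empty CRL)
#######################################
gen_crl() {
  local cadir=$1 name=$2
  shift 2
  local crlin=$cadir/crl.$name.in.txt
  local datenow serial
  datenow=$(date -u +%Y%m%d%H%M%SZ)
  printf 'update=%s \n' "$datenow" >"$crlin"
  for serial in "$@"; do
    printf 'addcert %s %s\n' "$serial" "$datenow" >>"$crlin"
  done
  crlutil -G -d "$cadir" -f "$cadir/pwdfile" \
    -n 'Signing Cert' -c "$crlin" -o "$cadir/crl.$name"
  openssl crl -in "$cadir/crl.$name" -inform der -out "$cadir/crl.$name.pem"
}

# Bail out up front with a message if clica is missing, rather than failing
# part way through generation.
clica --help >/dev/null 2>&1 || { printf 'clica is not available\n' >&2; exit 1; }

echo Ensure time is set to 2012/11/01 12:34
echo use - date -u 110112342012
echo hit return when ready
read -r junk

for tld in "${tlds[@]}"; do
  idir="example.$tld"
  rm -fr -- "$idir"
  # New CA for this tld.  -C/-O presumably supply the CRL and OCSP URLs.
  # NOTE(review): 'oscp' in the OCSP URL looks like a typo for 'ocsp' but is
  # kept unchanged in case the tests match on it.
  clica -D "$idir" -p password -B 1024 -I -N "example.$tld" -F \
    -C "http://crl.example.$tld/latest.crl" -O "http://oscp.example.$tld/"

  # -m <months>: server*/revoked* get 301 months, expired* only one.
  # The SAN list is quoted because '*.test.ex' would otherwise be a glob.
  clica -D "$idir" -p password -s 101 -S "server1.example.$tld" -m 301 \
    -8 "alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex"
  clica -D "$idir" -p password -s 102 -S "revoked1.example.$tld" -m 301
  clica -D "$idir" -p password -s 103 -S "expired1.example.$tld" -m 1
  clica -D "$idir" -p password -s 201 -S "server2.example.$tld" -m 301
  clica -D "$idir" -p password -s 202 -S "revoked2.example.$tld" -m 301
  clica -D "$idir" -p password -s 203 -S "expired2.example.$tld" -m 1

  # openssl seems to generate a file (ca_chain.pam) in an order it
  # cannot then use (the key applies to the first cert in the file?).
  # Generate a shuffled one.  Done in a subshell so the cwd change
  # cannot leak into the rest of the script.
  (
    cd "$idir/server1.example.$tld"
    openssl pkcs12 -in "server1.example.$tld.p12" -passin file:pwdfile \
      -cacerts -out cacerts.pem -nokeys
    cat "server1.example.$tld.pem" cacerts.pem >fullchain.pem
    rm cacerts.pem
  )
done

# and loop again
for tld in "${tlds[@]}"; do
  CADIR=example.$tld/CA
  # give ourselves an OCSP key to work with: export from the NSS db, then
  # extract the private key unencrypted (-nodes) and without certs
  pk12util -o "$CADIR/OCSP.p12" -n 'OCSP Signer' -d "$CADIR" -K password -W password
  openssl pkcs12 -in "$CADIR/OCSP.p12" -passin pass:password -passout pass:password \
    -nodes -nocerts -out "$CADIR/OCSP.key"

  # also need variation from Signer
  pk12util -o "$CADIR/Signer.p12" -n 'Signing Cert' -d "$CADIR" -K password -W password
  openssl pkcs12 -in "$CADIR/Signer.p12" -passin pass:password -passout pass:password \
    -nodes -nocerts -out "$CADIR/Signer.key"

  # create some index files for the ocsp responder to work with
  write_index_files "$CADIR" "$tld"

  # Now create all the ocsp requests and responses
  for server in "${servers[@]}"; do
    SPFX=example.$tld/$server.example.$tld/$server.example.$tld
    openssl ocsp -issuer "$CADIR/Signer.pem" -cert "$SPFX.pem" -no_nonce -sha256 \
      -reqout "$SPFX.ocsp.req"

    # responses signed by the dedicated OCSP signer ...
    gen_ocsp_responses "$SPFX" "$CADIR" '' \
      -rsigner "$CADIR/OCSP.pem" -rkey "$CADIR/OCSP.key" -CA "$CADIR/Signer.pem" -noverify
    # ... by the issuing CA itself ...
    gen_ocsp_responses "$SPFX" "$CADIR" 'signer.' \
      -rsigner "$CADIR/Signer.pem" -rkey "$CADIR/Signer.key" -CA "$CADIR/Signer.pem" -noverify
    # ... and by the CA without embedding any certificate in the response
    gen_ocsp_responses "$SPFX" "$CADIR" 'signernocert.' \
      -rsigner "$CADIR/Signer.pem" -rkey "$CADIR/Signer.key" -CA "$CADIR/Signer.pem" \
      -resp_no_certs -noverify
  done
done

# and loop again to generate unlocked keys and client cert bundles
for tld in "${tlds[@]}"; do
  for server in "${servers[@]}"; do
    SDIR=example.$tld/$server.example.$tld
    SPFX=$SDIR/$server.example.$tld
    openssl rsa -in "$SPFX.key" -passin "file:$SDIR/pwdfile" -out "$SPFX.unlocked.key"
    cat "$SPFX.pem" "example.$tld/CA/Signer.pem" >"$SPFX.chain.pem"
  done
done

echo Please to reset date to now.
echo 'service ntpdate start (not on a systemd though...)'
echo
echo Then hit return
read -r junk

# Create CRL files in .der and .pem
# empty versions, and ones with the revoked servers (serials 102 and 202)
for tld in "${tlds[@]}"; do
  gen_crl "example.$tld/CA" empty
done
# The update= stamp has one-second resolution, so wait before the second
# round — presumably so the v2 CRLs are strictly newer than the empty ones.
sleep 2
for tld in "${tlds[@]}"; do
  gen_crl "example.$tld/CA" v2 102 202
done

# Finally, a single certificate-directory in OpenSSL hashed-symlink form
# (<subject-hash>.0 -> cert).  Run in a subshell, and from inside certdir,
# so the links keep the relative targets the original layout relies on.
(
  cd example.com/server1.example.com
  mkdir -p certdir
  cd certdir
  for f in ../../CA/CA.pem ../../CA/Signer.pem; do
    h=$(openssl x509 -hash -noout -in "$f")
    rm -f -- "$h.0"
    ln -s "$f" "$h.0"
  done
)

pwd
ls -l

# Make the whole tree (private keys included — see the header note) readable
find example.* -type d -print0 | xargs -0 chmod 755
find example.* -type f -print0 | xargs -0 chmod 644

echo "CA, Certificate, CRL and OSCP Response generation complete"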