[exim.git] / test / aux-fixed / exim-ca / genall

#!/bin/bash
#

set -e
set -x

clica --help >/dev/null 2>&1

echo Ensure time is set to 2012/11/01 12:34
echo use -  date -u 110112342012
echo hit return when ready
read junk
for tld in com org net
do
    idir="example.$tld"
    rm -fr "$idir"
    clica -D "$idir" -p password -B 1024 -I -N example.$tld -F \
	-C http://crl.example.$tld/latest.crl -O http://oscp.example.$tld/

    clica -D example.$tld -p password -s 101 -S server1.example.$tld \
	-8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
    clica -D example.$tld -p password -s 102 -S revoked1.example.$tld
    clica -D example.$tld -p password -s 103 -S expired1.example.$tld -m 1
    clica -D example.$tld -p password -s 201 -S server2.example.$tld
    clica -D example.$tld -p password -s 202 -S revoked2.example.$tld
    clica -D example.$tld -p password -s 203 -S expired2.example.$tld -m 1


    # openssl seems to generate a file (ca_chain.pam) in an order it
    # cannot then use (the key applies to the first cert in the file?).
    # Generate a shuffled one.
    cd example.$tld/server1.example.$tld
    openssl pkcs12 -in server1.example.$tld.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
    cat server1.example.$tld.pem cacerts.pem > fullchain.pem
    rm cacerts.pem
    cd ../..
done

# and loop again
for tld in com org net
do
    CADIR=example.$tld/CA
    #give ourselves an OSCP key to work with
    pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key

    # also need variation from Signer
    pk12util -o $CADIR/Signer.p12 -n 'Signing Cert' -d $CADIR -K password -W password
    openssl pkcs12 -in $CADIR/Signer.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/Signer.key

    # create some index files for the ocsp responder to work with
# tab-sep
# 0: Revoked/Expired/Valid letter
# 1: Expiry date (ASN1_UTCTIME)
# 2: Revocation date
# 3: Serial no. (unique)
# 4: file
# 5: DN, index

    cat >$CADIR/index.valid.txt <<EOF
V	130110200751Z		65	unknown	CN=server1.example.$tld
V	130110200751Z		66	unknown	CN=revoked1.example.$tld
V	130110200751Z		67	unknown	CN=expired1.example.$tld
V	130110200751Z		c9	unknown	CN=server2.example.$tld
V	130110200751Z		ca	unknown	CN=revoked2.example.$tld
V	130110200751Z		cb	unknown	CN=expired2.example.$tld
EOF
    cat >$CADIR/index.revoked.txt <<EOF
R	130110200751Z	100201142709Z,superseded	65	unknown	CN=server1.example.$tld
R	130110200751Z	100201142709Z,superseded	66	unknown	CN=revoked1.example.$tld
R	130110200751Z	100201142709Z,superseded	67	unknown	CN=expired1.example.$tld
R	130110200751Z	100201142709Z,superseded	c9	unknown	CN=server2.example.$tld
R	130110200751Z	100201142709Z,superseded	ca	unknown	CN=revoked2.example.$tld
R	130110200751Z	100201142709Z,superseded	cb	unknown	CN=expired2.example.$tld
EOF

    # Now create all the ocsp requests and responses
    for server in server1 revoked1 expired1 server2 revoked2 expired2
    do
	SPFX=example.$tld/$server.example.$tld/$server.example.$tld
	openssl ocsp -issuer $CADIR/Signer.pem -cert $SPFX.pem -no_nonce -sha256 -reqout $SPFX.ocsp.req

	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.good.resp
	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 30   -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.dated.resp
	openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.revoked.resp

	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -noverify"
	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signer.good.resp
	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 30   -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signer.dated.resp
	openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signer.revoked.resp

	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -resp_no_certs -noverify"
	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signernocert.good.resp
	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON   -ndays 30   -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signernocert.dated.resp
	openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signernocert.revoked.resp
    done
done

# and loop again to generate unlocked keys and client cert bundles
for tld in com org net
do
    for server in server1 revoked1 expired1 server2 revoked2 expired2
    do
	SDIR=example.$tld/$server.example.$tld
	SPFX=$SDIR/$server.example.$tld
	openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	cat $SPFX.pem example.$tld/CA/Signer.pem >$SPFX.chain.pem
    done
done

echo Please to reset date to now.
echo 'service ntpdate start (not on a systemd though...)'
echo 
echo Then hit return
read junk

# Create CRL files in .der and .pem
# empty versions, and ones with the revoked servers
for tld in com org net
do
    CADIR=example.$tld/CA
    CRLIN=$CADIR/crl.empty.in.txt
    DATENOW=`date -u +%Y%m%d%H%M%SZ`
    echo "update=$DATENOW " >$CRLIN
    crlutil -G -d $CADIR -f $CADIR/pwdfile \
	-n 'Signing Cert' -c $CRLIN -o $CADIR/crl.empty
    openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
done
sleep 2
for tld in com org net
do
    CADIR=example.$tld/CA
    CRLIN=$CADIR/crl.v2.in.txt
    DATENOW=`date -u +%Y%m%d%H%M%SZ`
    echo "update=$DATENOW " >$CRLIN
    echo "addcert 102 $DATENOW" >>$CRLIN
    echo "addcert 202 $DATENOW" >>$CRLIN
    crlutil -G -d $CADIR -f $CADIR/pwdfile \
	-n 'Signing Cert' -c $CRLIN -o $CADIR/crl.v2
    openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
done

# Finally, a single certificate-directory
cd example.com/server1.example.com
mkdir -p certdir
cd certdir
f=../../CA/CA.pem
h=`openssl x509 -hash -noout -in $f`
rm -f $h.0
ln -s $f $h.0
f=../../CA/Signer.pem
h=`openssl x509 -hash -noout -in $f`
rm -f $h.0
ln -s $f $h.0
cd ../../..

pwd
ls -l

find example.* -type d -print0 | xargs -0 chmod 755
find example.* -type f -print0 | xargs -0 chmod 644

echo "CA, Certificate, CRL and OSCP Response generation complete"
Commit	Line	Data
f5d78688 JH	1	#!/bin/bash
	2	#
	3
f2f2c91b JH	4	set -e
	5	set -x
	6
74e2fb4b JH	7	clica --help >/dev/null 2>&1
74e2fb4b JH	8
f5d78688 JH	9	echo Ensure time is set to 2012/11/01 12:34
	10	echo use - date -u 110112342012
	11	echo hit return when ready
	12	read junk
	13	for tld in com org net
	14	do
f2f2c91b JH	15	idir="example.$tld"
	16	rm -fr "$idir"
	17	clica -D "$idir" -p password -B 1024 -I -N example.$tld -F \
74e2fb4b	18	-C http://crl.example.$tld/latest.crl -O http://oscp.example.$tld/
2b4a568d JH	19
2b4a568d JH	20	clica -D example.$tld -p password -s 101 -S server1.example.$tld \
f2f2c91b	21	-8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex
f5d78688 JH	22	clica -D example.$tld -p password -s 102 -S revoked1.example.$tld
	23	clica -D example.$tld -p password -s 103 -S expired1.example.$tld -m 1
	24	clica -D example.$tld -p password -s 201 -S server2.example.$tld
	25	clica -D example.$tld -p password -s 202 -S revoked2.example.$tld
	26	clica -D example.$tld -p password -s 203 -S expired2.example.$tld -m 1
82525c6f JH	27
	28
	29	# openssl seems to generate a file (ca_chain.pam) in an order it
	30	# cannot then use (the key applies to the first cert in the file?).
	31	# Generate a shuffled one.
	32	cd example.$tld/server1.example.$tld
f2f2c91b JH	33	openssl pkcs12 -in server1.example.$tld.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys
f2f2c91b JH	34	cat server1.example.$tld.pem cacerts.pem > fullchain.pem
82525c6f JH	35	rm cacerts.pem
82525c6f JH	36	cd ../..
f5d78688 JH	37	done
	38
	39	# and loop again
	40	for tld in com org net
	41	do
	42	CADIR=example.$tld/CA
	43	#give ourselves an OSCP key to work with
	44	pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer' -d $CADIR -K password -W password
	45	openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key
	46
74e2fb4b JH	47	# also need variation from Signer
	48	pk12util -o $CADIR/Signer.p12 -n 'Signing Cert' -d $CADIR -K password -W password
	49	openssl pkcs12 -in $CADIR/Signer.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/Signer.key
f5d78688 JH	50
f5d78688 JH	51	# create some index files for the ocsp responder to work with
74e2fb4b JH	52	# tab-sep
	53	# 0: Revoked/Expired/Valid letter
	54	# 1: Expiry date (ASN1_UTCTIME)
	55	# 2: Revocation date
	56	# 3: Serial no. (unique)
	57	# 4: file
	58	# 5: DN, index
	59
f5d78688 JH	60	cat >$CADIR/index.valid.txt <<EOF
	61	V 130110200751Z 65 unknown CN=server1.example.$tld
	62	V 130110200751Z 66 unknown CN=revoked1.example.$tld
	63	V 130110200751Z 67 unknown CN=expired1.example.$tld
	64	V 130110200751Z c9 unknown CN=server2.example.$tld
	65	V 130110200751Z ca unknown CN=revoked2.example.$tld
	66	V 130110200751Z cb unknown CN=expired2.example.$tld
	67	EOF
	68	cat >$CADIR/index.revoked.txt <<EOF
	69	R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.example.$tld
	70	R 130110200751Z 100201142709Z,superseded 66 unknown CN=revoked1.example.$tld
	71	R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.example.$tld
	72	R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.example.$tld
	73	R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.example.$tld
	74	R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.example.$tld
	75	EOF
	76
	77	# Now create all the ocsp requests and responses
f5d78688 JH	78	for server in server1 revoked1 expired1 server2 revoked2 expired2
	79	do
	80	SPFX=example.$tld/$server.example.$tld/$server.example.$tld
74e2fb4b JH	81	openssl ocsp -issuer $CADIR/Signer.pem -cert $SPFX.pem -no_nonce -sha256 -reqout $SPFX.ocsp.req
	82
	83	OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
	84	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.good.resp
	85	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 30 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.dated.resp
	86	openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.revoked.resp
	87
	88	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -noverify"
	89	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signer.good.resp
	90	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 30 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signer.dated.resp
	91	openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signer.revoked.resp
	92
	93	OGENCOMMON="-rsigner $CADIR/Signer.pem -rkey $CADIR/Signer.key -CA $CADIR/Signer.pem -resp_no_certs -noverify"
	94	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signernocert.good.resp
	95	openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 30 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signernocert.dated.resp
	96	openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -sha256 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.signernocert.revoked.resp
f5d78688 JH	97	done
	98	done
	99
	100	# and loop again to generate unlocked keys and client cert bundles
	101	for tld in com org net
	102	do
89f2a269 JH	103	for server in server1 revoked1 expired1 server2 revoked2 expired2
89f2a269 JH	104	do
f5d78688 JH	105	SDIR=example.$tld/$server.example.$tld
	106	SPFX=$SDIR/$server.example.$tld
	107	openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
	108	cat $SPFX.pem example.$tld/CA/Signer.pem >$SPFX.chain.pem
	109	done
	110	done
	111
	112	echo Please to reset date to now.
f2f2c91b	113	echo 'service ntpdate start (not on a systemd though...)'
f5d78688 JH	114	echo
	115	echo Then hit return
	116	read junk
	117
	118	# Create CRL files in .der and .pem
	119	# empty versions, and ones with the revoked servers
	120	for tld in com org net
	121	do
	122	CADIR=example.$tld/CA
	123	CRLIN=$CADIR/crl.empty.in.txt
	124	DATENOW=`date -u +%Y%m%d%H%M%SZ`
	125	echo "update=$DATENOW " >$CRLIN
	126	crlutil -G -d $CADIR -f $CADIR/pwdfile \
	127	-n 'Signing Cert' -c $CRLIN -o $CADIR/crl.empty
	128	openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
	129	done
	130	sleep 2
	131	for tld in com org net
	132	do
	133	CADIR=example.$tld/CA
	134	CRLIN=$CADIR/crl.v2.in.txt
	135	DATENOW=`date -u +%Y%m%d%H%M%SZ`
	136	echo "update=$DATENOW " >$CRLIN
	137	echo "addcert 102 $DATENOW" >>$CRLIN
	138	echo "addcert 202 $DATENOW" >>$CRLIN
	139	crlutil -G -d $CADIR -f $CADIR/pwdfile \
	140	-n 'Signing Cert' -c $CRLIN -o $CADIR/crl.v2
	141	openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
	142	done
	143
a7fec7a7 JH	144	# Finally, a single certificate-directory
a7fec7a7 JH	145	cd example.com/server1.example.com
f2f2c91b	146	mkdir -p certdir
a7fec7a7 JH	147	cd certdir
	148	f=../../CA/CA.pem
	149	h=`openssl x509 -hash -noout -in $f`
f2f2c91b	150	rm -f $h.0
a7fec7a7 JH	151	ln -s $f $h.0
	152	f=../../CA/Signer.pem
	153	h=`openssl x509 -hash -noout -in $f`
f2f2c91b	154	rm -f $h.0
a7fec7a7	155	ln -s $f $h.0
f2f2c91b JH	156	cd ../../..
	157
	158	pwd
	159	ls -l
a7fec7a7	160
89f2a269 JH	161	find example.* -type d -print0 \| xargs -0 chmod 755
	162	find example.* -type f -print0 \| xargs -0 chmod 644
	163
f5d78688	164	echo "CA, Certificate, CRL and OSCP Response generation complete"