| 1 | #!/bin/bash |
| 2 | # |
| 3 | |
| 4 | echo Ensure time is set to 2012/11/01 12:34 |
| 5 | echo use - date -u 110112342012 |
| 6 | echo hit return when ready |
| 7 | read junk |
| 8 | for tld in com org net |
| 9 | do |
| 10 | clica -D example.$tld -p password -B 1024 -I -N example.$tld -F \ |
| 11 | -C http://crl.example.$tld/latest.crl -O http://oscp/example.$tld/ |
| 12 | |
| 13 | clica -D example.$tld -p password -s 101 -S server1.example.$tld \ |
| 14 | -8 alternatename.server1.example.$tld,alternatename2.server1.example.$tld |
| 15 | clica -D example.$tld -p password -s 102 -S revoked1.example.$tld |
| 16 | clica -D example.$tld -p password -s 103 -S expired1.example.$tld -m 1 |
| 17 | clica -D example.$tld -p password -s 201 -S server2.example.$tld |
| 18 | clica -D example.$tld -p password -s 202 -S revoked2.example.$tld |
| 19 | clica -D example.$tld -p password -s 203 -S expired2.example.$tld -m 1 |
| 20 | |
| 21 | |
| 22 | # openssl seems to generate a file (ca_chain.pam) in an order it |
| 23 | # cannot then use (the key applies to the first cert in the file?). |
| 24 | # Generate a shuffled one. |
| 25 | cd example.$tld/server1.example.$tld |
| 26 | openssl pkcs12 -in server1.example.com.p12 -passin file:pwdfile -cacerts -out cacerts.pem -nokeys |
| 27 | cat server1.example.com.pem cacerts.pem > fullchain.pem |
| 28 | rm cacerts.pem |
| 29 | cd ../.. |
| 30 | done |
| 31 | |
| 32 | # and loop again |
| 33 | for tld in com org net |
| 34 | do |
| 35 | CADIR=example.$tld/CA |
| 36 | #give ourselves an OSCP key to work with |
| 37 | pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer' -d $CADIR -K password -W password |
| 38 | openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key |
| 39 | |
| 40 | |
| 41 | # create some index files for the ocsp responder to work with |
| 42 | cat >$CADIR/index.valid.txt <<EOF |
| 43 | V 130110200751Z 65 unknown CN=server1.example.$tld |
| 44 | V 130110200751Z 66 unknown CN=revoked1.example.$tld |
| 45 | V 130110200751Z 67 unknown CN=expired1.example.$tld |
| 46 | V 130110200751Z c9 unknown CN=server2.example.$tld |
| 47 | V 130110200751Z ca unknown CN=revoked2.example.$tld |
| 48 | V 130110200751Z cb unknown CN=expired2.example.$tld |
| 49 | EOF |
| 50 | cat >$CADIR/index.revoked.txt <<EOF |
| 51 | R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.example.$tld |
| 52 | R 130110200751Z 100201142709Z,superseded 66 unknown CN=revoked1.example.$tld |
| 53 | R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.example.$tld |
| 54 | R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.example.$tld |
| 55 | R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.example.$tld |
| 56 | R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.example.$tld |
| 57 | EOF |
| 58 | |
| 59 | # Now create all the ocsp requests and responses |
| 60 | OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify" |
| 61 | for server in server1 revoked1 expired1 server2 revoked2 expired2 |
| 62 | do |
| 63 | SPFX=example.$tld/$server.example.$tld/$server.example.$tld |
| 64 | openssl ocsp -issuer $CADIR/Signer.pem -cert $SPFX.pem -reqout $SPFX.ocsp.req |
| 65 | openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 3652 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.good.resp |
| 66 | openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 30 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.dated.resp |
| 67 | openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -ndays 3652 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.revoked.resp |
| 68 | done |
| 69 | done |
| 70 | |
| 71 | # and loop again to generate unlocked keys and client cert bundles |
| 72 | for tld in com org net |
| 73 | do |
| 74 | for server in server1 revoked1 expired1 server2 revoked2 expired2 |
| 75 | do |
| 76 | SDIR=example.$tld/$server.example.$tld |
| 77 | SPFX=$SDIR/$server.example.$tld |
| 78 | openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key |
| 79 | cat $SPFX.pem example.$tld/CA/Signer.pem >$SPFX.chain.pem |
| 80 | done |
| 81 | done |
| 82 | |
| 83 | echo Please to reset date to now. |
| 84 | echo service ntpdate start |
| 85 | echo |
| 86 | echo Then hit return |
| 87 | read junk |
| 88 | |
| 89 | # Create CRL files in .der and .pem |
| 90 | # empty versions, and ones with the revoked servers |
| 91 | for tld in com org net |
| 92 | do |
| 93 | CADIR=example.$tld/CA |
| 94 | CRLIN=$CADIR/crl.empty.in.txt |
| 95 | DATENOW=`date -u +%Y%m%d%H%M%SZ` |
| 96 | echo "update=$DATENOW " >$CRLIN |
| 97 | crlutil -G -d $CADIR -f $CADIR/pwdfile \ |
| 98 | -n 'Signing Cert' -c $CRLIN -o $CADIR/crl.empty |
| 99 | openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem |
| 100 | done |
| 101 | sleep 2 |
| 102 | for tld in com org net |
| 103 | do |
| 104 | CADIR=example.$tld/CA |
| 105 | CRLIN=$CADIR/crl.v2.in.txt |
| 106 | DATENOW=`date -u +%Y%m%d%H%M%SZ` |
| 107 | echo "update=$DATENOW " >$CRLIN |
| 108 | echo "addcert 102 $DATENOW" >>$CRLIN |
| 109 | echo "addcert 202 $DATENOW" >>$CRLIN |
| 110 | crlutil -G -d $CADIR -f $CADIR/pwdfile \ |
| 111 | -n 'Signing Cert' -c $CRLIN -o $CADIR/crl.v2 |
| 112 | openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem |
| 113 | done |
| 114 | |
| 115 | find example.* -type d -print0 | xargs -0 chmod 755 |
| 116 | find example.* -type f -print0 | xargs -0 chmod 644 |
| 117 | |
| 118 | echo "CA, Certificate, CRL and OSCP Response generation complete" |