7 echo Ensure
time is
set to
2012/11/01 12:34
8 echo use
- date -u 110112342012
9 echo hit
return when ready
11 for tld
in com org net
15 clica
-D "$idir" -p password
-B 1024 -I -N example.
$tld -F \
16 -C http
://crl.example.
$tld/latest.crl
-O http
://oscp
/example.
$tld/
18 clica
-D example.
$tld -p password
-s 101 -S server1.example.
$tld \
19 -8 alternatename.server1.example.
$tld,alternatename2.server1.example.
$tld,*.
test.ex
20 clica
-D example.
$tld -p password
-s 102 -S revoked1.example.
$tld
21 clica
-D example.
$tld -p password
-s 103 -S expired1.example.
$tld -m 1
22 clica
-D example.
$tld -p password
-s 201 -S server2.example.
$tld
23 clica
-D example.
$tld -p password
-s 202 -S revoked2.example.
$tld
24 clica
-D example.
$tld -p password
-s 203 -S expired2.example.
$tld -m 1
27 # openssl seems to generate a file (ca_chain.pam) in an order it
28 # cannot then use (the key applies to the first cert in the file?).
29 # Generate a shuffled one.
30 cd example.
$tld/server1.example.
$tld
31 openssl pkcs12
-in server1.example.
$tld.p12
-passin file:pwdfile
-cacerts -out cacerts.pem
-nokeys
32 cat server1.example.
$tld.pem cacerts.pem
> fullchain.pem
38 for tld
in com org net
41 #give ourselves an OSCP key to work with
42 pk12util
-o $CADIR/OCSP.p12
-n 'OCSP Signer' -d $CADIR -K password
-W password
43 openssl pkcs12
-in $CADIR/OCSP.p12
-passin pass
:password
-passout pass
:password
-nodes -nocerts -out $CADIR/OCSP.key
46 # create some index files for the ocsp responder to work with
47 cat >$CADIR/index.valid.txt
<<EOF
48 V 130110200751Z 65 unknown CN=server1.example.$tld
49 V 130110200751Z 66 unknown CN=revoked1.example.$tld
50 V 130110200751Z 67 unknown CN=expired1.example.$tld
51 V 130110200751Z c9 unknown CN=server2.example.$tld
52 V 130110200751Z ca unknown CN=revoked2.example.$tld
53 V 130110200751Z cb unknown CN=expired2.example.$tld
55 cat >$CADIR/index.revoked.txt
<<EOF
56 R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.example.$tld
57 R 130110200751Z 100201142709Z,superseded 66 unknown CN=revoked1.example.$tld
58 R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.example.$tld
59 R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.example.$tld
60 R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.example.$tld
61 R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.example.$tld
64 # Now create all the ocsp requests and responses
65 OGENCOMMON
="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
66 for server
in server1 revoked1 expired1 server2 revoked2 expired2
68 SPFX
=example.
$tld/$server.example.
$tld/$server.example.
$tld
69 openssl ocsp
-issuer $CADIR/Signer.pem
-cert $SPFX.pem
-reqout $SPFX.ocsp.req
70 openssl ocsp
-index $CADIR/index.valid.txt
$OGENCOMMON -ndays 3652 -reqin $SPFX.ocsp.req
-respout $SPFX.ocsp.good.resp
71 openssl ocsp
-index $CADIR/index.valid.txt
$OGENCOMMON -ndays 30 -reqin $SPFX.ocsp.req
-respout $SPFX.ocsp.dated.resp
72 openssl ocsp
-index $CADIR/index.revoked.txt
$OGENCOMMON -ndays 3652 -reqin $SPFX.ocsp.req
-respout $SPFX.ocsp.revoked.resp
76 # and loop again to generate unlocked keys and client cert bundles
77 for tld
in com org net
79 for server
in server1 revoked1 expired1 server2 revoked2 expired2
81 SDIR
=example.
$tld/$server.example.
$tld
82 SPFX
=$SDIR/$server.example.
$tld
83 openssl rsa
-in $SPFX.key
-passin file:$SDIR/pwdfile
-out $SPFX.unlocked.key
84 cat $SPFX.pem example.
$tld/CA
/Signer.pem
>$SPFX.chain.pem
88 echo Please to
reset date to now.
89 echo 'service ntpdate start (not on a systemd though...)'
94 # Create CRL files in .der and .pem
95 # empty versions, and ones with the revoked servers
96 for tld
in com org net
99 CRLIN
=$CADIR/crl.empty.
in.txt
100 DATENOW
=`date -u +%Y%m%d%H%M%SZ`
101 echo "update=$DATENOW " >$CRLIN
102 crlutil
-G -d $CADIR -f $CADIR/pwdfile \
103 -n 'Signing Cert' -c $CRLIN -o $CADIR/crl.empty
104 openssl crl
-in $CADIR/crl.empty
-inform der
-out $CADIR/crl.empty.pem
107 for tld
in com org net
109 CADIR
=example.
$tld/CA
110 CRLIN
=$CADIR/crl.v2.
in.txt
111 DATENOW
=`date -u +%Y%m%d%H%M%SZ`
112 echo "update=$DATENOW " >$CRLIN
113 echo "addcert 102 $DATENOW" >>$CRLIN
114 echo "addcert 202 $DATENOW" >>$CRLIN
115 crlutil
-G -d $CADIR -f $CADIR/pwdfile \
116 -n 'Signing Cert' -c $CRLIN -o $CADIR/crl.v2
117 openssl crl
-in $CADIR/crl.v2
-inform der
-out $CADIR/crl.v2.pem
120 # Finally, a single certificate-directory
121 cd example.com
/server1.example.com
125 h
=`openssl x509 -hash -noout -in $f`
128 f
=..
/..
/CA
/Signer.pem
129 h
=`openssl x509 -hash -noout -in $f`
137 find example.
* -type d
-print0 |
xargs -0 chmod 755
138 find example.
* -type f
-print0 |
xargs -0 chmod 644
140 echo "CA, Certificate, CRL and OSCP Response generation complete"