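#!/bin/bash
#
# Regenerate the example.com / example.org / example.net test CA trees used
# by the Exim test suite: for each TLD a CA, six server certificates
# (server1/revoked1/expired1/server2/revoked2/expired2), OCSP requests and
# responses, CRLs, and a hashed certificate directory.
#
# Requires on PATH: clica, openssl, and the NSS tools pk12util and crlutil.
#
# The certificates are meant to be generated with the system clock set to
# 2012/11/01 12:34 (see the prompt below) so the fixtures are reproducible;
# a second prompt near the end asks for the clock to be restored before the
# CRLs are stamped with the real date.
#
# The passphrase used throughout is the literal string "password".  Because
# -x is enabled, it is visible in the trace output; that is acceptable only
# because this is a throw-away test fixture.

set -e            # abort on the first failing command ...
set -o pipefail   # ... including a failing stage inside a pipeline
set -x            # trace every command, useful when a tool fails half-way

echo Ensure time is set to 2012/11/01 12:34
echo use - date -u 110112342012
echo hit return when ready
# -r: do not let a backslash in the typed line be interpreted
read -r junk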
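# First pass: one CA per TLD plus the six server certificates it signs.
#   -s  serial number: 101-103 for server1/revoked1/expired1 and 201-203
#       for server2/revoked2/expired2 (the OCSP index files later in this
#       script list the same serials in hex: 65-67 and c9-cb).
#   -m 1  given only to the expired* certs; presumably a short validity so
#       they are already expired once the clock is reset - confirm with
#       clica's documentation.
# The whole example.$tld tree is removed and rebuilt on every run.
for tld in com org net; do
  idir="example.$tld"
  rm -fr -- "$idir"
  clica -D "$idir" -p password -B 1024 -I -N "example.$tld" -F \
    -C "http://crl.example.$tld/latest.crl" -O "http://oscp/example.$tld/"

  # The SAN list is quoted: it contains "*.test.ex", which the shell would
  # otherwise treat as a glob pattern.
  clica -D "$idir" -p password -s 101 -S "server1.example.$tld" \
    -8 "alternatename.server1.example.$tld,alternatename2.server1.example.$tld,*.test.ex"
  clica -D "$idir" -p password -s 102 -S "revoked1.example.$tld"
  clica -D "$idir" -p password -s 103 -S "expired1.example.$tld" -m 1
  clica -D "$idir" -p password -s 201 -S "server2.example.$tld"
  clica -D "$idir" -p password -s 202 -S "revoked2.example.$tld"
  clica -D "$idir" -p password -s 203 -S "expired2.example.$tld" -m 1

  # openssl seems to generate a file (ca_chain.pam) in an order it
  # cannot then use (the key applies to the first cert in the file?).
  # Generate a shuffled one: the server cert first, then the CA certs
  # pulled out of the PKCS#12 bundle (the per-server pwdfile holds its
  # passphrase).  A subshell saves the "cd ../.." bookkeeping.
  (
    cd "$idir/server1.example.$tld"
    openssl pkcs12 -in "server1.example.$tld.p12" -passin file:pwdfile \
      -cacerts -out cacerts.pem -nokeys
    cat "server1.example.$tld.pem" cacerts.pem > fullchain.pem
    rm cacerts.pem
  )
done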
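# Second pass, per CA: export an OCSP signing key, write the responder's
# index files, and pre-generate an OCSP request plus three responses for
# every server certificate.
for tld in com org net; do
  CADIR="example.$tld/CA"

  # Give ourselves an OCSP key to work with: export the 'OCSP Signer' entry
  # from the NSS database into a PKCS#12 file, then pull the bare
  # (unencrypted, -nodes) key out of it for openssl.  OCSP.pem and
  # Signer.pem are read from the CA directory below and are presumably
  # left there by clica - confirm if that step ever fails.
  pk12util -o "$CADIR/OCSP.p12" -n 'OCSP Signer' -d "$CADIR" -K password -W password
  openssl pkcs12 -in "$CADIR/OCSP.p12" -passin pass:password -passout pass:password \
    -nodes -nocerts -out "$CADIR/OCSP.key"

  # Index files for the ocsp responder, in openssl's CA index layout
  # (TAB separated: status, expiry, revocation time, serial, filename,
  # subject; the revocation field is empty on V lines).  One file marks
  # every cert valid, the other marks every cert revoked, presumably so the
  # tests can obtain either kind of answer for any certificate.  Serials
  # are the hex form of the -s values the certs were issued with.
  : >"$CADIR/index.valid.txt"
  : >"$CADIR/index.revoked.txt"
  for entry in 65:server1 66:revoked1 67:expired1 c9:server2 ca:revoked2 cb:expired2; do
    serial=${entry%%:*}
    server=${entry#*:}
    printf 'V\t130110200751Z\t\t%s\tunknown\tCN=%s.example.%s\n' \
      "$serial" "$server" "$tld" >>"$CADIR/index.valid.txt"
    printf 'R\t130110200751Z\t100201142709Z,superseded\t%s\tunknown\tCN=%s.example.%s\n' \
      "$serial" "$server" "$tld" >>"$CADIR/index.revoked.txt"
  done

  # Now create all the ocsp requests and responses.  The signer options are
  # kept in an array so each path stays a single argument.  -ndays is the
  # response validity: 3652 days for the "good" and "revoked" responses,
  # 30 for the "dated" one (the name suggests it is meant to be stale by
  # the time the tests run).  -noverify: the signer is our own test CA.
  OGENCOMMON=(-rsigner "$CADIR/OCSP.pem" -rkey "$CADIR/OCSP.key" -CA "$CADIR/Signer.pem" -noverify)
  for server in server1 revoked1 expired1 server2 revoked2 expired2; do
    SPFX="example.$tld/$server.example.$tld/$server.example.$tld"
    openssl ocsp -issuer "$CADIR/Signer.pem" -cert "$SPFX.pem" -reqout "$SPFX.ocsp.req"
    openssl ocsp -index "$CADIR/index.valid.txt" "${OGENCOMMON[@]}" -ndays 3652 \
      -reqin "$SPFX.ocsp.req" -respout "$SPFX.ocsp.good.resp"
    openssl ocsp -index "$CADIR/index.valid.txt" "${OGENCOMMON[@]}" -ndays 30 \
      -reqin "$SPFX.ocsp.req" -respout "$SPFX.ocsp.dated.resp"
    openssl ocsp -index "$CADIR/index.revoked.txt" "${OGENCOMMON[@]}" -ndays 3652 \
      -reqin "$SPFX.ocsp.req" -respout "$SPFX.ocsp.revoked.resp"
  done
done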
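# Third pass: a passphrase-free copy of each server key and a cert+issuer
# chain file, presumably what the test configurations reference.
for tld in com org net; do
  for server in server1 revoked1 expired1 server2 revoked2 expired2; do
    SDIR="example.$tld/$server.example.$tld"
    SPFX="$SDIR/$server.example.$tld"
    # The per-server pwdfile holds the key's passphrase.  The output key
    # is written unencrypted (no -passout), so it must never leave the
    # test tree.
    openssl rsa -in "$SPFX.key" -passin "file:$SDIR/pwdfile" -out "$SPFX.unlocked.key"
    cat "$SPFX.pem" "example.$tld/CA/Signer.pem" >"$SPFX.chain.pem"
  done
done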
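# The CRLs generated next are stamped with the current date, so ask for the
# clock to be put back to real time before continuing.
echo Please to reset date to now.
echo 'service ntpdate start (not on a systemd though...)'
echo
echo Then hit return
# -r: do not let a backslash in the typed line be interpreted
read -r junk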
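# Create CRL files in .der and .pem
# empty versions, and ones with the revoked servers

#######################################
# Generate one CRL for a CA.
# Arguments:
#   $1 - TLD (com/org/net) selecting example.$1/CA
#   $2 - base name of the CRL files (e.g. crl.empty -> CA/crl.empty,
#        CA/crl.empty.pem, and the crlutil script CA/crl.empty.in.txt)
#   $3... - serial numbers to list as revoked, as of now
# Outputs: the DER CRL, its PEM conversion, and the crlutil input script.
# The crlutil script is "update=<now>" followed by one "addcert <serial>
# <now>" line per serial; the NSS database password is read from pwdfile.
#######################################
gen_crl() {
  local tld=$1 name=$2
  shift 2
  local cadir="example.$tld/CA"
  local crlin="$cadir/$name.in.txt"
  local datenow
  datenow=$(date -u +%Y%m%d%H%M%SZ)
  # Trailing space after the date is kept as in the original input format.
  printf 'update=%s \n' "$datenow" >"$crlin"
  local serial
  for serial in "$@"; do
    printf 'addcert %s %s\n' "$serial" "$datenow" >>"$crlin"
  done
  crlutil -G -d "$cadir" -f "$cadir/pwdfile" \
    -n 'Signing Cert' -c "$crlin" -o "$cadir/$name"
  openssl crl -in "$cadir/$name" -inform der -out "$cadir/$name.pem"
}

# An empty CRL per CA ...
for tld in com org net; do
  gen_crl "$tld" crl.empty
done
# ... then, after a pause so its update time is strictly later, a second
# CRL revoking serials 102 and 202 (the revoked1/revoked2 certs).
sleep 2
for tld in com org net; do
  gen_crl "$tld" crl.v2 102 202
done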
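# Finally, a single certificate-directory: symlinks named <subject-hash>.0
# pointing at the CA and signer certs, the layout openssl's hashed
# certificate directories use.  Both links use the ".0" suffix, so if the
# two subjects ever hashed to the same value the second link would replace
# the first (unchanged from the original behaviour).  A subshell saves the
# "cd ../../.." bookkeeping.
(
  cd example.com/server1.example.com
  mkdir -p certdir
  cd certdir
  for f in ../../CA/CA.pem ../../CA/Signer.pem; do
    h=$(openssl x509 -hash -noout -in "$f")
    rm -f -- "$h.0"
    ln -s -- "$f" "$h.0"
  done
)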
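pwd
ls -l

# Normalise permissions over the whole tree.  NOTE: this also makes every
# private key, including the passphrase-free *.unlocked.key and OCSP.key
# files, world-readable.  That is tolerable only because these are
# throw-away test fixtures; never reuse the keys outside the test suite.
find example.* -type d -exec chmod 755 -- {} +
find example.* -type f -exec chmod 644 -- {} +

echo "CA, Certificate, CRL and OSCP Response generation complete"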