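#!/bin/bash
#
# genall: build the CAs, server certificates, CRLs and OCSP responses that
# the Exim test suite uses, under example.com/, example.org/ and example.net/.
#
# The generated material has fixed validity dates, so the operator is asked
# to back-date the system clock before generation and to reset it afterwards
# (the CRLs at the end are stamped with the real current time).
# Tools expected on PATH: clica, openssl, pk12util, crlutil.

printf '%s\n' 'Ensure time is set to 2012/11/01 12:34'
printf '%s\n' 'use - date -u 110112342012'
printf '%s\n' 'hit return when ready'
# -r: a stray backslash in the typed line must not be interpreted.
read -r junk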
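# First pass: one CA per top-level domain, each with the same six server
# certificates.  Serials are chosen by hand because the OCSP index files
# built later refer to their hex form:
#   101/201  server<N>    ordinary server certificate
#   102/202  revoked<N>   listed in the "v2" CRL generated further down
#   103/203  expired<N>   -m 1 presumably shortens the validity so the
#                         certificate has lapsed once the clock is reset
# -B 1024 looks like the key size; it is left alone because the recorded
# test output depends on the generated files.
for tld in com org net; do
  clica -D "example.$tld" -p password -B 1024 -I -N "example.$tld" -F \
    -C "http://crl.example.$tld/latest.crl" -O "http://oscp/example.$tld/"

  clica -D "example.$tld" -p password -s 101 -S "server1.example.$tld" \
    -8 "alternatename.server1.example.$tld,alternatename2.server1.example.$tld"
  clica -D "example.$tld" -p password -s 102 -S "revoked1.example.$tld"
  clica -D "example.$tld" -p password -s 103 -S "expired1.example.$tld" -m 1
  clica -D "example.$tld" -p password -s 201 -S "server2.example.$tld"
  clica -D "example.$tld" -p password -s 202 -S "revoked2.example.$tld"
  clica -D "example.$tld" -p password -s 203 -S "expired2.example.$tld" -m 1

  # openssl seems to generate a chain file (ca_chain.pam) in an order it
  # cannot then use (the key applies to the first cert in the file?), so
  # assemble fullchain.pem by hand: server certificate first, then the CA
  # certificates pulled out of the PKCS#12 bundle.
  # These names used to be hard-coded to server1.example.com, which only
  # exists in the first iteration; they now follow $tld like the cd above.
  # A failed cd must stop the script: the rm and cd ../.. below would
  # otherwise run in the wrong directory.
  cd "example.$tld/server1.example.$tld" || exit 1
  openssl pkcs12 -in "server1.example.$tld.p12" -passin file:pwdfile \
    -cacerts -out cacerts.pem -nokeys
  cat "server1.example.$tld.pem" cacerts.pem > fullchain.pem
  rm cacerts.pem
  cd ../.. || exit 1
done
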
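# Second pass: give each CA an OCSP signing key and pre-generate the OCSP
# responses the test suite serves for every server certificate.
for tld in com org net; do
  CADIR=example.$tld/CA

  # Export the 'OCSP Signer' entry from the CA's NSS database and write its
  # private key out unencrypted (-nodes) for the responder.  The fixture
  # passphrase is fixed and passed on the command line (visible in ps);
  # acceptable only because this is disposable test material.
  pk12util -o "$CADIR/OCSP.p12" -n 'OCSP Signer' -d "$CADIR" -K password -W password
  openssl pkcs12 -in "$CADIR/OCSP.p12" -passin pass:password -passout pass:password \
    -nodes -nocerts -out "$CADIR/OCSP.key"

  # Index files in openssl "ca" database format: six tab-separated fields
  # (status, expiry, revocation, serial, file, subject), written with printf
  # so the tabs and the empty revocation field of a "V" record are explicit.
  # Serials are the hex form of the clica serials above (0x65 = 101 ...
  # 0xcb = 203).  index.valid.txt marks every certificate valid and
  # index.revoked.txt marks every one revoked; which index the responder is
  # handed decides the answer.
  : >"$CADIR/index.valid.txt"
  : >"$CADIR/index.revoked.txt"
  for entry in server1:65 revoked1:66 expired1:67 server2:c9 revoked2:ca expired2:cb; do
    server=${entry%%:*}
    serial=${entry##*:}
    printf 'V\t130110200751Z\t\t%s\tunknown\tCN=%s.example.%s\n' \
      "$serial" "$server" "$tld" >>"$CADIR/index.valid.txt"
    printf 'R\t130110200751Z\t100201142709Z,superseded\t%s\tunknown\tCN=%s.example.%s\n' \
      "$serial" "$server" "$tld" >>"$CADIR/index.revoked.txt"
  done

  # Responder arguments shared by every response: sign with the OCSP key,
  # name the CA's signer certificate, and -noverify the incoming request.
  # Kept as an array so each argument survives as one word.
  OGENCOMMON=(-rsigner "$CADIR/OCSP.pem" -rkey "$CADIR/OCSP.key" -CA "$CADIR/Signer.pem" -noverify)
  for server in server1 revoked1 expired1 server2 revoked2 expired2; do
    SPFX=example.$tld/$server.example.$tld/$server.example.$tld
    openssl ocsp -issuer "$CADIR/Signer.pem" -cert "$SPFX.pem" -reqout "$SPFX.ocsp.req"
    # good:    from the all-valid index, good for 3652 days
    # dated:   same answer but only 30 days, presumably so it is already
    #          stale by the time the tests run with the clock reset
    # revoked: from the all-revoked index
    openssl ocsp -index "$CADIR/index.valid.txt" "${OGENCOMMON[@]}" -ndays 3652 \
      -reqin "$SPFX.ocsp.req" -respout "$SPFX.ocsp.good.resp"
    openssl ocsp -index "$CADIR/index.valid.txt" "${OGENCOMMON[@]}" -ndays 30 \
      -reqin "$SPFX.ocsp.req" -respout "$SPFX.ocsp.dated.resp"
    openssl ocsp -index "$CADIR/index.revoked.txt" "${OGENCOMMON[@]}" -ndays 3652 \
      -reqin "$SPFX.ocsp.req" -respout "$SPFX.ocsp.revoked.resp"
  done
done
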
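# Third pass: per-server unencrypted private keys (presumably so the test
# configurations can load them without a passphrase) and "chain" bundles of
# server certificate followed by the CA's Signer certificate.
for tld in com org net; do
  for server in server1 revoked1 expired1 server2 revoked2 expired2; do
    SDIR=example.$tld/$server.example.$tld
    SPFX=$SDIR/$server.example.$tld
    # The unlocked key is written in the clear: fixture-only material.
    openssl rsa -in "$SPFX.key" -passin "file:$SDIR/pwdfile" -out "$SPFX.unlocked.key"
    cat "$SPFX.pem" "example.$tld/CA/Signer.pem" >"$SPFX.chain.pem"
  done
done
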
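# Everything that needs the back-dated clock is done; the CRLs below are
# stamped with the current time, so ask the operator to restore it first.
printf '%s\n' 'Please to reset date to now.'
printf '%s\n' 'service ntpdate start'
printf '\n'
printf '%s\n' 'Then hit return'
read -r junk
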
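# Create CRL files in .der and .pem form for each CA: an empty one, and a
# "v2" one listing the two revoked server certificates (serials 102 and 202).
#
# gen_crl TLD NAME [SERIAL...]
#   Writes example.TLD/CA/crl.NAME (DER, via crlutil) and crl.NAME.pem,
#   revoking each SERIAL given, from a crlutil script crl.NAME.in.txt.
#   The CA's NSS database and pwdfile are used for signing.
gen_crl() {
  local tld=$1 name=$2
  shift 2
  local cadir="example.$tld/CA"
  local crlin="$cadir/crl.$name.in.txt"
  local datenow
  datenow=$(date -u +%Y%m%d%H%M%SZ)
  # The trailing space after the update time is kept from the original
  # script; the same timestamp is used as each entry's revocation time.
  printf 'update=%s \n' "$datenow" >"$crlin"
  local serial
  for serial in "$@"; do
    printf 'addcert %s %s\n' "$serial" "$datenow" >>"$crlin"
  done
  crlutil -G -d "$cadir" -f "$cadir/pwdfile" \
    -n 'Signing Cert' -c "$crlin" -o "$cadir/crl.$name"
  openssl crl -in "$cadir/crl.$name" -inform der -out "$cadir/crl.$name.pem"
}

for tld in com org net; do
  gen_crl "$tld" empty
done
# Pause so the v2 CRLs carry a later update time than the empty ones
# (presumably so the two can be told apart by date).
sleep 2
for tld in com org net; do
  gen_crl "$tld" v2 102 202
done
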
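# Finally, a single hashed certificate directory for example.com/server1,
# holding symlinks named by subject hash to the CA root and signer.
# "mkdir -f" is not a valid mkdir option, so the directory was never created
# and the links landed in server1.example.com/ instead; with mkdir -p the
# links go into certdir, which means the return path is three levels up,
# not two, to get back to the directory holding example.*/.
cd example.com/server1.example.com || exit 1
mkdir -p certdir
cd certdir || exit 1
for f in ../../CA/CA.pem ../../CA/Signer.pem; do
  h=$(openssl x509 -hash -noout -in "$f")
  # -f so a re-run replaces stale links.  Only one link per hash is made;
  # if the two certificates ever shared a subject hash the second would
  # need the .1 suffix instead of .0.
  ln -sf "$f" "$h.0"
done
cd ../../.. || exit 1
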
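# Normalise permissions on everything generated: directories 755, files 644.
# find -exec ... {} + is POSIX (unlike -print0 / xargs -0, which older
# Solaris tools lack) and runs nothing when there is no match instead of
# invoking chmod without operands.
find example.* -type d -exec chmod 755 {} +
find example.* -type f -exec chmod 644 {} +

printf '%s\n' 'CA, Certificate, CRL and OSCP Response generation complete'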