4 echo Ensure
time is
set to
2012/11/01 12:34
5 echo use
- date -u 110112342012
6 echo hit
return when ready
10 clica
-D example.
$tld -p password
-B 1024 -I -N example.
$tld -F \
11 -C http
://crl.example.
$tld/latest.crl
-O http
://oscp
/example.
$tld/
13 clica
-D example.
$tld -p password
-s 101 -S server1.example.
$tld \
14 -8 alternatename.server1.example.
$tld,alternatename2.server1.example.
$tld
15 clica
-D example.
$tld -p password
-s 102 -S revoked1.example.
$tld
16 clica
-D example.
$tld -p password
-s 103 -S expired1.example.
$tld -m 1
17 clica
-D example.
$tld -p password
-s 201 -S server2.example.
$tld
18 clica
-D example.
$tld -p password
-s 202 -S revoked2.example.
$tld
19 clica
-D example.
$tld -p password
-s 203 -S expired2.example.
$tld -m 1
22 # openssl seems to generate a file (ca_chain.pam) in an order it
23 # cannot then use (the key applies to the first cert in the file?).
24 # Generate a shuffled one.
25 cd example.
$tld/server1.example.
$tld
26 openssl pkcs12
-in server1.example.com.p12
-passin file:pwdfile
-cacerts -out cacerts.pem
-nokeys
27 cat server1.example.com.pem cacerts.pem
> fullchain.pem
33 for tld
in com org net
36 #give ourselves an OSCP key to work with
37 pk12util
-o $CADIR/OCSP.p12
-n 'OCSP Signer' -d $CADIR -K password
-W password
38 openssl pkcs12
-in $CADIR/OCSP.p12
-passin pass
:password
-passout pass
:password
-nodes -nocerts -out $CADIR/OCSP.key
41 # create some index files for the ocsp responder to work with
42 cat >$CADIR/index.valid.txt
<<EOF
43 V 130110200751Z 65 unknown CN=server1.example.$tld
44 V 130110200751Z 66 unknown CN=revoked1.example.$tld
45 V 130110200751Z 67 unknown CN=expired1.example.$tld
46 V 130110200751Z c9 unknown CN=server2.example.$tld
47 V 130110200751Z ca unknown CN=revoked2.example.$tld
48 V 130110200751Z cb unknown CN=expired2.example.$tld
50 cat >$CADIR/index.revoked.txt
<<EOF
51 R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.example.$tld
52 R 130110200751Z 100201142709Z,superseded 66 unknown CN=revoked1.example.$tld
53 R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.example.$tld
54 R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.example.$tld
55 R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.example.$tld
56 R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.example.$tld
59 # Now create all the ocsp requests and responses
60 OGENCOMMON
="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
61 for server
in server1 revoked1 expired1 server2 revoked2 expired2
63 SPFX
=example.
$tld/$server.example.
$tld/$server.example.
$tld
64 openssl ocsp
-issuer $CADIR/Signer.pem
-cert $SPFX.pem
-reqout $SPFX.ocsp.req
65 openssl ocsp
-index $CADIR/index.valid.txt
$OGENCOMMON -ndays 3652 -reqin $SPFX.ocsp.req
-respout $SPFX.ocsp.good.resp
66 openssl ocsp
-index $CADIR/index.valid.txt
$OGENCOMMON -ndays 30 -reqin $SPFX.ocsp.req
-respout $SPFX.ocsp.dated.resp
67 openssl ocsp
-index $CADIR/index.revoked.txt
$OGENCOMMON -ndays 3652 -reqin $SPFX.ocsp.req
-respout $SPFX.ocsp.revoked.resp
71 # and loop again to generate unlocked keys and client cert bundles
72 for tld
in com org net
74 for server
in server1 revoked1 expired1 server2 revoked2 expired2
76 SDIR
=example.
$tld/$server.example.
$tld
77 SPFX
=$SDIR/$server.example.
$tld
78 openssl rsa
-in $SPFX.key
-passin file:$SDIR/pwdfile
-out $SPFX.unlocked.key
79 cat $SPFX.pem example.
$tld/CA
/Signer.pem
>$SPFX.chain.pem
83 echo Please to
reset date to now.
84 echo service ntpdate start
89 # Create CRL files in .der and .pem
90 # empty versions, and ones with the revoked servers
91 for tld
in com org net
94 CRLIN
=$CADIR/crl.empty.
in.txt
95 DATENOW
=`date -u +%Y%m%d%H%M%SZ`
96 echo "update=$DATENOW " >$CRLIN
97 crlutil
-G -d $CADIR -f $CADIR/pwdfile \
98 -n 'Signing Cert' -c $CRLIN -o $CADIR/crl.empty
99 openssl crl
-in $CADIR/crl.empty
-inform der
-out $CADIR/crl.empty.pem
102 for tld
in com org net
104 CADIR
=example.
$tld/CA
105 CRLIN
=$CADIR/crl.v2.
in.txt
106 DATENOW
=`date -u +%Y%m%d%H%M%SZ`
107 echo "update=$DATENOW " >$CRLIN
108 echo "addcert 102 $DATENOW" >>$CRLIN
109 echo "addcert 202 $DATENOW" >>$CRLIN
110 crlutil
-G -d $CADIR -f $CADIR/pwdfile \
111 -n 'Signing Cert' -c $CRLIN -o $CADIR/crl.v2
112 openssl crl
-in $CADIR/crl.v2
-inform der
-out $CADIR/crl.v2.pem
115 # Finally, a single certificate-directory
116 cd example.com
/server1.example.com
120 h
=`openssl x509 -hash -noout -in $f`
122 f
=..
/..
/CA
/Signer.pem
123 h
=`openssl x509 -hash -noout -in $f`
127 find example.
* -type d
-print0 |
xargs -0 chmod 755
128 find example.
* -type f
-print0 |
xargs -0 chmod 644
130 echo "CA, Certificate, CRL and OSCP Response generation complete"