4 echo Ensure time is set to 2012/11/01 12:34
5 echo use - date -u 110112342012
6 echo hit return when ready
10 clica -D example.$tld -p password -B 512 -I -N example.$tld -F -C http://crl.example.$tld/latest.crl -O http://oscp/example.$tld/
11 clica -D example.$tld -p password -s 101 -S server1.example.$tld
12 clica -D example.$tld -p password -s 102 -S revoked1.example.$tld
13 clica -D example.$tld -p password -s 103 -S expired1.example.$tld -m 1
14 clica -D example.$tld -p password -s 201 -S server2.example.$tld
15 clica -D example.$tld -p password -s 202 -S revoked2.example.$tld
16 clica -D example.$tld -p password -s 203 -S expired2.example.$tld -m 1
20 for tld in com org net
23 #give ourselves an OSCP key to work with
24 pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer' -d $CADIR -K password -W password
25 openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key
28 # create some index files for the ocsp responder to work with
29 cat >$CADIR/index.valid.txt <<EOF
30 V 130110200751Z 65 unknown CN=server1.example.$tld
31 V 130110200751Z 66 unknown CN=revoked1.example.$tld
32 V 130110200751Z 67 unknown CN=expired1.example.$tld
33 V 130110200751Z c9 unknown CN=server2.example.$tld
34 V 130110200751Z ca unknown CN=revoked2.example.$tld
35 V 130110200751Z cb unknown CN=expired2.example.$tld
37 cat >$CADIR/index.revoked.txt <<EOF
38 R 130110200751Z 100201142709Z,superseded 65 unknown CN=server1.example.$tld
39 R 130110200751Z 100201142709Z,superseded 66 unknown CN=revoked1.example.$tld
40 R 130110200751Z 100201142709Z,superseded 67 unknown CN=expired1.example.$tld
41 R 130110200751Z 100201142709Z,superseded c9 unknown CN=server2.example.$tld
42 R 130110200751Z 100201142709Z,superseded ca unknown CN=revoked2.example.$tld
43 R 130110200751Z 100201142709Z,superseded cb unknown CN=expired2.example.$tld
46 # Now create all the ocsp requests and responses
47 OGENCOMMON="-rsigner $CADIR/OCSP.pem -rkey $CADIR/OCSP.key -CA $CADIR/Signer.pem -noverify"
48 for server in server1 revoked1 expired1 server2 revoked2 expired2
50 SPFX=example.$tld/$server.example.$tld/$server.example.$tld
51 openssl ocsp -issuer $CADIR/Signer.pem -cert $SPFX.pem -reqout $SPFX.ocsp.req
52 openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.good.resp
53 openssl ocsp -index $CADIR/index.valid.txt $OGENCOMMON -ndays 30 -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.dated.resp
54 openssl ocsp -index $CADIR/index.revoked.txt $OGENCOMMON -reqin $SPFX.ocsp.req -respout $SPFX.ocsp.revoked.resp
58 # and loop again to generate unlocked keys and client cert bundles
59 for tld in com org net
61 for server in server1 revoked1 expired1 server2 revoked2 expired2 do
62 SDIR=example.$tld/$server.example.$tld
63 SPFX=$SDIR/$server.example.$tld
64 openssl rsa -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key
65 cat $SPFX.pem example.$tld/CA/Signer.pem >$SPFX.chain.pem
69 echo Please to reset date to now.
70 echo service ntpdate start
75 # Create CRL files in .der and .pem
76 # empty versions, and ones with the revoked servers
77 for tld in com org net
80 CRLIN=$CADIR/crl.empty.in.txt
81 DATENOW=`date -u +%Y%m%d%H%M%SZ`
82 echo "update=$DATENOW " >$CRLIN
83 crlutil -G -d $CADIR -f $CADIR/pwdfile \
84 -n 'Signing Cert' -c $CRLIN -o $CADIR/crl.empty
85 openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem
88 for tld in com org net
91 CRLIN=$CADIR/crl.v2.in.txt
92 DATENOW=`date -u +%Y%m%d%H%M%SZ`
93 echo "update=$DATENOW " >$CRLIN
94 echo "addcert 102 $DATENOW" >>$CRLIN
95 echo "addcert 202 $DATENOW" >>$CRLIN
96 crlutil -G -d $CADIR -f $CADIR/pwdfile \
97 -n 'Signing Cert' -c $CRLIN -o $CADIR/crl.v2
98 openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem
101 echo "CA, Certificate, CRL and OSCP Response generation complete"