X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/854586e1495b0a0f4be2a561c419ec4671009dbd..aded22555eeb31bc032f9bc58a83762981a58391:/test/aux-fixed/exim-ca/genall diff --git a/test/aux-fixed/exim-ca/genall b/test/aux-fixed/exim-ca/genall index 8388cae43..a5e51e3e5 100755 --- a/test/aux-fixed/exim-ca/genall +++ b/test/aux-fixed/exim-ca/genall @@ -26,7 +26,7 @@ do rm -fr "$idir" # create CA cert + templates - clica $V -D "$idir" -p password -B 1024 -I -N $iname -F -C http://crl.$iname/latest.crl -O http://oscp.$iname/ + clica $V -D "$idir" -p password -B 2048 -I -N $iname -F -C http://crl.$iname/latest.crl -O http://oscp.$iname/ # create server certs # -m @@ -160,7 +160,7 @@ do rm -fr "$idir" # create CA cert + templates - clica $V -D "$idir" -p password -B 1024 -I -N $iname -F \ + clica $V -D "$idir" -p password -B 2048 -I -N $iname -F \ -k ec -q nistp521 \ -C http://crl.example.$tld/latest.crl -O http://oscp.example.$tld/ @@ -189,9 +189,41 @@ do SDIR=$idir/$server.$iname SPFX=$SDIR/$server.$iname openssl ec -in $SPFX.key -passin file:$SDIR/pwdfile -out $SPFX.unlocked.key - cat $SPFX.pem example.$tld/CA/Signer.pem >$SPFX.chain.pem + cat $SPFX.pem $idir/CA/Signer.pem >$SPFX.chain.pem done +#### + # create OCSP reqs & resps + CADIR=$idir/CA + #give ourselves an OSCP key to work with + pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer ec' -d $CADIR -K password -W password + openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key + + # create some index files for the ocsp responder to work with +# tab-sep +# 0: Revoked/Expired/Valid letter +# 1: Expiry date (ASN1_UTCTIME) +# 2: Revocation date +# 3: Serial no. (unique) +# 4: file +# 5: DN, index + + cat >$CADIR/index.valid.txt <$CRLIN crlutil -G -d $CADIR -f $CADIR/pwdfile \ -n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.empty openssl crl -in $CADIR/crl.empty -inform der -out $CADIR/crl.empty.pem done sleep 2 +DATENOW=`date -u +%Y%m%d%H%M%SZ` for tld in com org net do CADIR=example.$tld/CA CRLIN=$CADIR/crl.v2.in.txt - DATENOW=`date -u +%Y%m%d%H%M%SZ` echo "update=$DATENOW " >$CRLIN echo "addcert 102 $DATENOW" >>$CRLIN echo "addcert 202 $DATENOW" >>$CRLIN crlutil -G -d $CADIR -f $CADIR/pwdfile \ -n 'Signing Cert rsa' -c $CRLIN -o $CADIR/crl.v2 openssl crl -in $CADIR/crl.v2 -inform der -out $CADIR/crl.v2.pem + + CRLIN=$CADIR/crl.Signer.in.txt + echo "update=$DATENOW " >$CRLIN + crlutil -G -d $CADIR -f $CADIR/pwdfile \ + -n 'Certificate Authority rsa' -c $CRLIN -o $CADIR/crl.Signer + openssl crl -in $CADIR/crl.Signer -inform der -out $CADIR/crl.Signer.pem + + cat $CADIR/crl.Signer.pem $CADIR/crl.v2.pem > $CADIR/crl.chain.pem done # Finally, a single certificate-directory