X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/d4fd1b83a197d73cbac114fe53f3448d8b5c7cc2..30795c5e77e21e90f3c695e6274bc9b4a9b68900:/test/aux-fixed/exim-ca/genall diff --git a/test/aux-fixed/exim-ca/genall b/test/aux-fixed/exim-ca/genall index e81e2f385..6998108b0 100755 --- a/test/aux-fixed/exim-ca/genall +++ b/test/aux-fixed/exim-ca/genall @@ -26,7 +26,15 @@ do rm -fr "$idir" # create CA cert + templates - clica $V -D "$idir" -p password -B 1024 -I -N $iname -F -C http://crl.$iname/latest.crl -O http://oscp.$iname/ + # -D dir to work in + # -p passwd for cert + # -B keysize in bits + # -I create CA cert + # -N org name + # -F create sub-signing cert + # -C CRL + # -O create OCSP responder cert + clica $V -D "$idir" -p password -B 2048 -I -N $iname -F -C http://crl.$iname/latest.crl -O http://oscp.$iname/ # create server certs # -m @@ -69,6 +77,7 @@ do # create OCSP reqs & resps CADIR=$idir/CA + #give ourselves an OSCP key to work with pk12util -o $CADIR/OCSP.p12 -n 'OCSP Signer rsa' -d $CADIR -K password -W password openssl pkcs12 -in $CADIR/OCSP.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/OCSP.key @@ -77,12 +86,17 @@ do pk12util -o $CADIR/Signer.p12 -n 'Signing Cert rsa' -d $CADIR -K password -W password openssl pkcs12 -in $CADIR/Signer.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/Signer.key + # ditto for CA + # - the "-n names" here appear to be hardcoded in clica + pk12util -o $CADIR/CA.p12 -n 'Certificate Authority rsa' -d $CADIR -K password -W password + openssl pkcs12 -in $CADIR/CA.p12 -passin pass:password -passout pass:password -nodes -nocerts -out $CADIR/CA.key + # create some index files for the ocsp responder to work with -# tab-sep +# tab-sep, and fields can be empty # 0: Revoked/Expired/Valid letter # 1: Expiry date (ASN1_UTCTIME) # 2: Revocation date -# 3: Serial no. (unique) +# 3: Serial no. (unique, in hex) # 4: file # 5: DN, index @@ -93,6 +107,8 @@ V 130110200751Z 67 unknown CN=expired1.$iname V 130110200751Z c9 unknown CN=server2.$iname V 130110200751Z ca unknown CN=revoked2.$iname V 130110200751Z cb unknown CN=expired2.$iname +V 130110200751Z 42 unknown CN=clica Signing Cert rsa +V 130110200751Z 41 unknown CN=clica CA rsa EOF cat >$CADIR/index.revoked.txt < $RESP.pem + + # Then, ocsp request and (valid, revoked) responses for the signer cert + REQ=$CADIR/Signer.ocsp.req + RESP=$CADIR/Signer.ocsp.signernocert.good.resp + openssl ocsp -issuer $CADIR/CA.pem -sha256 -cert $CADIR/Signer.pem -no_nonce -reqout $REQ + openssl ocsp $IVALID -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $CADIR/CA.pem -resp_no_certs -noverify \ + -ndays 3652 -reqin $REQ -respout $RESP + ocsptool -S $RESP -j > $RESP.pem + + RESP=$CADIR/Signer.ocsp.signernocert.revoked.resp + openssl ocsp $IREVOKED -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $CADIR/CA.pem -resp_no_certs -noverify \ + -ndays 3652 -reqin $REQ -respout $RESP + ocsptool -S $RESP -j > $RESP.pem + + # Finally, a full-chain all-good request and response + REQ=$idir/$server.$iname/fullchain.ocsp.req + leafcert=$idir/$server.$iname/$server.$iname.pem + signercert=$CADIR/Signer.pem + cacert=$CADIR/CA.pem + openssl ocsp -sha256 -no_nonce -reqout $REQ \ + -issuer $signercert -cert $leafcert \ + -issuer $cacert -cert $CADIR/Signer.pem -cert $CADIR/CA.pem + + RESP=$idir/$server.$iname/fullchain.ocsp.resp + authorities=$idir/$server.$iname/ca_chain.pem + openssl ocsp $IVALID -rsigner $CADIR/CA.pem -rkey $CADIR/CA.key -CA $authorities -resp_no_certs -noverify \ + -ndays 3652 -reqin $REQ -respout $RESP + ocsptool -S $RESP -j > $RESP.pem + #### done @@ -160,7 +215,7 @@ do rm -fr "$idir" # create CA cert + templates - clica $V -D "$idir" -p password -B 1024 -I -N $iname -F \ + clica $V -D "$idir" -p password -B 2048 -I -N $iname -F \ -k ec -q nistp521 \ -C http://crl.example.$tld/latest.crl -O http://oscp.example.$tld/ @@ -209,7 +264,7 @@ do # 5: DN, index cat >$CADIR/index.valid.txt <