From 645bdd837a0345a04d01a32e89b94571228a864b Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Thu, 27 May 2010 23:33:19 +0200
Subject: tests/certs/scripts: generate also CRL

... and make it possible to do so without any user interaction
---
 tests/certs/EdelCurlRoot-ca.cnf | 11 +++++++++++
 tests/certs/scripts/genroot.sh | 7 +++++--
 tests/certs/scripts/genserv.sh | 16 +++++++++++-----
 3 files changed, 27 insertions(+), 7 deletions(-)
 create mode 100644 tests/certs/EdelCurlRoot-ca.cnf

(limited to 'tests/certs')

diff --git a/tests/certs/EdelCurlRoot-ca.cnf b/tests/certs/EdelCurlRoot-ca.cnf
new file mode 100644
index 000000000..ba998817e
--- /dev/null
+++ b/tests/certs/EdelCurlRoot-ca.cnf
@@ -0,0 +1,11 @@
+[ ca ]
+default_ca = EdelCurlRoot
+
+[ EdelCurlRoot ]
+database = EdelCurlRoot-ca.db
+certificate = EdelCurlRoot-ca.crt
+private_key = EdelCurlRoot-ca.key
+crlnumber = EdelCurlRoot-ca.cnt
+default_md = sha1
+default_days = 365
+default_crl_days = 30
diff --git a/tests/certs/scripts/genroot.sh b/tests/certs/scripts/genroot.sh
index b463e2c6e..6ac138873 100755
--- a/tests/certs/scripts/genroot.sh
+++ b/tests/certs/scripts/genroot.sh
@@ -40,8 +40,11 @@ SERIAL=`/usr/bin/env perl -e "$GETSERIAL"`
 echo SERIAL=$SERIAL PREFIX=$PREFIX DURATION=$DURATION KEYSIZE=$KEYSIZE
-echo "openssl req -config $PREFIX-ca.prm -newkey rsa:$KEYSIZE -keyout $PREFIX-ca.key -out $PREFIX-ca.csr"
-$OPENSSL req -config $PREFIX-ca.prm -newkey rsa:$KEYSIZE -keyout $PREFIX-ca.key -out $PREFIX-ca.csr
+echo "openssl genrsa -out $PREFIX-ca.key $KEYSIZE -passout XXX"
+openssl genrsa -out $PREFIX-ca.key $KEYSIZE -passout pass:secret
+
+echo "openssl req -config $PREFIX-ca.prm -new -key $PREFIX-ca.key -out $PREFIX-ca.csr"
+$OPENSSL req -config $PREFIX-ca.prm -new -key $PREFIX-ca.key -out $PREFIX-ca.csr -passin pass:secret
 echo "openssl x509 -set_serial $SERIAL -extfile $PREFIX-ca.prm -days $DURATION -req -signkey $PREFIX-ca.key -in $PREFIX-ca.csr -out $PREFIX-$SERIAL.ca-cacert -sha1 "
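Review bot: The new EdelCurlRoot-ca.cnf hard-codes the database, certificate, private key and crlnumber file names for one CA and gives them as bare relative paths, while genserv.sh invokes it as `$CAPREFIX-ca.cnf` for whatever `CAPREFIX` is set to; any other CA prefix has no config at all, and the `openssl ca` calls only find these files when the current directory is tests/certs. A header comment would make both constraints explicit, e.g. `# Used by scripts/genserv.sh -revoke/-gencrl; paths are relative to tests/certs and the file names assume CAPREFIX=EdelCurlRoot`. `default_md = sha1` is consistent with the `-sha1` the scripts pass to `openssl x509`, but SHA-1 is a weak signature digest; a short comment marking it as a test-fixture choice would keep it from being copied into non-test configs.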
diff --git a/tests/certs/scripts/genserv.sh b/tests/certs/scripts/genserv.sh
index 61145d84b..a70da9c76 100755
--- a/tests/certs/scripts/genserv.sh
+++ b/tests/certs/scripts/genserv.sh
@@ -39,7 +39,7 @@ if [ ".$CAPREFIX" = . ] ; then
 NOTOK=1
 else
 if [ ! -f $CAPREFIX-ca.cacert ] ; then
- echo No CA certficate file $PREFIX-ca.caert
+ echo No CA certficate file $CAPREFIX-ca.caert
 NOTOK=1
 fi
 if [ ! -f $CAPREFIX-ca.key ] ; then
@@ -74,7 +74,6 @@ fi
 echo "openssl rsa -in $PREFIX-sv.key -out $PREFIX-sv.key"
 $OPENSSL rsa -in $PREFIX-sv.key -out $PREFIX-sv.key -passin pass:secret
 echo pseudo secrets generated
-read
 echo "openssl x509 -set_serial $SERIAL -extfile $PREFIX-sv.prm -days $DURATION -CA $CAPREFIX-ca.cacert -CAkey $CAPREFIX-ca.key -in $PREFIX-sv.csr -req -out $PREFIX-sv.crt -text -nameopt multiline -sha1"
@@ -85,16 +84,23 @@ if [ "$P12." = YES. ] ; then
 echo "$OPENSSL pkcs12 -export -des3 -out $PREFIX-sv.p12 -caname $CAPREFIX -name $PREFIX -inkey $PREFIX-sv.key -in $PREFIX-sv.crt -certfile $CAPREFIX-ca.crt "
 $OPENSSL pkcs12 -export -des3 -out $PREFIX-sv.p12 -caname $CAPREFIX -name $PREFIX -inkey $PREFIX-sv.key -in $PREFIX-sv.crt -certfile $CAPREFIX-ca.crt
-
- read
 fi
 echo "openssl x509 -noout -text -hash -in $PREFIX-sv.selfcert -nameopt multiline"
 $OPENSSL x509 -noout -text -hash -in $PREFIX-sv.crt -nameopt multiline
+# revoke server cert
+touch $CAPREFIX-ca.db
+echo 01 > $CAPREFIX-ca.cnt
+echo "openssl ca -config $CAPREFIX-ca.cnf -revoke $PREFIX-sv.crt"
+$OPENSSL ca -config $CAPREFIX-ca.cnf -revoke $PREFIX-sv.crt
+
+# issue CRL
+echo "openssl ca -config $CAPREFIX-ca.cnf -gencrl -out $PREFIX-sv.crl"
+$OPENSSL ca -config $CAPREFIX-ca.cnf -gencrl -out $PREFIX-sv.crl
+
 echo "openssl x509 -in $PREFIX-sv.crt -outform der -out $PREFIX-sv.der "
 $OPENSSL x509 -in $PREFIX-sv.crt -outform der -out $PREFIX-sv.der
-read
 # all together now
 touch $PREFIX-sv.dhp
-- 
cgit v1.2.3
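Review bot: The corrected diagnostic in the first genserv.sh hunk still names a file that is never looked for: the test is `[ ! -f $CAPREFIX-ca.cacert ]` but the message says `$CAPREFIX-ca.caert`, and "certficate" is misspelled, so a user is pointed at the wrong path. Suggest `echo No CA certificate file $CAPREFIX-ca.cacert`. The enclosing if/else starts and ends outside the hunk.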
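Review bot: In the revoke/CRL hunk of genserv.sh neither `$OPENSSL ca` exit status is checked and `echo 01 > $CAPREFIX-ca.cnt` rewrites the CRL number on every run, so each rerun restarts crlNumber at 01 while `$CAPREFIX-ca.db` keeps accumulating entries, and a failed `-revoke` would go unnoticed but still be followed by a freshly written CRL. No `set -e` is visible in the hunk, so append `|| exit 1` to both `$OPENSSL ca` invocations and seed the counter only when it does not exist yet: `[ -f $CAPREFIX-ca.cnt ] || echo 01 > $CAPREFIX-ca.cnt`. The CRL is also stored as `$PREFIX-sv.crl`, under the server prefix, although it is the CA's CRL; a one-line comment above `# issue CRL` stating why it is filed per server would make that deliberate.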