Skip to content

Instantly share code, notes, and snippets.

@joelverhagen

joelverhagen/.gitattributes

Last active May 2, 2018 20:57
Show Gist options
  • Save joelverhagen/0acace29e8341a4a954732b164cd4193 to your computer and use it in GitHub Desktop.
Save joelverhagen/0acace29e8341a4a954732b164cd4193 to your computer and use it in GitHub Desktop.
Download ZIP
Generate a test CA for NuGet package signing, props to @dtivel for initial implementation
Raw
.gitattributes
*.conf text eol=lf
*.config text eol=lf
*.sh text eol=lf
Raw
.gitignore
*.crl
*.crlnumber
*.crt
*.database*
*.old
*.pem
*.pfx
*.serialnumber*
*.txt
local.config
Raw
README.md

Generating a test CA for NuGet package signing

The script requires openssl and Linux. On Windows, the easiest way to do this is the Linux subsystem.

Just run create.sh to generate all of the certificates and start the OCSP responder.

Run clean.sh to remove all of the files generated by create.sh. Note that this nukes all of the private keys!

Run start-ocsp.sh to start the OCSP responder. This is called at the end of create.sh.

Certificates

The following certificates should be usable for package signing, assuming you have trusted the root.

  • leaf-1.pfx
  • leaf-2.pfx
  • leaf-with-oscp.pfx
  • leaf-with-no-eku.pfx

Set up revocation

Create a local.config file that looks something like this:

CA_BASE_URL=http://mystorageaccount.blob.core.windows.net/testca/
OCSP_PORT=42000

The CA_BASE_URL is the base URL which is prefixed to the CRL and intermediate certificate file names. This allows you to easily test online CRL checks. I normally use an Azure Blob Storage container containing all of the *.crt and .crl files generated by the create.sh script. Note that this assumes the CRL and CRT files are assumed to have the same base URL (which is not always the case in real life).

The OCSP_PORT is the local port that openssl's OCSP responder will be listening on. A couple of the generated certificates get an OCSP location baked into them instead of a CRL location. This OCSP location is hard-coded to localhost.

Trust

To play with this test CA on Windows, you'll need to install the root.crt as a trusted root on Windows. Instructions on how to do this are in Windows docs.

Clearing the cache

On Windows, you can run the following command to clear the CRL URL cache:

certutil -urlcache * delete
Raw
clean.sh
#!/bin/bash
rm -f ./*.crl
rm -f ./*.crlnumber
rm -f ./*.crt
rm -f ./*.database*
rm -f ./*.old
rm -f ./*.pem
rm -f ./*.pfx
rm -f ./*.serialnumber*
rm -f ./*.txt
rm -rf ./certs
rm -rf ./online
Raw
create.sh
#!/bin/bash
BASEDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
source ${BASEDIR}/vars.sh
function issueCertificate() {
export ID="${1}"
export ISSUER_ID="${2}"
export COMMON_NAME="NUGET_DO_NOT_TRUST.${ID}.test.test"
local REQUEST_EXTENSIONS="${3}"
local EXTENSIONS="${4}"
local KEY_LENGTH_IN_BITS="${5}"
local START_DATE="${6}"
local END_DATE="${7}"
local SIGNATURE_ALGORITHM="${8:-sha256}"
local CERTIFICATE_CRT_FILE_PATH="./${ID}.crt"
local CERTIFICATE_PEM_FILE_PATH="./${ID}.pem"
local CERTIFICATE_PFX_FILE_PATH="./${ID}.pfx"
local CERTIFICATE_REQUEST_FILE_PATH="./${ID}.csr.pem"
export ISSUER_CERTIFICATE_PEM_FILE_PATH="./${ISSUER_ID}.pem"
export ISSUER_CRL_FILE_PATH="./${ID}.crl"
export ISSUER_CRL_NUMBER_FILE_PATH="./${ID}.crlnumber"
export ISSUER_DATABASE_FILE_PATH="./${ISSUER_ID}.database"
export ISSUER_PRIVATE_KEY_FILE_PATH="./${ISSUER_ID}.key.pem"
export ISSUER_RANDOM_SEED_FILE_PATH="./${ID}.randomseed"
export ISSUER_SERIAL_NUMBER_FILE_PATH="./${ISSUER_ID}.serialnumber"
local PRIVATE_KEY_FILE_PATH="./${ID}.key.pem"
echo ""
echo "===================================================================="
echo "ISSUING ${ID}..."
echo "===================================================================="
echo ""
rm -f ./${ID}.*
rm -f ./${ID}*.pem
rm -f ./${ID}.serialnumber*
openssl genrsa -out ${PRIVATE_KEY_FILE_PATH} ${KEY_LENGTH_IN_BITS}
if [[ ${EXTENSIONS} == *ca_certificate ]]
then
touch ./${ID}.database
touch ./${ID}.database.attr
echo 1000 > ./${ID}.crlnumber
echo 01 > ./${ID}.serialnumber
fi
if [ -z ${REQUEST_EXTENSIONS} ]
then
openssl req \
-new \
-key ${PRIVATE_KEY_FILE_PATH} \
-out ${CERTIFICATE_REQUEST_FILE_PATH} \
-config ${CONFIG_FILE_PATH}
else
openssl req \
-new \
-key ${PRIVATE_KEY_FILE_PATH} \
-out ${CERTIFICATE_REQUEST_FILE_PATH} \
-reqexts ${REQUEST_EXTENSIONS} \
-config ${CONFIG_FILE_PATH}
fi
local selfsign=""
if [ "${ID}" == "${ISSUER_ID}" ]
then
selfsign="-selfsign"
fi
openssl ca \
-batch \
-in ${CERTIFICATE_REQUEST_FILE_PATH} \
-out ${CERTIFICATE_PEM_FILE_PATH} \
${selfsign} \
-startdate ${START_DATE} \
-enddate ${END_DATE} \
-md ${SIGNATURE_ALGORITHM} \
-extensions ${EXTENSIONS} \
-extfile ${CONFIG_FILE_PATH} \
-config ${CONFIG_FILE_PATH} \
-notext
openssl pkcs12 \
-export \
-in ${CERTIFICATE_PEM_FILE_PATH} \
-inkey ${PRIVATE_KEY_FILE_PATH} \
-out ${CERTIFICATE_PFX_FILE_PATH} \
-passout pass:
openssl x509 \
-in ${CERTIFICATE_PEM_FILE_PATH} \
-out ${CERTIFICATE_CRT_FILE_PATH}\
-outform der
}
function revokeCertificate() {
export ID="${1}"
export ISSUER_ID="${2}"
local CRL_REASON="${3}"
local COMPROMISE_TIME="${4}"
local CERTIFICATE_PEM_FILE_PATH="./${ID}.pem"
export ISSUER_CERTIFICATE_PEM_FILE_PATH="./${ISSUER_ID}.pem"
export ISSUER_CRL_NUMBER_FILE_PATH="./${ISSUER_ID}.crl"
export ISSUER_CRL_NUMBER_FILE_PATH="./${ISSUER_ID}.crlnumber"
export ISSUER_DATABASE_FILE_PATH="./${ISSUER_ID}.database"
export ISSUER_PRIVATE_KEY_FILE_PATH="./${ISSUER_ID}.key.pem"
export ISSUER_RANDOM_SEED_FILE_PATH="./${ISSUER_ID}.randomseed"
export ISSUER_SERIAL_NUMBER_FILE_PATH="./${ISSUER_ID}.serialnumber"
echo ""
echo "===================================================================="
echo "REVOKING ${ID}..."
echo "===================================================================="
echo ""
if [ ${CRL_REASON} == "caCompromise" ]
then
openssl ca \
-revoke ${CERTIFICATE_PEM_FILE_PATH} \
-crl_CA_compromise ${COMPROMISE_TIME} \
-config ${CONFIG_FILE_PATH}
elif [ ${CRL_REASON} == "keyCompromise" ]
then
openssl ca \
-revoke ${CERTIFICATE_PEM_FILE_PATH} \
-crl_compromise ${COMPROMISE_TIME} \
-config ${CONFIG_FILE_PATH}
else
openssl ca \
-revoke ${CERTIFICATE_PEM_FILE_PATH} \
-crl_reason ${CRL_REASON} \
-config ${CONFIG_FILE_PATH}
fi
issueCrl "${ISSUER_ID}"
}
function issueCrl() {
export ID="${1}"
export ISSUER_CERTIFICATE_PEM_FILE_PATH="./${ID}.pem"
export ISSUER_CRL_FILE_PATH="./${ID}.crl"
export ISSUER_CRL_NUMBER_FILE_PATH="./${ID}.crlnumber"
export ISSUER_DATABASE_FILE_PATH="./${ID}.database"
export ISSUER_PRIVATE_KEY_FILE_PATH="./${ID}.key.pem"
export ISSUER_RANDOM_SEED_FILE_PATH="./${ID}.randomseed"
export ISSUER_SERIAL_NUMBER_FILE_PATH="./${ID}.serialnumber"
openssl ca \
-gencrl \
-out ${ISSUER_CRL_FILE_PATH}.pem \
-config ${CONFIG_FILE_PATH}
openssl crl \
-in ${ISSUER_CRL_FILE_PATH}.pem \
-inform pem \
-out ${ISSUER_CRL_FILE_PATH} \
-outform der
}
rm -rf ./certs
mkdir ./certs
rm -rf ./online
mkdir ./online
###############################################################################
# Create a root certificate authority.
issueCertificate \
"root" `# ID` \
"root" `# issuer ID` \
"" `# CSR extensions` \
"root_ca_certificate" `# extension` \
2048 `# key length in bits` \
`date -u --date='1 year ago' +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='20 years' +%y%m%d%H%M%SZ` `# end date`
###############################################################################
# Create a valid intermediate certificate authority.
issueCertificate \
"intermediate" `# ID` \
"root" `# issuer ID` \
"" `# CSR extensions` \
"intermediate_ca_certificate" `# extension` \
2048 `# key length in bits` \
`date -u --date='1 month ago' +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='11 years' +%y%m%d%H%M%SZ` `# end date`
###############################################################################
# Create a valid intermediate certificate authority only using OCSP
issueCertificate \
"intermediate-ocsp" `# ID` \
"root" `# issuer ID` \
"" `# CSR extensions` \
"intermediate_ca_certificate" `# extension` \
2048 `# key length in bits` \
`date -u --date='1 month ago' +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='11 years' +%y%m%d%H%M%SZ` `# end date`
###############################################################################
# Create a valid OCSP certificate for the intermediate certificate authority.
issueCertificate \
"intermediate-ocsp-signer" `# ID` \
"intermediate-ocsp" `# issuer ID` \
"" `# CSR extensions` \
"intermediate_ocsp_certificate" `# extension` \
2048 `# key length in bits` \
`date -u --date='1 month ago' +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='11 years' +%y%m%d%H%M%SZ` `# end date`
###############################################################################
# Create a valid leaf certificate (#1).
issueCertificate \
"leaf-1" `# ID` \
"intermediate" `# issuer ID` \
"x509v3_code_signing" `# CSR extensions` \
"leaf_certificate" `# extension` \
2048 `# key length in bits` \
`date -u +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='10 years' +%y%m%d%H%M%SZ` `# end date`
###############################################################################
# Create a valid leaf certificate (#2).
issueCertificate \
"leaf-2" `# ID` \
"intermediate" `# issuer ID` \
"x509v3_code_signing" `# CSR extensions` \
"leaf_certificate" `# extension` \
2048 `# key length in bits` \
`date -u +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='10 years' +%y%m%d%H%M%SZ` `# end date`
###############################################################################
# Create a valid leaf certificate with no EKU at all (meaning all EKUs).
issueCertificate \
"leaf-with-no-eku" `# ID` \
"intermediate" `# issuer ID` \
"" `# CSR extensions` \
"leaf_certificate" `# extension` \
2048 `# key length in bits` \
`date -u +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='10 years' +%y%m%d%H%M%SZ` `# end date`
###############################################################################
# Create a valid leaf certificate with OCSP and no CRL.
issueCertificate \
"leaf-with-ocsp" `# ID` \
"intermediate-ocsp" `# issuer ID` \
"x509v3_code_signing" `# CSR extensions` \
"leaf_using_ocsp_certificate" `# extension` \
2048 `# key length in bits` \
`date -u +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='10 years' +%y%m%d%H%M%SZ` `# end date`
###############################################################################
# Create and revoke a leaf certificate with reason unspecified.
issueCertificate \
"leaf-with-ocsp-revoked-unspecified" `# ID` \
"intermediate-ocsp" `# issuer ID` \
"x509v3_code_signing" `# CSR extensions` \
"leaf_using_ocsp_certificate" `# extension` \
2048 `# key length in bits` \
`date -u +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='10 years' +%y%m%d%H%M%SZ` `# end date`
revokeCertificate \
"leaf-with-ocsp-revoked-unspecified" `# ID` \
"intermediate-ocsp" `# issuer ID` \
"unspecified" `# CRL reason`
###############################################################################
# Create an expired leaf certificate.
issueCertificate \
"leaf-expired" `# ID` \
"intermediate" `# issuer ID` \
"x509v3_code_signing" `# CSR extensions` \
"leaf_certificate" `# extension` \
2048 `# key length in bits` \
`date -u --date='2 hours ago' +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='1 hour ago' +%y%m%d%H%M%SZ` `# end date`
###############################################################################
# Create a not-yet-valid leaf certificate.
issueCertificate \
"leaf-not-yet-valid" `# ID` \
"intermediate" `# issuer ID` \
"x509v3_code_signing" `# CSR extensions` \
"leaf_certificate" `# extension` \
2048 `# key length in bits` \
`date -u --date='9 years' +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='10 years' +%y%m%d%H%M%SZ` `# end date`
###############################################################################
# Create a leaf certificate with an RSA 1024-bit key.
issueCertificate \
"leaf-1024-bit-key-length" `# ID` \
"intermediate" `# issuer ID` \
"x509v3_code_signing" `# CSR extensions` \
"leaf_certificate" `# extension` \
1024 `# key length in bits` \
`date -u +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='10 years' +%y%m%d%H%M%SZ` `# end date`
###############################################################################
# Create a leaf certificate with a SHA-1 signature algorithm.
issueCertificate \
"leaf-sha-1" `# ID` \
"intermediate" `# issuer ID` \
"x509v3_code_signing" `# CSR extensions` \
"leaf_certificate" `# extension` \
2048 `# key length in bits` \
`date -u +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='10 years' +%y%m%d%H%M%SZ` `# end date` \
"sha1" `# signature algorithm`
###############################################################################
# Create a leaf certificate without a code signing EKU.
issueCertificate \
"leaf-not-code-signing" `# ID` \
"intermediate" `# issuer ID` \
"x509v3_not_code_signing" `# CSR extensions` \
"leaf_certificate" `# extension` \
2048 `# key length in bits` \
`date -u +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='10 years' +%y%m%d%H%M%SZ` `# end date`
###############################################################################
# Create a leaf certificate without a CRL distribution point.
issueCertificate \
"leaf-no-crl-distribution-point" `# ID` \
"intermediate" `# issuer ID` \
"x509v3_code_signing" `# CSR extensions` \
"leaf_no_crl_certificate" `# extension` \
2048 `# key length in bits` \
`date -u +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='10 years' +%y%m%d%H%M%SZ` `# end date`
###############################################################################
# Create a valid intermediate certificate authority.
issueCertificate \
"intermediate-404-crl" `# ID` \
"root" `# issuer ID` \
"" `# CSR extensions` \
"intermediate_ca_certificate" `# extension` \
2048 `# key length in bits` \
`date -u --date='1 month ago' +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='11 years' +%y%m%d%H%M%SZ` `# end date`
###############################################################################
# Create a leaf certificate with a broken (404) a CRL distribution point.
issueCertificate \
"leaf-404-crl" `# ID` \
"intermediate-404-crl" `# issuer ID` \
"x509v3_code_signing" `# CSR extensions` \
"leaf_broken_crl_certificate" `# extension` \
2048 `# key length in bits` \
`date -u +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='10 years' +%y%m%d%H%M%SZ` `# end date`
###############################################################################
# Create and revoke a leaf certificate with reason unspecified.
issueCertificate \
"leaf-revoked-unspecified" `# ID` \
"intermediate" `# issuer ID` \
"x509v3_code_signing" `# CSR extensions` \
"leaf_certificate" `# extension` \
2048 `# key length in bits` \
`date -u +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='10 years' +%y%m%d%H%M%SZ` `# end date`
revokeCertificate \
"leaf-revoked-unspecified" `# ID` \
"intermediate" `# issuer ID` \
"unspecified" `# CRL reason`
###############################################################################
# Create and revoke a leaf certificate with reason keyCompromise.
issueCertificate \
"leaf-revoked-keyCompromise" `# ID` \
"intermediate" `# issuer ID` \
"x509v3_code_signing" `# CSR extensions` \
"leaf_certificate" `# extension` \
2048 `# key length in bits` \
`date -u +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='10 years' +%y%m%d%H%M%SZ` `# end date`
revokeCertificate \
"leaf-revoked-keyCompromise" `# ID` \
"intermediate" `# issuer ID` \
"keyCompromise" `# CRL reason` \
`date -u +%Y%m%d%H%M%SZ` `# compromise date`
###############################################################################
# Create and revoke a leaf certificate with reason caCompromise.
issueCertificate \
"leaf-revoked-caCompromise" `# ID` \
"intermediate" `# issuer ID` \
"x509v3_code_signing" `# CSR extensions` \
"leaf_certificate" `# extension` \
2048 `# key length in bits` \
`date -u +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='10 years' +%y%m%d%H%M%SZ` `# end date`
revokeCertificate \
"leaf-revoked-caCompromise" `# ID` \
"intermediate" `# issuer ID` \
"caCompromise" `# CRL reason` \
`date -u +%Y%m%d%H%M%SZ` `# compromise date`
###############################################################################
# Create and revoke a leaf certificate with reason affiliationChanged.
issueCertificate \
"leaf-revoked-affiliationChanged" `# ID` \
"intermediate" `# issuer ID` \
"x509v3_code_signing" `# CSR extensions` \
"leaf_certificate" `# extension` \
2048 `# key length in bits` \
`date -u +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='10 years' +%y%m%d%H%M%SZ` `# end date`
revokeCertificate \
"leaf-revoked-affiliationChanged" `# ID` \
"intermediate" `# issuer ID` \
"affiliationChanged" `# CRL reason`
###############################################################################
# Create and revoke a leaf certificate with reason superseded.
issueCertificate \
"leaf-revoked-superseded" `# ID` \
"intermediate" `# issuer ID` \
"x509v3_code_signing" `# CSR extensions` \
"leaf_certificate" `# extension` \
2048 `# key length in bits` \
`date -u +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='10 years' +%y%m%d%H%M%SZ` `# end date`
revokeCertificate \
"leaf-revoked-superseded" `# ID` \
"intermediate" `# issuer ID` \
"superseded" `# CRL reason`
###############################################################################
# Create and revoke a leaf certificate with reason cessationOfOperation.
issueCertificate \
"leaf-revoked-cessationOfOperation" `# ID` \
"intermediate" `# issuer ID` \
"x509v3_code_signing" `# CSR extensions` \
"leaf_certificate" `# extension` \
2048 `# key length in bits` \
`date -u +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='10 years' +%y%m%d%H%M%SZ` `# end date`
revokeCertificate \
"leaf-revoked-cessationOfOperation" `# ID` \
"intermediate" `# issuer ID` \
"cessationOfOperation" `# CRL reason`
###############################################################################
# Create and revoke a leaf certificate with reason certificateHold.
issueCertificate \
"leaf-revoked-certificateHold" `# ID` \
"intermediate" `# issuer ID` \
"x509v3_code_signing" `# CSR extensions` \
"leaf_certificate" `# extension` \
2048 `# key length in bits` \
`date -u +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='10 years' +%y%m%d%H%M%SZ` `# end date`
revokeCertificate \
"leaf-revoked-certificateHold" `# ID` \
"intermediate" `# issuer ID` \
"certificateHold" `# CRL reason`
###############################################################################
# Create and revoke a leaf certificate with reason removeFromCRL.
issueCertificate \
"leaf-revoked-removeFromCRL" `# ID` \
"intermediate" `# issuer ID` \
"x509v3_code_signing" `# CSR extensions` \
"leaf_certificate" `# extension` \
2048 `# key length in bits` \
`date -u +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='10 years' +%y%m%d%H%M%SZ` `# end date`
revokeCertificate \
"leaf-revoked-removeFromCRL" `# ID` \
"intermediate" `# issuer ID` \
"removeFromCRL" `# CRL reason`
###############################################################################
# Create a valid intermediate certificate authority.
# Issue a valid leaf certificate.
# Then revoke the intermediate certificate authority with reason caCompromise.
issueCertificate \
"intermediate-revoked-caCompromise" `# ID` \
"root" `# issuer ID` \
"" `# CSR extensions` \
"intermediate_ca_certificate" `# extension` \
2048 `# key length in bits` \
`date -u --date='2 minutes ago' +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='11 years' +%y%m%d%H%M%SZ` `# end date`
# Create a valid leaf certificate.
issueCertificate \
"leaf-before-intermediate-revoked" `# ID` \
"intermediate-revoked-caCompromise" `# issuer ID` \
"x509v3_code_signing" `# CSR extensions` \
"leaf_certificate" `# extension` \
2048 `# key length in bits` \
`date -u +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='1 hour' +%y%m%d%H%M%SZ` `# end date`
# Create a valid leaf certificate.
issueCertificate \
"leaf-during-intermediate-revoked" `# ID` \
"intermediate-revoked-caCompromise" `# issuer ID` \
"x509v3_code_signing" `# CSR extensions` \
"leaf_certificate" `# extension` \
2048 `# key length in bits` \
`date -u --date='1 hour' +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='3 hours' +%y%m%d%H%M%SZ` `# end date`
# Create a valid leaf certificate.
issueCertificate \
"leaf-after-intermediate-revoked" `# ID` \
"intermediate-revoked-caCompromise" `# issuer ID` \
"x509v3_code_signing" `# CSR extensions` \
"leaf_certificate" `# extension` \
2048 `# key length in bits` \
`date -u --date='3 hours' +%y%m%d%H%M%SZ` `# start date` \
`date -u --date='4 hours' +%y%m%d%H%M%SZ` `# end date`
revokeCertificate \
"intermediate-revoked-caCompromise" `# ID` \
"root" `# issuer ID` \
"caCompromise" `# CRL reason` \
`date -u --date='2 hours' +%Y%m%d%H%M%SZ` `# compromise date`
###############################################################################
# Generate CRL's.
echo ""
echo "===================================================================="
echo "GENERATING CLRS"
echo "===================================================================="
echo ""
issueCrl "root"
issueCrl "intermediate"
issueCrl "intermediate-ocsp"
issueCrl "intermediate-404-crl"
issueCrl "intermediate-revoked-caCompromise"
###############################################################################
# Copy all *.crt and *.crl files into the online directory (to upload somewhere)
echo ""
echo "===================================================================="
echo "COLLECTING ONLINE ARTIFACTS"
echo "===================================================================="
echo ""
cp --verbose *.crt ./online
cp --verbose *.crl ./online
rm ./online/intermediate-ocsp.crl
###############################################################################
# Verify certificate chains.
echo ""
echo "===================================================================="
echo "VERIFY CERTIFICATE CHAINS"
echo "===================================================================="
echo ""
cat ./root.pem ./intermediate-ocsp.pem ./root.crl.pem > ./intermediate-ocsp.chain.pem
cat ./root.pem ./intermediate-ocsp.pem ./leaf-with-ocsp.pem ./root.crl.pem ./intermediate-ocsp.crl.pem > ./leaf-with-ocsp.chain.pem
cat ./root.pem ./intermediate-ocsp.pem ./leaf-with-ocsp-revoked-unspecified.pem ./root.crl.pem ./intermediate-ocsp.crl.pem > ./leaf-with-ocsp-revoked-unspecified.chain.pem
openssl verify -crl_check -CAfile intermediate-ocsp.chain.pem intermediate-ocsp.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-with-ocsp.chain.pem leaf-with-ocsp.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-with-ocsp-revoked-unspecified.chain.pem leaf-with-ocsp-revoked-unspecified.pem
echo "--------------------------------------------------------------------"
cat ./root.pem ./intermediate-404-crl.pem ./root.crl.pem > ./intermediate-404-crl.chain.pem
cat ./root.pem ./intermediate-404-crl.pem ./leaf-404-crl.pem ./root.crl.pem ./intermediate-404-crl.crl.pem > ./leaf-404-crl.chain.pem
openssl verify -crl_check -CAfile intermediate-404-crl.chain.pem intermediate-404-crl.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-404-crl.chain.pem leaf-404-crl.pem
echo "--------------------------------------------------------------------"
cat ./root.pem ./intermediate.pem ./root.crl.pem > ./intermediate.chain.pem
cat ./root.pem ./intermediate.pem ./leaf-1.pem ./root.crl.pem ./intermediate.crl.pem > ./leaf-1.chain.pem
cat ./root.pem ./intermediate.pem ./leaf-2.pem ./root.crl.pem ./intermediate.crl.pem > ./leaf-2.chain.pem
cat ./root.pem ./intermediate.pem ./leaf-with-no-eku.pem ./root.crl.pem ./intermediate.crl.pem > ./leaf-with-no-eku.chain.pem
cat ./root.pem ./intermediate.pem ./leaf-expired.pem ./root.crl.pem ./intermediate.crl.pem > ./leaf-expired.chain.pem
cat ./root.pem ./intermediate.pem ./leaf-not-yet-valid.pem ./root.crl.pem ./intermediate.crl.pem > ./leaf-not-yet-valid.chain.pem
cat ./root.pem ./intermediate.pem ./leaf-1024-bit-key-length.pem ./root.crl.pem ./intermediate.crl.pem > ./leaf-1024-bit-key-length.chain.pem
cat ./root.pem ./intermediate.pem ./leaf-sha-1.pem ./root.crl.pem ./intermediate.crl.pem > ./leaf-sha-1.chain.pem
cat ./root.pem ./intermediate.pem ./leaf-not-code-signing.pem ./root.crl.pem ./intermediate.crl.pem > ./leaf-not-code-signing.chain.pem
cat ./root.pem ./intermediate.pem ./leaf-no-crl-distribution-point.pem ./root.crl.pem ./intermediate.crl.pem > ./leaf-no-crl-distribution-point.chain.pem
cat ./root.pem ./intermediate.pem ./leaf-revoked-unspecified.pem ./root.crl.pem ./intermediate.crl.pem > ./leaf-revoked-unspecified.chain.pem
cat ./root.pem ./intermediate.pem ./leaf-revoked-keyCompromise.pem ./root.crl.pem ./intermediate.crl.pem > ./leaf-revoked-keyCompromise.chain.pem
cat ./root.pem ./intermediate.pem ./leaf-revoked-caCompromise.pem ./root.crl.pem ./intermediate.crl.pem > ./leaf-revoked-caCompromise.chain.pem
cat ./root.pem ./intermediate.pem ./leaf-revoked-affiliationChanged.pem ./root.crl.pem ./intermediate.crl.pem > ./leaf-revoked-affiliationChanged.chain.pem
cat ./root.pem ./intermediate.pem ./leaf-revoked-superseded.pem ./root.crl.pem ./intermediate.crl.pem > ./leaf-revoked-superseded.chain.pem
cat ./root.pem ./intermediate.pem ./leaf-revoked-cessationOfOperation.pem ./root.crl.pem ./intermediate.crl.pem > ./leaf-revoked-cessationOfOperation.chain.pem
cat ./root.pem ./intermediate.pem ./leaf-revoked-certificateHold.pem ./root.crl.pem ./intermediate.crl.pem > ./leaf-revoked-certificateHold.chain.pem
cat ./root.pem ./intermediate.pem ./leaf-revoked-removeFromCRL.pem ./root.crl.pem ./intermediate.crl.pem > ./leaf-revoked-removeFromCRL.chain.pem
openssl verify -crl_check -CAfile intermediate.chain.pem intermediate.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-1.chain.pem leaf-1.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-2.chain.pem leaf-2.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-with-no-eku.chain.pem leaf-with-no-eku.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-expired.chain.pem leaf-expired.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-not-yet-valid.chain.pem leaf-not-yet-valid.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-1024-bit-key-length.chain.pem leaf-1024-bit-key-length.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-sha-1.chain.pem leaf-sha-1.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-not-code-signing.chain.pem leaf-not-code-signing.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-no-crl-distribution-point.chain.pem leaf-no-crl-distribution-point.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-revoked-unspecified.chain.pem leaf-revoked-unspecified.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-revoked-caCompromise.chain.pem leaf-revoked-caCompromise.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-revoked-affiliationChanged.chain.pem leaf-revoked-affiliationChanged.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-revoked-superseded.chain.pem leaf-revoked-superseded.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-revoked-cessationOfOperation.chain.pem leaf-revoked-cessationOfOperation.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-revoked-certificateHold.chain.pem leaf-revoked-certificateHold.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-revoked-removeFromCRL.chain.pem leaf-revoked-removeFromCRL.pem
echo "--------------------------------------------------------------------"
cat ./root.pem ./intermediate-revoked-caCompromise.pem ./root.crl.pem > ./intermediate-revoked-caCompromise.chain.pem
cat ./root.pem ./intermediate-revoked-caCompromise.pem ./leaf-before-intermediate-revoked.pem ./root.crl.pem ./intermediate-revoked-caCompromise.crl.pem > ./leaf-before-intermediate-revoked.chain.pem
cat ./root.pem ./intermediate-revoked-caCompromise.pem ./leaf-during-intermediate-revoked.pem ./root.crl.pem ./intermediate-revoked-caCompromise.crl.pem > ./leaf-during-intermediate-revoked.chain.pem
cat ./root.pem ./intermediate-revoked-caCompromise.pem ./leaf-after-intermediate-revoked.pem ./root.crl.pem ./intermediate-revoked-caCompromise.crl.pem > ./leaf-after-intermediate-revoked.chain.pem
openssl verify -crl_check -CAfile intermediate-revoked-caCompromise.chain.pem intermediate-revoked-caCompromise.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-before-intermediate-revoked.chain.pem leaf-before-intermediate-revoked.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-during-intermediate-revoked.chain.pem leaf-during-intermediate-revoked.pem
echo "--------------------------------------------------------------------"
openssl verify -crl_check -CAfile leaf-after-intermediate-revoked.chain.pem leaf-after-intermediate-revoked.pem
${BASEDIR}/start-ocsp.sh
Raw
openssl.conf
ID=""
ISSUER_ID=""
ISSUER_CERTIFICATE_PEM_FILE_PATH=""
ISSUER_CRL_FILE_PATH=""
ISSUER_CRL_NUMBER_FILE_PATH=""
ISSUER_DATABASE_FILE_PATH=""
ISSUER_PRIVATE_KEY_FILE_PATH=""
ISSUER_RANDOM_SEED_FILE_PATH=""
ISSUER_SERIAL_NUMBER_FILE_PATH=""
###############################################################################
# Sections for creating root and intermediate certificate authorities
[ca]
default_ca = ca_default
[ca_default]
new_certs_dir = ./certs
database = ${ENV::ISSUER_DATABASE_FILE_PATH}
certificate = ${ENV::ISSUER_CERTIFICATE_PEM_FILE_PATH}
private_key = ${ENV::ISSUER_PRIVATE_KEY_FILE_PATH}
serial = ${ENV::ISSUER_SERIAL_NUMBER_FILE_PATH}
RANDFILE = ${ENV::ISSUER_RANDOM_SEED_FILE_PATH}
crlnumber = ${ENV::ISSUER_CRL_NUMBER_FILE_PATH}
crl = ${ENV::ISSUER_CRL_FILE_PATH}
copy_extensions = copy
policy = policy_default
name_opt = ca_default
cert_opt = ca_default
crl_extensions = crl_ext
default_days = 3650
default_crl_days = 30
default_md = sha256
preserve = no
[policy_default]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
###############################################################################
# Certificate signing request (CSR) configuration
[req]
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
[x509v3_code_signing]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
[x509v3_not_code_signing]
keyUsage = digitalSignature,keyEncipherment,nonRepudiation
extendedKeyUsage = clientAuth,emailProtection
###############################################################################
# CSR distinguished name info
[req_distinguished_name]
countryName = US
stateOrProvinceName = WA
localityName = Redmond
0.organizationName = Test Organization Name
organizationalUnitName = Test Organizational Unit Name
commonName = ${ENV::COMMON_NAME}
###############################################################################
# CRL extensions
[crl_ext]
authorityKeyIdentifier = keyid:always
###############################################################################
# Certificate templates
[root_ca_certificate]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[intermediate_ca_certificate]
authorityInfoAccess = caIssuers;URI.0:${ENV::CA_BASE_URL}${ENV::ISSUER_ID}.crt
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
crlDistributionPoints = URI:${ENV::CA_BASE_URL}${ENV::ISSUER_ID}.crl
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_certificate]
authorityInfoAccess = caIssuers;URI.0:${ENV::CA_BASE_URL}${ENV::ISSUER_ID}.crt
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:false
crlDistributionPoints = URI:${ENV::CA_BASE_URL}${ENV::ISSUER_ID}.crl
subjectKeyIdentifier = hash
[leaf_no_crl_certificate]
authorityInfoAccess = caIssuers;URI.0:${ENV::CA_BASE_URL}${ENV::ISSUER_ID}.crt
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:false
subjectKeyIdentifier = hash
[leaf_broken_crl_certificate]
authorityInfoAccess = caIssuers;URI.0:${ENV::CA_BASE_URL}${ENV::ISSUER_ID}.crt
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:false
crlDistributionPoints = URI:${ENV::CA_BASE_URL}invalid-crl-location.crl
subjectKeyIdentifier = hash
[leaf_using_ocsp_certificate]
authorityInfoAccess = @leaf_ocsp_aia
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:false
subjectKeyIdentifier = hash
[leaf_ocsp_aia]
caIssuers;URI.0 = ${ENV::CA_BASE_URL}${ENV::ISSUER_ID}.crt
OCSP;URI.1 = http://localhost:${ENV::OCSP_PORT}
[intermediate_ocsp_certificate]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
Raw
start-ocsp.sh
#!/bin/bash
BASEDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
source ${BASEDIR}/vars.sh
echo ""
echo "===================================================================="
echo "STARTING OCSP RESPONDER"
echo "===================================================================="
echo ""
openssl ocsp \
-index intermediate-ocsp.database \
-port ${OCSP_PORT} \
-rsigner intermediate-ocsp-signer.pem \
-rkey intermediate-ocsp-signer.key.pem \
-CA intermediate-ocsp.pem \
-text \
-out log.txt \
-ignore_err
Raw
vars.sh
#!/bin/bash
BASEDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
CONFIG_FILE_PATH=${BASEDIR}/openssl.conf
SCRIPT_CONFIG_FILE_PATH=./local.config
if test -f "${SCRIPT_CONFIG_FILE_PATH}"
then
source "${SCRIPT_CONFIG_FILE_PATH}"
fi
if [ -z "${CA_BASE_URL}" ]; then CA_BASE_URL=http://localhost/testca; fi
if [ -z "${OCSP_PORT}" ]; then OCSP_PORT=42000; fi
export CONFIG_FILE_PATH="${CONFIG_FILE_PATH}"
export CA_BASE_URL="$(sed -e 's/[[:space:]]*$//' <<<${CA_BASE_URL})"
export OCSP_PORT="$(sed -e 's/[[:space:]]*$//' <<<${OCSP_PORT})"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment