Extend certificate creation examples to include CRL generation and sample
authorDr. Stephen Henson <steve@openssl.org>
Sun, 9 Sep 2012 20:43:49 +0000 (20:43 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Sun, 9 Sep 2012 20:43:49 +0000 (20:43 +0000)
scripts running the test OCSP responder.

demos/certs/ca.cnf
demos/certs/mkcerts.sh
demos/certs/ocspquery.sh [new file with mode: 0644]
demos/certs/ocsprun.sh [new file with mode: 0644]

index a1b6bd799e87124d9530ac243d02d2fe5f69d6dc..c45fcfd61ecd65cf30095d32248e7f0fb8370062 100644 (file)
@@ -7,6 +7,7 @@
 HOME                   = .
 RANDFILE               = $ENV::HOME/.rnd
 CN                     = "Not Defined"
+default_ca             = ca
 
 ####################################################################
 [ req ]
@@ -41,6 +42,19 @@ nsComment                    = "OpenSSL Generated Certificate"
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
+# OCSP responder certificate
+[ ocsp_cert ]
+
+basicConstraints=critical, CA:FALSE
+keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment                      = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+extendedKeyUsage=OCSPSigning
 
 [ dh_cert ]
 
@@ -66,4 +80,7 @@ authorityKeyIdentifier=keyid:always
 basicConstraints = critical,CA:true
 keyUsage = critical, cRLSign, keyCertSign
 
-
+# Minimal CA entry to allow generation of CRLs.
+[ca]
+database=index.txt
+crlnumber=crlnum.txt
index 0d55e8f846e6e6ad587179dc97ba8b247722aa4a..f1407cb4029b3837263a974c2b4923b7c1b38fa5 100644 (file)
@@ -7,18 +7,20 @@ export OPENSSL_CONF
 # Root CA: create certificate directly
 CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes \
        -keyout root.pem -out root.pem -newkey rsa:2048 -days 3650
-# Server certificate: create request first
-CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \
-       -keyout skey.pem -out req.pem -newkey rsa:1024
-# Sign request: end entity extensions
-$OPENSSL x509 -req -in req.pem -CA root.pem -days 3600 \
-       -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem
 # Intermediate CA: request first
 CN="Test Intermediate CA" $OPENSSL req -config ca.cnf -nodes \
        -keyout intkey.pem -out intreq.pem -newkey rsa:2048
 # Sign request: CA extensions
 $OPENSSL x509 -req -in intreq.pem -CA root.pem -days 3600 \
        -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem
+
+# Server certificate: create request first
+CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \
+       -keyout skey.pem -out req.pem -newkey rsa:1024
+# Sign request: end entity extensions
+$OPENSSL x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
+       -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem
+
 # Client certificate: request first
 CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \
        -keyout ckey.pem -out creq.pem -newkey rsa:1024
@@ -26,6 +28,20 @@ CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \
 $OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
        -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem
 
+# Revkoed certificate: request first
+CN="Test Revoked Cert" $OPENSSL req -config ca.cnf -nodes \
+       -keyout revkey.pem -out rreq.pem -newkey rsa:1024
+# Sign using intermediate CA
+$OPENSSL x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
+       -extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem
+
+# OCSP responder certificate: request first
+CN="Test OCSP Responder Cert" $OPENSSL req -config ca.cnf -nodes \
+       -keyout respkey.pem -out respreq.pem -newkey rsa:1024
+# Sign using intermediate CA and responder extensions
+$OPENSSL x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
+       -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem
+
 # Example creating a PKCS#3 DH certificate. 
 
 # First DH parameters
@@ -54,3 +70,27 @@ CN="Test Client DH Cert" $OPENSSL req -config ca.cnf -new \
 $OPENSSL x509 -req -in dhcreq.pem -CA root.pem -days 3600 \
        -force_pubkey dhcpub.pem \
        -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem
+
+# Examples of CRL generation without the need to use 'ca' to issue
+# certificates.
+# Create zero length index file
+>index.txt
+# Create initial crl number file
+echo 01 >crlnum.txt
+# Add entries for server and client certs
+$OPENSSL ca -valid server.pem -keyfile root.pem -cert root.pem \
+               -config ca.cnf -md sha1
+$OPENSSL ca -valid client.pem -keyfile root.pem -cert root.pem \
+               -config ca.cnf -md sha1
+$OPENSSL ca -valid rev.pem -keyfile root.pem -cert root.pem \
+               -config ca.cnf -md sha1
+# Generate a CRL.
+$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
+               -md sha1 -crldays 1 -out crl1.pem
+# Revoke a certificate
+openssl ca -revoke rev.pem -crl_reason superseded \
+               -keyfile root.pem -cert root.pem -config ca.cnf -md sha1
+# Generate another CRL
+$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
+               -md sha1 -crldays 1 -out crl2.pem
+
diff --git a/demos/certs/ocspquery.sh b/demos/certs/ocspquery.sh
new file mode 100644 (file)
index 0000000..f664113
--- /dev/null
@@ -0,0 +1,21 @@
+# Example querying OpenSSL test responder. Assumes ocsprun.sh has been
+# called.
+
+OPENSSL=../../apps/openssl
+OPENSSL_CONF=../../apps/openssl.cnf
+export OPENSSL_CONF
+
+# Send responder queries for each certificate.
+
+echo "Requesting OCSP status for each certificate"
+$OPENSSL ocsp -issuer intca.pem -cert client.pem -CAfile root.pem \
+                       -url http://127.0.0.1:8888/
+$OPENSSL ocsp -issuer intca.pem -cert server.pem -CAfile root.pem \
+                       -url http://127.0.0.1:8888/
+$OPENSSL ocsp -issuer intca.pem -cert rev.pem -CAfile root.pem \
+                       -url http://127.0.0.1:8888/
+# One query for all three certificates.
+echo "Requesting OCSP status for three certificates in one request"
+$OPENSSL ocsp -issuer intca.pem \
+       -cert client.pem -cert server.pem -cert rev.pem \
+       -CAfile root.pem -url http://127.0.0.1:8888/
diff --git a/demos/certs/ocsprun.sh b/demos/certs/ocsprun.sh
new file mode 100644 (file)
index 0000000..a65e5f2
--- /dev/null
@@ -0,0 +1,14 @@
+# Example of running an querying OpenSSL test OCSP responder.
+# This assumes "mkcerts.sh" or similar has been run to set up the
+# necessary file structure.
+
+OPENSSL=../../apps/openssl
+OPENSSL_CONF=../../apps/openssl.cnf
+export OPENSSL_CONF
+
+# Run OCSP responder.
+
+PORT=8888
+
+$OPENSSL ocsp -port $PORT -index index.txt -CA intca.pem \
+       -rsigner resp.pem -rkey respkey.pem -rother intca.pem $*