From 79b184fb4b65d501352a189ff102b509e14e62ca Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 9 Sep 2012 20:43:49 +0000 Subject: [PATCH] Extend certificate creation examples to include CRL generation and sample scripts running the test OCSP responder. --- demos/certs/ca.cnf | 19 ++++++++++++++- demos/certs/mkcerts.sh | 52 +++++++++++++++++++++++++++++++++++----- demos/certs/ocspquery.sh | 21 ++++++++++++++++ demos/certs/ocsprun.sh | 14 +++++++++++ 4 files changed, 99 insertions(+), 7 deletions(-) create mode 100644 demos/certs/ocspquery.sh create mode 100644 demos/certs/ocsprun.sh diff --git a/demos/certs/ca.cnf b/demos/certs/ca.cnf index a1b6bd799e..c45fcfd61e 100644 --- a/demos/certs/ca.cnf +++ b/demos/certs/ca.cnf @@ -7,6 +7,7 @@ HOME = . RANDFILE = $ENV::HOME/.rnd CN = "Not Defined" +default_ca = ca #################################################################### [ req ] @@ -41,6 +42,19 @@ nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid +# OCSP responder certificate +[ ocsp_cert ] + +basicConstraints=critical, CA:FALSE +keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +extendedKeyUsage=OCSPSigning [ dh_cert ] @@ -66,4 +80,7 @@ authorityKeyIdentifier=keyid:always basicConstraints = critical,CA:true keyUsage = critical, cRLSign, keyCertSign - +# Minimal CA entry to allow generation of CRLs. +[ca] +database=index.txt +crlnumber=crlnum.txt diff --git a/demos/certs/mkcerts.sh b/demos/certs/mkcerts.sh index 0d55e8f846..f1407cb402 100644 --- a/demos/certs/mkcerts.sh +++ b/demos/certs/mkcerts.sh @@ -7,18 +7,20 @@ export OPENSSL_CONF # Root CA: create certificate directly CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes \ -keyout root.pem -out root.pem -newkey rsa:2048 -days 3650 -# Server certificate: create request first -CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \ - -keyout skey.pem -out req.pem -newkey rsa:1024 -# Sign request: end entity extensions -$OPENSSL x509 -req -in req.pem -CA root.pem -days 3600 \ - -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem # Intermediate CA: request first CN="Test Intermediate CA" $OPENSSL req -config ca.cnf -nodes \ -keyout intkey.pem -out intreq.pem -newkey rsa:2048 # Sign request: CA extensions $OPENSSL x509 -req -in intreq.pem -CA root.pem -days 3600 \ -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem + +# Server certificate: create request first +CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \ + -keyout skey.pem -out req.pem -newkey rsa:1024 +# Sign request: end entity extensions +$OPENSSL x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ + -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem + # Client certificate: request first CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \ -keyout ckey.pem -out creq.pem -newkey rsa:1024 @@ -26,6 +28,20 @@ CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \ $OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem +# Revkoed certificate: request first +CN="Test Revoked Cert" $OPENSSL req -config ca.cnf -nodes \ + -keyout revkey.pem -out rreq.pem -newkey rsa:1024 +# Sign using intermediate CA +$OPENSSL x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ + -extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem + +# OCSP responder certificate: request first +CN="Test OCSP Responder Cert" $OPENSSL req -config ca.cnf -nodes \ + -keyout respkey.pem -out respreq.pem -newkey rsa:1024 +# Sign using intermediate CA and responder extensions +$OPENSSL x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ + -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem + # Example creating a PKCS#3 DH certificate. # First DH parameters @@ -54,3 +70,27 @@ CN="Test Client DH Cert" $OPENSSL req -config ca.cnf -new \ $OPENSSL x509 -req -in dhcreq.pem -CA root.pem -days 3600 \ -force_pubkey dhcpub.pem \ -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem + +# Examples of CRL generation without the need to use 'ca' to issue +# certificates. +# Create zero length index file +>index.txt +# Create initial crl number file +echo 01 >crlnum.txt +# Add entries for server and client certs +$OPENSSL ca -valid server.pem -keyfile root.pem -cert root.pem \ + -config ca.cnf -md sha1 +$OPENSSL ca -valid client.pem -keyfile root.pem -cert root.pem \ + -config ca.cnf -md sha1 +$OPENSSL ca -valid rev.pem -keyfile root.pem -cert root.pem \ + -config ca.cnf -md sha1 +# Generate a CRL. +$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \ + -md sha1 -crldays 1 -out crl1.pem +# Revoke a certificate +openssl ca -revoke rev.pem -crl_reason superseded \ + -keyfile root.pem -cert root.pem -config ca.cnf -md sha1 +# Generate another CRL +$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \ + -md sha1 -crldays 1 -out crl2.pem + diff --git a/demos/certs/ocspquery.sh b/demos/certs/ocspquery.sh new file mode 100644 index 0000000000..f664113305 --- /dev/null +++ b/demos/certs/ocspquery.sh @@ -0,0 +1,21 @@ +# Example querying OpenSSL test responder. Assumes ocsprun.sh has been +# called. + +OPENSSL=../../apps/openssl +OPENSSL_CONF=../../apps/openssl.cnf +export OPENSSL_CONF + +# Send responder queries for each certificate. + +echo "Requesting OCSP status for each certificate" +$OPENSSL ocsp -issuer intca.pem -cert client.pem -CAfile root.pem \ + -url http://127.0.0.1:8888/ +$OPENSSL ocsp -issuer intca.pem -cert server.pem -CAfile root.pem \ + -url http://127.0.0.1:8888/ +$OPENSSL ocsp -issuer intca.pem -cert rev.pem -CAfile root.pem \ + -url http://127.0.0.1:8888/ +# One query for all three certificates. +echo "Requesting OCSP status for three certificates in one request" +$OPENSSL ocsp -issuer intca.pem \ + -cert client.pem -cert server.pem -cert rev.pem \ + -CAfile root.pem -url http://127.0.0.1:8888/ diff --git a/demos/certs/ocsprun.sh b/demos/certs/ocsprun.sh new file mode 100644 index 0000000000..a65e5f2fd1 --- /dev/null +++ b/demos/certs/ocsprun.sh @@ -0,0 +1,14 @@ +# Example of running an querying OpenSSL test OCSP responder. +# This assumes "mkcerts.sh" or similar has been run to set up the +# necessary file structure. + +OPENSSL=../../apps/openssl +OPENSSL_CONF=../../apps/openssl.cnf +export OPENSSL_CONF + +# Run OCSP responder. + +PORT=8888 + +$OPENSSL ocsp -port $PORT -index index.txt -CA intca.pem \ + -rsigner resp.pem -rkey respkey.pem -rother intca.pem $* -- 2.25.1