renewcerts.sh 4.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107
  1. #!/bin/sh
  2. check_result(){
  3. if [ $1 -ne 0 ]; then
  4. if [ -n "$2" ]; then
  5. echo "Step Failed, Abort"
  6. else
  7. echo "$2 Failed, Abort"
  8. fi
  9. exit 1
  10. else
  11. echo "Step Succeeded"
  12. fi
  13. }
  14. echo "OCSP renew certs Step 1"
  15. openssl req \
  16. -new \
  17. -key root-ca-key.pem \
  18. -out root-ca-cert.csr \
  19. -config ../renewcerts/wolfssl.cnf \
  20. -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com"
  21. check_result $? ""
  22. echo "OCSP renew certs Step 2"
  23. openssl x509 \
  24. -req -in root-ca-cert.csr \
  25. -extfile openssl.cnf \
  26. -extensions v3_ca \
  27. -days 1000 \
  28. -signkey root-ca-key.pem \
  29. -set_serial 99 \
  30. -out root-ca-cert.pem
  31. check_result $? ""
  32. rm root-ca-cert.csr
  33. echo "OCSP renew certs Step 3"
  34. openssl x509 -in root-ca-cert.pem -text > tmp.pem
  35. check_result $? ""
  36. mv tmp.pem root-ca-cert.pem
  37. # $1 cert, $2 name, $3 ca, $4 extensions, $5 serial
  38. update_cert() {
  39. echo "Updating certificate \"$1-cert.pem\""
  40. openssl req \
  41. -new \
  42. -key "$1"-key.pem \
  43. -out "$1"-cert.csr \
  44. -config ../renewcerts/wolfssl.cnf \
  45. -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=$2/emailAddress=info@wolfssl.com"
  46. check_result $? "Step 1"
  47. openssl x509 \
  48. -req -in "$1"-cert.csr \
  49. -extfile openssl.cnf \
  50. -extensions "$4" \
  51. -days 1000 \
  52. -CA "$3"-cert.pem \
  53. -CAkey "$3"-key.pem \
  54. -set_serial "$5" \
  55. -out "$1"-cert.pem
  56. check_result $? "Step 2"
  57. rm "$1"-cert.csr
  58. openssl x509 -in "$1"-cert.pem -text > "$1"_tmp.pem
  59. check_result $? "Step 3"
  60. mv "$1"_tmp.pem "$1"-cert.pem
  61. cat "$3"-cert.pem >> "$1"-cert.pem
  62. }
  63. update_cert intermediate1-ca "wolfSSL intermediate CA 1" root-ca v3_ca 01
  64. update_cert intermediate2-ca "wolfSSL intermediate CA 2" root-ca v3_ca 02
  65. update_cert intermediate3-ca "wolfSSL REVOKED intermediate CA" root-ca v3_ca 03 # REVOKED
  66. update_cert ocsp-responder "wolfSSL OCSP Responder" root-ca v3_ocsp 04
  67. update_cert server1 "www1.wolfssl.com" intermediate1-ca v3_req1 05
  68. update_cert server2 "www2.wolfssl.com" intermediate1-ca v3_req1 06 # REVOKED
  69. update_cert server3 "www3.wolfssl.com" intermediate2-ca v3_req2 07
  70. update_cert server4 "www4.wolfssl.com" intermediate2-ca v3_req2 08 # REVOKED
  71. update_cert server5 "www5.wolfssl.com" intermediate3-ca v3_req3 09
  72. # Create response DER buffer for test
  73. openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -partial_chain &
  74. PID=$!
  75. sleep 1 # Make sure server is ready
  76. openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der -noverify
  77. openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern -noverify
  78. openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -cert ./intermediate2-ca-cert.pem -url http://localhost:22221/ -respout test-multi-response.der -noverify
  79. kill $PID
  80. wait $PID
  81. # now start up a responder that signs using rsa-pss
  82. openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -rsigopt rsa_padding_mode:pss &
  83. PID=$!
  84. sleep 1 # Make sure server is ready
  85. openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-rsapss.der -noverify
  86. # can verify with the following command
  87. # openssl ocsp -respin test-response-nointern.der -CAfile root-ca-cert.pem -issuer intermediate1-ca-cert.pem
  88. kill $PID
  89. wait $PID
  90. exit 0