function create_cert {
filebase=$1
- ##export CN="$VERSION "$2
- export CN=$2
flags=$3
validity=$4
bits=${5:-1024}
+ dn="/C=UG/L=Tropic/O=Utopia/OU=Relaxation/CN=$2"
+
echo "Creating a cert for '$CN' in files named $filebase.(cert|priv)"
echo " with $flags flags and $validity days validity time"
return
fi
- if [ $flags == "bigclient" ]; then
- flags="client"
- fi
+ castring=""
# if we are in a state where we are generating proxies (${CA_DIR}/serial_proxy.txt exists)
# then let's transfer the serial number of the last proxy to the serial.txt file for the
# next new certificate...
-
+ CMD="openssl req -out $filebase.req -newkey rsa:$bits -new -keyout $filebase.priv -config $REQ_CONFIG_FILE -subj \"$dn\" -passout pass:$PASSWORD"
case $flags in
clientserial)
echo serial cert $flags
flags="client"
- CMD="openssl req -out $filebase.req -newkey rsa:$bits -new -keyout $filebase.priv -config $REQ_CONFIG_FILE_SERIAL"
- echo $CMD; $CMD;
+ CMD="$CMD -subj \"$dn/serialNumber=12341\""
;;
clientemail)
echo email cert $flags
flags="client"
- CMD="openssl req -out $filebase.req -newkey rsa:$bits -new -keyout $filebase.priv -config $REQ_CONFIG_FILE_EMAIL"
- echo $CMD; $CMD;
+ CMD="$CMD -subj \"$dn/emailAddress=john.doe@foo.bar\""
;;
clientuid)
echo UID cert $flags
flags="client"
- CMD="openssl req -out $filebase.req -newkey rsa:$bits -new -keyout $filebase.priv -config $REQ_CONFIG_FILE_UID"
- echo $CMD; $CMD;
+ CMD="$CMD -subj \"$dn/UID=haahaa\""
;;
+ clientbaddn)
+ echo bad DN cert $flags
+ flags="client"
+ CMD="$CMD -subj \"`echo $dn | sed 's/Relaxation/Chilling/'`\""
+ ;;
+ hostbaddn)
+ echo bad DN cert $flags
+ flags="server"
+ CMD="$CMD -subj \"`echo $dn | sed 's/Relaxation/Chilling/'`\""
+ ;;
+ clientfuture)
+ echo bad DN cert $flags
+ flags="client"
+ CMD="$CMD "
+ castring=" -startdate 350101000000Z"
+ ;;
*)
echo normal cert $flags
- CMD="openssl req -out $filebase.req -newkey rsa:$bits -new -keyout $filebase.priv -config $REQ_CONFIG_FILE"
- echo $CMD; $CMD;
+ CMD="$CMD -subj \"$dn\""
esac
+
+ echo $CMD;eval $CMD;
+ if [ $? != 0 ]; then
+ echo Certification request generation failed!
+ exit 1
+ fi
case $flags in
client|server|clientserver|fclient|none|altname)
echo "Generating a $flags certificate"
echo $CA_DIR
+ echo PDW=`pwd`
CMD="openssl ca -in $filebase.req -out $filebase.cert -outdir $tmpdir \
- -md md5 -config $CA_CONF -batch -extensions ca_$flags -days $validity"
- echo $CMD; $CMD
+ -md md5 -config $REQ_CONFIG_FILE -batch -preserveDN -extensions ca_$flags -passin pass:$PASSWORD -days $validity $castring"
;;
*)
echo "Unknown flags: $flags"
echo "No certificate is generated."
+ exit 1
esac
+ # save the index and serial for the possible proxy to be generated next
+ echo save the index and serial
+ cp $CA_DIR/index.txt $CA_DIR/index_proxy.txt
+ cp $CA_DIR/serial.txt $CA_DIR/serial_proxy.txt
+
+ echo $CMD; eval $CMD
+ if [ $? != 0 ]; then
+ echo Certificate signing failed!
+ exit 1
+ fi
+
# Get the serial number of the certificate that will eventually sign the proxy.
# Put it into a temporary file to be read by the ca command later.
- SERIAL=$(openssl x509 -in ${filebase}.cert -noout -serial | sed 's/^serial=//')
- echo ${SERIAL} > ${CA_DIR}/serial_proxy.txt
+# SERIAL=$(openssl x509 -in ${filebase}.cert -noout -serial | sed 's/^serial=//')
+# echo ${SERIAL} > ${CA_DIR}/serial_proxy.txt
# cat ${CA_DIR}/serial_proxy.txt
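Review bot: The `openssl ca` command assembled at L81 keeps `-md md5`, so every certificate this function issues is MD5-signed, and current OpenSSL/GnuTLS builds refuse MD5 signatures outright; fixtures such as `clientbaddn` or `clientfuture` would then be rejected for the digest rather than for the condition under test. `-md sha256` is the minimal change, and the same switch belongs in the two proxy signing commands. Separately, `-subj \"$dn\"` is already part of the base `CMD` at L22, so the per-case `CMD="$CMD -subj ..."` lines at L29, L36, L43 and L65 pass `-subj` twice and rely on last-option-wins parsing; removing it from L22 makes the intent explicit. The `echo $CMD` at L68 and L93 also prints `-passout pass:$PASSWORD` / `-passin pass:$PASSWORD` to the build log, which is acceptable only while the password stays the fixed test value. create_cert's body continues past the end of this hunk.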
# some minor cleanup
echo "create_cert_proxy Start"
filebase=$1
- export FILEBASE=${filebase}
- export CN=$2
ident=$3
- export PROXYNAME=$4
validity=$5
-
-# create_cert_proxy $CERT_DIR/${catype}_client "$catype client" proxy "proxy" 1
-# create_cert_proxy $CERT_DIR/${catype}_client "$catype client" proxy_exp "expired proxy" -1
-
ending="grid_proxy"
# This really depends on if we make a proxy or a proxy-proxy
X509_PROX_KEY=${filebase}.${ident}.priv
X509_PROX_REQ=${filebase}.${ident}.req
X509_PROX_GRID=${filebase}.${ident}.${ending}
+
+ dn="`openssl x509 -in ${X509_SIGNING_CERT} -subject -noout| sed 's/^subject= //'`/CN=$4"
echo "Creating a proxy cert ${X509_PROX_CERT} for '$CN/CN=$PROXYNAME'"
echo " in files named $filebase.(cert|priv)"
# Have to 'edit' the ca database to remove the entry for the signing certificate.
# maybe no need... make a dummy database, touch and then delete afterwards...
- touch ${CA_DIR}/index_proxy.txt
+# touch ${CA_DIR}/index_proxy.txt
+ # instead save the ones for real certs and copy the ones saved before and use them and later switch back
+ cp ${CA_DIR}/index.txt ${CA_DIR}/index_cert_save.txt
+ cp ${CA_DIR}/serial.txt ${CA_DIR}/serial_cert_save.txt
+ cp ${CA_DIR}/index_proxy.txt ${CA_DIR}/index.txt
+ cp ${CA_DIR}/serial_proxy.txt ${CA_DIR}/serial.txt
+
CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${PROXY_BITS}; chmod 400 ${filebase}.proxy.priv"
echo $CMD; $CMD
+ if [ $? != 0 ]; then
+ echo Private key generation for proxy failed!
+ exit 1
+ fi
# Create the certificate request.
CMD="openssl req -new -out ${X509_PROX_REQ} \
-key ${X509_PROX_KEY} \
- -config ${REQ_PROXY_CONFIG_FILE}"
- echo $CMD; $CMD
+ -config ${REQ_CONFIG_FILE} -subj \"$dn\""
+ echo $CMD; eval $CMD
+
+ if [ $? != 0 ]; then
+ echo Certificate generation for proxy failed!
+ exit 1
+ fi
# Sign the cert request with the user cert and key. Set the serial number here!
- CMD="openssl ca -in ${X509_PROX_REQ} \
+ CMD="openssl ca -verbose -in ${X509_PROX_REQ} \
-cert ${X509_SIGNING_CERT} \
-keyfile ${X509_SIGNING_KEY} \
-out ${X509_PROX_CERT} \
-outdir $tmpdir \
- -config ${CA_PROXY_CONF} -md md5 -days ${validity} -batch \
- -passin pass:${PASSWORD} -notext \
- -extensions proxy_none "
+ -preserveDN \
+ -config ${REQ_CONFIG_FILE} -md md5 -days ${validity} -batch \
+ -passin pass:${PASSWORD} -notext"
echo $CMD; $CMD
+ if [ $? != 0 ]; then
+ echo Proxy certificate signing failed!
+ exit 1
+ fi
+
# Add the user and proxy certs and the proxy private key to the keystore
- openssl pkcs12 -in ${X509_PROX_CERT} \
+ CMD="openssl pkcs12 -in ${X509_PROX_CERT} \
-out ${filebase}.proxy.p12 -export \
-inkey ${X509_PROX_KEY} \
-passin pass:${PASSWORD} -passout pass:${PASSWORD} \
- -name "${catype} proxy certificate" -certfile ${filebase}.cert
+ -name \"${catype} proxy certificate\" -certfile ${filebase}.cert"
+
+ echo $CMD; eval $CMD
# Create a grid proxy file...
# Copy the proxy cert to the grid proxy file.
cp ${X509_PROX_CERT} ${X509_PROX_GRID}
+ if [ $? != 0 ]; then
+ echo Proxy file generation failed!
+ exit 1
+ fi
+
# Now add the proxy private key to the grid proxy file.
openssl rsa -in ${X509_PROX_KEY} -passin pass:${PASSWORD} >> ${X509_PROX_GRID}
+ if [ $? != 0 ]; then
+ echo Proxy file generation failed!
+ exit 1
+ fi
+
# Now add the original certificate used to sign the request to the proxy file.
# This should be the certificate issued by the CA to the 'user'.
openssl x509 -in ${X509_SIGNING_CERT} >> ${X509_PROX_GRID}
+
+ if [ $? != 0 ]; then
+ echo Proxy file generation failed!
+ exit 1
+ fi
+
chmod 600 ${X509_PROX_GRID}
- cp ${CA_DIR}/serial_proxy.txt ${CA_DIR}/serial.txt
+ # copy the normal cert files back
+ cp ${CA_DIR}/index_cert_save.txt ${CA_DIR}/index.txt
+ cp ${CA_DIR}/serial_cert_save.txt ${CA_DIR}/serial.txt
# Clean up stuff
# rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt
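Review bot: The new failure check at L139 guards a command that does not do what it looks like: `CMD` at L137 embeds `; chmod 400 ...`, but L138 runs `$CMD` without `eval`, so `;`, `chmod`, `400` and the filename reach `openssl genrsa` as extra arguments and the `chmod` never executes (recent OpenSSL rejects the extra arguments and the new check aborts the run; older ones ignore them and leave the key with umask permissions while the check passes). The chmod also names `${filebase}.proxy.priv` rather than `${X509_PROX_KEY}`, so for `ident=proxy_exp` it would target the wrong file even if it ran; L243 in the sibling function already uses the right variable. Suggest `CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${PROXY_BITS}"` followed by `echo $CMD; $CMD && chmod 400 ${X509_PROX_KEY}` ahead of the existing `$?` check. The pkcs12 step at L183 is the only `eval $CMD` in the function with no status check afterwards, and the private key is appended to `${X509_PROX_GRID}` at L193 while the file still carries the mode it inherited from the cert via `cp` at L186; moving the `chmod 600` from L208 to directly after that `cp` closes the window.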
export FILEBASE=${filebase}
export CN=$2
ident=$3
- export PROXYNAME=$4
- export PROXYPROXYNAME=$4
validity=$5
signing_pair=$6
X509_PROX_REQ=${filebase}.${ident}.proxy.req
X509_PROX_GRID=${filebase}.${ident}.${ending}
+ dn="`openssl x509 -in ${X509_SIGNING_CERT} -subject -noout| sed 's/^subject= //'`/CN=$4"
+
if [ -r "${X509_PROX_CERT}" ]; then
echo "There already exists a file named ${X509_PROX_CERT}"
echo "file. Proxy-proxy certificate is not generated for '$CN'"
- return
+ return 0
fi
# Get the serial number of the certificate that will eventually sign the proxy.
# Have to 'edit' the ca database to remove the entry for the signing certificate.
# maybe no need... make a dummy database, touch and then delete afterwards...
- touch ${CA_DIR}/index_proxy.txt
+ #touch ${CA_DIR}/index_proxy.txt
+ # instead save the ones for real certs and copy the ones saved before and use them and later switch back
+ cp ${CA_DIR}/index.txt ${CA_DIR}/index_cert_save.txt
+ cp ${CA_DIR}/serial.txt ${CA_DIR}/serial_cert_save.txt
+ cp ${CA_DIR}/index_proxy.txt ${CA_DIR}/index.txt
+ cp ${CA_DIR}/serial_proxy.txt ${CA_DIR}/serial.txt
+
CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${PROXY_BITS}; chmod 400 ${X509_PROX_KEY}"
echo $CMD; $CMD
+ if [ $? != 0 ]; then
+ echo Private key generation for proxy failed!
+ exit 1
+ fi
# Create the certificate request.
CMD="openssl req -new -out ${X509_PROX_REQ} \
-key ${X509_PROX_KEY} \
- -config ${REQ_PROXY_PROXY_CONFIG_FILE}"
- echo $CMD; $CMD
+ -config ${REQ_CONFIG_FILE} -subj \"$dn\""
+ echo $CMD; eval $CMD
+
+ if [ $? != 0 ]; then
+ echo Certificate generation for proxy failed!
+ exit 1
+ fi
# Sign the cert request with the user cert and key. Set the serial number here!
-keyfile ${X509_SIGNING_KEY} \
-out ${X509_PROX_CERT} \
-outdir $tmpdir \
- -config ${CA_PROXY_CONF} -md md5 -days ${validity} -batch \
- -passin pass:${PASSWORD} -notext \
- -extensions proxy_none "
+ -preserveDN \
+ -config ${REQ_CONFIG_FILE} -md md5 -days ${validity} -batch \
+ -passin pass:${PASSWORD} -notext"
echo $CMD; $CMD
+ if [ $? != 0 ]; then
+ echo Proxy certificate signing failed!
+ exit 1
+ fi
+
# Add the user and proxy certs and the proxy private key to the keystore
- openssl pkcs12 -in ${X509_PROX_CERT} \
+ CMD="openssl pkcs12 -in ${X509_PROX_CERT} \
-out ${filebase}.proxy.proxy.p12 -export \
-inkey ${X509_PROX_KEY} \
-passin pass:${PASSWORD} -passout pass:${PASSWORD} \
- -name "${catype} proxy certificate" -certfile ${X509_SIGNING_CERT}
+ -name \"${catype} proxy certificate\" -certfile ${X509_SIGNING_CERT}"
+
+ echo $CMD; eval $CMD
# Create a grid proxy file...
# Copy the proxy cert to the grid proxy file.
cp ${X509_PROX_CERT} ${X509_PROX_GRID}
+ if [ $? != 0 ]; then
+ echo Proxy file generation failed!
+ exit 1
+ fi
+
# Now add the proxy private key to the grid proxy file.
openssl rsa -in ${X509_PROX_KEY} -passin pass:${PASSWORD} >> ${X509_PROX_GRID}
+ if [ $? != 0 ]; then
+ echo Proxy file generation failed!
+ exit 1
+ fi
+
# Now add the original certificate used to sign the request to the proxy file.
# In this case it is the proxy certificate!
openssl x509 -in ${X509_SIGNING_CERT} >> ${X509_PROX_GRID}
# adding in the original certificate to the chain. 03/06/05
openssl x509 -in ${filebase}.cert >> ${X509_PROX_GRID}
+ if [ $? != 0 ]; then
+ echo Proxy file generation failed!
+ exit 1
+ fi
+
chmod 600 ${X509_PROX_GRID}
- cp ${CA_DIR}/serial_proxy.txt ${CA_DIR}/serial.txt
+# cp ${CA_DIR}/serial_proxy.txt ${CA_DIR}/serial.txt
+ # copy the normal cert files back
+ cp ${CA_DIR}/index_cert_save.txt ${CA_DIR}/index.txt
+ cp ${CA_DIR}/serial_cert_save.txt ${CA_DIR}/serial.txt
# Clean up stuff
# rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt \
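Review bot: The signing-cert subject is recovered at L224 (and L124) with `sed 's/^subject= //'`, which matches the `subject= /C=...` form printed by older OpenSSL; newer releases print `subject=C = UG, L = Tropic, ...` by default, in which case `$dn` is not a slash-separated DN and `-subj \"$dn\"` at L254 either fails or yields a proxy whose subject is not the issuer's DN plus `/CN=...`. As far as I know, adding `-nameopt compat` to the `openssl x509 -subject` call and stripping with `sed 's/^subject= *//'` gives a stable form across versions. L243/L244 repeat the `; chmod 400 ...` inside a `CMD` run without `eval`, so the chmod is handed to `openssl genrsa` as arguments instead of being executed, and L286's pkcs12 export has no status check unlike every other step in the hunk. The private key is also appended at L296 before the `chmod 600` at L312; moving the chmod directly after the `cp` at L289 avoids the key sitting in a file with the cert's permissions in between.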
create_cert $CERT_DIR/${catype}_host "$HOSTNAME" server $DAYS
# generating CRL
- openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $CA_CONF
+ openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $REQ_CONFIG_FILE
# make it user friendly
if [ ! -d 'grid-security/certificates' ]; then
function create_bad {
- # generating client certificate
- create_cert $CERT_DIR/${catype}_client00 "$LOGNAME" client $DAYS
-
- # create cert with mismatched signing_policy
- export CN="bad policy client"
- CMD="openssl req -out $CERT_DIR/bad_policy.req -newkey rsa:$bits -new -keyout $CERT_DIR/bad_policy.priv -config $CA_DIR/req_conf_policy.cnf"
- echo $CMD; $CMD
- CMD="openssl ca -in $CERT_DIR/bad_policy.req -out $CERT_DIR/bad_policy.cert -outdir $tmpdir -md md5 -config $CA_CONF -batch -days $DAYS"
- echo $CMD; $CMD
-
- # create a cert which is not vaild yet
- export CN="bad future client"
- theyear=`date +%Y`
- let "theyear += 10 "
- valid=${theyear:2}`date +%m%d`000000Z
- CMD="openssl req -out $CERT_DIR/bad_future.req -newkey rsa:$bits -new -keyout $CERT_DIR/bad_future.priv -config $CA_DIR/req_conf_future.cnf"
- echo $CMD; eval $CMD
- CMD="openssl ca -in $CERT_DIR/bad_future.req -out $CERT_DIR/bad_future.cert -outdir $tmpdir -md md5 -config $CA_CONF -batch -startdate $valid -days $DAYS"
- echo $CMD; $CMD
-
- # create host cert with mismatched signing_policy
- export CN="$HOSTNAME"
- CMD="openssl req -out $CERT_DIR/bad_policy_host.req -newkey rsa:$bits -new -keyout $CERT_DIR/bad_policy_host.priv -config $CA_DIR/req_conf_policy.cnf"
- echo $CMD; $CMD
- CMD="openssl ca -in $CERT_DIR/bad_policy_host.req -out $CERT_DIR/bad_policy_host.cert -outdir $tmpdir -md md5 -config $CA_CONF -batch -days $DAYS"
- echo $CMD; $CMD
-
- # create revoked host cert
- export CN="$HOSTNAME"
- CMD="openssl req -out $CERT_DIR/bad_revoked_host.req -newkey rsa:$bits -new -keyout $CERT_DIR/bad_revoked_host.priv -config $CA_DIR/req_conf.cnf"
- echo $CMD; $CMD
- CMD="openssl ca -in $CERT_DIR/bad_revoked_host.req -out $CERT_DIR/bad_revoked_host.cert -outdir $tmpdir -md md5 -config $CA_CONF -batch -days $DAYS"
- echo $CMD; $CMD
-
- openssl ca -revoke $CERT_DIR/bad_revoked_host.cert -config $CA_CONF
-
- # create expired host cert
- export CN="$HOSTNAME"
- CMD="openssl req -out $CERT_DIR/bad_expired_host.req -newkey rsa:$bits -new -keyout $CERT_DIR/bad_expired_host.priv -config $CA_DIR/req_conf.cnf"
- echo $CMD; $CMD
- CMD="openssl ca -in $CERT_DIR/bad_expired_host.req -out $CERT_DIR/bad_expired_host.cert -outdir $tmpdir -md md5 -config $CA_CONF -batch -days -1"
- echo $CMD; $CMD
-
-
- # generating CRL
- openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $CA_CONF
-
# generating a signing_policy file
- subject_name=$(openssl x509 -in $CA_DIR/${catype}.cert -subject -noout)
+ subject_name=`openssl x509 -in $CA_DIR/${catype}.cert -subject -noout| sed 's/^subject= //'`
cat <<EOF > $CA_DIR/${catype}.signing_policy
-# Signing policy file for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
-access_id_CA X509 '${subject_name:9}'
+# Signing policy file for the $subject_name"
+access_id_CA X509 '${subject_name}'
pos_rights globus CA:sign
-cond_subjects globus '"$(echo "${subject_name:9}" | sed -e 's#/CN=.*$##')/*"'
+cond_subjects globus '"$(echo "${subject_name}" | sed -e 's#/CN=.*$##')/*"'
EOF
cat <<EOF > $CA_DIR/${catype}.namespaces
-# Namespace for the $(echo "$subject_name" | sed -e 's#^.*/CN=##')
-TO Issuer "${subject_name:9}" \
- PERMIT Subject "$(echo "${subject_name:9}" | sed -e 's#/CN=.*$##')/*"
+# Namespace for the $subject_name"
+TO Issuer "${subject_name}" \
+ PERMIT Subject "$(echo "${subject_name}" | sed -e 's#/CN=.*$##')/*"
EOF
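Review bot: `subject_name` at L376 is derived with `sed 's/^subject= //'`, and the rewritten policy lines at L381/L384 and L391/L392 embed it verbatim where the old code sliced off a fixed 9-character prefix; if the local OpenSSL prints `subject=C = UG, L = ...` (the default in newer releases) the `access_id_CA` and `TO Issuer` entries will not be slash-form DNs and will never match the CA certificate the policy is meant to describe. Requesting `-nameopt compat` on the `openssl x509 -subject` call and stripping with `sed 's/^subject= *//'` keeps the value in the expected form across versions. The comment lines at L380 and L390 also carry a stray trailing `"` — `# Signing policy file for the $subject_name"` — which is harmless inside a comment but reads as an editing leftover and should be dropped. The function enclosing these heredocs is not fully visible in the hunk.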
TYPE="client"
CTYPE="client"
- # i=0;
- # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo;
- # ls -l ${CA_DIR}/.
-
create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS
-
- # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo;
create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp
+
+ TYPE="clientbaddn"
+ CTYPE="client with bad DN"
- # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo;
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp
- # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo;
+ TYPE="clientfuture"
+ CTYPE="client future"
+
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1
create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy
- # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo;
create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp
TYPE="clientserial"
TYPE="fclient"
CTYPE="flag client"
- # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo;
create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS
- # Is there a problem here? The serial # does not advance after writing the certificate. Check later.
- # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo;
create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
- # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo;
create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1
-
- # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo;
create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy
- # let "i += 1"; echo "State : $i"; cat ${CA_DIR}/serial_proxy.txt; echo;
create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp
TYPE="bigclient"
CTYPE="bigclient"
+ TYPE2="client"
- create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS 4096
-
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS 4096
create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy
+ create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp
+ TYPE="verybigclient"
+ CTYPE="very big client"
+ TYPE2="client"
+
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS 8192
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
+ create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1
create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy
create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp
CTYPE="server"
create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS
-
create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1
-
create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy
create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp
+ TYPE="host"
+ CTYPE="$HOSTNAME"
+ TYPE2="server"
+
+ create_cert $CERT_DIR/${catype}_${TYPE} "${CTYPE}" ${TYPE2} $DAYS
+
+ TYPE="host_rev"
+ CTYPE="$HOSTNAME"
+ TYPE2="server"
+
+ create_cert $CERT_DIR/${catype}_${TYPE} "${CTYPE}" ${TYPE2} $DAYS
+ openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE
+
+
+ TYPE="host_exp"
+ CTYPE="$HOSTNAME"
+ TYPE2="server"
+
+ create_cert $CERT_DIR/${catype}_${TYPE} "${CTYPE}" ${TYPE2} -1
+
+ TYPE="host_baddn"
+ CTYPE="$HOSTNAME"
+ TYPE2="hostbaddn"
+
+ create_cert $CERT_DIR/${catype}_${TYPE} "${CTYPE}" ${TYPE2} $DAYS
+
TYPE="altname"
CTYPE="altname"
- create_cert $CERT_DIR/${catype}_${TYPE} "$catype/xxx.foo.bar" ${TYPE} $DAYS
+ create_cert $CERT_DIR/${catype}_${TYPE} "$catype\/xxx.foo.bar" ${TYPE} $DAYS
TYPE="altname"
CTYPE="altname2"
CTYPE="clientserver"
create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS
-
create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1
-
create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy
create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp
CTYPE="none"
create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS
-
create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1
-
create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy
create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp
create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy
-# Create revoked certificates
+ # Create revoked certificates with otherwise valid proxies
TYPE="client_rev"
CTYPE="client revoked"
create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS
create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy
- openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $CA_CONF
+ openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE
TYPE="fclient_rev"
CTYPE="flag client revoked"
create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS
create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy
- openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $CA_CONF
+ openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE
TYPE="server_rev"
CTYPE="server revoked"
create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS
create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy
- openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $CA_CONF
+ openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE
TYPE="clientserver_rev"
CTYPE="clientserver revoked"
create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS
create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy
- openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $CA_CONF
+ openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE
TYPE="none_rev"
CTYPE="none revoked"
create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS
create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY
create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy
- openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $CA_CONF
+ openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE
# some extra certificates
- TYPE="client"
- CTYPE="client dnerror"
- TYPE2="proxy_dnerror"
- create_cert_proxy $CERT_DIR/${catype}_client "$catype client dnerror" ${TYPE2} "proxy" $DAYS
-
# generating CRL
- openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $CA_CONF
+ openssl ca -gencrl -crldays 10000 -out $CA_DIR/${catype}.crl -config $REQ_CONFIG_FILE
# now do the clean-up?
-
- rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt
+ rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt ${CA_DIR}/serial_cert_save.txt ${CA_DIR}/index_cert_save.txt
}
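Review bot: The `_rev` cases at L522, L529, L536, L543 and L550 pass `${TYPE2}` as the flags argument, and on the new side the last visible assignment before them is `TYPE2="hostbaddn"` at L490; unless TYPE2 is reset in lines not shown, every revoked fixture is now issued through the `hostbaddn` branch of create_cert (server extensions, `OU=Chilling`), so a revocation test would actually exercise a bad-DN server certificate named `client revoked`. Setting the flags explicitly per case — e.g. `TYPE2="client"` before L522 and `TYPE2="server"` before L536 — removes the dependence on whatever the previous block left behind. The `openssl ca -revoke` calls at L479 and L526–L554 pass no `-passin`, while the signing calls at L81 and L167 do; if the CA key is encrypted with `$PASSWORD` these will prompt interactively and stall an unattended run, so `-passin pass:$PASSWORD` should be added there too.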
############################## main ################################
-USAGE="$0 [--help] [--all|--some] [--voms] [--onlyenv] [--extra #extra-user-certs]"
+USAGE="$0 [--help] [--all|--some] [--voms] [--onlyenv] [--extra #extra-user-certs] target_dir"
TEMP=$(getopt -o hasvoe: --long help,all,some,voms,onlyenv,extra: -- "$@")
eval set -- "$TEMP"
case "$1" in
-a|--all)
ALL='yes'
- CATYPES='trusted fake big expired bad'
+ CATYPES='trusted fake big expired nokeyusage subsubca'
shift
;;
-s|--some)
TARGETDIR=$1
CONFIGDIR=$(cd $(dirname $0)/..; echo $PWD)/test
-export PASSWORD='changeit'
+PASSWORD='changeit'
DAYS=10000
if [ -z "$TARGETDIR" ]; then
export CATYPE=${catype}
export CA_DIR=${catype}-ca
export CERT_DIR=${catype}-certs
- export CA_CONF=$CA_DIR/ca_conf.cnf
- export CA_PROXY_CONF=$CA_DIR/ca_proxy_conf.cnf
export REQ_CONFIG_FILE=$CA_DIR/req_conf.cnf
- export REQ_CONFIG_FILE_SERIAL=$CA_DIR/req_conf_sn.cnf
- export REQ_CONFIG_FILE_EMAIL=$CA_DIR/req_conf_email.cnf
- export REQ_CONFIG_FILE_UID=$CA_DIR/req_conf_uid.cnf
- export REQ_CONFIG_FILE_ALTNAME=$CA_DIR/req_conf_altname.cnf
- export REQ_PROXY_CONFIG_FILE=$CA_DIR/req_proxy_conf.cnf
- export REQ_PROXY_PROXY_CONFIG_FILE=$CA_DIR/req_proxy_proxy_conf.cnf
- export PROXY_BITS=512
-
- if [ "$catype" = "big" ]; then
- export BITS=8192
- else
- export BITS=1024
- fi
+ export PROXY_BITS=1024
+ export CASROOT=./
# putting the CA certificate to the right place
if [ ! -d "$CONFIGDIR/${catype}-ca" ]; then