From ace806f0df20574b9df303676b324d4916c0a615 Mon Sep 17 00:00:00 2001 From: Joni Hahkala Date: Mon, 23 Nov 2009 22:53:48 +0000 Subject: [PATCH] simplification, limited proxy, proxy with bad dn, combinations --- bin/generate-test-certificates.sh | 265 ++++++++++---------------------------- 1 file changed, 71 insertions(+), 194 deletions(-) diff --git a/bin/generate-test-certificates.sh b/bin/generate-test-certificates.sh index 09ce658..fe1fa98 100755 --- a/bin/generate-test-certificates.sh +++ b/bin/generate-test-certificates.sh @@ -129,8 +129,6 @@ function create_cert { function create_cert_proxy { - echo "create_cert_proxy Start" - filebase=$1 ident=$3 validity=$5 @@ -148,13 +146,13 @@ function create_cert_proxy { dn="`openssl x509 -in ${X509_SIGNING_CERT} -subject -noout| sed 's/^subject= //'`/CN=$4" - echo "Creating a proxy cert ${X509_PROX_CERT} for '$CN/CN=$PROXYNAME'" + echo "Creating a proxy cert ${X509_PROX_CERT} for '$dn" echo " in files named $filebase.(cert|priv)" echo " with $validity days validity time" if [ -r "${X509_PROX_CERT}" ]; then echo "There already exists a file named ${X509_PROX_CERT}" - echo "file. Proxy certificate is not generated for '$CN'" + echo "file. Proxy certificate is not generated for '$dn'" return fi @@ -232,7 +230,8 @@ function create_cert_proxy { # Now add the original certificate used to sign the request to the proxy file. # This should be the certificate issued by the CA to the 'user'. - openssl x509 -in ${X509_SIGNING_CERT} >> ${X509_PROX_GRID} + CMD="openssl x509 -in ${X509_SIGNING_CERT} >> ${X509_PROX_GRID}" + echo $CMD; eval "$CMD" if [ $? != 0 ]; then echo Proxy file generation failed! 
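Review bot: The new `Creating a proxy cert` message in create_cert_proxy opens a single quote before `$dn` and never closes it, so the log line prints an unbalanced quote, while the "is not generated for" message two lines later closes it correctly. The line should read `echo "Creating a proxy cert ${X509_PROX_CERT} for '$dn'"`. The body of create_cert_proxy starts and ends outside this hunk.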
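Review bot: Running the append through `eval "$CMD"` makes the shell parse the expanded values of `${X509_SIGNING_CERT}` and `${X509_PROX_GRID}` as shell syntax, so a certificate directory containing whitespace or shell metacharacters would be split or interpreted instead of naming a file. The `echo $CMD` before it is unquoted as well. Both paths derive from the function's first argument, whose origin is not visible in this hunk. If the aim is only to log the command, print it and run it directly: `echo "openssl x509 -in ${X509_SIGNING_CERT} >> ${X509_PROX_GRID}"` followed by `openssl x509 -in "${X509_SIGNING_CERT}" >> "${X509_PROX_GRID}"`. The rewritten create_cert_proxy_proxy in the next hunk uses the same `eval` pattern, with `$1.cert` left unquoted inside the string.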
@@ -254,134 +253,19 @@ function create_cert_proxy { function create_cert_proxy_proxy { - echo "create_cert_proxy_proxy Start" - filebase=$1 - export FILEBASE=${filebase} - export CN=$2 - ident=$3 - validity=$5 - signing_pair=$6 - - ending="grid_proxy_proxy" - - # This really depends on if we make a proxy or a proxy-proxy - X509_SIGNING_CERT=${filebase}.${signing_pair}.cert # eg. trusted_client.proxy_exp.cert - echo $X509_SIGNING_CERT - X509_SIGNING_KEY=${filebase}.${signing_pair}.priv - X509_SIGNING_REQ=${filebase}.${signing_pair}.req - - X509_PROX_CERT=${filebase}.${ident}.proxy.cert - X509_PROX_KEY=${filebase}.${ident}.proxy.priv - X509_PROX_REQ=${filebase}.${ident}.proxy.req - X509_PROX_GRID=${filebase}.${ident}.${ending} - - dn="`openssl x509 -in ${X509_SIGNING_CERT} -subject -noout| sed 's/^subject= //'`/CN=$4" - - if [ -r "${X509_PROX_CERT}" ]; then - echo "There already exists a file named ${X509_PROX_CERT}" - echo "file. Proxy-proxy certificate is not generated for '$CN'" - return 0 - fi - - # Get the serial number of the certificate that will eventually sign the proxy. - # Put it into a temporary file to be read by the ca command later. - # SERIAL="`openssl x509 -in ${X509_SIGNING_CERT} -noout -serial | sed 's/^serial=//'`" - # echo ${SERIAL} > ${CA_DIR}/serial_proxy.txt - - # Have to 'edit' the ca database to remove the entry for the signing certificate. - # maybe no need... make a dummy database, touch and then delete afterwards... - #touch ${CA_DIR}/index_proxy.txt - - # instead save the ones for real certs and copy the ones saved before and use them and later switch back - cp ${CA_DIR}/index.txt ${CA_DIR}/index_cert_save.txt - cp ${CA_DIR}/serial.txt ${CA_DIR}/serial_cert_save.txt - cp ${CA_DIR}/index_proxy.txt ${CA_DIR}/index.txt - cp ${CA_DIR}/serial_proxy.txt ${CA_DIR}/serial.txt - - CMD="openssl genrsa -f4 -out ${X509_PROX_KEY} ${PROXY_BITS}; chmod 400 ${X509_PROX_KEY}" - echo $CMD; $CMD - if [ $? 
!= 0 ]; then - echo Private key generation for proxy failed! - exit 1 - fi - - # Create the certificate request. - CMD="openssl req -new -out ${X509_PROX_REQ} \ - -key ${X509_PROX_KEY} \ - -config ${REQ_CONFIG_FILE} -subj \"$dn\"" - echo $CMD; eval $CMD - - if [ $? != 0 ]; then - echo Certificate generation for proxy failed! - exit 1 - fi - - # Sign the cert request with the user cert and key. Set the serial number here! - - CMD="openssl ca -in ${X509_PROX_REQ} \ - -cert ${X509_SIGNING_CERT} \ - -keyfile ${X509_SIGNING_KEY} \ - -out ${X509_PROX_CERT} \ - -outdir $tmpdir \ - -preserveDN \ - -config ${REQ_CONFIG_FILE} -md md5 -days ${validity} -batch \ - -passin pass:${PASSWORD} -notext" - echo $CMD; $CMD - - if [ $? != 0 ]; then - echo Proxy certificate signing failed! - exit 1 - fi - - # Add the user and proxy certs and the proxy private key to the keystore - CMD="openssl pkcs12 -in ${X509_PROX_CERT} \ - -out ${filebase}.proxy.proxy.p12 -export \ - -inkey ${X509_PROX_KEY} \ - -passin pass:${PASSWORD} -passout pass:${PASSWORD} \ - -name \"${catype} proxy certificate\" -certfile ${X509_SIGNING_CERT}" - - echo $CMD; eval $CMD - - # Create a grid proxy file... - # Copy the proxy cert to the grid proxy file. - cp ${X509_PROX_CERT} ${X509_PROX_GRID} - - if [ $? != 0 ]; then - echo Proxy file generation failed! - exit 1 - fi - - # Now add the proxy private key to the grid proxy file. - openssl rsa -in ${X509_PROX_KEY} -passin pass:${PASSWORD} >> ${X509_PROX_GRID} - - if [ $? != 0 ]; then - echo Proxy file generation failed! - exit 1 - fi - - # Now add the original certificate used to sign the request to the proxy file. - # In this case it is the proxy certificate! - openssl x509 -in ${X509_SIGNING_CERT} >> ${X509_PROX_GRID} + ending="grid_proxy" + create_cert_proxy $1.$6 "$2" $3 "$4" $5 + +# echo Appending $1.cert to "$1.$3.$6.$ending" # adding in the original certificate to the chain. 
03/06/05 - openssl x509 -in ${filebase}.cert >> ${X509_PROX_GRID} + CMD="openssl x509 -in $1.cert >> \"$1.$3.$6.$ending\"" + echo "$CMD"; eval "$CMD" if [ $? != 0 ]; then echo Proxy file generation failed! exit 1 fi - - chmod 600 ${X509_PROX_GRID} - -# cp ${CA_DIR}/serial_proxy.txt ${CA_DIR}/serial.txt - # copy the normal cert files back - cp ${CA_DIR}/index_cert_save.txt ${CA_DIR}/index.txt - cp ${CA_DIR}/serial_cert_save.txt ${CA_DIR}/serial.txt - - # Clean up stuff - # rm ${CA_DIR}/serial_proxy.txt ${CA_DIR}/index_proxy.txt \ - # ${X509_PROX_REQ} ${X509_PROX_CERT} ${X509_PROX_KEY} \ - # ${X509_SIGNING_CERT} ${X509_SIGNING_KEY} ${X509_SIGNING_REQ} } function create_voms { @@ -543,28 +427,6 @@ EOF } -function create_bad { - - # generating a signing_policy file - subject_name=`openssl x509 -in $CA_DIR/${catype}.cert -subject -noout| sed 's/^subject= //'` - cat < $CA_DIR/${catype}.signing_policy -# Signing policy file for the $subject_name" -access_id_CA X509 '${subject_name}' -pos_rights globus CA:sign -cond_subjects globus '"$(echo "${subject_name}" | sed -e 's#/CN=.*$##')/*"' -EOF - - cat < $CA_DIR/${catype}.namespaces -# Namespace for the $subject_name" -TO Issuer "${subject_name}" \ - PERMIT Subject "$(echo "${subject_name}" | sed -e 's#/CN=.*$##')/*" - -EOF - -} - - - # create all certificates function create_all { 
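Review bot: The append in the new create_cert_proxy_proxy writes to `"$1.$3.$6.$ending"`, but the delegated call passes `$1.$6` as the file base and `$3` as the ident. If create_cert_proxy still names its grid proxy file `${filebase}.${ident}.${ending}`, as the removed body here did (that assignment is outside this hunk), the file it produces is `$1.$6.$3.$ending`. For calls where `$3` and `$6` differ, the user certificate would then be appended to a different file, and the generated chain would lack it. In that case the line should be `openssl x509 -in "$1.cert" >> "$1.$6.$3.$ending"`. Separately, create_cert_proxy returns early when the proxy certificate already exists, so a rerun appends `$1.cert` to the chain file again; guarding the append on the file having just been created would keep the fixtures stable.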
@@ -585,63 +447,78 @@ function create_all { create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_dnerror "dnerror proxy" $PROXY_VALIDITY + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_lim "limited proxy" $PROXY_VALIDITY + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_dnerror "dnerror proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_lim "limited proxy" $PROXY_VALIDITY proxy + + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy_dnerror + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_dnerror "dnerror proxy" $PROXY_VALIDITY proxy_dnerror + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_lim "limited proxy" $PROXY_VALIDITY proxy_dnerror + + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy_lim + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_dnerror "dnerror proxy" $PROXY_VALIDITY proxy_lim + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_lim "limited proxy" $PROXY_VALIDITY proxy_lim + + create_cert_proxy_proxy 
$CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy_exp + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp TYPE="clientbaddn" CTYPE="client with bad DN" create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy TYPE="clientfuture" CTYPE="client future" create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy TYPE="clientserial" 
CTYPE="client serial" create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy TYPE="clientemail" CTYPE="client email" create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDIT $PROXY_VALIDITY proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDIT $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp TYPE="clientuid" CTYPE="client UID" create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 - 
create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp TYPE="fclient" CTYPE="flag client" create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp TYPE="bigclient" CTYPE="bigclient" 
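Review bot: The `clientemail` block carries over the stray `$PROXY_VALIDIT` from the old line (`... proxy "proxy" $PROXY_VALIDIT $PROXY_VALIDITY proxy`). It only works because the unset variable expands to nothing and is dropped unquoted; it would abort under `set -u` or shift the arguments if it were ever quoted. The line should be `create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy`. The signer given for the expired proxy-proxy is also inconsistent: `clientbaddn`, `clientfuture` and `clientserial` pass `proxy` as the sixth argument, while `clientemail`, `clientuid` and `fclient` pass `proxy_exp`. If that is intended, a short comment above each group stating which failure the combination is meant to trigger (expired leaf, expired intermediate, bad DN, limited proxy) would make the fixture matrix reviewable.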
@@ -649,9 +526,9 @@ function create_all { create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS 4096 create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp TYPE="verybigclient" CTYPE="very big client" 
@@ -659,18 +536,18 @@ function create_all { create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS 8192 create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp TYPE="server" CTYPE="server" create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp TYPE="host" CTYPE="$HOSTNAME" 
@@ -718,18 +595,18 @@ function create_all { create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp TYPE="none" CTYPE="none" create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE} $DAYS create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "expired proxy" -1 - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy_exp "expired proxy" -1 proxy_exp + create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_exp "proxy" -1 proxy_exp # create certs with valid proxies, but expired user certs 
@@ -739,7 +616,7 @@ function create_all { create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy TYPE="fclient_exp" CTYPE="flag client expired" @@ -747,7 +624,7 @@ function create_all { create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy TYPE="server_exp" CTYPE="flag server expired" @@ -755,7 +632,7 @@ function create_all { create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy TYPE="clientserver_exp" CTYPE="clientserver expired" @@ -763,7 +640,7 @@ function create_all { create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy TYPE="none_exp" CTYPE="none expired" 
@@ -771,7 +648,7 @@ function create_all { create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} -1 create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy # Create revoked certificates with otherwise valid proxies @@ -781,7 +658,7 @@ function create_all { create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE TYPE="fclient_rev" @@ -790,7 +667,7 @@ function create_all { create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE TYPE="server_rev" 
@@ -799,7 +676,7 @@ function create_all { create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE TYPE="clientserver_rev" @@ -808,7 +685,7 @@ function create_all { create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE TYPE="none_rev" @@ -817,7 +694,7 @@ function create_all { create_cert $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" ${TYPE2} $DAYS create_cert_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY - create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy_proxy "proxy" $PROXY_VALIDITY proxy + create_cert_proxy_proxy $CERT_DIR/${catype}_${TYPE} "$catype ${CTYPE}" proxy "proxy" $PROXY_VALIDITY proxy openssl ca -revoke $CERT_DIR/${catype}_${TYPE}.cert -config $REQ_CONFIG_FILE # some extra certificates -- 1.8.2.3