1
0
Fork 0
cacert-devsetup/setup_test_ca.sh

156 lines
4.6 KiB
Bash
Raw Normal View History

#!/bin/sh
set -eux
if [ -d testca/ ]; then
echo "testca/ exists, remove it if you want to start from scratch"
exit 1
fi
ORGANIZATION="CAcert Inc."
COUNTRY_CODE="AU"
mkdir -p testca/
cd testca
mkdir -p root/newcerts class3/newcerts root/private class3/private certs
touch root/index.txt class3/index.txt
cat >ca.cnf <<EOF
[ca]
default_ca = class3_ca
[root_ca]
dir = ./root
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
crl = \$dir/crl.pem
certificate = \$dir/ca.crt.pem
private_key = \$dir/private/ca.key.pem
RANDFILE = \$dir/private/.rand
policy = policy_any
unique_subject = no
email_in_dn = no
copy_extensions = none
default_md = sha256
default_days = 1825
default_crl_days = 30
extensions = intermediary_extensions
[class3_ca]
dir = ./class3
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
crl = \$dir/crl.pem
certificate = \$dir/ca.crt.pem
private_key = \$dir/private/ca.key.pem
RANDFILE = \$dir/private/.rand
policy = policy_any
unique_subject = no
email_in_dn = no
copy_extensions = copy
default_md = sha256
default_days = 365
default_crl_days = 30
extensions = class3_extensions
[policy_any]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
default_bits = 3072
prompt = no
utf8 = yes
distinguished_name = req_distinguished_name
[req_distinguished_name]
countryName = AU
organizationName = CAcert Inc.
organizationalUnitName = Software Testing
[root_extensions]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[class3_extensions]
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.org/ca/root/ca.crt,OCSP;URI:http://ocsp.test.cacert.org/
crlDistributionPoints = URI:http://crl.test.cacert.org/class3.crl
certificatePolicies = @policy_class3_ca
[server_ext]
basicConstraints = critical,CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.org/ca/class3/ca.crt,OCSP;URI:http://ocsp.test.cacert.org/
crlDistributionPoints = URI:http://crl.test.cacert.org/class3.crl
certificatePolicies = @policy_class3_ca
[policy_class3_ca]
policyIdentifier = 1.3.6.1.5.5.7.2.1
CPS = http://test.cacert.org/ca/class3/cps.html
EOF
openssl req -new -x509 -config ca.cnf \
-keyout root/private/ca.key.pem \
-nodes \
-subj "/CN=Test Root/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \
-days 3650 \
-extensions root_extensions \
-out root/ca.crt.pem
openssl req -new -config ca.cnf \
-keyout class3/private/ca.key.pem \
-nodes \
-subj "/CN=Class 3 Test CA/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \
-out class3/ca.csr.pem
openssl ca -config ca.cnf \
-name root_ca \
-in class3/ca.csr.pem -out class3/ca.crt.pem \
-rand_serial \
-extensions class3_extensions \
-batch
openssl req -new -keyout certs/test.cacert.org.key.pem -nodes \
-out certs/test.cacert.org.csr.pem -subj "/CN=test.cacert.org" \
-addext "subjectAltName=DNS:test.cacert.org,DNS:www.test.cacert.org"
openssl req -new -keyout certs/secure.test.cacert.org.key.pem -nodes \
-out certs/secure.test.cacert.org.csr.pem -subj "/CN=secure.test.cacert.org" \
-addext "subjectAltName=DNS:secure.test.cacert.org"
openssl ca -config ca.cnf \
-name class3_ca \
-in certs/test.cacert.org.csr.pem \
-out certs/test.cacert.org.crt.pem \
-rand_serial \
-extensions server_ext \
-batch
openssl ca -config ca.cnf \
-name class3_ca \
-in certs/secure.test.cacert.org.csr.pem \
-out certs/secure.test.cacert.org.crt.pem \
-rand_serial \
-extensions server_ext \
-batch