cacert-devsetup/setup_test_ca.sh

#!/bin/sh

set -eux

if [ -d testca/ ]; then
  echo "testca/ exists, remove it if you want to start from scratch"
  exit 1
fi

ORGANIZATION="CAcert Inc."
COUNTRY_CODE="AU"

mkdir -p testca/
cd testca
mkdir -p root/newcerts class3/newcerts root/private class3/private certs
touch root/index.txt class3/index.txt
cat >ca.cnf <<EOF
[ca]
default_ca             = class3_ca

[root_ca]
dir                    = ./root
certs                  = \$dir/certs
crl_dir                = \$dir/crl
database               = \$dir/index.txt
serial                 = \$dir/serial
new_certs_dir          = \$dir/newcerts

crl                    = \$dir/crl.pem
certificate            = \$dir/ca.crt.pem
private_key            = \$dir/private/ca.key.pem
RANDFILE               = \$dir/private/.rand

policy                 = policy_any
unique_subject         = no
email_in_dn            = no
copy_extensions        = none

default_md             = sha256
default_days           = 1825
default_crl_days       = 30

extensions             = intermediary_extensions

[class3_ca]
dir                    = ./class3
certs                  = \$dir/certs
crl_dir                = \$dir/crl
database               = \$dir/index.txt
serial                 = \$dir/serial
new_certs_dir          = \$dir/newcerts

crl                    = \$dir/crl.pem
certificate            = \$dir/ca.crt.pem
private_key            = \$dir/private/ca.key.pem
RANDFILE               = \$dir/private/.rand

policy                 = policy_any
unique_subject         = no
email_in_dn            = no
copy_extensions        = copy

default_md             = sha256
default_days           = 365
default_crl_days       = 30

extensions             = class3_extensions

[policy_any]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[req]
default_bits           = 3072
prompt                 = no
utf8                   = yes
distinguished_name     = req_distinguished_name

[req_distinguished_name]
countryName            = AU
organizationName       = CAcert Inc.
organizationalUnitName = Software Testing

[root_extensions]
basicConstraints       = critical,CA:true
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash

[class3_extensions]
basicConstraints       = critical,CA:true,pathlen:0
keyUsage               = critical,keyCertSign,cRLSign
extendedKeyUsage       = serverAuth,clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.org/ca/root/ca.crt,OCSP;URI:http://ocsp.test.cacert.org/
crlDistributionPoints  = URI:http://crl.test.cacert.org/class3.crl
certificatePolicies    = @policy_class3_ca

[server_ext]
basicConstraints       = critical,CA:false
keyUsage               = digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.org/ca/class3/ca.crt,OCSP;URI:http://ocsp.test.cacert.org/
crlDistributionPoints  = URI:http://crl.test.cacert.org/class3.crl
certificatePolicies    = @policy_class3_ca

[policy_class3_ca]
policyIdentifier       = 1.3.6.1.5.5.7.2.1
CPS                    = http://test.cacert.org/ca/class3/cps.html
EOF

openssl req -new -x509 -config ca.cnf \
  -keyout root/private/ca.key.pem \
  -nodes \
  -subj "/CN=Test Root/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \
  -days 3650 \
  -extensions root_extensions \
  -out root/ca.crt.pem
openssl req -new -config ca.cnf \
  -keyout class3/private/ca.key.pem \
  -nodes \
  -subj "/CN=Class 3 Test CA/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \
  -out class3/ca.csr.pem
openssl ca -config ca.cnf \
  -name root_ca \
  -in class3/ca.csr.pem -out class3/ca.crt.pem \
  -rand_serial \
  -extensions class3_extensions \
  -batch
openssl req -new -keyout certs/test.cacert.org.key.pem -nodes \
  -out certs/test.cacert.org.csr.pem -subj "/CN=test.cacert.org" \
  -addext "subjectAltName=DNS:test.cacert.org,DNS:www.test.cacert.org"
openssl req -new -keyout certs/secure.test.cacert.org.key.pem -nodes \
  -out certs/secure.test.cacert.org.csr.pem -subj "/CN=secure.test.cacert.org" \
  -addext "subjectAltName=DNS:secure.test.cacert.org"
openssl ca -config ca.cnf \
  -name class3_ca \
  -in certs/test.cacert.org.csr.pem \
  -out certs/test.cacert.org.crt.pem \
  -rand_serial \
  -extensions server_ext \
  -batch
openssl ca -config ca.cnf \
  -name class3_ca \
  -in certs/secure.test.cacert.org.csr.pem \
  -out certs/secure.test.cacert.org.crt.pem \
  -rand_serial \
  -extensions server_ext \
  -batch
Implement docker-compose setup for CAcert software 2020-12-20 14:52:15 +01:00			`#!/bin/sh`

			`set -eux`

			`if [ -d testca/ ]; then`
			`echo "testca/ exists, remove it if you want to start from scratch"`
			`exit 1`
			`fi`

			`ORGANIZATION="CAcert Inc."`
			`COUNTRY_CODE="AU"`

			`mkdir -p testca/`
			`cd testca`
			`mkdir -p root/newcerts class3/newcerts root/private class3/private certs`
			`touch root/index.txt class3/index.txt`
			`cat >ca.cnf <<EOF`
			`[ca]`
			`default_ca = class3_ca`

			`[root_ca]`
			`dir = ./root`
			`certs = \$dir/certs`
			`crl_dir = \$dir/crl`
			`database = \$dir/index.txt`
			`serial = \$dir/serial`
			`new_certs_dir = \$dir/newcerts`

			`crl = \$dir/crl.pem`
			`certificate = \$dir/ca.crt.pem`
			`private_key = \$dir/private/ca.key.pem`
			`RANDFILE = \$dir/private/.rand`

			`policy = policy_any`
			`unique_subject = no`
			`email_in_dn = no`
			`copy_extensions = none`

			`default_md = sha256`
			`default_days = 1825`
			`default_crl_days = 30`

			`extensions = intermediary_extensions`

			`[class3_ca]`
			`dir = ./class3`
			`certs = \$dir/certs`
			`crl_dir = \$dir/crl`
			`database = \$dir/index.txt`
			`serial = \$dir/serial`
			`new_certs_dir = \$dir/newcerts`

			`crl = \$dir/crl.pem`
			`certificate = \$dir/ca.crt.pem`
			`private_key = \$dir/private/ca.key.pem`
			`RANDFILE = \$dir/private/.rand`

			`policy = policy_any`
			`unique_subject = no`
			`email_in_dn = no`
			`copy_extensions = copy`

			`default_md = sha256`
			`default_days = 365`
			`default_crl_days = 30`

			`extensions = class3_extensions`

			`[policy_any]`
			`countryName = optional`
			`stateOrProvinceName = optional`
			`organizationName = optional`
			`organizationalUnitName = optional`
			`commonName = supplied`
			`emailAddress = optional`

			`[req]`
			`default_bits = 3072`
			`prompt = no`
			`utf8 = yes`
			`distinguished_name = req_distinguished_name`

			`[req_distinguished_name]`
			`countryName = AU`
			`organizationName = CAcert Inc.`
			`organizationalUnitName = Software Testing`

			`[root_extensions]`
			`basicConstraints = critical,CA:true`
			`keyUsage = critical,keyCertSign,cRLSign`
			`subjectKeyIdentifier = hash`

			`[class3_extensions]`
			`basicConstraints = critical,CA:true,pathlen:0`
			`keyUsage = critical,keyCertSign,cRLSign`
			`extendedKeyUsage = serverAuth,clientAuth`
			`subjectKeyIdentifier = hash`
			`authorityKeyIdentifier = keyid:always`
			`authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.org/ca/root/ca.crt,OCSP;URI:http://ocsp.test.cacert.org/`
			`crlDistributionPoints = URI:http://crl.test.cacert.org/class3.crl`
			`certificatePolicies = @policy_class3_ca`

			`[server_ext]`
			`basicConstraints = critical,CA:false`
			`keyUsage = digitalSignature,keyEncipherment`
			`extendedKeyUsage = serverAuth`
			`subjectKeyIdentifier = hash`
			`authorityKeyIdentifier = keyid:always`
			`authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.org/ca/class3/ca.crt,OCSP;URI:http://ocsp.test.cacert.org/`
			`crlDistributionPoints = URI:http://crl.test.cacert.org/class3.crl`
			`certificatePolicies = @policy_class3_ca`

			`[policy_class3_ca]`
			`policyIdentifier = 1.3.6.1.5.5.7.2.1`
			`CPS = http://test.cacert.org/ca/class3/cps.html`
			`EOF`

			`openssl req -new -x509 -config ca.cnf \`
			`-keyout root/private/ca.key.pem \`
			`-nodes \`
			`-subj "/CN=Test Root/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \`
			`-days 3650 \`
			`-extensions root_extensions \`
			`-out root/ca.crt.pem`
			`openssl req -new -config ca.cnf \`
			`-keyout class3/private/ca.key.pem \`
			`-nodes \`
			`-subj "/CN=Class 3 Test CA/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \`
			`-out class3/ca.csr.pem`
			`openssl ca -config ca.cnf \`
			`-name root_ca \`
			`-in class3/ca.csr.pem -out class3/ca.crt.pem \`
			`-rand_serial \`
			`-extensions class3_extensions \`
			`-batch`
			`openssl req -new -keyout certs/test.cacert.org.key.pem -nodes \`
			`-out certs/test.cacert.org.csr.pem -subj "/CN=test.cacert.org" \`
			`-addext "subjectAltName=DNS:test.cacert.org,DNS:www.test.cacert.org"`
			`openssl req -new -keyout certs/secure.test.cacert.org.key.pem -nodes \`
			`-out certs/secure.test.cacert.org.csr.pem -subj "/CN=secure.test.cacert.org" \`
			`-addext "subjectAltName=DNS:secure.test.cacert.org"`
			`openssl ca -config ca.cnf \`
			`-name class3_ca \`
			`-in certs/test.cacert.org.csr.pem \`
			`-out certs/test.cacert.org.crt.pem \`
			`-rand_serial \`
			`-extensions server_ext \`
			`-batch`
			`openssl ca -config ca.cnf \`
			`-name class3_ca \`
			`-in certs/secure.test.cacert.org.csr.pem \`
			`-out certs/secure.test.cacert.org.crt.pem \`
			`-rand_serial \`
			`-extensions server_ext \`
			`-batch`