cacert-devsetup/setup_test_ca.sh

#!/bin/sh

set -eu

ORGANIZATION="CAcert Inc."
COUNTRY_CODE="AU"
CACERT_GPG_NAME="CA Cert Signing Authority (Root CA)"
CACERT_GPG_EMAIL="gpg@cacert.localhost"

. ./.env

if [ ! -d testca/ ]; then
  mkdir -p testca/
  cd testca
  mkdir -p root/newcerts class3/newcerts root/private class3/private certs gpg/gpg_root_0
  touch root/index.txt class3/index.txt
else
  cd testca
fi

cat >ca.cnf <<EOF
[ca]
default_ca             = class3_ca

[root_ca]
dir                    = ./root
certs                  = \$dir/certs
crl_dir                = \$dir/crl
database               = \$dir/index.txt
serial                 = \$dir/serial
new_certs_dir          = \$dir/newcerts

crl                    = \$dir/crl.pem
certificate            = \$dir/ca.crt.pem
private_key            = \$dir/private/ca.key.pem
RANDFILE               = \$dir/private/.rand

policy                 = policy_any
unique_subject         = no
email_in_dn            = no
copy_extensions        = none

default_md             = sha256
default_days           = 1825
default_crl_days       = 30

extensions             = intermediary_extensions

[class3_ca]
dir                    = ./class3
certs                  = \$dir/certs
crl_dir                = \$dir/crl
database               = \$dir/index.txt
serial                 = \$dir/serial
new_certs_dir          = \$dir/newcerts

crl                    = \$dir/crl.pem
certificate            = \$dir/ca.crt.pem
private_key            = \$dir/private/ca.key.pem
RANDFILE               = \$dir/private/.rand

policy                 = policy_any
unique_subject         = no
email_in_dn            = yes
copy_extensions        = copy

default_md             = sha256
default_days           = 365
default_crl_days       = 30

extensions             = class3_extensions

[policy_any]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[req]
default_bits           = 3072
prompt                 = no
utf8                   = yes
distinguished_name     = req_distinguished_name

[req_distinguished_name]
countryName            = AU
organizationName       = CAcert Inc.
organizationalUnitName = Software Testing

[root_extensions]
basicConstraints       = critical,CA:true
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash

[class3_extensions]
basicConstraints       = critical,CA:true,pathlen:0
keyUsage               = critical,keyCertSign,cRLSign
extendedKeyUsage       = serverAuth,clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.localhost/ca/root/ca.crt,OCSP;URI:http://ocsp.test.cacert.localhost/
crlDistributionPoints  = URI:http://crl.test.cacert.localhost/class3.crl
certificatePolicies    = @policy_class3_ca

[client_ext]
basicConstraints       = critical,CA:false
keyUsage               = digitalSignature,keyEncipherment
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.localhost/ca/class3/ca.crt,OCSP;URI:http://ocsp.test.cacert.localhost/
crlDistributionPoints  = URI:http://crl.test.cacert.localhost/class3.crl
certificatePolicies    = @policy_class3_ca

[server_ext]
basicConstraints       = critical,CA:false
keyUsage               = digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.localhost/ca/class3/ca.crt,OCSP;URI:http://ocsp.test.cacert.localhost/
crlDistributionPoints  = URI:http://crl.test.cacert.localhost/class3.crl
certificatePolicies    = @policy_class3_ca

[policy_class3_ca]
policyIdentifier       = 1.3.6.1.5.5.7.2.1
CPS                    = http://test.cacert.localhost/ca/class3/cps.html
EOF

if [ ! -f root/ca.crt.pem ]; then
  openssl req -new -x509 -config ca.cnf \
    -keyout root/private/ca.key.pem \
    -nodes \
    -subj "/CN=Test Root/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \
    -days 3650 \
    -extensions root_extensions \
    -out root/ca.crt.pem
fi
if [ ! -f class3/ca.crt.pem ]; then
  openssl req -new -config ca.cnf \
    -keyout class3/private/ca.key.pem \
    -nodes \
    -subj "/CN=Class 3 Test CA/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \
    -out class3/ca.csr.pem
  openssl ca -config ca.cnf \
    -name root_ca \
    -in class3/ca.csr.pem -out class3/ca.crt.pem \
    -rand_serial \
    -extensions class3_extensions \
    -batch
fi

if [ ! -f certs/cachain.crt.pem ]; then
  (
    openssl x509 -in class3/ca.crt.pem
    openssl x509 -in root/ca.crt.pem
  ) >certs/cachain.crt.pem
fi

if [ ! -f certs/cats.cacert.localhost.crt.pem ]; then
  openssl req -new -keyout certs/cats.cacert.localhost.key.pem -nodes \
    -out certs/cats.cacert.localhost.csr.pem -subj "/CN=cats.cacert.localhost" \
    -addext "subjectAltName=DNS:cats.cacert.localhost,DNS:www.cats.cacert.localhost"
  openssl ca -config ca.cnf \
    -name class3_ca \
    -in certs/cats.cacert.localhost.csr.pem \
    -out certs/cats.cacert.localhost.crt.pem \
    -rand_serial \
    -extensions server_ext \
    -batch
fi
if [ ! -f certs/cats-client.cacert.localhost.crt.pem ]; then
  openssl req -new -keyout certs/cats-client.cacert.localhost.key.pem -nodes \
    -out certs/cats-client.cacert.localhost.csr.pem -subj "/CN=cats.cacert.localhost" \
    -addext "subjectAltName=DNS:cats.cacert.localhost"
  openssl ca -config ca.cnf \
    -name class3_ca \
    -in certs/cats-client.cacert.localhost.csr.pem \
    -out certs/cats-client.cacert.localhost.crt.pem \
    -rand_serial \
    -extensions client_ext \
    -batch
fi
if [ ! -f certs/mgr.cacert.localhost.crt.pem ]; then
  openssl req -new -keyout certs/mgr.cacert.localhost.key.pem -nodes \
    -out certs/mgr.cacert.localhost.csr.pem -subj "/CN=mgr.cacert.localhost" \
    -addext "subjectAltName=DNS:mgr.cacert.localhost,DNS:www.mgr.cacert.localhost"
  openssl ca -config ca.cnf \
    -name class3_ca \
    -in certs/mgr.cacert.localhost.csr.pem \
    -out certs/mgr.cacert.localhost.crt.pem \
    -rand_serial \
    -extensions server_ext \
    -batch
fi
if [ ! -f certs/www.cacert.localhost.crt.pem ]; then
  openssl req -new -keyout certs/www.cacert.localhost.key.pem -nodes \
    -out certs/www.cacert.localhost.csr.pem -subj "/CN=www.cacert.localhost" \
    -addext "subjectAltName=DNS:www.cacert.localhost,DNS:secure.cacert.localhost"
  openssl ca -config ca.cnf \
    -name class3_ca \
    -in certs/www.cacert.localhost.csr.pem \
    -out certs/www.cacert.localhost.crt.pem \
    -rand_serial \
    -extensions server_ext \
    -batch
fi

if [ ! -f certs/testclient.p12 ]; then
  openssl req -new -keyout certs/testclient.key.pem -nodes \
    -out certs/testclient.csr.pem -subj "/CN=${CLIENT_CERT_USERNAME}/emailAddress=${CLIENT_CERT_EMAIL}" \
    -addext "subjectAltName=email:${CLIENT_CERT_EMAIL}"
  openssl ca -config ca.cnf \
    -name class3_ca \
    -in certs/testclient.csr.pem \
    -out certs/testclient.crt.pem \
    -rand_serial \
    -extensions client_ext \
    -batch
  openssl pkcs12 -export -out certs/testclient.p12 \
    -passout "pass:${CLIENT_CERT_PASSWORD}" \
    -chain -CAfile certs/cachain.crt.pem \
    -inkey certs/testclient.key.pem \
    -in certs/testclient.crt.pem \
    -name "${CLIENT_CERT_USERNAME}"
fi

if [ ! -f gpg/gpg_root_0/secring.gpg ]; then
  chmod 0700 gpg/gpg_root_0
  gpg --homedir gpg/gpg_root_0 --generate-key --batch <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Name-Real: ${CACERT_GPG_NAME}
Name-Email: ${CACERT_GPG_EMAIL}
%no-protection
EOF
  gpg --homedir gpg/gpg_root_0 --export | gpg1 --homedir gpg/gpg_root_0 --import
  gpg --homedir gpg/gpg_root_0 --export-secret-keys | gpg1 --homedir gpg/gpg_root_0 --import
fi
Implement docker-compose setup for CAcert software 2020-12-20 14:52:15 +01:00			`#!/bin/sh`

Add test mgr setup 2020-12-22 08:49:18 +01:00			`set -eu`
Implement docker-compose setup for CAcert software 2020-12-20 14:52:15 +01:00
			`ORGANIZATION="CAcert Inc."`
			`COUNTRY_CODE="AU"`
Fix gpg setup for signer 2020-12-26 11:52:37 +01:00			`CACERT_GPG_NAME="CA Cert Signing Authority (Root CA)"`
			`CACERT_GPG_EMAIL="gpg@cacert.localhost"`

Add test mgr setup 2020-12-22 08:49:18 +01:00			`. ./.env`

			`if [ ! -d testca/ ]; then`
			`mkdir -p testca/`
			`cd testca`
Add GPG support to signer image 2020-12-26 08:31:58 +01:00			`mkdir -p root/newcerts class3/newcerts root/private class3/private certs gpg/gpg_root_0`
Add test mgr setup 2020-12-22 08:49:18 +01:00			`touch root/index.txt class3/index.txt`
			`else`
			`cd testca`
			`fi`
Implement docker-compose setup for CAcert software 2020-12-20 14:52:15 +01:00
			`cat >ca.cnf <<EOF`
			`[ca]`
			`default_ca = class3_ca`

			`[root_ca]`
			`dir = ./root`
			`certs = \$dir/certs`
			`crl_dir = \$dir/crl`
			`database = \$dir/index.txt`
			`serial = \$dir/serial`
			`new_certs_dir = \$dir/newcerts`

			`crl = \$dir/crl.pem`
			`certificate = \$dir/ca.crt.pem`
			`private_key = \$dir/private/ca.key.pem`
			`RANDFILE = \$dir/private/.rand`

			`policy = policy_any`
			`unique_subject = no`
			`email_in_dn = no`
			`copy_extensions = none`

			`default_md = sha256`
			`default_days = 1825`
			`default_crl_days = 30`

			`extensions = intermediary_extensions`

			`[class3_ca]`
			`dir = ./class3`
			`certs = \$dir/certs`
			`crl_dir = \$dir/crl`
			`database = \$dir/index.txt`
			`serial = \$dir/serial`
			`new_certs_dir = \$dir/newcerts`

			`crl = \$dir/crl.pem`
			`certificate = \$dir/ca.crt.pem`
			`private_key = \$dir/private/ca.key.pem`
			`RANDFILE = \$dir/private/.rand`

			`policy = policy_any`
			`unique_subject = no`
Add cats to the docker-compose setup 2020-12-22 15:51:13 +01:00			`email_in_dn = yes`
Implement docker-compose setup for CAcert software 2020-12-20 14:52:15 +01:00			`copy_extensions = copy`

			`default_md = sha256`
			`default_days = 365`
			`default_crl_days = 30`

			`extensions = class3_extensions`

			`[policy_any]`
			`countryName = optional`
			`stateOrProvinceName = optional`
			`organizationName = optional`
			`organizationalUnitName = optional`
			`commonName = supplied`
			`emailAddress = optional`

			`[req]`
			`default_bits = 3072`
			`prompt = no`
			`utf8 = yes`
			`distinguished_name = req_distinguished_name`

			`[req_distinguished_name]`
			`countryName = AU`
			`organizationName = CAcert Inc.`
			`organizationalUnitName = Software Testing`

			`[root_extensions]`
			`basicConstraints = critical,CA:true`
			`keyUsage = critical,keyCertSign,cRLSign`
			`subjectKeyIdentifier = hash`

			`[class3_extensions]`
			`basicConstraints = critical,CA:true,pathlen:0`
			`keyUsage = critical,keyCertSign,cRLSign`
			`extendedKeyUsage = serverAuth,clientAuth`
			`subjectKeyIdentifier = hash`
			`authorityKeyIdentifier = keyid:always`
Add README, move URLs to cacert.localhost 2020-12-20 15:28:19 +01:00			`authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.localhost/ca/root/ca.crt,OCSP;URI:http://ocsp.test.cacert.localhost/`
			`crlDistributionPoints = URI:http://crl.test.cacert.localhost/class3.crl`
Implement docker-compose setup for CAcert software 2020-12-20 14:52:15 +01:00			`certificatePolicies = @policy_class3_ca`

Add test mgr setup 2020-12-22 08:49:18 +01:00			`[client_ext]`
			`basicConstraints = critical,CA:false`
			`keyUsage = digitalSignature,keyEncipherment`
			`extendedKeyUsage = clientAuth`
			`subjectKeyIdentifier = hash`
			`authorityKeyIdentifier = keyid:always`
			`authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.localhost/ca/class3/ca.crt,OCSP;URI:http://ocsp.test.cacert.localhost/`
			`crlDistributionPoints = URI:http://crl.test.cacert.localhost/class3.crl`
			`certificatePolicies = @policy_class3_ca`

Implement docker-compose setup for CAcert software 2020-12-20 14:52:15 +01:00			`[server_ext]`
			`basicConstraints = critical,CA:false`
			`keyUsage = digitalSignature,keyEncipherment`
			`extendedKeyUsage = serverAuth`
			`subjectKeyIdentifier = hash`
			`authorityKeyIdentifier = keyid:always`
Add README, move URLs to cacert.localhost 2020-12-20 15:28:19 +01:00			`authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.localhost/ca/class3/ca.crt,OCSP;URI:http://ocsp.test.cacert.localhost/`
			`crlDistributionPoints = URI:http://crl.test.cacert.localhost/class3.crl`
Implement docker-compose setup for CAcert software 2020-12-20 14:52:15 +01:00			`certificatePolicies = @policy_class3_ca`

			`[policy_class3_ca]`
			`policyIdentifier = 1.3.6.1.5.5.7.2.1`
Add README, move URLs to cacert.localhost 2020-12-20 15:28:19 +01:00			`CPS = http://test.cacert.localhost/ca/class3/cps.html`
Implement docker-compose setup for CAcert software 2020-12-20 14:52:15 +01:00			`EOF`

Add test mgr setup 2020-12-22 08:49:18 +01:00			`if [ ! -f root/ca.crt.pem ]; then`
			`openssl req -new -x509 -config ca.cnf \`
			`-keyout root/private/ca.key.pem \`
			`-nodes \`
			`-subj "/CN=Test Root/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \`
			`-days 3650 \`
			`-extensions root_extensions \`
			`-out root/ca.crt.pem`
			`fi`
			`if [ ! -f class3/ca.crt.pem ]; then`
			`openssl req -new -config ca.cnf \`
			`-keyout class3/private/ca.key.pem \`
			`-nodes \`
			`-subj "/CN=Class 3 Test CA/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \`
			`-out class3/ca.csr.pem`
			`openssl ca -config ca.cnf \`
			`-name root_ca \`
			`-in class3/ca.csr.pem -out class3/ca.crt.pem \`
			`-rand_serial \`
			`-extensions class3_extensions \`
			`-batch`
			`fi`

			`if [ ! -f certs/cachain.crt.pem ]; then`
			`(`
			`openssl x509 -in class3/ca.crt.pem`
			`openssl x509 -in root/ca.crt.pem`
			`) >certs/cachain.crt.pem`
			`fi`

			`if [ ! -f certs/cats.cacert.localhost.crt.pem ]; then`
			`openssl req -new -keyout certs/cats.cacert.localhost.key.pem -nodes \`
			`-out certs/cats.cacert.localhost.csr.pem -subj "/CN=cats.cacert.localhost" \`
			`-addext "subjectAltName=DNS:cats.cacert.localhost,DNS:www.cats.cacert.localhost"`
			`openssl ca -config ca.cnf \`
			`-name class3_ca \`
			`-in certs/cats.cacert.localhost.csr.pem \`
			`-out certs/cats.cacert.localhost.crt.pem \`
			`-rand_serial \`
			`-extensions server_ext \`
			`-batch`
			`fi`
			`if [ ! -f certs/cats-client.cacert.localhost.crt.pem ]; then`
			`openssl req -new -keyout certs/cats-client.cacert.localhost.key.pem -nodes \`
			`-out certs/cats-client.cacert.localhost.csr.pem -subj "/CN=cats.cacert.localhost" \`
			`-addext "subjectAltName=DNS:cats.cacert.localhost"`
			`openssl ca -config ca.cnf \`
			`-name class3_ca \`
			`-in certs/cats-client.cacert.localhost.csr.pem \`
			`-out certs/cats-client.cacert.localhost.crt.pem \`
			`-rand_serial \`
			`-extensions client_ext \`
			`-batch`
			`fi`
			`if [ ! -f certs/mgr.cacert.localhost.crt.pem ]; then`
			`openssl req -new -keyout certs/mgr.cacert.localhost.key.pem -nodes \`
			`-out certs/mgr.cacert.localhost.csr.pem -subj "/CN=mgr.cacert.localhost" \`
			`-addext "subjectAltName=DNS:mgr.cacert.localhost,DNS:www.mgr.cacert.localhost"`
			`openssl ca -config ca.cnf \`
			`-name class3_ca \`
			`-in certs/mgr.cacert.localhost.csr.pem \`
			`-out certs/mgr.cacert.localhost.crt.pem \`
			`-rand_serial \`
			`-extensions server_ext \`
			`-batch`
			`fi`
Rename application to webdb This commit renames the application container to webdb and drops the test suffix in favour of using www.cacert.localhost directly. The server certificate for www.cacert.localhost got an additional subjectAlternativeName secure.cacert.localhost and is used for both hostnames now. Environment variables containing _APP have been renamed to _WEBDB to keep consistency. 2020-12-23 07:17:06 +01:00			`if [ ! -f certs/www.cacert.localhost.crt.pem ]; then`
			`openssl req -new -keyout certs/www.cacert.localhost.key.pem -nodes \`
			`-out certs/www.cacert.localhost.csr.pem -subj "/CN=www.cacert.localhost" \`
			`-addext "subjectAltName=DNS:www.cacert.localhost,DNS:secure.cacert.localhost"`
Add test mgr setup 2020-12-22 08:49:18 +01:00			`openssl ca -config ca.cnf \`
			`-name class3_ca \`
Rename application to webdb This commit renames the application container to webdb and drops the test suffix in favour of using www.cacert.localhost directly. The server certificate for www.cacert.localhost got an additional subjectAlternativeName secure.cacert.localhost and is used for both hostnames now. Environment variables containing _APP have been renamed to _WEBDB to keep consistency. 2020-12-23 07:17:06 +01:00			`-in certs/www.cacert.localhost.csr.pem \`
			`-out certs/www.cacert.localhost.crt.pem \`
Add test mgr setup 2020-12-22 08:49:18 +01:00			`-rand_serial \`
			`-extensions server_ext \`
			`-batch`
			`fi`

			`if [ ! -f certs/testclient.p12 ]; then`
			`openssl req -new -keyout certs/testclient.key.pem -nodes \`
Add cats to the docker-compose setup 2020-12-22 15:51:13 +01:00			`-out certs/testclient.csr.pem -subj "/CN=${CLIENT_CERT_USERNAME}/emailAddress=${CLIENT_CERT_EMAIL}" \`
Add test mgr setup 2020-12-22 08:49:18 +01:00			`-addext "subjectAltName=email:${CLIENT_CERT_EMAIL}"`
			`openssl ca -config ca.cnf \`
			`-name class3_ca \`
			`-in certs/testclient.csr.pem \`
			`-out certs/testclient.crt.pem \`
			`-rand_serial \`
			`-extensions client_ext \`
			`-batch`
			`openssl pkcs12 -export -out certs/testclient.p12 \`
			`-passout "pass:${CLIENT_CERT_PASSWORD}" \`
			`-chain -CAfile certs/cachain.crt.pem \`
			`-inkey certs/testclient.key.pem \`
			`-in certs/testclient.crt.pem \`
			`-name "${CLIENT_CERT_USERNAME}"`
			`fi`
Add GPG support to signer image 2020-12-26 08:31:58 +01:00
			`if [ ! -f gpg/gpg_root_0/secring.gpg ]; then`
Fix gpg setup for signer 2020-12-26 11:52:37 +01:00			`chmod 0700 gpg/gpg_root_0`
			`gpg --homedir gpg/gpg_root_0 --generate-key --batch <<EOF`
Add GPG support to signer image 2020-12-26 08:31:58 +01:00			`Key-Type: RSA`
			`Key-Length: 4096`
			`Key-Usage: cert`
Fix gpg setup for signer 2020-12-26 11:52:37 +01:00			`Name-Real: ${CACERT_GPG_NAME}`
			`Name-Email: ${CACERT_GPG_EMAIL}`
			`%no-protection`
Add GPG support to signer image 2020-12-26 08:31:58 +01:00			`EOF`
Fix gpg setup for signer 2020-12-26 11:52:37 +01:00			`gpg --homedir gpg/gpg_root_0 --export \| gpg1 --homedir gpg/gpg_root_0 --import`
			`gpg --homedir gpg/gpg_root_0 --export-secret-keys \| gpg1 --homedir gpg/gpg_root_0 --import`
			`fi`