f9b0eb5195
This commit renames the application container to webdb and drops the test suffix in favour of using www.cacert.localhost directly. The server certificate for www.cacert.localhost has an additional subjectAltName, secure.cacert.localhost, and is now used for both hostnames. Environment variables containing _APP have been renamed to _WEBDB for consistency.
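#!/bin/sh
#
# Create a throw-away test PKI for the local development setup under ./testca:
#   - a self-signed "Test Root" CA,
#   - an intermediate "Class 3 Test CA" signed by the root,
#   - server certificates for the *.cacert.localhost services,
#   - a client certificate for the cats service, and
#   - a PKCS#12 bundle (testclient.p12) for a browser test user.
#
# Every step is skipped when its output file already exists, so the script can
# be re-run to add missing pieces. Delete the corresponding file(s) to re-issue.
#
# Required environment, read from ./.env (relative to the start directory):
#   CLIENT_CERT_USERNAME, CLIENT_CERT_EMAIL, CLIENT_CERT_PASSWORD
# They are only needed for the testclient.p12 step.
#
# Needs OpenSSL 1.1.1 or later (-addext, -rand_serial).
#
# Private keys are written with -nodes (unencrypted) and with whatever mode the
# current umask yields; openssl does not tighten the mode itself.

set -eu

readonly ORGANIZATION="CAcert Inc."
readonly COUNTRY_CODE="AU"

# Sourced before changing directory, so the path is relative to where the
# script was started.
. ./.env

if [ ! -d testca/ ]; then
  mkdir -p testca/
  cd testca
  mkdir -p root/newcerts class3/newcerts root/private class3/private certs
  # openssl ca needs an (initially empty) database file per CA.
  touch root/index.txt class3/index.txt
else
  cd testca
fi

# The CA configuration is rewritten on every run so that edits below take
# effect without deleting the testca/ tree. "\$dir" is escaped so that OpenSSL,
# not the shell, expands it.
#
# NOTE(review): the authorityInfoAccess / crlDistributionPoints / CPS URIs still
# point at *.test.cacert.localhost hosts although the app itself moved to
# www.cacert.localhost — confirm those hosts are served in the test setup.
cat >ca.cnf <<EOF
[ca]
default_ca = class3_ca

# Root CA: only ever signs the Class 3 intermediate.
[root_ca]
dir = ./root
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts

crl = \$dir/crl.pem
certificate = \$dir/ca.crt.pem
private_key = \$dir/private/ca.key.pem
RANDFILE = \$dir/private/.rand

policy = policy_any
unique_subject = no
email_in_dn = no
copy_extensions = none

default_md = sha256
default_days = 1825
default_crl_days = 30

# Default extension section when "openssl ca -name root_ca" is run without
# -extensions; the intermediate below is the only thing this CA issues.
extensions = class3_extensions

# Class 3 CA: issues all leaf certificates. copy_extensions = copy takes the
# subjectAltName from the CSR; extensions already defined in the chosen
# *_ext section are not overridden by the request.
[class3_ca]
dir = ./class3
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts

crl = \$dir/crl.pem
certificate = \$dir/ca.crt.pem
private_key = \$dir/private/ca.key.pem
RANDFILE = \$dir/private/.rand

policy = policy_any
unique_subject = no
email_in_dn = yes
copy_extensions = copy

default_md = sha256
default_days = 365
default_crl_days = 30

extensions = class3_extensions

[policy_any]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
default_bits = 3072
prompt = no
utf8 = yes
distinguished_name = req_distinguished_name

# Only used when no -subj is given; kept in sync with the shell constants.
[req_distinguished_name]
countryName = ${COUNTRY_CODE}
organizationName = ${ORGANIZATION}
organizationalUnitName = Software Testing

[root_extensions]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[class3_extensions]
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.localhost/ca/root/ca.crt,OCSP;URI:http://ocsp.test.cacert.localhost/
crlDistributionPoints = URI:http://crl.test.cacert.localhost/class3.crl
certificatePolicies = @policy_class3_ca

[client_ext]
basicConstraints = critical,CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.localhost/ca/class3/ca.crt,OCSP;URI:http://ocsp.test.cacert.localhost/
crlDistributionPoints = URI:http://crl.test.cacert.localhost/class3.crl
certificatePolicies = @policy_class3_ca

[server_ext]
basicConstraints = critical,CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://test.cacert.localhost/ca/class3/ca.crt,OCSP;URI:http://ocsp.test.cacert.localhost/
crlDistributionPoints = URI:http://crl.test.cacert.localhost/class3.crl
certificatePolicies = @policy_class3_ca

[policy_class3_ca]
policyIdentifier = 1.3.6.1.5.5.7.2.1
CPS = http://test.cacert.localhost/ca/class3/cps.html
EOF

# Self-signed root, valid 10 years.
if [ ! -f root/ca.crt.pem ]; then
  openssl req -new -x509 -config ca.cnf \
    -keyout root/private/ca.key.pem \
    -nodes \
    -subj "/CN=Test Root/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \
    -days 3650 \
    -extensions root_extensions \
    -out root/ca.crt.pem
fi

# Intermediate (Class 3), signed by the root with the class3_extensions
# section (pathlen:0, so it can only issue leaf certificates).
if [ ! -f class3/ca.crt.pem ]; then
  openssl req -new -config ca.cnf \
    -keyout class3/private/ca.key.pem \
    -nodes \
    -subj "/CN=Class 3 Test CA/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \
    -out class3/ca.csr.pem
  openssl ca -config ca.cnf \
    -name root_ca \
    -in class3/ca.csr.pem -out class3/ca.crt.pem \
    -rand_serial \
    -extensions class3_extensions \
    -batch
fi

# Chain bundle, intermediate first and root last. It is not rebuilt when a CA
# certificate is re-issued; remove certs/cachain.crt.pem in that case.
if [ ! -f certs/cachain.crt.pem ]; then
  (
    openssl x509 -in class3/ca.crt.pem
    openssl x509 -in root/ca.crt.pem
  ) >certs/cachain.crt.pem
fi

#######################################
# Issue a leaf certificate from the Class 3 test CA unless it already exists.
# Arguments:
#   $1 - base name under certs/ (<name>.key.pem, .csr.pem and .crt.pem)
#   $2 - extension section of ca.cnf to apply (server_ext or client_ext)
#   $3 - subject in openssl -subj form, e.g. /CN=www.cacert.localhost
#   $4 - subjectAltName value, e.g. DNS:www.cacert.localhost
# Outputs:
#   writes key, CSR and certificate into certs/
# Returns:
#   0 when the certificate exists or was issued; openssl's status otherwise
#   (which aborts the script under set -e)
#######################################
issue_class3_cert() {
  if [ -f "certs/$1.crt.pem" ]; then
    return 0
  fi
  # The SAN travels in the CSR (-addext) and is copied into the certificate by
  # copy_extensions = copy; the *_ext section decides everything else.
  openssl req -new -keyout "certs/$1.key.pem" -nodes \
    -out "certs/$1.csr.pem" -subj "$3" \
    -addext "subjectAltName=$4"
  openssl ca -config ca.cnf \
    -name class3_ca \
    -in "certs/$1.csr.pem" \
    -out "certs/$1.crt.pem" \
    -rand_serial \
    -extensions "$2" \
    -batch
}

# Service certificates. www.cacert.localhost also serves secure.cacert.localhost.
issue_class3_cert cats.cacert.localhost server_ext \
  "/CN=cats.cacert.localhost" \
  "DNS:cats.cacert.localhost,DNS:www.cats.cacert.localhost"
# TLS client certificate the cats service presents to other services.
issue_class3_cert cats-client.cacert.localhost client_ext \
  "/CN=cats.cacert.localhost" \
  "DNS:cats.cacert.localhost"
issue_class3_cert mgr.cacert.localhost server_ext \
  "/CN=mgr.cacert.localhost" \
  "DNS:mgr.cacert.localhost,DNS:www.mgr.cacert.localhost"
issue_class3_cert www.cacert.localhost server_ext \
  "/CN=www.cacert.localhost" \
  "DNS:www.cacert.localhost,DNS:secure.cacert.localhost"

# Browser test user: client certificate plus a PKCS#12 bundle with the chain.
# Deleting only testclient.p12 re-exports the existing certificate; delete
# certs/testclient.crt.pem as well to re-issue it (e.g. after changing .env).
if [ ! -f certs/testclient.p12 ]; then
  : "${CLIENT_CERT_USERNAME:?must be set in .env}"
  : "${CLIENT_CERT_EMAIL:?must be set in .env}"
  : "${CLIENT_CERT_PASSWORD:?must be set in .env}"
  issue_class3_cert testclient client_ext \
    "/CN=${CLIENT_CERT_USERNAME}/emailAddress=${CLIENT_CERT_EMAIL}" \
    "email:${CLIENT_CERT_EMAIL}"
  # The export password is passed through the environment (env:NAME) rather
  # than as a "pass:..." argument, which would show up in the process list.
  CLIENT_CERT_PASSWORD="${CLIENT_CERT_PASSWORD}" openssl pkcs12 -export \
    -out certs/testclient.p12 \
    -passout env:CLIENT_CERT_PASSWORD \
    -chain -CAfile certs/cachain.crt.pem \
    -inkey certs/testclient.key.pem \
    -in certs/testclient.crt.pem \
    -name "${CLIENT_CERT_USERNAME}"
fi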