#!/bin/bash
# Copyright (c) 2024 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
# SPDX-License-Identifier: Apache-2.0
#set -euo pipefail
# https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html
# https://www.shellhacks.com/create-csr-openssl-without-prompt-non-interactive/
# https://akshayranganath.github.io/OCSP-Validation-With-Openssl/
# https://medium.com/@KentaKodashima/generate-pem-keys-with-openssl-on-macos-ecac55791373
# OpenSSL testing of certs: https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html
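create_CRL() {
  # Generate the intermediate CA's CRL from its index and print it back for a
  # visual check. Not called by the main flow below; kept for manual use.
  # Globals:  ROOTDIR (read)
  # Outputs:  the decoded CRL on stdout
  # Returns:  openssl's exit status of the first failing step
  local int_dir="$ROOTDIR/certs/participant1/intermediate"
  local crl="$int_dir/crl/intermediate.crl.pem"
  # All paths are quoted: ROOTDIR comes from $PWD and may contain spaces
  openssl ca -config "$int_dir/openssl.cnf" -gencrl -out "$crl" || return
  # Check CRL: dump it so revoked serials and nextUpdate can be eyeballed
  openssl crl -in "$crl" -noout -text
}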
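create_ocsp_key() {
  # Create the OCSP responder's signing key, CSR and certificate (issued by the
  # intermediate CA with the "ocsp" extension profile), then print the cert.
  # Globals:  ROOTDIR, DOMAIN, DOMAIN_NAME (read)
  # Outputs:  progress line and the decoded responder certificate on stdout
  # Returns:  non-zero if any openssl step fails
  local int_dir="$ROOTDIR/certs/participant1/intermediate"
  local key="$int_dir/private/ocsp.$DOMAIN.key.pem"
  local csr="$int_dir/csr/ocsp.$DOMAIN.csr.pem"
  local cert="$int_dir/certs/ocsp.$DOMAIN.cert.pem"
  echo "Creating OCSP Server Key"
  # This is the responder's signing key; genrsa writes it with the current
  # umask, so on anything but a throwaway PKI run with a restrictive umask
  # (or chmod 600 the file afterwards)
  openssl genrsa -out "$key" 4096 || return
  openssl req -config "$int_dir/openssl.cnf" -new -sha256 \
    -subj "/C=US/ST=New York/O=$DOMAIN_NAME/CN=ocsp.$DOMAIN" \
    -key "$key" -out "$csr" || return
  # NOTE(review): the "ocsp" section of openssl.cnf is expected to set
  # extendedKeyUsage = OCSPSigning, which verifiers require from a delegated
  # responder certificate; confirm in the config, it is not visible here
  openssl ca -batch -config "$int_dir/openssl.cnf" \
    -extensions ocsp -days 375 -notext -md sha256 \
    -in "$csr" -out "$cert" || return
  # Validate extensions
  openssl x509 -noout -text -in "$cert"
}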
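create_test() {
  # Issue a throwaway server certificate (test.$DOMAIN) from the intermediate CA
  # so there is something to query the responder about, then print the OCSP URI
  # the issued certificate carries, confirming the server_cert profile set it.
  # Globals:  ROOTDIR, DOMAIN, DOMAIN_NAME (read)
  # Outputs:  progress line and the certificate's OCSP URI on stdout
  # Returns:  non-zero if any openssl step fails
  local int_dir="$ROOTDIR/certs/participant1/intermediate"
  local srv_dir="$ROOTDIR/certs/participant1/server"
  local key="$srv_dir/private/test.$DOMAIN.key.pem"
  local csr="$srv_dir/csr/test.$DOMAIN.csr.pem"
  local cert="$srv_dir/certs/test.$DOMAIN.cert.pem"
  echo "Creating Test certificate"
  openssl genrsa -out "$key" 2048 || return
  # O= used to be the literal string "DOMAIN_NAME" (missing $); it now expands
  # to the organisation name like the OCSP responder certificate does
  openssl req -config "$int_dir/openssl.cnf" \
    -subj "/C=US/ST=New York/O=$DOMAIN_NAME/CN=test.$DOMAIN" \
    -key "$key" -new -sha256 -out "$csr" || return
  openssl ca -batch -config "$int_dir/openssl.cnf" \
    -extensions server_cert -days 375 -notext -md sha256 \
    -in "$csr" -out "$cert" || return
  openssl x509 -noout -ocsp_uri -in "$cert"
}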
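start_ocsp() {
  # Launch a one-shot OCSP responder for the intermediate CA in the background
  # and give it a moment to bind before the caller queries it.
  # Globals:      ROOTDIR, DOMAIN, OCSP_PARTICIPANT1_INTERMEDIATE_PORT (read)
  # Side effects: changes the working directory to $ROOTDIR; leaves a
  #               background openssl process running until it has served one
  #               request
  # Returns:      non-zero if $ROOTDIR cannot be entered
  local int_dir
  echo "Starting OCSP responder"
  cd "$ROOTDIR" || return
  int_dir="$PWD/certs/participant1/intermediate"
  # -nrequest 1: listen for exactly one request and then terminate, so every
  # check_ocsp_response call is paired with a fresh process that re-reads
  # index.txt (this is how the revocation below becomes visible)
  openssl ocsp -port "$OCSP_PARTICIPANT1_INTERMEDIATE_PORT" -text \
    -index "$int_dir/index.txt" \
    -CA "$int_dir/certs/ca-chain.cert.pem" \
    -rkey "$int_dir/private/ocsp.$DOMAIN.key.pem" \
    -rsigner "$int_dir/certs/ocsp.$DOMAIN.cert.pem" \
    -nrequest 1 &
  # Crude readiness wait: the responder gives no signal once it is listening
  sleep 3
}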
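start_ocsp_longrunning() {
  # Run the responder in the foreground, restarting it up to 20 times; before
  # each (re)start, stop the script if a file named ocsp_kill_switch exists in
  # $ROOTDIR. Unlike start_ocsp this is NOT a one-request responder: -multi 1
  # keeps one worker process serving requests and -timeout 5 bounds how long a
  # worker waits on each client (see openssl-ocsp(1)).
  # Globals:      ROOTDIR, DOMAIN, OCSP_PARTICIPANT1_INTERMEDIATE_PORT (read)
  # Side effects: changes the working directory to $ROOTDIR; calls exit 0
  #               when the kill switch is found
  # Returns:      non-zero if $ROOTDIR cannot be entered
  local int_dir attempt
  echo "Starting OCSP responder"
  cd "$ROOTDIR" || return
  int_dir="$PWD/certs/participant1/intermediate"
  for (( attempt = 1; attempt <= 20; attempt++ )); do
    # The kill switch is only consulted between responder runs, so it takes
    # effect once the current openssl process has exited
    if [[ -f ocsp_kill_switch ]]; then
      exit 0
    fi
    openssl ocsp -port "$OCSP_PARTICIPANT1_INTERMEDIATE_PORT" -text \
      -index "$int_dir/index.txt" \
      -CA "$int_dir/certs/ca-chain.cert.pem" \
      -rkey "$int_dir/private/ocsp.$DOMAIN.key.pem" \
      -rsigner "$int_dir/certs/ocsp.$DOMAIN.cert.pem" \
      -multi 1 \
      -timeout 5
  done
}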
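check_ocsp_response() {
  # Query the local responder about the test certificate and print the full
  # response; this is how the good -> revoked transition is observed.
  # Globals:  ROOTDIR, DOMAIN, OCSP_PARTICIPANT1_INTERMEDIATE_PORT (read)
  # Outputs:  progress line and the decoded OCSP response on stdout
  # Returns:  openssl's exit status
  local int_dir="$ROOTDIR/certs/participant1/intermediate"
  echo "Check OCSP response"
  # -CAfile is what the client verifies the responder's signature against;
  # the URL is quoted so an unexpected port value cannot be word-split
  openssl ocsp -CAfile "$int_dir/certs/ca-chain.cert.pem" \
    -url "http://127.0.0.1:$OCSP_PARTICIPANT1_INTERMEDIATE_PORT" -resp_text \
    -issuer "$int_dir/certs/intermediate.cert.pem" \
    -cert "$ROOTDIR/certs/participant1/server/certs/test.$DOMAIN.cert.pem"
}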
revoke_test() {
  # Mark the test certificate as revoked in the intermediate CA's database
  # (index.txt); a responder started after this is expected to answer
  # "revoked" for it.
  # Globals:  ROOTDIR, DOMAIN (read)
  # Outputs:  progress line on stdout
  # Returns:  openssl ca's exit status
  local cnf="$ROOTDIR/certs/participant1/intermediate/openssl.cnf"
  local target="$ROOTDIR/certs/participant1/server/certs/test.$DOMAIN.cert.pem"
  echo "Revoking certificate"
  openssl ca -batch -config "$cnf" -revoke "$target"
}
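# --- main flow ---------------------------------------------------------------
# Run from the directory that holds env.sh and the certs/ tree produced by the
# CA-hierarchy setup (not part of this script). env.sh is expected to define
# OCSP_PARTICIPANT1_INTERMEDIATE_PORT.
if [[ ! -f ./env.sh ]]; then
  echo "ERROR: env.sh not found in $PWD" >&2
  exit 1
fi
# ./ pins the file to the working directory instead of letting bash search PATH
source ./env.sh
DOMAIN="customer1.com"
DOMAIN_NAME="Customer1 LLC"
export ROOTDIR=$PWD
cd "$ROOTDIR" || exit 1
if [[ ! -d certs ]]; then
  # A bare "exit" here returned status 0 and hid the failure from callers
  echo "ERROR: You need to create PKI CA hierarchy first!" >&2
  exit 1
fi
# Leaf (server) material lives outside the intermediate CA tree; -p makes this
# idempotent across runs
server_dir="$ROOTDIR/certs/participant1/server"
mkdir -p "$server_dir/certs" "$server_dir/private" "$server_dir/csr"
# Reuse the responder's signing key/cert if an earlier run created them
if [[ ! -f "$ROOTDIR/certs/participant1/intermediate/private/ocsp.$DOMAIN.key.pem" ]]; then
  create_ocsp_key || exit 1
fi
# Demonstrate the status transition: query while good, revoke, query again
create_test || exit 1
start_ocsp
check_ocsp_response
revoke_test || exit 1
start_ocsp
check_ocsp_response
start_ocsp_longrunning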