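#!/usr/bin/env bash
set -euo pipefail

# gen.sh generates certificates used in OCSP tests. It generates a CA, client
# certs, and a few different types of server certs with different OCSP
# settings. This requires OpenSSL, not LibreSSL.
#
# usage: ./gen.sh
#
# Output is always written next to this script, whatever the caller's cwd.
#
# Tunables (environment, all optional; the defaults reproduce the original
# fixtures):
#   RSA_BITS  size of every generated RSA key (default 2048). Passed explicitly
#             so the result does not depend on the installed OpenSSL's default.
#   CERT_END  notAfter of every issued cert as YYYYMMDDHHMMSSZ
#             (default 20291014135726Z). The fixtures stop validating after
#             this date, so bump it and regenerate when the tests start
#             failing with an expiry error.
#   OCSP_URL  responder URL placed in the authorityInfoAccess extension of the
#             server-status-request-url-* certs (default http://127.0.0.1:8888;
#             presumably where the tests' OCSP responder listens -- verify
#             against the tests before changing it).
#
# Certificate summary:
#   ca                           self-signed CA (no keyUsage; a production CA
#                                would also carry keyCertSign,cRLSign -- left
#                                out to keep the fixture unchanged)
#   client, server               plain end-entity certs
#   server-status-request        + tlsfeature=status_request (must-staple),
#                                no responder URL
#   server-status-request-url-NN + authorityInfoAccess (OCSP URL) and
#                                tlsfeature, NN = 01..08

readonly RSA_BITS="${RSA_BITS:-2048}"
readonly CERT_END="${CERT_END:-20291014135726Z}"
readonly OCSP_URL="${OCSP_URL:-http://127.0.0.1:8888}"
# Scratch state for `openssl ca` (index, serial, issued copies); removed on exit.
readonly CA_DIR="./demoCA"

#######################################
# Print an `openssl req` config to stdout.
# Arguments:
#   $1 - subject CN
#   $2 - (optional) extra DNS SAN. When given, a v3_req section asking for
#        127.0.0.1, ::1, localhost and this name is included. When omitted
#        (CA CSR) no extensions are requested at all; `openssl req -new`
#        only honours x509_extensions together with -x509, so the original's
#        v3_ca block in the CA CSR config had no effect and is not reproduced.
#######################################
req_config() {
  local cn=$1 san_dns=${2:-}
  cat <<EOF
[ req ]
prompt = no
distinguished_name = req_distinguished_name
string_mask = utf8only
utf8 = yes
EOF
  if [[ -n "$san_dns" ]]; then
    printf 'req_extensions = v3_req\n'
  fi
  cat <<EOF

[ req_distinguished_name ]
C = US
ST = CA
L = San Francisco
O = Synadia
OU = nats.io
CN = ${cn}
EOF
  if [[ -n "$san_dns" ]]; then
    cat <<EOF

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
IP.1 = 127.0.0.1
IP.2 = 0:0:0:0:0:0:0:1
DNS.1 = localhost
DNS.2 = ${san_dns}
EOF
  fi
}

#######################################
# Print an `openssl ca` config to stdout.
# Arguments:
#   $1 - body of the x509 extensions section applied to the issued cert
# Notes:
#   default_md is sha256; the original repeated the key (`default` then
#   `sha256`) and the first assignment was redundant, so it is dropped.
#######################################
ca_config() {
  local extensions=$1
  cat <<EOF
[ ca ]
default_ca = ca_default

[ ca_default ]
dir = ${CA_DIR}
database = ${CA_DIR}/index.txt
new_certs_dir = ${CA_DIR}/newcerts
serial = ${CA_DIR}/serial
policy = policy_anything
x509_extensions = issued
default_md = sha256
default_enddate = ${CERT_END}
# Extensions present in the CSR but not in [ issued ] (here: the SANs) are
# copied into the cert. Acceptable only because every CSR is produced by this
# script; a CA that accepts third-party CSRs must not copy extensions blindly.
copy_extensions = copy

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ issued ]
${extensions}
EOF
}

#######################################
# Extensions for the self-signed CA cert.
#######################################
ca_extensions() {
  printf '%s\n' \
    'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid:always,issuer' \
    'basicConstraints = critical,CA:true'
}

#######################################
# Extensions for an end-entity cert. Extra lines go between keyUsage and
# extendedKeyUsage so the extension order in the DER matches the original
# fixtures.
# Arguments:
#   $@ - zero or more extra extension lines
#######################################
leaf_extensions() {
  printf '%s\n' \
    'basicConstraints = CA:FALSE' \
    'keyUsage = nonRepudiation, digitalSignature, keyEncipherment' \
    "$@" \
    'extendedKeyUsage = serverAuth, clientAuth'
}

#######################################
# Generate an RSA key and a CSR for it.
# Arguments:
#   $1 - file prefix; writes $1-key.pem and $1-csr.pem
#   $2 - subject CN
#   $3 - (optional) extra DNS SAN, see req_config
#######################################
make_key_and_csr() {
  local prefix=$1 cn=$2 san_dns=${3:-}
  openssl genrsa -out "${prefix}-key.pem" "${RSA_BITS}"
  openssl req -new -key "${prefix}-key.pem" -out "${prefix}-csr.pem" \
    -config <(req_config "${cn}" "${san_dns}")
}

#######################################
# Sign $1-csr.pem with the CA, writing $1-cert.pem.
# Arguments:
#   $1 - file prefix
#   $2 - extensions section body for the issued cert
#######################################
sign_with_ca() {
  local prefix=$1 extensions=$2
  openssl ca -batch -keyfile ca-key.pem -cert ca-cert.pem -notext \
    -config <(ca_config "${extensions}") \
    -out "${prefix}-cert.pem" -infiles "${prefix}-csr.pem"
}

#######################################
# Remove CSRs and the `openssl ca` scratch directory. Runs on every exit, so
# a failed run does not leave a stale index/serial for the next one.
#######################################
cleanup() {
  rm -f -- ./*-csr.pem
  rm -rf -- "${CA_DIR:?}"
}

main() {
  # Every path below is relative, and cleanup deletes from the cwd, so pin
  # the cwd to the script's directory rather than wherever it was invoked.
  cd "$(dirname "${BASH_SOURCE[0]}")"

  rm -rf -- "${CA_DIR:?}"
  mkdir -p "${CA_DIR}/newcerts"
  touch "${CA_DIR}/index.txt"
  printf '01\n' > "${CA_DIR}/serial"
  trap cleanup EXIT

  # --- CA ---------------------------------------------------------------
  make_key_and_csr ca "localhost ca"
  openssl ca -batch -keyfile ca-key.pem -selfsign -notext \
    -config <(ca_config "$(ca_extensions)") \
    -out ca-cert.pem -infiles ca-csr.pem

  # --- Client cert ------------------------------------------------------
  # Carries serverAuth as well as clientAuth, as the original fixture did.
  make_key_and_csr client "localhost client" client.localhost
  sign_with_ca client "$(leaf_extensions)"

  # --- Server cert (no OCSP extensions) ---------------------------------
  make_key_and_csr server "localhost server" server.localhost
  sign_with_ca server "$(leaf_extensions)"

  # --- Server cert (tlsfeature only) ------------------------------------
  make_key_and_csr server-status-request "localhost server status request" \
    server-status-request.localhost
  sign_with_ca server-status-request \
    "$(leaf_extensions 'tlsfeature = status_request')"

  # --- Server certs (authorityInfoAccess and tlsfeature) ----------------
  local n prefix
  for n in {01..08}; do
    prefix="server-status-request-url-${n}"
    make_key_and_csr "${prefix}" "localhost ${prefix}" "${prefix}.localhost"
    sign_with_ca "${prefix}" "$(leaf_extensions \
      "authorityInfoAccess = OCSP;URI:${OCSP_URL}" \
      'tlsfeature = status_request')"
  done
}

main "$@"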