Commit 79b184fb authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Extend certificate creation examples to include CRL generation and sample

scripts running the test OCSP responder.
parent 648f551a
+18 −1
@@ -7,6 +7,7 @@
HOME			= .
RANDFILE		= $ENV::HOME/.rnd
CN			= "Not Defined"
default_ca		= ca

####################################################################
[ req ]
@@ -41,6 +42,19 @@ nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
# OCSP responder certificate
[ ocsp_cert ]

basicConstraints=critical, CA:FALSE
keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
extendedKeyUsage=OCSPSigning

[ dh_cert ]

@@ -66,4 +80,7 @@ authorityKeyIdentifier=keyid:always
basicConstraints = critical,CA:true
keyUsage = critical, cRLSign, keyCertSign

# Minimal CA entry to allow generation of CRLs.
[ca]
database=index.txt
crlnumber=crlnum.txt
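Review bot: The new `[ocsp_cert]` section gives the responder certificate `keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment`, but an OCSP signing certificate only ever signs responses, so `keyEncipherment` (and arguably `nonRepudiation`) widens the key's permitted uses for no reason; `keyUsage=critical, digitalSignature` is the least-privilege match for `extendedKeyUsage=OCSPSigning`. The `nsComment = "OpenSSL Generated Certificate"` line is copied verbatim from the end-entity template and no longer describes the certificate; either drop it or name the responder. The minimal `[ca]` section works only because mkcerts.sh passes `-md` and `-crldays` on every call; adding `default_md` and `default_crl_days` here would keep the CRL settings in one place and make a plain `openssl ca -gencrl -config ca.cnf` usable.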
+46 −6
@@ -7,18 +7,20 @@ export OPENSSL_CONF
# Root CA: create certificate directly
CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes \
	-keyout root.pem -out root.pem -newkey rsa:2048 -days 3650
# Server certificate: create request first
CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \
	-keyout skey.pem -out req.pem -newkey rsa:1024
# Sign request: end entity extensions
$OPENSSL x509 -req -in req.pem -CA root.pem -days 3600 \
	-extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem
# Intermediate CA: request first
CN="Test Intermediate CA" $OPENSSL req -config ca.cnf -nodes \
	-keyout intkey.pem -out intreq.pem -newkey rsa:2048
# Sign request: CA extensions
$OPENSSL x509 -req -in intreq.pem -CA root.pem -days 3600 \
	-extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem

# Server certificate: create request first
CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \
	-keyout skey.pem -out req.pem -newkey rsa:1024
# Sign request: end entity extensions
$OPENSSL x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
	-extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem

# Client certificate: request first
CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \
	-keyout ckey.pem -out creq.pem -newkey rsa:1024
@@ -26,6 +28,20 @@ CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \
$OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
	-extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem

# Revkoed certificate: request first
CN="Test Revoked Cert" $OPENSSL req -config ca.cnf -nodes \
	-keyout revkey.pem -out rreq.pem -newkey rsa:1024
# Sign using intermediate CA
$OPENSSL x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
	-extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem

# OCSP responder certificate: request first
CN="Test OCSP Responder Cert" $OPENSSL req -config ca.cnf -nodes \
	-keyout respkey.pem -out respreq.pem -newkey rsa:1024
# Sign using intermediate CA and responder extensions
$OPENSSL x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
	-extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem

# Example creating a PKCS#3 DH certificate. 

# First DH parameters
@@ -54,3 +70,27 @@ CN="Test Client DH Cert" $OPENSSL req -config ca.cnf -new \
$OPENSSL x509 -req -in dhcreq.pem -CA root.pem -days 3600 \
	-force_pubkey dhcpub.pem \
	-extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem

# Examples of CRL generation without the need to use 'ca' to issue
# certificates.
# Create zero length index file
>index.txt
# Create initial crl number file
echo 01 >crlnum.txt
# Add entries for server and client certs
$OPENSSL ca -valid server.pem -keyfile root.pem -cert root.pem \
		-config ca.cnf -md sha1
$OPENSSL ca -valid client.pem -keyfile root.pem -cert root.pem \
		-config ca.cnf -md sha1
$OPENSSL ca -valid rev.pem -keyfile root.pem -cert root.pem \
		-config ca.cnf -md sha1
# Generate a CRL.
$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
		-md sha1 -crldays 1 -out crl1.pem
# Revoke a certificate
openssl ca -revoke rev.pem -crl_reason superseded \
		-keyfile root.pem -cert root.pem -config ca.cnf -md sha1
# Generate another CRL
$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
		-md sha1 -crldays 1 -out crl2.pem
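Review bot: The revocation step `openssl ca -revoke rev.pem -crl_reason superseded \` invokes a bare `openssl` while every other command in the file uses `$OPENSSL`, so it runs whichever binary is first on PATH rather than the freshly built ../../apps/openssl, and the following `-gencrl` then reads an index.txt that a different (possibly older) build updated; change it to `$OPENSSL ca -revoke rev.pem -crl_reason superseded \`. The same hunk hard-codes `-md sha1` on five CA invocations; moving the digest into a single variable (or the config's `default_md`) would make it trivial to switch when the demo is updated. The comment `# Revkoed certificate: request first` in the second hunk should read `# Revoked certificate: request first`.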
+21 −0
# Example querying OpenSSL test responder. Assumes ocsprun.sh has been
# called.

OPENSSL=../../apps/openssl
OPENSSL_CONF=../../apps/openssl.cnf
export OPENSSL_CONF

# Send responder queries for each certificate.

echo "Requesting OCSP status for each certificate"
$OPENSSL ocsp -issuer intca.pem -cert client.pem -CAfile root.pem \
			-url http://127.0.0.1:8888/
$OPENSSL ocsp -issuer intca.pem -cert server.pem -CAfile root.pem \
			-url http://127.0.0.1:8888/
$OPENSSL ocsp -issuer intca.pem -cert rev.pem -CAfile root.pem \
			-url http://127.0.0.1:8888/
# One query for all three certificates.
echo "Requesting OCSP status for three certificates in one request"
$OPENSSL ocsp -issuer intca.pem \
	-cert client.pem -cert server.pem -cert rev.pem \
	-CAfile root.pem -url http://127.0.0.1:8888/
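Review bot: The responder URL `http://127.0.0.1:8888/` is spelled out four times, while ocsprun.sh derives its listening port from `PORT=8888` and also forwards extra arguments, so the two scripts diverge as soon as a different port is chosen; define `PORT=8888` and `URL=http://127.0.0.1:$PORT/` once at the top and pass `-url "$URL"` to each query. The three per-certificate queries differ only in the `-cert` filename and could be one `for c in client server rev; do ... done` loop. The header comment says the script "Assumes ocsprun.sh has been called" but nothing checks that the responder is reachable; a one-line note that a connection error here means the responder is not running would save readers a puzzled moment.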

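--- /dev/null
+++ b/demos/certs/ocsprun.sh
@@ -0,0 +1,14 @@
+# Example of running an querying OpenSSL test OCSP responder.
+# This assumes "mkcerts.sh" or similar has been run to set up the
+# necessary file structure.
+
+OPENSSL=../../apps/openssl
+OPENSSL_CONF=../../apps/openssl.cnf
+export OPENSSL_CONF
+
+# Run OCSP responder.
+
+PORT=8888
+
+$OPENSSL ocsp -port $PORT -index index.txt -CA intca.pem \
+	-rsigner resp.pem -rkey respkey.pem -rother intca.pem $*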
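Review bot: The trailing `$*` on the `$OPENSSL ocsp` line re-splits any extra argument that contains whitespace, so a quoted path handed to the script reaches the responder as several words; use `"$@"` instead (and quote `"$PORT"` for consistency). The header comment `# Example of running an querying OpenSSL test OCSP responder.` should read `running and querying`. The responder is started with only `-port $PORT` and no bind address, so depending on how the accept BIO is set up it may accept connections from other hosts; a comment stating that this is a local test responder meant to be reached via 127.0.0.1 only would make the intent explicit.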