
Add an OCSPD responder

Victor Laborie 2 years ago
parent
commit
5f07a5e24c
2 changed files with 54 additions and 0 deletions
  1. +5
    -0
      openssl.cnf
  2. +49
    -0
      shellpki.sh

+ 5
- 0
openssl.cnf View File

@@ -34,6 +34,11 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

[ v3_ocsp ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = FR
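Review bot: The new `[ v3_ocsp ]` section grants the responder certificate `keyEncipherment`, which a signing-only OCSP responder never uses; a least-privilege profile would be `keyUsage = critical, digitalSignature` alongside the existing `extendedKeyUsage = OCSPSigning`. Responder certificates issued by the CA they answer for also conventionally carry the OCSP no-check extension so that relying parties do not try to check the responder's own status through this same responder; in OpenSSL syntax that is `noCheck = ignored`. Whether to mark `keyUsage` critical depends on the clients this PKI serves, so that part is a suggestion rather than a defect.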


+ 49
- 0
shellpki.sh View File

@@ -52,6 +52,44 @@ commonName_default = ${cn}
EOF
}

ocsp() {
umask 0177

ocsp_uri="${1:-}"
[ -z "${ocsp_uri}" ] && usage >&2 && exit 1

url=$(echo "${ocsp_uri}"|cut -d':' -f1)
port=$(echo "${ocsp_uri}"|cut -d':' -f2)

[ ! -f "${OCSPKEY}" ] && "$OPENSSL" \
genrsa \
-out "${OCSPKEY}" \
2048 >/dev/null 2>&1

"$OPENSSL" req \
-batch -new \
-key "${OCSPKEY}" \
-out "${CSRDIR}/ocsp.csr" \
-config /dev/stdin <<EOF
$(cat "${CONFFILE}")
commonName_default = ${url}
[ usr_cert ]
authorityInfoAccess = OCSP;URI:http://${ocsp_uri}
EOF

[ ! -f "${OCSPCERT}" ] && ask_ca_password 0

[ ! -f "${OCSPCERT}" ] && CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" \
ca \
-extensions v3_ocsp \
-in "${CSRDIR}/ocsp.csr" \
-out "${OCSPCERT}" \
-passin env:CA_PASSWORD \
-config "${CONFFILE}"

"${OPENSSL}" ocsp -index "${INDEX}" -port "${port}" -rsigner "${OCSPCERT}" -rkey "${OCSPKEY}" -CA "${CACERT}" -text
}

usage() {
cat <<EOF
Usage: ${0} <subcommand> [options] [CommonName]
@@ -60,6 +98,10 @@ Initialize PKI (create CA key and self-signed cert) :

${0} init <commonName_for_CA>

Run OCSPD server :

${0} ocsp <ocsp_uri:ocsp_port>

Create a client cert with key and CSR directly generated on server
(use -p for set a password on client key) :

@@ -367,6 +409,8 @@ main() {
CADIR=$(grep -E "^dir" "${CONFFILE}" | cut -d'=' -f2|xargs -n1)
CAKEY=$(grep -E "^private_key" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
CACERT=$(grep -E "^certificate" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
OCSPKEY="${CADIR}/ocsp.key"
OCSPCERT="${CADIR}/ocsp.pem"
CRTDIR=$(grep -E "^certs" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
TMPDIR=$(grep -E "^new_certs_dir" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
INDEX=$(grep -E "^database" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
@@ -398,6 +442,11 @@ main() {
init "$@"
;;

ocsp)
shift
ocsp "$@"
;;

create)
shift
create "$@"
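Review bot: In the `ocsp()` hunk, `port` is derived with `cut -d':' -f2` and never validated, so an argument without a colon (or an IPv6 literal) leaves `port` equal to the host part and the responder fails later with an unrelated error; a check at the top plus builtin expansion would be clearer: `case "${ocsp_uri}" in *:*) ;; *) usage >&2; exit 1 ;; esac`, `url="${ocsp_uri%%:*}"`, `port="${ocsp_uri##*:}"`. The same hunk discards all `genrsa` output with `>/dev/null 2>&1` and then proceeds to `req` even if the key was never written; keeping stderr, or checking `[ -f "${OCSPKEY}" ]` before `req`, would surface the failure. The responder is also started with `-text`, which prints every request and response to stdout — presumably intended for debugging, but worth a comment or a flag since the command appears meant to run as a long-lived service. The `usage()` function that begins at the end of that hunk continues outside it.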

