diff --git a/openssl.cnf b/openssl.cnf
index b05a875..2c87f10 100644
--- a/openssl.cnf
+++ b/openssl.cnf
@@ -34,6 +34,11 @@ subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
 basicConstraints = CA:true
+[ v3_ocsp ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = OCSPSigning
+
 [ req_distinguished_name ]
 countryName = Country Name (2 letter code)
 countryName_default = FR
diff --git a/shellpki.sh b/shellpki.sh
index 37feb00..2db71fb 100755
--- a/shellpki.sh
+++ b/shellpki.sh
@@ -52,6 +52,44 @@ commonName_default = ${cn}
 EOF
 }
+ocsp() {
+ umask 0177
+
+ ocsp_uri="${1:-}"
+ [ -z "${ocsp_uri}" ] && usage >&2 && exit 1
+
+ url=$(echo "${ocsp_uri}"|cut -d':' -f1)
+ port=$(echo "${ocsp_uri}"|cut -d':' -f2)
+
+ [ ! -f "${OCSPKEY}" ] && "$OPENSSL" \
+ genrsa \
+ -out "${OCSPKEY}" \
+ 2048 >/dev/null 2>&1
+
+ "$OPENSSL" req \
+ -batch -new \
+ -key "${OCSPKEY}" \
+ -out "${CSRDIR}/ocsp.csr" \
+ -config /dev/stdin < [options] [CommonName]
@@ -60,6 +98,10 @@ Initialize PKI (create CA key and self-signed cert) :
 ${0} init
+Run OCSPD server :
+ ${0} ocsp
+
 Create a client cert with key and CSR directly generated on server
 (use -p for set a password on client key) :
@@ -367,6 +409,8 @@ main() {
 CADIR=$(grep -E "^dir" "${CONFFILE}" | cut -d'=' -f2|xargs -n1)
 CAKEY=$(grep -E "^private_key" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
 CACERT=$(grep -E "^certificate" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
+ OCSPKEY="${CADIR}/ocsp.key"
+ OCSPCERT="${CADIR}/ocsp.pem"
 CRTDIR=$(grep -E "^certs" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
 TMPDIR=$(grep -E "^new_certs_dir" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
 INDEX=$(grep -E "^database" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
@@ -398,6 +442,11 @@ main() {
 init "$@"
 ;;
+ ocsp)
+ shift
+ ocsp "$@"
+ ;;
+
 create)
 shift
 create "$@"
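Review bot: The `[ v3_ocsp ]` section grants the responder certificate `keyEncipherment` and `nonRepudiation`, which an OCSP signer does not need: it only signs responses, so `keyUsage = digitalSignature` is the least-privilege value. The section also omits the OCSP No Check extension; without `noCheck = ignored`, a client following RFC 6960 may try to check the responder certificate's own revocation status, which is circular when that certificate is issued by the very CA the responder answers for. Whether anything selects this section with `-extensions v3_ocsp` is not visible in this patch, so the section may be dead until the caller in shellpki.sh references it.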
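Review bot: `port=$(echo "${ocsp_uri}"|cut -d':' -f2)` returns the whole argument when it contains no `:`, because cut prints an undelimited line unchanged, so `ocsp foo` silently sets both `url` and `port` to `foo` and the empty-argument guard above it is the only validation. Reject that shape before splitting, e.g. `case "${ocsp_uri}" in *:*) ;; *) usage >&2; exit 1 ;; esac`. The key generation hides every diagnostic with `>/dev/null 2>&1` and sits in a `[ ! -f … ] && …` list, so a failed `genrsa` (unwritable `${CADIR}`, disk full) is indistinguishable from "key already exists" and only surfaces as an unrelated error from the following `req`; wrap it in `if [ ! -f "${OCSPKEY}" ]; then … fi` and exit with a message when `genrsa` returns non-zero. `url` and `port` are not declared `local`, which may be deliberate if the script targets POSIX sh. The rest of `ocsp` after the `-config /dev/stdin` heredoc is not visible in this hunk.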
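Review bot: The new usage entry `${0} ocsp` omits the argument that `ocsp` requires: the function exits via `usage` when `$1` is empty and splits it on `:`, so the line should read `${0} ocsp host:port` (the exact shape is inferred from the `cut -d':'` split, since the part of `ocsp` that consumes `url` and `port` is outside the visible hunk). The surrounding `usage` heredoc starts and ends outside this hunk.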
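Review bot: `OCSPKEY` and `OCSPCERT` are the only paths in this block not read from `${CONFFILE}`, and nothing says why; a comment such as `# OCSP responder key/cert: fixed paths under $dir, not configurable in openssl.cnf` would stop the next reader from hunting for a missing config key. The responder key ends up in `${CADIR}` beside `${CAKEY}`, and the ocsp subcommand keeps it loaded in a long-running process, so a second comment stating that ocsp.key is a separate, lower-trust key than the CA key would document the intent. `main` starts and ends outside this hunk.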