Add an OCSPD responder
parent
75246c956f
commit
5f07a5e24c
@ -34,6 +34,11 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
basicConstraints = CA:true
[ v3_ocsp ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
[ req_distinguished_name ]
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName = Country Name (2 letter code)
countryName_default = FR
countryName_default = FR
49
shellpki.sh
49
shellpki.sh
@ -52,6 +52,44 @@ commonName_default = ${cn}
EOF
EOF
}
}
ocsp() {
umask 0177
ocsp_uri="${1:-}"
[ -z "${ocsp_uri}" ] && usage >&2 && exit 1
url=$(echo "${ocsp_uri}"|cut -d':' -f1)
port=$(echo "${ocsp_uri}"|cut -d':' -f2)
[ ! -f "${OCSPKEY}" ] && "$OPENSSL" \
genrsa \
-out "${OCSPKEY}" \
2048 >/dev/null 2>&1
"$OPENSSL" req \
-batch -new \
-key "${OCSPKEY}" \
-out "${CSRDIR}/ocsp.csr" \
-config /dev/stdin <<EOF
$(cat "${CONFFILE}")
commonName_default = ${url}
[ usr_cert ]
authorityInfoAccess = OCSP;URI:http://${ocsp_uri}
EOF
[ ! -f "${OCSPCERT}" ] && ask_ca_password 0
[ ! -f "${OCSPCERT}" ] && CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}" \
ca \
-extensions v3_ocsp \
-in "${CSRDIR}/ocsp.csr" \
-out "${OCSPCERT}" \
-passin env:CA_PASSWORD \
-config "${CONFFILE}"
"${OPENSSL}" ocsp -index "${INDEX}" -port "${port}" -rsigner "${OCSPCERT}" -rkey "${OCSPKEY}" -CA "${CACERT}" -text
}
usage() {
usage() {
cat <<EOF
cat <<EOF
Usage: ${0} <subcommand> [options] [CommonName]
Usage: ${0} <subcommand> [options] [CommonName]
@ -60,6 +98,10 @@ Initialize PKI (create CA key and self-signed cert) :
${0} init <commonName_for_CA>
${0} init <commonName_for_CA>
Run OCSPD server :
${0} ocsp <ocsp_uri:ocsp_port>
Create a client cert with key and CSR directly generated on server
Create a client cert with key and CSR directly generated on server
(use -p for set a password on client key) :
(use -p for set a password on client key) :
@ -367,6 +409,8 @@ main() {
CADIR=$(grep -E "^dir" "${CONFFILE}" | cut -d'=' -f2|xargs -n1)
CADIR=$(grep -E "^dir" "${CONFFILE}" | cut -d'=' -f2|xargs -n1)
CAKEY=$(grep -E "^private_key" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
CAKEY=$(grep -E "^private_key" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
CACERT=$(grep -E "^certificate" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
CACERT=$(grep -E "^certificate" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
OCSPKEY="${CADIR}/ocsp.key"
OCSPCERT="${CADIR}/ocsp.pem"
CRTDIR=$(grep -E "^certs" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
CRTDIR=$(grep -E "^certs" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
TMPDIR=$(grep -E "^new_certs_dir" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
TMPDIR=$(grep -E "^new_certs_dir" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
INDEX=$(grep -E "^database" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
INDEX=$(grep -E "^database" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
@ -398,6 +442,11 @@ main() {
init "$@"
init "$@"
;;
;;
ocsp)
shift
ocsp "$@"
;;
create)
create)
shift
shift
create "$@"
create "$@"
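Review bot: In the new `ocsp()` function (first shellpki.sh hunk) `url` and `port` are split with `cut -d':'`, so an argument without a colon leaves `port` equal to the host name and the problem only surfaces at the final `openssl ocsp -port` call, after the responder key, CSR and certificate have already been created; a check right after the split would fail fast, e.g. `host=${ocsp_uri%%:*}; port=${ocsp_uri##*:}` followed by `[ "${host}" = "${ocsp_uri}" ] && usage >&2 && exit 1` (the variable is also a host, not a URL, so `host` is the clearer name). The `genrsa` step discards both stdout and stderr with `>/dev/null 2>&1` and its exit status is not checked, so a failed key generation is silent and the following `req`/`ca` steps fail with a misleading error; the `ca` step's status is likewise unchecked before the responder is started with that certificate. A header comment would also help readers, since the host part of the argument is never passed to `openssl ocsp` (only `-port` is) and serves solely as the responder's commonName and the `authorityInfoAccess` URI: `# ocsp <host:port>: issue (once) an OCSP signing cert for <host> and run the responder on <port>`. The remaining shellpki.sh hunks only wire in the `OCSPKEY`/`OCSPCERT` globals, the usage text and the `ocsp)` subcommand dispatch and need no change.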