tests/certs/scripts: generate also CRL

... and make it possible to do so without any user interaction

diff --git a/tests/certs/EdelCurlRoot-ca.cnf b/tests/certs/EdelCurlRoot-ca.cnf
new file mode 100644 (file)
index 0000000..ba99881
--- /dev/null
+++ b/tests/certs/EdelCurlRoot-ca.cnf
@@ -0,0 +1,11 @@
+[ ca ]
+default_ca = EdelCurlRoot
+
+[ EdelCurlRoot ]
+database = EdelCurlRoot-ca.db
+certificate = EdelCurlRoot-ca.crt
+private_key = EdelCurlRoot-ca.key
+crlnumber = EdelCurlRoot-ca.cnt
+default_md = sha1
+default_days = 365
+default_crl_days = 30

diff --git a/tests/certs/scripts/genroot.sh b/tests/certs/scripts/genroot.sh
index b463e2c6e06c08c61a7831cf4389323f5af07ce3..6ac138873ea3f7e258320326c15b4c9735f9c36f 100755 (executable)
--- a/tests/certs/scripts/genroot.sh
+++ b/tests/certs/scripts/genroot.sh
@@ -40,8 +40,11 @@ SERIAL=`/usr/bin/env perl -e "$GETSERIAL"`
 
 echo SERIAL=$SERIAL PREFIX=$PREFIX DURATION=$DURATION KEYSIZE=$KEYSIZE
 
-echo "openssl req -config $PREFIX-ca.prm -newkey rsa:$KEYSIZE -keyout $PREFIX-ca.key -out $PREFIX-ca.csr"
-$OPENSSL req -config $PREFIX-ca.prm -newkey rsa:$KEYSIZE -keyout $PREFIX-ca.key -out $PREFIX-ca.csr
+echo "openssl genrsa -out $PREFIX-ca.key $KEYSIZE -passout XXX"
+openssl genrsa -out $PREFIX-ca.key $KEYSIZE -passout pass:secret
+
+echo "openssl req -config $PREFIX-ca.prm -new -key $PREFIX-ca.key -out $PREFIX-ca.csr"
+$OPENSSL req -config $PREFIX-ca.prm -new -key $PREFIX-ca.key -out $PREFIX-ca.csr -passin pass:secret
 
 echo "openssl x509 -set_serial $SERIAL -extfile $PREFIX-ca.prm -days $DURATION -req -signkey $PREFIX-ca.key -in $PREFIX-ca.csr -out $PREFIX-$SERIAL.ca-cacert -sha1 "
 

diff --git a/tests/certs/scripts/genserv.sh b/tests/certs/scripts/genserv.sh
index 61145d84bb621749c2cf653ee59561c1bae6f064..a70da9c76dee2a62c45a12cc4787ea8b7faa95ce 100755 (executable)
--- a/tests/certs/scripts/genserv.sh
+++ b/tests/certs/scripts/genserv.sh
@@ -39,7 +39,7 @@ if [ ".$CAPREFIX" = . ] ; then
        NOTOK=1
 else
     if [ ! -f $CAPREFIX-ca.cacert ] ; then
-       echo No CA certficate file $PREFIX-ca.caert
+       echo No CA certficate file $CAPREFIX-ca.caert
        NOTOK=1
     fi
     if [ ! -f $CAPREFIX-ca.key ] ; then
@@ -74,7 +74,6 @@ fi
 echo "openssl rsa -in $PREFIX-sv.key -out $PREFIX-sv.key"
 $OPENSSL rsa -in $PREFIX-sv.key -out $PREFIX-sv.key -passin pass:secret
 echo pseudo secrets generated
-read
 
 echo "openssl x509 -set_serial $SERIAL -extfile $PREFIX-sv.prm -days $DURATION  -CA $CAPREFIX-ca.cacert -CAkey $CAPREFIX-ca.key -in $PREFIX-sv.csr -req -out $PREFIX-sv.crt -text -nameopt multiline -sha1"
 
@@ -85,16 +84,23 @@ if [ "$P12." = YES. ] ; then
    echo "$OPENSSL pkcs12 -export -des3 -out $PREFIX-sv.p12 -caname $CAPREFIX -name $PREFIX -inkey $PREFIX-sv.key -in $PREFIX-sv.crt -certfile $CAPREFIX-ca.crt "
 
    $OPENSSL pkcs12 -export -des3 -out $PREFIX-sv.p12 -caname $CAPREFIX -name $PREFIX -inkey $PREFIX-sv.key -in $PREFIX-sv.crt -certfile $CAPREFIX-ca.crt
-
-   read
 fi
 
 echo "openssl x509 -noout -text -hash -in $PREFIX-sv.selfcert -nameopt multiline"
 $OPENSSL x509 -noout -text -hash -in $PREFIX-sv.crt -nameopt multiline
 
+# revoke server cert
+touch $CAPREFIX-ca.db
+echo 01 > $CAPREFIX-ca.cnt
+echo "openssl ca -config $CAPREFIX-ca.cnf -revoke $PREFIX-sv.crt"
+$OPENSSL ca -config $CAPREFIX-ca.cnf -revoke $PREFIX-sv.crt
+
+# issue CRL
+echo "openssl ca -config $CAPREFIX-ca.cnf -gencrl -out $PREFIX-sv.crl"
+$OPENSSL ca -config $CAPREFIX-ca.cnf -gencrl -out $PREFIX-sv.crl
+
 echo "openssl x509 -in $PREFIX-sv.crt -outform der -out $PREFIX-sv.der "
 $OPENSSL x509 -in $PREFIX-sv.crt -outform der -out $PREFIX-sv.der
-read
 
 # all together now
 touch $PREFIX-sv.dhp