diff --git a/certs/ocsp/ocsp-key.pem b/certs/ocsp/ocsp-key.pem new file mode 100644 index 000000000..61c5616a9 --- /dev/null +++ b/certs/ocsp/ocsp-key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAuLojtPbDexTDpPUdYaH1HmO5hSM0UG34fKKKBIvVdVwt92OI +0Qd66gtFNSvrH7EitJRBOOKddNaLMCIQUcXbyj9GK/7lWj9BdGd1lamU1cPuQviN +65KV4dllt0PEGN4WgJDOJDUhxFWsWlHgLi2zClpPSnMxUO5KFr05i60FSIexmeIQ +pwZyZ8pc0Ze9yPF2+OBK7LyT9GZMKHHR2GYDtJAwuxew/pf1HujHXZuLERkSPKuC +cXj/rj8ysghxshuMJ6wRuNhDSc+wcLHwjK7aJIcXO9gEZWwAdlDvFQjXtHNoJhSH +lcNfbmG4h4T6gBoKi5jz4/9ORBxldHxxVGXlOQIDAQABAoIBAGI2tR1VxYD+/TYL +DGAIV+acZtqeaQYKMf8x++eG4SrQo6/QP8HDFFqzO0yV2SC0cRtJZ5PzCHxCRSaG +Nd8EL2NMWOazUwW0c/yLtTypOPSeg2Mf+3SwLvgxOZ9CbFQ8YAJi+vbNOPLGCijL +N0HWEkcC1P1kWWgKCWIloR7eEt0IQOb5PPSCu3buq/rForb6qUf+L+ESpWed6bnc +uhIrHDuQ/PopW05fW1r61zI286wKdLRyatQsljNqPvVdFVhtCKqCqMHdIzMg2cbh +q9DJMWc/KLjzBk6YPMZKm/4k4RXj+IwS+iITbpUNrhYj2TMevBMPW3AIRobD823D +ehQv+rECgYEA3CWL+G9zJ5PXRDAdQ69lN+CE/Uf9444CN5idMO+qRQ+QE8hWYT/U +PFH/aUgd1k3WJZseR/GTWx29VsRPSDWZXzwzLfUNKnqvp0b2oZe/EdYiRSo8OCPp +kF07HbTKe4Cyma7HdgDkNkS+UW5JujnuLcuee+wTq6xU0289juwFBc8CgYEA1s/d +VtwXqBf3qMxfi+eMa77fqxptAFGtZNKNkYwX42Ow6Hehj8EnoPqYEF+9MzKn/BFh +ROnQ76axKBN8mkRUjpv7d2+zMlDnGrWul8q6VrfGiU2P7jd4L6GY/V1MYktnIBsd +Ld/jW8P0FFfI2RIREPWdrATxBhQpTJfXd/7rLncCgYB1wrvyBCQUSrg/KIGvADbj +wf1Bw23jeMZk2QVU9Q8e7ClE+8iBMvSj47T9q28SgQaJjUWQdIA/oFP1AwPp+4n0 +cK5r6gbF72Tg1Uv+ur6hmuswFlyqJ0O8TrLdvCUIFZr0LJNT4zwwb2tjAdz8ehqX +crFvVqRbE884XuwN9ODm7wKBgQDIEnKlI/kkpq4UmcWkGNXAxNauFr7PPUOyVCln +FoRpVcC/xCzGJ7ExTjWzing950BulgFynhPsIeV+3id/x4S6Dq34YCEXDCMzzWQA +HOHRQvm3iHY1+ZQHSQulb/Bk3LYAQUC8KXspTSlYiSqYgytCEIH6Zd/XOY/9tq8J +JHUHoQKBgHYIB2mRCuDK5C3dCspdPVeAUqptK1nnXxWY/MXA6v+M4wFsIxV7Iwg7 +HEjeD5yKH4619syPCFz3jrCxL0oJqVTD2tnrbLf8idEt2eaV/3o2mUGFjvWpTywg +F8DewhrGh6z7FWHp4cMrxpq1hkdi6k+481T1GKBJ1zBSTzskTHQB +-----END RSA PRIVATE KEY----- diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh index ec4e35e47..de8d8e791 100755 --- a/certs/renewcerts.sh 
+++ b/certs/renewcerts.sh
@@ -202,6 +202,23 @@ function run_renewcerts(){
 openssl x509 -in server-ecc-comp.pem -text > tmp.pem
 mv tmp.pem server-ecc-comp.pem
+ ###########################################################
+ ########## update and sign ocsp-cert.pem ##################
+ ###########################################################
+ echo "Updating ocsp-cert.pem"
+ echo ""
+ #pipe the following arguments to openssl req...
+ echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport\ocsp.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ocsp/ocsp-key.pem -nodes > ocsp-req.pem
+
+ openssl x509 -req -in ocsp-req.pem -extfile wolfssl.cnf -extensions v3_ocsp -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 03 > ocsp/ocsp-cert.pem
+
+ rm ocsp-req.pem
+
+ openssl x509 -in ca-cert.pem -text > ca_tmp.pem
+ openssl x509 -in ocsp/ocsp-cert.pem -text > ocsp_tmp.pem
+ mv ocsp_tmp.pem ocsp/ocsp-cert.pem
+ cat ca_tmp.pem >> ocsp/ocsp-cert.pem
+ rm ca_tmp.pem
 ############################################################
 ########## make .der files from .pem files #################
 ############################################################
@@ -302,7 +319,7 @@ elif [ ! -z "$1" ]; then
 echo ""
 echo ""
 #else the argument was invalid, tell user to use -h or -help
- else
+ else
 echo ""
 echo "That is not a valid option."
 echo ""
@@ -328,7 +345,7 @@ else
 # check options.h a second time, if the user had
 # ntru installed on their system and in the default
- # path location, then it will now be defined, if the
+ # path location, then it will now be defined, if the
 # user does not have ntru on their system this will fail
 # again and we will not update any certs until user installs
 # ntru in the default location
diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf
index 7decf9ef9..3da804b44 100644
--- a/certs/renewcerts/wolfssl.cnf
+++ b/certs/renewcerts/wolfssl.cnf
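Review bot: The subject answers piped to `openssl req` on the `echo -e` line are malformed — `Support\ocsp.wolfssl.com` is missing the `n` of `\n`, so bash's echo leaves a literal `\o`, the OU becomes `Support\ocsp.wolfssl.com` and the remaining answers are presumably shifted one prompt down (CN ending up as `info@wolfssl.com`), and nothing in the hunk inspects the certificate that results. Drop the pipe and state the subject on the command line: `openssl req -new -key ocsp/ocsp-key.pem -nodes -subj "/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=Support/CN=ocsp.wolfssl.com/emailAddress=info@wolfssl.com" > ocsp-req.pem`. The `openssl x509 -req` signing step is unchecked too, so if it fails the later `cat ca_tmp.pem >> ocsp/ocsp-cert.pem` appends the CA certificate to an empty file and the script carries on; `|| exit 1` on that line would stop the run there. Because this commit also adds `ocsp/ocsp-key.pem` in plaintext, a comment above the block such as `# ocsp/ocsp-key.pem is a published test key - anyone with the repo can sign OCSP responses under this test CA, so never use it outside test setups` records what the key is for. `run_renewcerts` begins and ends outside the hunk.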
@@ -1,5 +1,5 @@
 #
-# wolfssl configuration file
+# wolfssl configuration file
 #
 HOME = .
 RANDFILE = $ENV::HOME/.rnd
@@ -20,7 +20,7 @@ default_ca = CA_default # The default ca section [ CA_default ]
 ####################################################################
-# CHANGE THIS LINE TO BE YOUR WOLFSSL_ROOT DIRECTORY #
+# CHANGE THIS LINE TO BE YOUR WOLFSSL_ROOT DIRECTORY #
 # # dir = $HOME./.. # ####################################################################
@@ -124,6 +124,7 @@ authorityKeyIdentifier=keyid,issuer
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
 basicConstraints=CA:true
+authorityInfoAccess = OCSP;URI:http://localhost:22222
 # Extensions to add to a certificate request
 [ v3_req ]
@@ -140,6 +141,14 @@ basicConstraints = CA:true
 [ crl_ext ]
 authorityKeyIdentifier=keyid:always
+# OCSP extensions.
+[ v3_ocsp ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = OCSPSigning
+basicConstraints = CA:false
+
 # These extensions should be added when creating a proxy certificate
 [ proxy_cert_ext ]
 basicConstraints=CA:FALSE
@@ -158,7 +167,7 @@ dir = ./demoCA # directory
 serial = $dir/tsaserial # (mandatory)
 crypto_device = builtin # engine
 signer_cert = $dir/tsacert.pem # certificate
-certs = $dir/cacert.pem # chain
+certs = $dir/cacert.pem # chain
 signer_key = $dir/private/tsakey.pem # (optional)
 default_policy = tsa_policy1 # Policy
 other_policies = tsa_policy2, tsa_policy3 # (optional)
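Review bot: The `authorityInfoAccess` line in the `@@ -124,6` hunk is added to a section whose header lies outside the hunk; the surrounding `basicConstraints=CA:true` and `authorityKeyIdentifier=keyid:always,issuer:always` context suggests it is the CA extension set (`[ v3_ca ]`-style), in which case the `http://localhost:22222` pointer ends up on certificates issued with that section rather than on the end-entity certificates a responder is normally asked about. If the leaves are expected to carry the OCSP URL, the same line belongs in the extension section they are signed with, and a comment naming the intent, e.g. `# OCSP responder used by the test suite; leaf certs must carry the same URL`, would keep the two in step.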
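Review bot: `keyUsage = nonRepudiation, digitalSignature, keyEncipherment` in the new `[ v3_ocsp ]` section gives the responder certificate more than it needs: an OCSP signer only signs responses, so `digitalSignature` is the one bit required, and `keyEncipherment` lets the same key be accepted for RSA key transport if the certificate is ever presented elsewhere. Suggest `keyUsage = digitalSignature` (or `critical, digitalSignature`), keeping `extendedKeyUsage = OCSPSigning` and `basicConstraints = CA:false` as they are. A one-line comment above the section, `# Signing-only responder cert; keep keyUsage minimal`, would explain the choice to the next person who regenerates the fixtures.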