adds config to generate ocsp certs

certs/ocsp/ocsp-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAuLojtPbDexTDpPUdYaH1HmO5hSM0UG34fKKKBIvVdVwt92OI
+0Qd66gtFNSvrH7EitJRBOOKddNaLMCIQUcXbyj9GK/7lWj9BdGd1lamU1cPuQviN
+65KV4dllt0PEGN4WgJDOJDUhxFWsWlHgLi2zClpPSnMxUO5KFr05i60FSIexmeIQ
+pwZyZ8pc0Ze9yPF2+OBK7LyT9GZMKHHR2GYDtJAwuxew/pf1HujHXZuLERkSPKuC
+cXj/rj8ysghxshuMJ6wRuNhDSc+wcLHwjK7aJIcXO9gEZWwAdlDvFQjXtHNoJhSH
+lcNfbmG4h4T6gBoKi5jz4/9ORBxldHxxVGXlOQIDAQABAoIBAGI2tR1VxYD+/TYL
+DGAIV+acZtqeaQYKMf8x++eG4SrQo6/QP8HDFFqzO0yV2SC0cRtJZ5PzCHxCRSaG
+Nd8EL2NMWOazUwW0c/yLtTypOPSeg2Mf+3SwLvgxOZ9CbFQ8YAJi+vbNOPLGCijL
+N0HWEkcC1P1kWWgKCWIloR7eEt0IQOb5PPSCu3buq/rForb6qUf+L+ESpWed6bnc
+uhIrHDuQ/PopW05fW1r61zI286wKdLRyatQsljNqPvVdFVhtCKqCqMHdIzMg2cbh
+q9DJMWc/KLjzBk6YPMZKm/4k4RXj+IwS+iITbpUNrhYj2TMevBMPW3AIRobD823D
+ehQv+rECgYEA3CWL+G9zJ5PXRDAdQ69lN+CE/Uf9444CN5idMO+qRQ+QE8hWYT/U
+PFH/aUgd1k3WJZseR/GTWx29VsRPSDWZXzwzLfUNKnqvp0b2oZe/EdYiRSo8OCPp
+kF07HbTKe4Cyma7HdgDkNkS+UW5JujnuLcuee+wTq6xU0289juwFBc8CgYEA1s/d
+VtwXqBf3qMxfi+eMa77fqxptAFGtZNKNkYwX42Ow6Hehj8EnoPqYEF+9MzKn/BFh
+ROnQ76axKBN8mkRUjpv7d2+zMlDnGrWul8q6VrfGiU2P7jd4L6GY/V1MYktnIBsd
+Ld/jW8P0FFfI2RIREPWdrATxBhQpTJfXd/7rLncCgYB1wrvyBCQUSrg/KIGvADbj
+wf1Bw23jeMZk2QVU9Q8e7ClE+8iBMvSj47T9q28SgQaJjUWQdIA/oFP1AwPp+4n0
+cK5r6gbF72Tg1Uv+ur6hmuswFlyqJ0O8TrLdvCUIFZr0LJNT4zwwb2tjAdz8ehqX
+crFvVqRbE884XuwN9ODm7wKBgQDIEnKlI/kkpq4UmcWkGNXAxNauFr7PPUOyVCln
+FoRpVcC/xCzGJ7ExTjWzing950BulgFynhPsIeV+3id/x4S6Dq34YCEXDCMzzWQA
+HOHRQvm3iHY1+ZQHSQulb/Bk3LYAQUC8KXspTSlYiSqYgytCEIH6Zd/XOY/9tq8J
+JHUHoQKBgHYIB2mRCuDK5C3dCspdPVeAUqptK1nnXxWY/MXA6v+M4wFsIxV7Iwg7
+HEjeD5yKH4619syPCFz3jrCxL0oJqVTD2tnrbLf8idEt2eaV/3o2mUGFjvWpTywg
+F8DewhrGh6z7FWHp4cMrxpq1hkdi6k+481T1GKBJ1zBSTzskTHQB
+-----END RSA PRIVATE KEY-----

certs/renewcerts.sh

@@ -202,6 +202,23 @@ function run_renewcerts(){
     openssl x509 -in server-ecc-comp.pem -text > tmp.pem
     mv tmp.pem server-ecc-comp.pem
 
+    ###########################################################
+    ########## update and sign ocsp-cert.pem ##################
+    ###########################################################
+    echo "Updating ocsp-cert.pem"
+    echo ""
+    #pipe the following arguments to openssl req...
+    echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport\ocsp.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ocsp/ocsp-key.pem -nodes > ocsp-req.pem
+
+    openssl x509 -req -in ocsp-req.pem -extfile wolfssl.cnf -extensions v3_ocsp -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 03 > ocsp/ocsp-cert.pem
+
+    rm ocsp-req.pem
+
+    openssl x509 -in ca-cert.pem -text > ca_tmp.pem
+    openssl x509 -in ocsp/ocsp-cert.pem -text > ocsp_tmp.pem
+    mv ocsp_tmp.pem ocsp/ocsp-cert.pem
+    cat ca_tmp.pem >> ocsp/ocsp-cert.pem
+    rm ca_tmp.pem
     ############################################################
     ########## make .der files from .pem files #################
     ############################################################
@@ -302,7 +319,7 @@ elif [ ! -z "$1" ]; then
         echo ""
         echo ""
     #else the argument was invalid, tell user to use -h or -help
-    else 
+    else
         echo ""
         echo "That is not a valid option."
         echo ""
@@ -328,7 +345,7 @@ else
 
     # check options.h a second time, if the user had
     # ntru installed on their system and in the default
-    # path location, then it will now be defined, if the 
+    # path location, then it will now be defined, if the
     # user does not have ntru on their system this will fail
     # again and we will not update any certs until user installs
     # ntru in the default location

certs/renewcerts/wolfssl.cnf

@@ -1,5 +1,5 @@
 #
-# wolfssl configuration file 
+# wolfssl configuration file
 #
 HOME        = .
 RANDFILE    = $ENV::HOME/.rnd
@@ -20,7 +20,7 @@ default_ca  = CA_default        # The default ca section
 [ CA_default ]
 
 ####################################################################
-# CHANGE THIS LINE TO BE YOUR WOLFSSL_ROOT DIRECTORY                #
+# CHANGE THIS LINE TO BE YOUR WOLFSSL_ROOT DIRECTORY               #
 #                                                                  #
 dir             = $HOME./..                                        #
 ####################################################################
@@ -124,6 +124,7 @@ authorityKeyIdentifier=keyid,issuer
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
 basicConstraints=CA:true
+authorityInfoAccess = OCSP;URI:http://localhost:22222
 
 # Extensions to add to a certificate request
 [ v3_req ]
@@ -140,6 +141,14 @@ basicConstraints = CA:true
 [ crl_ext ]
 authorityKeyIdentifier=keyid:always
 
+# OCSP extensions.
+[ v3_ocsp ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = OCSPSigning
+basicConstraints = CA:false
+
 # These extensions should be added when creating a proxy certificate
 [ proxy_cert_ext ]
 basicConstraints=CA:FALSE
@@ -158,7 +167,7 @@ dir                     = ./demoCA                              # directory
 serial                  = $dir/tsaserial                        # (mandatory)
 crypto_device           = builtin                               # engine
 signer_cert             = $dir/tsacert.pem                      # certificate
-certs                   = $dir/cacert.pem                       # chain 
+certs                   = $dir/cacert.pem                       # chain
 signer_key              = $dir/private/tsakey.pem               # (optional)
 default_policy          = tsa_policy1                           # Policy
 other_policies          = tsa_policy2, tsa_policy3              # (optional)