View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0006344 | Compliance Test Tool (CTT) Unified Architecture | 1 - Script Issue | public | 2021-01-14 09:35 | 2021-03-25 14:25 |

| Field | Value |
|---|---|
| Reporter | Uwe Stadelmann |
| Assigned To | Alexander Allmendinger |
| Priority | normal |
| Severity | minor |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.04.09.396 |
| Fixed in Version | 1.03.341.398 |
| Summary | 0006344: Not yet valid certificates: The start date is not in the future since 2021 |
| Description | Some test cases verify the correct usage of certificates which are not yet valid. These certificates are at least ctt_appTV and ctt_usrTV. The script create_ctt_pki.sh defines the start date as 1 January 2021, which is now in the past. The same applies to the Windows version. |
| Tags | No tags attached. |
| Attached Files | |
| Files Affected | |

| Relationship | Issue | Status | Assigned To | Project | Summary |
|---|---|---|---|---|---|
| has duplicate | 0006471 | closed | Alexander Allmendinger | Compliance Test Tool (CTT) Unified Architecture | ValidFrom in ctt_appTV.der no longer usable |
| related to | 0006704 | assigned | Alexander Allmendinger | Certification | The CTT should report if certificates need to be regenerated |

In the script file that creates the certificates, fixed dates were used for the "not yet valid" and "expired" certificates. Such fixed dates will expire at some point, so the CMP group decided to use dates relative to the installation date in the future. This will be part of the next release, but in case users need a workaround first, please use the attached files ...

create_ctt_pki.bat (49,634 bytes):
```bat
@ECHO off
REM %1 -> KEYSIZE
REM %2 -> CURRENT_DIR
REM %3 -> IS_PROJECT_DIR
SETLOCAL ENABLEDELAYEDEXPANSION
SET CURRENT_DIR=%~dp0
IF NOT "%2"=="" SET CURRENT_DIR=%2
SET STORE_PATH=%CURRENT_DIR%\TMPPKI
SET DEPLOYED_SERVER_PKI_PATH=%CURRENT_DIR%ServerProjects\PKI
IF "%3" == "true" SET DEPLOYED_SERVER_PKI_PATH=%CURRENT_DIR%\PKI
SET DEPLOYED_CLIENT_PKI_PATH=%CURRENT_DIR%ClientProjects\PKI
IF "%3" == "true" SET DEPLOYED_CLIENT_PKI_PATH=%CURRENT_DIR%\PKI
SET DEPLOYED_SERVER_STORE_PATH=%DEPLOYED_SERVER_PKI_PATH%\CA
SET DEPLOYED_CLIENT_STORE_PATH=%DEPLOYED_CLIENT_PKI_PATH%\CA
SET HOSTNAME=%COMPUTERNAME%
REM Initialize certificate subject fields
SET KEYSIZE=2048
SET CERTSIGNATUREALG=sha256
IF NOT "%1"=="" SET KEYSIZE=%1
SET DEFAULTKEYSIZE=%KEYSIZE%
SET CERTCN=UA\ Compliance\ Test\ Tool
SET CERTO=OPC\ Foundation
SET CERTL=Scottsdale
SET CERTS=Arizona
SET CERTC=US
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:OPCFoundation:UaComplianceTestTool
SET CERT_VALIDITY_DAYS=365
SET CA_CERT_VALIDITY_DAYS=1825
REM Environment variable used by OpenSSL
SET OPENSSL_CONF=openssl.cnf
REM NOTE: slicing %date% is locale dependent. The offsets below assume a layout
REM such as "Thu 01/14/2021" (two-digit year at offset 12); on other regional
REM settings YEAR is wrong and the "not yet valid"/"expired" windows with it.
REM MONTH and DAY are not used further down. The two-digit YEAR feeds the
REM UTCTime strings (YYMMDDHHMMSSZ) given to openssl ca -startdate/-enddate.
SET /a YEAR=%date:~12,2%
SET /a MONTH=%date:~7,2%
SET /a DAY=%date:~4,2%
SET /a LASTYEAR=%YEAR%-1
SET /a NEXTYEAR=%YEAR%+1
REM These variables are referenced from the OpenSSL configuration file
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
SET G_STORE_PATH=%STORE_PATH%
ECHO Initialize folder structures
REM Temporary PKI store (working directory)
IF NOT EXIST "%STORE_PATH%\certs" MKDIR "%STORE_PATH%\certs"
IF NOT EXIST "%STORE_PATH%\crl" MKDIR "%STORE_PATH%\crl"
IF NOT EXIST "%STORE_PATH%\private" MKDIR "%STORE_PATH%\private"
IF NOT EXIST "%STORE_PATH%\request" MKDIR "%STORE_PATH%\request"
REM ServerProject PKI store
IF NOT EXIST "%DEPLOYED_SERVER_STORE_PATH%\certs" MKDIR "%DEPLOYED_SERVER_STORE_PATH%\certs"
IF NOT EXIST "%DEPLOYED_SERVER_STORE_PATH%\crl" MKDIR "%DEPLOYED_SERVER_STORE_PATH%\crl"
IF NOT EXIST "%DEPLOYED_SERVER_STORE_PATH%\private" MKDIR "%DEPLOYED_SERVER_STORE_PATH%\private"
REM ClientProject PKI store
IF NOT EXIST "%DEPLOYED_CLIENT_STORE_PATH%\certs" MKDIR "%DEPLOYED_CLIENT_STORE_PATH%\certs"
IF NOT EXIST "%DEPLOYED_CLIENT_STORE_PATH%\crl" MKDIR "%DEPLOYED_CLIENT_STORE_PATH%\crl"
IF NOT EXIST "%DEPLOYED_CLIENT_STORE_PATH%\private" MKDIR "%DEPLOYED_CLIENT_STORE_PATH%\private"
REM ServerProject PKI copy_needed_files
SET COPYTOSERVER_PATH=%DEPLOYED_SERVER_PKI_PATH%\copyToServer
SET CS_AI_PKI=%COPYTOSERVER_PATH%\ApplicationInstance_PKI
SET CS_USER_PKI=%COPYTOSERVER_PATH%\X509UserIdentity_PKI
IF NOT EXIST "%COPYTOSERVER_PATH%" MKDIR "%COPYTOSERVER_PATH%"
IF NOT EXIST "%CS_AI_PKI%" MKDIR "%CS_AI_PKI%"
IF NOT EXIST "%CS_USER_PKI%" MKDIR "%CS_USER_PKI%"
IF NOT EXIST "%CS_AI_PKI%\trusted" MKDIR "%CS_AI_PKI%\trusted"
IF NOT EXIST "%CS_AI_PKI%\trusted\certs" MKDIR "%CS_AI_PKI%\trusted\certs"
IF NOT EXIST "%CS_AI_PKI%\trusted\crl" MKDIR "%CS_AI_PKI%\trusted\crl"
IF NOT EXIST "%CS_AI_PKI%\issuers" MKDIR "%CS_AI_PKI%\issuers"
IF NOT EXIST "%CS_AI_PKI%\issuers\certs" MKDIR "%CS_AI_PKI%\issuers\certs"
IF NOT EXIST "%CS_AI_PKI%\issuers\crl" MKDIR "%CS_AI_PKI%\issuers\crl"
IF NOT EXIST "%CS_USER_PKI%\trusted" MKDIR "%CS_USER_PKI%\trusted"
IF NOT EXIST "%CS_USER_PKI%\trusted\certs" MKDIR "%CS_USER_PKI%\trusted\certs"
IF NOT EXIST "%CS_USER_PKI%\trusted\crl" MKDIR "%CS_USER_PKI%\trusted\crl"
IF NOT EXIST "%CS_USER_PKI%\issuers" MKDIR "%CS_USER_PKI%\issuers"
IF NOT EXIST "%CS_USER_PKI%\issuers\certs" MKDIR "%CS_USER_PKI%\issuers\certs"
IF NOT EXIST "%CS_USER_PKI%\issuers\crl" MKDIR "%CS_USER_PKI%\issuers\crl"
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Application Instance Certificate
ECHO =====================================
SET CERTCN=ctt_appT
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_self_signed_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_CLIENT_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Application Instance Certificate (Sha1, 1024 Bit)
ECHO =====================================
SET KEYSIZE=1024
SET CERTSIGNATUREALG=sha1
SET OPENSSL_CONF=openssl_sha1.cnf
SET CERTCN=ctt_appTSha1_1024
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_self_signed_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_CLIENT_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
SET KEYSIZE=%DEFAULTKEYSIZE%
SET CERTSIGNATUREALG=sha256
SET OPENSSL_CONF=openssl.cnf
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Application Instance Certificate (Sha1, 2048 Bit)
ECHO =====================================
SET KEYSIZE=2048
SET CERTSIGNATUREALG=sha1
SET OPENSSL_CONF=openssl_sha1.cnf
SET CERTCN=ctt_appTSha1_2048
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_self_signed_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_CLIENT_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
SET KEYSIZE=%DEFAULTKEYSIZE%
SET CERTSIGNATUREALG=sha256
SET OPENSSL_CONF=openssl.cnf
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Application Instance Certificate (Sha256, 2048 Bit)
ECHO =====================================
SET KEYSIZE=2048
SET CERTSIGNATUREALG=sha256
SET CERTCN=ctt_appTSha256_2048
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_self_signed_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_CLIENT_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
SET KEYSIZE=%DEFAULTKEYSIZE%
SET CERTSIGNATUREALG=sha256
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Application Instance Certificate (Sha256, 4096 Bit)
ECHO =====================================
SET KEYSIZE=4096
SET CERTSIGNATUREALG=sha256
SET CERTCN=ctt_appTSha256_4096
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_self_signed_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_CLIENT_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
SET KEYSIZE=%DEFAULTKEYSIZE%
SET CERTSIGNATUREALG=sha256
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Application Instance Certificate - Not Trusted!
ECHO =====================================
SET CERTCN=ctt_appU
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_self_signed_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Not Yet Valid Application Instance Certificate
ECHO =====================================
SET CERTCN=ctt_appTV
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_self_signed_certificate_validity "%CERTCN%" "%X509_SUBJ%" "%NEXTYEAR%0101120000Z" "%NEXTYEAR%0601120000Z" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Expired Application Instance Certificate - Trusted!
ECHO =====================================
SET CERTCN=ctt_appTE
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_self_signed_certificate_validity "%CERTCN%" "%X509_SUBJ%" "%LASTYEAR%0101120000Z" "%LASTYEAR%0106120000Z" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Expired Application Instance Certificate - Not Trusted!
ECHO =====================================
SET CERTCN=ctt_appUE
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_self_signed_certificate_validity "%CERTCN%" "%X509_SUBJ%" "%LASTYEAR%0101120000Z" "%LASTYEAR%1206120000Z" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Invalid IP Address
ECHO =====================================
SET CERTCN=ctt_appTSip
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:noSuchHost:UA Compliance Test Tool
CALL:create_self_signed_certificate "%CERTCN%" "/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=noSuchHost" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Incorrectly Signed
ECHO =====================================
SET CERTCN=ctt_appTSincorrect
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_self_signed_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
CALL:invalidate_certificate_signature "%CERTCN%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Incorrect App URI
ECHO =====================================
SET CERTCN=ctt_appTSuri
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:ThisIsAnInvalidUri
CALL:create_self_signed_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = Create a trusted root Certificate Authority (CA)
ECHO =====================================
SET CERTCN=ctt_ca1T
SET CURRENTCA=%CERTCN%
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
CALL:create_root_ca_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
CALL:create_all_issued_certificates %CURRENTCA% "trusted"
CALL:copy_needed_files "..\crl\%CURRENTCA%.crl" "%CS_AI_PKI%\trusted\crl" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "..\crl\%CURRENTCA%.crl" "%CS_USER_PKI%\trusted\crl" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = Create a trusted root Certificate Authority (CA) where the revocation list is not available
ECHO =====================================
SET CERTCN=ctt_ca1TC
SET CURRENTCA=%CERTCN%
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
CALL:create_root_ca_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
CALL:create_all_issued_certificates %CURRENTCA% "trusted"
CALL:deploy_revocation_list "%CURRENTCA%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = Create a unknown root Certificate Authority (CA)
ECHO =====================================
SET CERTCN=ctt_ca1U
SET CURRENTCA=%CERTCN%
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
CALL:create_root_ca_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:create_all_issued_certificates %CURRENTCA% "trusted"
ECHO.
ECHO.
ECHO =====================================
ECHO = Create a issuers root Certificate Authority (CA)
ECHO =====================================
SET CERTCN=ctt_ca1I
SET CURRENTCA=%CERTCN%
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
CALL:create_root_ca_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\issuers\certs" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\issuers\certs" || GOTO BATCH_END_ERROR
CALL:create_all_issued_certificates %CURRENTCA% "issuers"
CALL:copy_needed_files "..\crl\%CURRENTCA%.crl" "%CS_AI_PKI%\issuers\crl" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "..\crl\%CURRENTCA%.crl" "%CS_USER_PKI%\issuers\crl" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = Create a issuers root Certificate Authority (CA) where the revocation list is not known
ECHO =====================================
SET CERTCN=ctt_ca1IC
SET CURRENTCA=%CERTCN%
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
CALL:create_root_ca_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\issuers\certs" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\issuers\certs" || GOTO BATCH_END_ERROR
CALL:create_all_issued_certificates %CURRENTCA% "issuers"
REM ECHO.
REM ECHO.
REM ECHO =====================================
REM ECHO = Create a trusted secondary Certificate Authority (CA) from ctt_ca1T
REM ECHO =====================================
REM SET CERTCN=ctt_ca1T_ca2T
REM SET CURRENTCA=%CERTCN%
REM SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
REM SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
REM CALL:create_issued_ca "%CERTCN%" "%X509_SUBJ%" "ctt_ca1T" || GOTO BATCH_END_ERROR
REM SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
REM CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
REM CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
REM CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
REM CALL:create_all_issued_certificates %CURRENTCA% "trusted"
ECHO.
ECHO.
ECHO =====================================
ECHO = Create a untrusted secondary Certificate Authority (CA) from ctt_ca1T
ECHO =====================================
SET CERTCN=ctt_ca1T_ca2U
SET CURRENTCA=%CERTCN%
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
CALL:create_issued_ca "%CERTCN%" "%X509_SUBJ%" "ctt_ca1T" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:create_all_issued_certificates %CURRENTCA% "trusted"
REM ECHO.
REM ECHO.
REM ECHO =====================================
REM ECHO = Create a issuers secondary Certificate Authority (CA) from ctt_ca1T
REM ECHO =====================================
REM SET CERTCN=ctt_ca1T_ca2I
REM SET CURRENTCA=%CERTCN%
REM SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
REM SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
REM CALL:create_issued_ca "%CERTCN%" "%X509_SUBJ%" "ctt_ca1T" || GOTO BATCH_END_ERROR
REM SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
REM CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
REM CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\issuers\certs" || GOTO BATCH_END_ERROR
REM CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\issuers\certs" || GOTO BATCH_END_ERROR
REM CALL:create_all_issued_certificates %CURRENTCA% "issuers"
ECHO.
ECHO.
ECHO =====================================
ECHO = Create a trusted secondary Certificate Authority (CA) from ctt_ca1I
ECHO =====================================
SET CERTCN=ctt_ca1I_ca2T
SET CURRENTCA=%CERTCN%
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
CALL:create_issued_ca "%CERTCN%" "%X509_SUBJ%" "ctt_ca1I" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
CALL:create_all_issued_certificates %CURRENTCA% "trusted"
CALL:copy_needed_files "..\crl\%CURRENTCA%.crl" "%CS_AI_PKI%\trusted\crl" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "..\crl\%CURRENTCA%.crl" "%CS_USER_PKI%\trusted\crl" || GOTO BATCH_END_ERROR
REM ECHO.
REM ECHO.
REM ECHO =====================================
REM ECHO = Create a issuers secondary Certificate Authority (CA) from ctt_ca1I
REM ECHO =====================================
REM SET CERTCN=ctt_ca1I_ca2I
REM SET CURRENTCA=%CERTCN%
REM SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
REM SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
REM CALL:create_issued_ca "%CERTCN%" "%X509_SUBJ%" "ctt_ca1I" || GOTO BATCH_END_ERROR
REM SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
REM CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
REM CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\issuers\certs" || GOTO BATCH_END_ERROR
REM CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\issuers\certs" || GOTO BATCH_END_ERROR
REM CALL:create_all_issued_certificates %CURRENTCA% "issuers"
ECHO.
ECHO.
ECHO =====================================
ECHO = Create a issuers secondary Certificate Authority (CA) from ctt_ca1TC
ECHO =====================================
SET CERTCN=ctt_ca1TC_ca2I
SET CURRENTCA=%CERTCN%
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
CALL:create_issued_ca "%CERTCN%" "%X509_SUBJ%" "ctt_ca1TC" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\issuers\certs" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\issuers\certs" || GOTO BATCH_END_ERROR
CALL:create_all_issued_certificates %CURRENTCA% "issuers"
CALL:copy_needed_files "..\crl\%CURRENTCA%.crl" "%CS_AI_PKI%\issuers\crl" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "..\crl\%CURRENTCA%.crl" "%CS_USER_PKI%\issuers\crl" || GOTO BATCH_END_ERROR
REM ECHO.
REM ECHO.
REM ECHO =====================================
REM ECHO = Create a trusted third Certificate Authority (CA) from ctt_ca1T_ca2T
REM ECHO =====================================
REM SET CERTCN=ctt_ca1T_ca2T_ca3T
REM SET CURRENTCA=%CERTCN%
REM SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
REM SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
REM CALL:create_issued_ca "%CERTCN%" "%X509_SUBJ%" "ctt_ca1T_ca2T" || GOTO BATCH_END_ERROR
REM SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
REM CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
REM CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
REM CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
REM CALL:create_all_issued_certificates %CURRENTCA% "trusted"
REM ECHO.
REM ECHO.
REM ECHO =====================================
REM ECHO = Create a trusted third Certificate Authority (CA) from ctt_ca1T_ca2I
REM ECHO =====================================
REM SET CERTCN=ctt_ca1T_ca2I_ca3T
REM SET CURRENTCA=%CERTCN%
REM SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
REM SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
REM CALL:create_issued_ca "%CERTCN%" "%X509_SUBJ%" "ctt_ca1T_ca2I" || GOTO BATCH_END_ERROR
REM SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
REM CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
REM CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
REM CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
REM CALL:create_all_issued_certificates %CURRENTCA% "trusted"
ECHO Now we are starting to generate the user certificates
ECHO.
ECHO.
ECHO =====================================
ECHO = Creating a USER Certificate for the CTT
ECHO =====================================
SET CERTCN=ctt_usrT
SET G_SUBJECT_ALTERNATIVE_NAME=URI:compliance@opcfoundation.org
CALL:create_self_signed_certificate "%CERTCN%" "/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = Creating a 2nd (not trusted) USER Certificate for the CTT
ECHO =====================================
SET CERTCN=ctt_usrU
SET G_SUBJECT_ALTERNATIVE_NAME=URI:compliance@opcfoundation.org
CALL:create_self_signed_certificate "%CERTCN%" "/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Expired USER Certificate - Trusted!
ECHO =====================================
SET CERTCN=ctt_usrTE
SET G_SUBJECT_ALTERNATIVE_NAME=URI:compliance@opcfoundation.org
CALL:create_self_signed_certificate_validity "%CERTCN%" "/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%" "%LASTYEAR%0101120000Z" "%LASTYEAR%1206120000Z" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Expired USER Certificate - Not Trusted!
ECHO =====================================
SET CERTCN=ctt_usrUE
SET G_SUBJECT_ALTERNATIVE_NAME=URI:compliance@opcfoundation.org
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_self_signed_certificate_validity "%CERTCN%" "/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%" "%LASTYEAR%0101120000Z" "%LASTYEAR%1206120000Z" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Not Yet Valid USER Certificate
ECHO =====================================
SET CERTCN=ctt_usrTV
SET G_SUBJECT_ALTERNATIVE_NAME=URI:compliance@opcfoundation.org
CALL:create_self_signed_certificate_validity "%CERTCN%" "/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%" "%NEXTYEAR%0101120000Z" "%NEXTYEAR%0601120000Z" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Incorrectly Signed USER certificate
ECHO =====================================
SET CERTCN=ctt_usrTSincorrect
SET G_SUBJECT_ALTERNATIVE_NAME=URI:compliance@opcfoundation.org
REM NOTE: X509_SUBJ was last set in the ctt_usrUE section above (it expands at
REM SET time), so this certificate is issued with CN=ctt_usrUE rather than
REM CN=ctt_usrTSincorrect; only the file name carries the intended identity.
CALL:create_self_signed_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
CALL:invalidate_certificate_signature "%CERTCN%" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
GOTO BATCH_END_SUCCESS
REM ================================================================
REM ====================== Helper functions ========================
REM ================================================================
:create_self_signed_certificate
IF %1.==. GOTO function_arguments_error
IF %2.==. GOTO function_arguments_error
SET NAME=%~1
SET SUBJ=%~2
SET PRIVATE_KEY_LOCATION=%STORE_PATH%\private\%NAME%.pem
SET REQUEST_LOCATION=%STORE_PATH%\request\%NAME%.csr
SET CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.der
SET TEMP_CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.pem
REM These variables are referenced from the OpenSSL configuration file
SET G_CA_DATABASE_LOCATION=%STORE_PATH%\database_%NAME%.txt
SET G_CA_SERIAL_NUMBER_LOCATION=%STORE_PATH%\serial_%NAME%.txt
SET G_CA_CRL_NUMBER_LOCATION=%STORE_PATH%\crlnumber_%NAME%.txt
REM remove files to create when they already exist
IF exist "%PRIVATE_KEY_LOCATION%" del "%PRIVATE_KEY_LOCATION%"
IF exist "%REQUEST_LOCATION%" del "%REQUEST_LOCATION%"
IF exist "%CERTIFICATE_LOCATION%" del "%CERTIFICATE_LOCATION%"
IF exist "%TEMP_CERTIFICATE_LOCATION%" del "%TEMP_CERTIFICATE_LOCATION%"
IF exist "%G_CA_DATABASE_LOCATION%" del "%G_CA_DATABASE_LOCATION%"*
IF exist "%G_CA_SERIAL_NUMBER_LOCATION%" del "%G_CA_SERIAL_NUMBER_LOCATION%"*
IF exist "%G_CA_CRL_NUMBER_LOCATION%" del "%G_CA_CRL_NUMBER_LOCATION%"*
REM Creating CA related files
REM Generate an empty file (stderr of ECHO. is redirected into it, so the file is created empty)
ECHO. 2> "%G_CA_DATABASE_LOCATION%"
ECHO 00 > "%G_CA_SERIAL_NUMBER_LOCATION%"
ECHO 00 > "%G_CA_CRL_NUMBER_LOCATION%"
REM Creating private key
openssl genrsa -out "%PRIVATE_KEY_LOCATION%" %KEYSIZE% || GOTO SUBR_OPENSSL_ERROR
REM Creating certificate request
openssl req -config "%OPENSSL_CONF%" -new -%CERTSIGNATUREALG% -key "%PRIVATE_KEY_LOCATION%" -outform PEM -out "%REQUEST_LOCATION%" || GOTO SUBR_OPENSSL_ERROR
REM Creating self signed cert
openssl ca -config "%OPENSSL_CONF%" -batch -days %CERT_VALIDITY_DAYS% -selfsign -keyfile "%PRIVATE_KEY_LOCATION%" -in "%REQUEST_LOCATION%" -out "%TEMP_CERTIFICATE_LOCATION%" -subj "%SUBJ%" -extensions v3_self_signed || GOTO SUBR_OPENSSL_ERROR
REM Converting PEM certificate to DER format
openssl x509 -inform PEM -in "%TEMP_CERTIFICATE_LOCATION%" -outform DER -out "%CERTIFICATE_LOCATION%" || GOTO SUBR_OPENSSL_ERROR
GOTO:EOF
REM ================================================================
:create_self_signed_certificate_validity
IF %1.==. GOTO function_arguments_error
IF %2.==. GOTO function_arguments_error
IF %3.==. GOTO function_arguments_error
IF %4.==. GOTO function_arguments_error
SET NAME=%~1
SET SUBJ=%~2
SET STARTDATE=%~3
SET ENDDATE=%~4
SET PRIVATE_KEY_LOCATION=%STORE_PATH%\private\%NAME%.pem
SET REQUEST_LOCATION=%STORE_PATH%\request\%NAME%.csr
SET CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.der
SET TEMP_CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.pem
REM These variables are referenced from the OpenSSL configuration file
SET G_CA_DATABASE_LOCATION=%STORE_PATH%\database_%NAME%.txt
SET G_CA_SERIAL_NUMBER_LOCATION=%STORE_PATH%\serial_%NAME%.txt
SET G_CA_CRL_NUMBER_LOCATION=%STORE_PATH%\crlnumber_%NAME%.txt
REM remove files to create when they already exist
IF exist "%PRIVATE_KEY_LOCATION%" del "%PRIVATE_KEY_LOCATION%"
IF exist "%REQUEST_LOCATION%" del "%REQUEST_LOCATION%"
IF exist "%CERTIFICATE_LOCATION%" del "%CERTIFICATE_LOCATION%"
IF exist "%TEMP_CERTIFICATE_LOCATION%" del "%TEMP_CERTIFICATE_LOCATION%"
IF exist "%G_CA_DATABASE_LOCATION%" del "%G_CA_DATABASE_LOCATION%"*
IF exist "%G_CA_SERIAL_NUMBER_LOCATION%" del "%G_CA_SERIAL_NUMBER_LOCATION%"*
IF exist "%G_CA_CRL_NUMBER_LOCATION%" del "%G_CA_CRL_NUMBER_LOCATION%"*
REM Creating CA related files
REM Generate an empty file
ECHO. 2> "%G_CA_DATABASE_LOCATION%"
ECHO 00 > "%G_CA_SERIAL_NUMBER_LOCATION%"
ECHO 00 > "%G_CA_CRL_NUMBER_LOCATION%"
REM Creating private key
openssl genrsa -out "%PRIVATE_KEY_LOCATION%" %KEYSIZE% || GOTO SUBR_OPENSSL_ERROR
REM Creating certificate request
openssl req -config "%OPENSSL_CONF%" -new -key "%PRIVATE_KEY_LOCATION%" -outform PEM -out "%REQUEST_LOCATION%" || GOTO SUBR_OPENSSL_ERROR
REM Creating self signed cert with an explicit validity window
REM (STARTDATE/ENDDATE are UTCTime strings of the form YYMMDDHHMMSSZ)
openssl ca -config "%OPENSSL_CONF%" -batch -startdate %STARTDATE% -enddate %ENDDATE% -selfsign -keyfile "%PRIVATE_KEY_LOCATION%" -in "%REQUEST_LOCATION%" -out "%TEMP_CERTIFICATE_LOCATION%" -subj "%SUBJ%" -extensions v3_self_signed || GOTO SUBR_OP<br>ENSSL_ERROR
REM Converting PEM certificate to DER format
openssl x509 -inform PEM -in "%TEMP_CERTIFICATE_LOCATION%" -outform DER -out "%CERTIFICATE_LOCATION%" || GOTO SUBR_OPENSSL_ERROR
GOTO:EOF
REM ================================================================
:invalidate_certificate_signature
IF %1.==. GOTO function_arguments_error
SET NAME=%~1
SET CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.der
openssl enc -e -base64 -in "%CERTIFICATE_LOCATION%" -out "%CERTIFICATE_LOCATION%.b64" || GOTO SUBR_OPENSSL_ERROR
CSCRIPT "fupfile.vbs" "%CERTIFICATE_LOCATION%.b64" || EXIT /B 1
openssl enc -d -base64 -in "%CERTIFICATE_LOCATION%.b64" -out "%CERTIFICATE_LOCATION%" || GOTO SUBR_OPENSSL_ERROR
GOTO:EOF
REM ================================================================
:create_root_ca_certificate
IF %1.==. GOTO function_arguments_error
IF %2.==. GOTO function_arguments_error
SET NAME=%~1
SET SUBJ=%~2
SET PRIVATE_KEY_LOCATION=%STORE_PATH%\private\%NAME%.pem
SET REQUEST_LOCATION=%STORE_PATH%\request\%NAME%.csr
SET CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.der
SET TEMP_CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.pem
REM These variables are referenced from the OpenSSL configuration file
SET G_CA_DATABASE_LOCATION=%STORE_PATH%\database_%NAME%.txt
SET G_CA_SERIAL_NUMBER_LOCATION=%STORE_PATH%\serial_%NAME%.txt
SET G_CA_CRL_NUMBER_LOCATION=%STORE_PATH%\crlnumber_%NAME%.txt
REM remove files to create when they already exist
IF exist "%PRIVATE_KEY_LOCATION%" del "%PRIVATE_KEY_LOCATION%"
IF exist "%REQUEST_LOCATION%" del "%REQUEST_LOCATION%"
IF exist "%CERTIFICATE_LOCATION%" del "%CERTIFICATE_LOCATION%"
IF exist "%TEMP_CERTIFICATE_LOCATION%" del "%TEMP_CERTIFICATE_LOCATION%"
IF exist "%G_CA_DATABASE_LOCATION%" del "%G_CA_DATABASE_LOCATION%"*
IF exist "%G_CA_SERIAL_NUMBER_LOCATION%" del "%G_CA_SERIAL_NUMBER_LOCATION%"*
IF exist "%G_CA_CRL_NUMBER_LOCATION%" del "%G_CA_CRL_NUMBER_LOCATION%"*
REM Creating CA related files
REM Generate an empty file
ECHO.
```
2> "%G_CA_DATABASE_LOCATION%" ECHO 00 > "%G_CA_SERIAL_NUMBER_LOCATION%" ECHO 00 > "%G_CA_CRL_NUMBER_LOCATION%" REM Creating private key openssl genrsa -out "%PRIVATE_KEY_LOCATION%" %KEYSIZE% || GOTO SUBR_OPENSSL_ERROR REM Creating certificate request openssl req -config "%OPENSSL_CONF%" -new -key "%PRIVATE_KEY_LOCATION%" -outform PEM -out "%REQUEST_LOCATION%" || GOTO SUBR_OPENSSL_ERROR REM Creating self signed cert openssl ca -config "%OPENSSL_CONF%" -batch -days %CA_CERT_VALIDITY_DAYS% -selfsign -keyfile "%PRIVATE_KEY_LOCATION%" -in "%REQUEST_LOCATION%" -extensions v3_ca -out "%TEMP_CERTIFICATE_LOCATION%" -subj "%SUBJ%" || GOTO SUBR_OPENSSL_ERROR REM Converting PEM certificate to DER format openssl x509 -inform PEM -in "%TEMP_CERTIFICATE_LOCATION%" -outform DER -out "%CERTIFICATE_LOCATION%" || GOTO SUBR_OPENSSL_ERROR GOTO:EOF REM ================================================================ :create_issued_ca IF %1.==. GOTO function_arguments_error IF %2.==. GOTO function_arguments_error IF %3.==. 
GOTO function_arguments_error SET NAME=%~1 SET SUBJ=%~2 SET CA_NAME=%~3 SET PRIVATE_KEY_LOCATION=%STORE_PATH%\private\%NAME%.pem SET REQUEST_LOCATION=%STORE_PATH%\request\%NAME%.csr SET CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.der SET TEMP_CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.pem SET CA_PEM_CERTIFICATE=%STORE_PATH%\certs\%CA_NAME%.pem SET CA_PRIVATE_KEY=%STORE_PATH%\private\%CA_NAME%.pem REM These variables are referenced from the OpenSSL configuration file SET G_CA_DATABASE_LOCATION=%STORE_PATH%\database_%NAME%.txt SET G_CA_SERIAL_NUMBER_LOCATION=%STORE_PATH%\serial_%NAME%.txt SET G_CA_CRL_NUMBER_LOCATION=%STORE_PATH%\crlnumber_%NAME%.txt REM remove files to create when they already exist IF exist "%PRIVATE_KEY_LOCATION%" del "%PRIVATE_KEY_LOCATION%" IF exist "%REQUEST_LOCATION%" del "%REQUEST_LOCATION%" IF exist "%CERTIFICATE_LOCATION%" del "%CERTIFICATE_LOCATION%" IF exist "%TEMP_CERTIFICATE_LOCATION%" del "%TEMP_CERTIFICATE_LOCATION%" IF exist "%G_CA_DATABASE_LOCATION%" del "%G_CA_DATABASE_LOCATION%"* IF exist "%G_CA_SERIAL_NUMBER_LOCATION%" del "%G_CA_SERIAL_NUMBER_LOCATION%"* IF exist "%G_CA_CRL_NUMBER_LOCATION%" del "%G_CA_CRL_NUMBER_LOCATION%"* REM Creating CA related files REM Generate an empty file ECHO. 
2> "%G_CA_DATABASE_LOCATION%" ECHO 00 > "%G_CA_SERIAL_NUMBER_LOCATION%" ECHO 00 > "%G_CA_CRL_NUMBER_LOCATION%" ECHO Creating private key openssl genrsa -out "%PRIVATE_KEY_LOCATION%" %KEYSIZE% || GOTO SUBR_OPENSSL_ERROR ECHO Creating certificate request openssl req -config "%OPENSSL_CONF%" -new -key "%PRIVATE_KEY_LOCATION%" -outform PEM -out "%REQUEST_LOCATION%" || GOTO SUBR_OPENSSL_ERROR ECHO Creating self signed cert openssl ca -config "%OPENSSL_CONF%" -batch -days %CERT_VALIDITY_DAYS% -in "%REQUEST_LOCATION%" -extensions v3_ca -out "%TEMP_CERTIFICATE_LOCATION%" -subj "%SUBJ%" -keyfile "%CA_PRIVATE_KEY%" -cert "%CA_PEM_CERTIFICATE%" || GOTO SUBR_OPENSSL_ERROR ECHO Converting PEM certificate to DER format openssl x509 -inform PEM -in "%TEMP_CERTIFICATE_LOCATION%" -outform DER -out "%CERTIFICATE_LOCATION%" || GOTO SUBR_OPENSSL_ERROR GOTO:EOF REM ================================================================ :create_issued_certificate IF %1.==. GOTO function_arguments_error IF %2.==. GOTO function_arguments_error IF %3.==. 
GOTO function_arguments_error SET NAME=%~1 SET SUBJ=%~2 SET CA_NAME=%~3 SET PRIVATE_KEY_LOCATION=%STORE_PATH%\private\%NAME%.pem SET REQUEST_LOCATION=%STORE_PATH%\request\%NAME%.csr SET CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.der SET TEMP_CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.pem SET CA_PEM_CERTIFICATE=%STORE_PATH%\certs\%CA_NAME%.pem SET CA_PRIVATE_KEY=%STORE_PATH%\private\%CA_NAME%.pem REM These variables are referenced from the OpenSSL configuration file SET G_CA_DATABASE_LOCATION=%STORE_PATH%\database_%CA_NAME%.txt SET G_CA_SERIAL_NUMBER_LOCATION=%STORE_PATH%\serial_%CA_NAME%.txt SET G_CA_CRL_NUMBER_LOCATION=%STORE_PATH%\crlnumber_%CA_NAME%.txt REM remove files to create when they already exist IF exist "%PRIVATE_KEY_LOCATION%" del "%PRIVATE_KEY_LOCATION%" IF exist "%REQUEST_LOCATION%" del "%REQUEST_LOCATION%" IF exist "%CERTIFICATE_LOCATION%" del "%CERTIFICATE_LOCATION%" IF exist "%TEMP_CERTIFICATE_LOCATION%" del "%TEMP_CERTIFICATE_LOCATION%" REM Creating private key openssl genrsa -out "%PRIVATE_KEY_LOCATION%" %KEYSIZE% || GOTO SUBR_OPENSSL_ERROR REM Creating certificate request openssl req -config "%OPENSSL_CONF%" -new -key "%PRIVATE_KEY_LOCATION%" -outform PEM -out "%REQUEST_LOCATION%" || GOTO SUBR_OPENSSL_ERROR REM Creating self signed cert openssl ca -config "%OPENSSL_CONF%" -batch -days %CERT_VALIDITY_DAYS% -in "%REQUEST_LOCATION%" -out "%TEMP_CERTIFICATE_LOCATION%" -subj "%SUBJ%" -keyfile "%CA_PRIVATE_KEY%" -cert "%CA_PEM_CERTIFICATE%" || GOTO SUBR_OPENSSL_ERROR REM Converting PEM certificate to DER format openssl x509 -inform PEM -in "%TEMP_CERTIFICATE_LOCATION%" -outform DER -out "%CERTIFICATE_LOCATION%" || GOTO SUBR_OPENSSL_ERROR GOTO:EOF REM ================================================================ :revoke_certificate IF %1.==. GOTO function_arguments_error IF %2.==. 
GOTO function_arguments_error SET NAME=%~1 SET CA_NAME=%~2 SET DER_CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.der SET PEM_CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.pem SET CA_CERTIFICATE=%STORE_PATH%\certs\%CA_NAME%.pem SET CA_PRIVATE_KEY=%STORE_PATH%\private\%CA_NAME%.pem REM These variables are referenced from the OpenSSL configuration file SET G_CA_DATABASE_LOCATION=%STORE_PATH%\database_%CA_NAME%.txt SET G_CA_SERIAL_NUMBER_LOCATION=%STORE_PATH%\serial_%CA_NAME%.txt SET G_CA_CRL_NUMBER_LOCATION=%STORE_PATH%\crlnumber_%CA_NAME%.txt REM Converting DER certificate to PEM format openssl x509 -inform DER -in "%DER_CERTIFICATE_LOCATION%" -outform PEM -out "%PEM_CERTIFICATE_LOCATION%" || GOTO SUBR_OPENSSL_ERROR REM Revoking certificate openssl ca -config "%OPENSSL_CONF%" -revoke "%PEM_CERTIFICATE_LOCATION%" -cert "%CA_CERTIFICATE%" -keyfile "%CA_PRIVATE_KEY%" || GOTO SUBR_OPENSSL_ERROR GOTO:EOF REM ================================================================ :update_revocation_list IF %1.==. GOTO function_arguments_error SET CA_NAME=%~1 SET REVOCATION_LIST_LOCATION=%STORE_PATH%\crl\%CA_NAME%.crl SET CA_CERTIFICATE=%STORE_PATH%\certs\%CA_NAME%.pem SET CA_PRIVATE_KEY=%STORE_PATH%\private\%CA_NAME%.pem REM These variables are referenced from the OpenSSL configuration file SET G_CA_DATABASE_LOCATION=%STORE_PATH%\database_%CA_NAME%.txt SET G_CA_SERIAL_NUMBER_LOCATION=%STORE_PATH%\serial_%CA_NAME%.txt SET G_CA_CRL_NUMBER_LOCATION=%STORE_PATH%\crlnumber_%CA_NAME%.txt REM Generate CRL openssl ca -config "%OPENSSL_CONF%" -gencrl -crldays 1825 -out "%REVOCATION_LIST_LOCATION%" -cert "%CA_CERTIFICATE%" -keyfile "%CA_PRIVATE_KEY%" || GOTO SUBR_OPENSSL_ERROR REM Convert CRL from PEM to DER format openssl crl -inform PEM -in "%REVOCATION_LIST_LOCATION%" -outform DER -out "%REVOCATION_LIST_LOCATION%" || GOTO SUBR_OPENSSL_ERROR GOTO:EOF REM ================================================================ :deploy_certificate IF %1.==. 
GOTO function_arguments_error IF %2.==. GOTO function_arguments_error SET NAME=%~1 SET DEPLOYED_STORE_LOCATION=%~2 SET CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.der SET PRIVATE_KEY_LOCATION=%STORE_PATH%\private\%NAME%.pem SET TARGET_CERTIFICATE_LOCATION=%DEPLOYED_STORE_LOCATION%\certs\%NAME%.der SET TARGET_PRIVATE_KEY_LOCATION=%DEPLOYED_STORE_LOCATION%\private\%NAME%.pem COPY /Y "%CERTIFICATE_LOCATION%" "%TARGET_CERTIFICATE_LOCATION%" || GOTO SUBR_DEPLOY_FILE_ERROR COPY /Y "%PRIVATE_KEY_LOCATION%" "%TARGET_PRIVATE_KEY_LOCATION%" || GOTO SUBR_DEPLOY_FILE_ERROR GOTO:EOF REM ================================================================ :deploy_revocation_list IF %1.==. GOTO function_arguments_error IF %2.==. GOTO function_arguments_error SET CA_NAME=%~1 SET DEPLOYED_STORE_LOCATION=%~2 SET REVOCATION_LIST_LOCATION=%STORE_PATH%\crl\%CA_NAME%.crl SET TARGET_REVOCATION_LIST_LOCATION=%DEPLOYED_STORE_LOCATION%\crl\%CA_NAME%.crl COPY /Y "%REVOCATION_LIST_LOCATION%" "%TARGET_REVOCATION_LIST_LOCATION%" || GOTO SUBR_DEPLOY_FILE_ERROR GOTO:EOF REM ================================================================ :copy_needed_files IF %1.==. GOTO function_arguments_error IF %2.==. GOTO function_arguments_error SET NAME=%~1 SET DEPLOYED_STORE_LOCATION=%~2 SET CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME% SET TARGET_CERTIFICATE_LOCATION=%DEPLOYED_STORE_LOCATION%\%NAME% COPY /Y "%CERTIFICATE_LOCATION%" "%TARGET_CERTIFICATE_LOCATION%" || GOTO SUBR_DEPLOY_FILE_ERROR GOTO:EOF REM ================================================================ :create_all_issued_certificates IF %1.==. GOTO function_arguments_error IF %2.==. GOTO function_arguments_error SET CATOISSUECERTIFICATESFROM=%~1 SET PATHTORI=%~2 ECHO Creating all issued certificates for %CATOISSUECERTIFICATESFROM% which is %PATHORI% ECHO. ECHO. 
ECHO ===================================== ECHO = Issue a trusted Certificate from %CATOISSUECERTIFICATESFROM% for the CTT ECHO ===================================== SET CERTCN=%CATOISSUECERTIFICATESFROM%_appT SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME% CALL:create_issued_certificate "%CERTCN%" "%X509_SUBJ%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR ECHO. ECHO. ECHO ===================================== ECHO = Issue a untrusted Certificate from %CATOISSUECERTIFICATESFROM% for the CTT ECHO ===================================== SET CERTCN=%CATOISSUECERTIFICATESFROM%_appU SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME% CALL:create_issued_certificate "%CERTCN%" "%X509_SUBJ%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR ECHO. ECHO. ECHO ===================================== ECHO = Revoke an issued Certificate from %CATOISSUECERTIFICATESFROM% for the trusted folder ECHO ===================================== SET CERTCN=%CATOISSUECERTIFICATESFROM%_appTR SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME% CALL:create_issued_certificate "%CERTCN%" "%X509_SUBJ%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR CALL:revoke_certificate "%CERTCN%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR CALL:update_revocation_list "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR CALL:deploy_revocation_list "%CATOISSUECERTIFICATESFROM%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR ECHO. ECHO. 
ECHO ===================================== ECHO = Revoke a second issued Certificate from %CATOISSUECERTIFICATESFROM% which is not trusted ECHO ===================================== SET CERTCN=%CATOISSUECERTIFICATESFROM%_appUR SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME% CALL:create_issued_certificate "%CERTCN%" "%X509_SUBJ%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR CALL:revoke_certificate "%CERTCN%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR CALL:update_revocation_list "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR CALL:deploy_revocation_list "%CATOISSUECERTIFICATESFROM%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR REM Now lets issue the user certs for this ca SET G_SUBJECT_ALTERNATIVE_NAME=URI:compliance@opcfoundation.org ECHO. ECHO. ECHO ===================================== ECHO = Issue a trusted User Certificate from %CATOISSUECERTIFICATESFROM% for the CTT ECHO ===================================== SET CERTCN=%CATOISSUECERTIFICATESFROM%_usrT SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME% CALL:create_issued_certificate "%CERTCN%" "/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR ECHO. ECHO. 
ECHO ===================================== ECHO = Issue a untrusted User Certificate from %CATOISSUECERTIFICATESFROM% for the CTT ECHO ===================================== SET CERTCN=%CATOISSUECERTIFICATESFROM%_usrU SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME% CALL:create_issued_certificate "%CERTCN%" "/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR ECHO. ECHO. ECHO ===================================== ECHO = Revoke an issued User Certificate from %CATOISSUECERTIFICATESFROM% for the trusted folder ECHO ===================================== SET CERTCN=%CATOISSUECERTIFICATESFROM%_usrTR SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME% CALL:create_issued_certificate "%CERTCN%" "%X509_SUBJ%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR CALL:revoke_certificate "%CERTCN%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR CALL:update_revocation_list "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR CALL:deploy_revocation_list "%CATOISSUECERTIFICATESFROM%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR ECHO. ECHO. 
ECHO ===================================== ECHO = Revoke a second issued Certificate from %CATOISSUECERTIFICATESFROM% which is not trusted ECHO ===================================== SET CERTCN=%CATOISSUECERTIFICATESFROM%_usrUR SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME% CALL:create_issued_certificate "%CERTCN%" "%X509_SUBJ%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR CALL:revoke_certificate "%CERTCN%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR CALL:update_revocation_list "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR REM Reset the Subject alternative name SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME% GOTO:EOF REM ================================================================ :function_arguments_error ECHO Invalid arguments when calling script function EXIT /B 1 :SUBR_OPENSSL_ERROR ECHO OpenSSL exited with an error EXIT /B 1 :SUBR_DEPLOY_FILE_ERROR ECHO Failed to deploy file EXIT /B 1 :BATCH_END_SUCCESS REM Delete temporary store location RMDIR "%STORE_PATH%" /S /Q ECHO. ECHO. ECHO ~~~ Certificates successfully created ~~~ ENDLOCAL EXIT /B 0 :BATCH_END_ERROR REM Delete PKI folder RMDIR "%STORE_PATH%" /S /Q RMDIR "%DEPLOYED_SERVER_PKI_PATH%" /S /Q RMDIR "%DEPLOYED_CLIENT_PKI_PATH%" /S /Q ECHO. ECHO. ECHO ~~~ Failed to create certificates ~~~ ENDLOCAL EXIT /B 1 |
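The workaround scripts stop pinning the "not yet valid" and "expired" test certificates to fixed calendar dates and instead hand run-relative values to `openssl ca -startdate`/`-enddate`. The following is an added example, not code from the CTT scripts: it derives such windows from the generation time in the YYYYMMDDHHMMSSZ form OpenSSL accepts, and checks afterwards whether a window is still in the state a test case expects, which is the regeneration check related issue 0006704 asks the CTT to report. It assumes GNU coreutils `date`; the generation time (2021-03-14) and the 2022-01-01 end date of the old fixed-date certificate are constructed values.

```shell
#!/bin/bash
# Added example (not code from the CTT scripts): derive the validity windows
# of the "not yet valid" and "expired" test certificates relative to the time
# the PKI is generated, in the YYYYMMDDHHMMSSZ form that
# `openssl ca -startdate/-enddate` accepts, and check afterwards whether such
# a certificate is still in the state a test case expects.
# Assumption: GNU coreutils `date` (needed for `-d @epoch`).

DAY_SECONDS=86400

# Epoch seconds -> OpenSSL GeneralizedTime string in UTC.
ossl_time() {
    date -u -d "@$1" +%Y%m%d%H%M%SZ
}

# Windows are offsets in whole days from the generation time, so they move
# with every run instead of being pinned to a calendar date such as
# 2021-01-01 (the defect reported in this issue). Both functions print
# "<notBefore> <notAfter>".
not_yet_valid_window() {
    local now=$1
    local start=$(( now + 365 * DAY_SECONDS ))
    local end=$(( start + 365 * DAY_SECONDS ))
    echo "$(ossl_time "$start") $(ossl_time "$end")"
}

expired_window() {
    local now=$1
    local end=$(( now - 365 * DAY_SECONDS ))
    local start=$(( end - 365 * DAY_SECONDS ))
    echo "$(ossl_time "$start") $(ossl_time "$end")"
}

# Classify a window against a reference time. All arguments are
# YYYYMMDDHHMMSSZ strings; without the trailing Z they are fixed-width
# digit strings, so numeric comparison is chronological.
validity_state() {
    local not_before=${1%Z}
    local not_after=${2%Z}
    local ref=${3%Z}
    if [ "$ref" -lt "$not_before" ]; then
        echo not-yet-valid
    elif [ "$ref" -gt "$not_after" ]; then
        echo expired
    else
        echo valid
    fi
}

# Exit status 0 when the window is still in the state the test case expects,
# 1 when the generated PKI has aged out of it and must be regenerated.
window_matches() {
    [ "$(validity_state "$2" "$3" "$4")" = "$1" ]
}

# The arguments create_self_signed_certificate_validity on this page passes
# to `openssl ca`, for the state named in $1 and the generation time in $2.
ca_validity_args() {
    local window
    window=$(case $1 in
        not-yet-valid) not_yet_valid_window "$2" ;;
        expired)       expired_window "$2" ;;
        *) echo "unknown state: $1" >&2; return 1 ;;
    esac) || return 1
    set -- $window
    echo "-startdate $1 -enddate $2"
}

# Demonstration with constructed values: the PKI is generated on
# 2021-03-14T00:00:00Z (epoch 1615680000); the old fixed-date certificate
# has notBefore 2021-01-01 (its notAfter below is assumed).
demo() {
    local generated=1615680000
    local today
    today=$(ossl_time "$generated")
    echo "fixed window checked on $today: $(validity_state 20210101000000Z 20220101000000Z "$today")"
    echo "relative window: $(ca_validity_args not-yet-valid "$generated")"
    set -- $(not_yet_valid_window "$generated")
    echo "relative window checked on $today: $(validity_state "$1" "$2" "$today")"
    window_matches not-yet-valid "$1" "$2" "$today" && echo "not-yet-valid test certificate still usable"
}

demo
```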
Here is the updated Linux sh script which is being used ... create_ctt_pki.sh (43,085 bytes)
#!/bin/bash
#handling calling arguments
if [ "$#" -gt 0 ]; then
echo "Arg0: DefaultKeySize=$1"
KEYSIZE=$1
else
KEYSIZE=2048
fi
if [ "$#" -gt 1 ]; then
echo "Arg1: CurrentDir=$2"
CURRENT_DIR=$2
else
#getting current directory where the script is called
pushd "$(dirname "$0")" > /dev/null
CURRENT_DIR="$PWD"
popd > /dev/null
fi
if [ "$#" -gt 2 ]; then
echo "Arg2: IsProjectDir=$3"
ISPROJECTDIR=$3
fi
if [ "$#" -gt 3 ]; then
echo "Arg3: ApplicationDir=$4"
APPLICATION_DIR=$4
else
APPLICATION_DIR=$CURRENT_DIR
fi
echo "Working directory: $CURRENT_DIR"
STORE_PATH=$CURRENT_DIR/TMPPKI
# ISPROJECTDIR is unset when fewer than three arguments are given; treat that as 0
if [ "${ISPROJECTDIR:-0}" -ne 1 ]; then
DEPLOYED_SERVER_PKI_PATH=$CURRENT_DIR/../ServerProjects/PKI
DEPLOYED_CLIENT_PKI_PATH=$CURRENT_DIR/../ClientProjects/PKI
else
DEPLOYED_SERVER_PKI_PATH=$CURRENT_DIR/PKI
DEPLOYED_CLIENT_PKI_PATH=$CURRENT_DIR/PKI
fi
DEPLOYED_SERVER_STORE_PATH=$DEPLOYED_SERVER_PKI_PATH/CA
DEPLOYED_CLIENT_STORE_PATH=$DEPLOYED_CLIENT_PKI_PATH/CA
HOSTNAME=$(hostname)
# Initialize certificate subject fields
DEFAULTKEYSIZE=$KEYSIZE
CERTCN="UA Compliance Test Tool"
CERTO="OPC Foundation"
CERTL="Scottsdale"
CERTS="Arizona"
CERTC="US"
X509_SUBJ="/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME"
SUBJECT_ALTERNATIVE_NAME="URI:urn:$HOSTNAME:OPCFoundation:UaComplianceTestTool"
CERT_VALIDITY_DAYS=365
CA_CERT_VALIDITY_DAYS=1825
export YEAR=$(date +"%y")
export MONTH=$(date +"%m")
export DAY=$(date +"%d")
# 10# forces decimal so that a two-digit year such as 08 or 09 is not parsed as octal
export LASTYEAR=$((10#$YEAR-1))
export NEXTYEAR=$((10#$YEAR+1))
#Environment variable used by OpenSSL
OPENSSL_CONF=$APPLICATION_DIR/openssl.cnf
# These variables are referenced from the OpenSSL configuration file
export G_SUBJECT_ALTERNATIVE_NAME=$SUBJECT_ALTERNATIVE_NAME
export G_STORE_PATH=$STORE_PATH
echo "Initialize folder structures"
# Temporary PKI store (working directory)
mkdir -p "$STORE_PATH/certs" || { echo "Failed to create folder"; exit 1; }
mkdir -p "$STORE_PATH/crl" || { echo "Failed to create folder"; exit 1; }
mkdir -p "$STORE_PATH/private" || { echo "Failed to create folder"; exit 1; }
mkdir -p "$STORE_PATH/request" || { echo "Failed to create folder"; exit 1; }
# ServerProject PKI store
mkdir -p "$DEPLOYED_SERVER_STORE_PATH/certs" || { echo "Failed to create folder"; exit 1; }
mkdir -p "$DEPLOYED_SERVER_STORE_PATH/crl" || { echo "Failed to create folder"; exit 1; }
mkdir -p "$DEPLOYED_SERVER_STORE_PATH/private" || { echo "Failed to create folder"; exit 1; }
# ClientProject PKI store
mkdir -p "$DEPLOYED_CLIENT_STORE_PATH/certs" || { echo "Failed to create folder"; exit 1; }
mkdir -p "$DEPLOYED_CLIENT_STORE_PATH/crl" || { echo "Failed to create folder"; exit 1; }
mkdir -p "$DEPLOYED_CLIENT_STORE_PATH/private" || { echo "Failed to create folder"; exit 1; }
# ServerProject PKI copy_needed_files
export COPYTOSERVER_PATH=$DEPLOYED_SERVER_PKI_PATH/copyToServer
export CS_AI_PKI=$COPYTOSERVER_PATH/ApplicationInstance_PKI
export CS_USER_PKI=$COPYTOSERVER_PATH/X509UserIdentity_PKI
mkdir -p "$COPYTOSERVER_PATH" || { echo "Failed to create folder"; exit 1; }
mkdir -p "$CS_AI_PKI" || { echo "Failed to create folder"; exit 1; }
mkdir -p "$CS_USER_PKI" || { echo "Failed to create folder"; exit 1; }
mkdir -p "$CS_AI_PKI/trusted" || { echo "Failed to create folder"; exit 1; }
mkdir -p "$CS_AI_PKI/trusted/certs" || { echo "Failed to create folder"; exit 1; }
mkdir -p "$CS_AI_PKI/trusted/crl" || { echo "Failed to create folder"; exit 1; }
mkdir -p "$CS_AI_PKI/issuers" || { echo "Failed to create folder"; exit 1; }
mkdir -p "$CS_AI_PKI/issuers/certs" || { echo "Failed to create folder"; exit 1; }
mkdir -p "$CS_AI_PKI/issuers/crl" || { echo "Failed to create folder"; exit 1; }
mkdir -p "$CS_USER_PKI/trusted" || { echo "Failed to create folder"; exit 1; }
mkdir -p "$CS_USER_PKI/trusted/certs" || { echo "Failed to create folder"; exit 1; }
mkdir -p "$CS_USER_PKI/trusted/crl" || { echo "Failed to create folder"; exit 1; }
mkdir -p "$CS_USER_PKI/issuers" || { echo "Failed to create folder"; exit 1; }
mkdir -p "$CS_USER_PKI/issuers/certs" || { echo "Failed to create folder"; exit 1; }
mkdir -p "$CS_USER_PKI/issuers/crl" || { echo "Failed to create folder"; exit 1; }
#Write .rnd file to avoid errors in terminal
openssl rand -writerand "$STORE_PATH/.rnd"
#================================================================
#====================== Helper functions ========================
#================================================================
process_end_success()
{
rm -rf "$STORE_PATH"
echo ""
echo ""
echo "~~~ Certificates successfully created ~~~ "
exit 0
}
process_end_error()
{
rm -rf "$STORE_PATH"
rm -rf "$DEPLOYED_SERVER_PKI_PATH"
rm -rf "$DEPLOYED_CLIENT_PKI_PATH"
echo ""
echo ""
echo "~~~ Failed to create certificates ~~~"
exit 1
}
create_self_signed_certificate()
{
if [ "$#" -ne 2 ]; then
echo "Invalid arguments when calling script function (expected=2|received=$#)"
return 1
fi
NAME=$1
SUBJ=$2
PRIVATE_KEY_LOCATION=$STORE_PATH/private/$NAME.pem
REQUEST_LOCATION=$STORE_PATH/request/$NAME.csr
CERTIFICATE_LOCATION=$STORE_PATH/certs/$NAME.der
TEMP_CERTIFICATE_LOCATION=$STORE_PATH/certs/$NAME.pem
# These variables are referenced from the OpenSSL configuration file
export G_CA_DATABASE_LOCATION=$STORE_PATH/database_$NAME.txt
export G_CA_SERIAL_NUMBER_LOCATION=$STORE_PATH/serial_$NAME.txt
export G_CA_CRL_NUMBER_LOCATION=$STORE_PATH/crlnumber_$NAME.txt
# remove files to create when they already exist
if [ -f "$PRIVATE_KEY_LOCATION" ]; then rm "$PRIVATE_KEY_LOCATION" ; fi
if [ -f "$REQUEST_LOCATION" ]; then rm "$REQUEST_LOCATION" ; fi
if [ -f "$CERTIFICATE_LOCATION" ]; then rm "$CERTIFICATE_LOCATION" ; fi
if [ -f "$TEMP_CERTIFICATE_LOCATION" ]; then rm "$TEMP_CERTIFICATE_LOCATION" ; fi
if [ -f "$G_CA_DATABASE_LOCATION" ]; then rm "$G_CA_DATABASE_LOCATION"* ; fi
if [ -f "$G_CA_SERIAL_NUMBER_LOCATION" ]; then rm "$G_CA_SERIAL_NUMBER_LOCATION"* ; fi
if [ -f "$G_CA_CRL_NUMBER_LOCATION" ]; then rm "$G_CA_CRL_NUMBER_LOCATION"* ; fi
# Creating CA related files
# Generate an empty file
touch "$G_CA_DATABASE_LOCATION"
echo 00 > "$G_CA_SERIAL_NUMBER_LOCATION"
echo 00 > "$G_CA_CRL_NUMBER_LOCATION"
# Creating private key
openssl genrsa -out "$PRIVATE_KEY_LOCATION" $KEYSIZE || return 1
# Creating certificate request
openssl req -config "$OPENSSL_CONF" -new -key "$PRIVATE_KEY_LOCATION" -outform PEM -out "$REQUEST_LOCATION" || return 1
# Creating self signed cert
openssl ca -config "$OPENSSL_CONF" -batch -days $CERT_VALIDITY_DAYS -selfsign -keyfile "$PRIVATE_KEY_LOCATION" -in "$REQUEST_LOCATION" -out "$TEMP_CERTIFICATE_LOCATION" -subj "$SUBJ" -extensions v3_self_signed || return 1
# Converting PEM certificate to DER format
openssl x509 -inform PEM -in "$TEMP_CERTIFICATE_LOCATION" -outform DER -out "$CERTIFICATE_LOCATION" || return 1
return 0
}
create_self_signed_certificate_validity()
{
if [ "$#" -ne 4 ]; then
echo "Invalid arguments when calling script function"
return 1
fi
NAME=$1
SUBJ=$2
STARTDATE=$3
ENDDATE=$4
PRIVATE_KEY_LOCATION=$STORE_PATH/private/$NAME.pem
REQUEST_LOCATION=$STORE_PATH/request/$NAME.csr
CERTIFICATE_LOCATION=$STORE_PATH/certs/$NAME.der
TEMP_CERTIFICATE_LOCATION=$STORE_PATH/certs/$NAME.pem
# These variables are referenced from the OpenSSL configuration file
export G_CA_DATABASE_LOCATION=$STORE_PATH/database_$NAME.txt
export G_CA_SERIAL_NUMBER_LOCATION=$STORE_PATH/serial_$NAME.txt
export G_CA_CRL_NUMBER_LOCATION=$STORE_PATH/crlnumber_$NAME.txt
# remove files to create when they already exist
if [ -f "$PRIVATE_KEY_LOCATION" ]; then rm "$PRIVATE_KEY_LOCATION" ; fi
if [ -f "$REQUEST_LOCATION" ]; then rm "$REQUEST_LOCATION" ; fi
if [ -f "$CERTIFICATE_LOCATION" ]; then rm "$CERTIFICATE_LOCATION" ; fi
if [ -f "$TEMP_CERTIFICATE_LOCATION" ]; then rm "$TEMP_CERTIFICATE_LOCATION" ; fi
if [ -f "$G_CA_DATABASE_LOCATION" ]; then rm "$G_CA_DATABASE_LOCATION"* ; fi
if [ -f "$G_CA_SERIAL_NUMBER_LOCATION" ]; then rm "$G_CA_SERIAL_NUMBER_LOCATION"* ; fi
if [ -f "$G_CA_CRL_NUMBER_LOCATION" ]; then rm "$G_CA_CRL_NUMBER_LOCATION"* ; fi
# Creating CA related files
# Generate an empty file
touch "$G_CA_DATABASE_LOCATION"
echo 00 > "$G_CA_SERIAL_NUMBER_LOCATION"
echo 00 > "$G_CA_CRL_NUMBER_LOCATION"
# Creating private key
openssl genrsa -out "$PRIVATE_KEY_LOCATION" $KEYSIZE || return 1
# Creating certificate request
openssl req -config "$OPENSSL_CONF" -new -key "$PRIVATE_KEY_LOCATION" -outform PEM -out "$REQUEST_LOCATION" || return 1
# Creating self signed cert
openssl ca -config "$OPENSSL_CONF" -batch -startdate $STARTDATE -enddate $ENDDATE -selfsign -keyfile "$PRIVATE_KEY_LOCATION" -in "$REQUEST_LOCATION" -out "$TEMP_CERTIFICATE_LOCATION" -subj "$SUBJ" -extensions v3_self_signed || return 1
# Converting PEM certificate to DER format
openssl x509 -inform PEM -in "$TEMP_CERTIFICATE_LOCATION" -outform DER -out "$CERTIFICATE_LOCATION" || return 1
return 0
}
invalidate_certificate_signature()
{
if [ "$#" -ne 1 ]; then
echo "Invalid arguments when calling script function"
return 1
fi
NAME=$1
CERTIFICATE_LOCATION=$STORE_PATH/certs/$NAME.der
FILE_SIZE=$(stat -c%s "$CERTIFICATE_LOCATION")
# Overwrite one byte 51 bytes before the end of the DER encoding, which lies
# inside the signature value, so the certificate's signature no longer verifies
BYTECNT_PRE=$((FILE_SIZE - 51))
TEMP_FILE=$STORE_PATH/certs/tempinvalidsign.der
if [ -f "$TEMP_FILE" ]; then rm "$TEMP_FILE" ; fi
head -c "$BYTECNT_PRE" "$CERTIFICATE_LOCATION" > "$TEMP_FILE"
echo -n -e "\x3F" >> "$TEMP_FILE"
tail -c 50 "$CERTIFICATE_LOCATION" >> "$TEMP_FILE"
cp "$TEMP_FILE" "$CERTIFICATE_LOCATION" || return 1
rm "$TEMP_FILE" || return 1
return 0
}
create_root_ca_certificate()
{
if [ "$#" -ne 2 ]; then
echo "Invalid arguments when calling script function"
return 1
fi
NAME=$1
SUBJ=$2
PRIVATE_KEY_LOCATION=$STORE_PATH/private/$NAME.pem
REQUEST_LOCATION=$STORE_PATH/request/$NAME.csr
CERTIFICATE_LOCATION=$STORE_PATH/certs/$NAME.der
TEMP_CERTIFICATE_LOCATION=$STORE_PATH/certs/$NAME.pem
# These variables are referenced from the OpenSSL configuration file
export G_CA_DATABASE_LOCATION=$STORE_PATH/database_$NAME.txt
export G_CA_SERIAL_NUMBER_LOCATION=$STORE_PATH/serial_$NAME.txt
export G_CA_CRL_NUMBER_LOCATION=$STORE_PATH/crlnumber_$NAME.txt
# remove files to create when they already exist
if [ -f "$PRIVATE_KEY_LOCATION" ]; then rm "$PRIVATE_KEY_LOCATION" ; fi
if [ -f "$REQUEST_LOCATION" ]; then rm "$REQUEST_LOCATION" ; fi
if [ -f "$CERTIFICATE_LOCATION" ]; then rm "$CERTIFICATE_LOCATION" ; fi
if [ -f "$TEMP_CERTIFICATE_LOCATION" ]; then rm "$TEMP_CERTIFICATE_LOCATION" ; fi
if [ -f "$G_CA_DATABASE_LOCATION" ]; then rm "$G_CA_DATABASE_LOCATION"* ; fi
if [ -f "$G_CA_SERIAL_NUMBER_LOCATION" ]; then rm "$G_CA_SERIAL_NUMBER_LOCATION"* ; fi
if [ -f "$G_CA_CRL_NUMBER_LOCATION" ]; then rm "$G_CA_CRL_NUMBER_LOCATION"* ; fi
# Creating CA related files
# Generate an empty file
touch "$G_CA_DATABASE_LOCATION"
echo 00 > "$G_CA_SERIAL_NUMBER_LOCATION"
echo 00 > "$G_CA_CRL_NUMBER_LOCATION"
# Creating private key
openssl genrsa -out "$PRIVATE_KEY_LOCATION" $KEYSIZE || return 1
# Creating certificate request
openssl req -config "$OPENSSL_CONF" -new -key "$PRIVATE_KEY_LOCATION" -outform PEM -out "$REQUEST_LOCATION" || return 1
# Creating self signed cert
openssl ca -config "$OPENSSL_CONF" -batch -days $CA_CERT_VALIDITY_DAYS -selfsign -keyfile "$PRIVATE_KEY_LOCATION" -in "$REQUEST_LOCATION" -out "$TEMP_CERTIFICATE_LOCATION" -subj "$SUBJ" -extensions v3_ca || return 1
# Converting PEM certificate to DER format
openssl x509 -inform PEM -in "$TEMP_CERTIFICATE_LOCATION" -outform DER -out "$CERTIFICATE_LOCATION" || return 1
return 0
}
create_issued_ca()
{
if [ "$#" -ne 3 ]; then
echo "Invalid arguments when calling script function"
return 1
fi
NAME=$1
SUBJ=$2
CA_NAME=$3
PRIVATE_KEY_LOCATION=$STORE_PATH/private/$NAME.pem
REQUEST_LOCATION=$STORE_PATH/request/$NAME.csr
CERTIFICATE_LOCATION=$STORE_PATH/certs/$NAME.der
TEMP_CERTIFICATE_LOCATION=$STORE_PATH/certs/$NAME.pem
CA_PEM_CERTIFICATE=$STORE_PATH/certs/$CA_NAME.pem
CA_PRIVATE_KEY=$STORE_PATH/private/$CA_NAME.pem
# These variables are referenced from the OpenSSL configuration file
export G_CA_DATABASE_LOCATION=$STORE_PATH/database_$NAME.txt
export G_CA_SERIAL_NUMBER_LOCATION=$STORE_PATH/serial_$NAME.txt
export G_CA_CRL_NUMBER_LOCATION=$STORE_PATH/crlnumber_$NAME.txt
# remove files to create when they already exist
if [ -f "$PRIVATE_KEY_LOCATION" ]; then rm "$PRIVATE_KEY_LOCATION" ; fi
if [ -f "$REQUEST_LOCATION" ]; then rm "$REQUEST_LOCATION" ; fi
if [ -f "$CERTIFICATE_LOCATION" ]; then rm "$CERTIFICATE_LOCATION" ; fi
if [ -f "$TEMP_CERTIFICATE_LOCATION" ]; then rm "$TEMP_CERTIFICATE_LOCATION" ; fi
if [ -f "$G_CA_DATABASE_LOCATION" ]; then rm "$G_CA_DATABASE_LOCATION"* ; fi
if [ -f "$G_CA_SERIAL_NUMBER_LOCATION" ]; then rm "$G_CA_SERIAL_NUMBER_LOCATION"* ; fi
if [ -f "$G_CA_CRL_NUMBER_LOCATION" ]; then rm "$G_CA_CRL_NUMBER_LOCATION"* ; fi
# Creating CA related files
# Generate an empty file
touch "$G_CA_DATABASE_LOCATION"
echo 00 > "$G_CA_SERIAL_NUMBER_LOCATION"
echo 00 > "$G_CA_CRL_NUMBER_LOCATION"
# Creating private key
openssl genrsa -out "$PRIVATE_KEY_LOCATION" $KEYSIZE || return 1
# Creating certificate request
openssl req -config "$OPENSSL_CONF" -new -key "$PRIVATE_KEY_LOCATION" -outform PEM -out "$REQUEST_LOCATION" || return 1
# Creating intermediate CA cert signed by the issuing CA
openssl ca -config "$OPENSSL_CONF" -batch -days $CA_CERT_VALIDITY_DAYS -in "$REQUEST_LOCATION" -extensions v3_ca -out "$TEMP_CERTIFICATE_LOCATION" -subj "$SUBJ" -keyfile "$CA_PRIVATE_KEY" -cert "$CA_PEM_CERTIFICATE" || return 1
# Converting PEM certificate to DER format
openssl x509 -inform PEM -in "$TEMP_CERTIFICATE_LOCATION" -outform DER -out "$CERTIFICATE_LOCATION" || return 1
return 0
}
copy_needed_files()
{
if [ "$#" -ne 2 ]; then
echo "Invalid arguments when calling script function"
return 1
fi
export NAME=$1
export DEPLOYED_STORE_LOCATION=$2
export CERTIFICATE_LOCATION=$STORE_PATH/certs/$NAME
export TARGET_CERTIFICATE_LOCATION=$DEPLOYED_STORE_LOCATION/
cp "$CERTIFICATE_LOCATION" "$TARGET_CERTIFICATE_LOCATION" || process_end_error
}
create_issued_certificate()
{
if [ "$#" -ne 3 ]; then
echo "Invalid arguments when calling script function"
return 1
fi
NAME=$1
SUBJ=$2
CA_NAME=$3
PRIVATE_KEY_LOCATION=$STORE_PATH/private/$NAME.pem
REQUEST_LOCATION=$STORE_PATH/request/$NAME.csr
CERTIFICATE_LOCATION=$STORE_PATH/certs/$NAME.der
TEMP_CERTIFICATE_LOCATION=$STORE_PATH/certs/$NAME.pem
CA_PEM_CERTIFICATE=$STORE_PATH/certs/$CA_NAME.pem
CA_PRIVATE_KEY=$STORE_PATH/private/$CA_NAME.pem
# These variables are referenced from the OpenSSL configuration file
export G_CA_DATABASE_LOCATION=$STORE_PATH/database_$CA_NAME.txt
export G_CA_SERIAL_NUMBER_LOCATION=$STORE_PATH/serial_$CA_NAME.txt
export G_CA_CRL_NUMBER_LOCATION=$STORE_PATH/crlnumber_$CA_NAME.txt
# remove files to create when they already exist
if [ -f "$PRIVATE_KEY_LOCATION" ]; then rm "$PRIVATE_KEY_LOCATION" ; fi
if [ -f "$REQUEST_LOCATION" ]; then rm "$REQUEST_LOCATION" ; fi
if [ -f "$CERTIFICATE_LOCATION" ]; then rm "$CERTIFICATE_LOCATION" ; fi
if [ -f "$TEMP_CERTIFICATE_LOCATION" ]; then rm "$TEMP_CERTIFICATE_LOCATION" ; fi
# Creating private key
openssl genrsa -out "$PRIVATE_KEY_LOCATION" $KEYSIZE || return 1
# Creating certificate request
openssl req -config "$OPENSSL_CONF" -new -key "$PRIVATE_KEY_LOCATION" -outform PEM -out "$REQUEST_LOCATION" || return 1
# Creating the certificate, signed by the issuing CA
openssl ca -config "$OPENSSL_CONF" -batch -days $CERT_VALIDITY_DAYS -keyfile "$CA_PRIVATE_KEY" -in "$REQUEST_LOCATION" -out "$TEMP_CERTIFICATE_LOCATION" -subj "$SUBJ" -cert "$CA_PEM_CERTIFICATE" || return 1
# Converting PEM certificate to DER format
openssl x509 -inform PEM -in "$TEMP_CERTIFICATE_LOCATION" -outform DER -out "$CERTIFICATE_LOCATION" || return 1
return 0
}
revoke_certificate()
{
if [ "$#" -ne 2 ]; then
echo "Invalid arguments when calling script function"
return 1
fi
NAME=$1
CA_NAME=$2
DER_CERTIFICATE_LOCATION=$STORE_PATH/certs/$NAME.der
PEM_CERTIFICATE_LOCATION=$STORE_PATH/certs/$NAME.pem
CA_CERTIFICATE=$STORE_PATH/certs/$CA_NAME.pem
CA_PRIVATE_KEY=$STORE_PATH/private/$CA_NAME.pem
# These variables are referenced from the OpenSSL configuration file
export G_CA_DATABASE_LOCATION=$STORE_PATH/database_$CA_NAME.txt
export G_CA_SERIAL_NUMBER_LOCATION=$STORE_PATH/serial_$CA_NAME.txt
export G_CA_CRL_NUMBER_LOCATION=$STORE_PATH/crlnumber_$CA_NAME.txt
# Converting DER certificate to PEM format
openssl x509 -inform DER -in "$DER_CERTIFICATE_LOCATION" -outform PEM -out "$PEM_CERTIFICATE_LOCATION" || return 1
# Revoking certificate
openssl ca -config "$OPENSSL_CONF" -revoke "$PEM_CERTIFICATE_LOCATION" -cert "$CA_CERTIFICATE" -keyfile "$CA_PRIVATE_KEY" || return 1
return 0
}
update_revocation_list()
{
if [ "$#" -ne 1 ]; then
echo "Invalid arguments when calling script function"
return 1
fi
CA_NAME=$1
REVOCATION_LIST_LOCATION=$STORE_PATH/crl/$CA_NAME.crl
CA_CERTIFICATE=$STORE_PATH/certs/$CA_NAME.pem
CA_PRIVATE_KEY=$STORE_PATH/private/$CA_NAME.pem
# These variables are referenced from the OpenSSL configuration file
export G_CA_DATABASE_LOCATION=$STORE_PATH/database_$CA_NAME.txt
export G_CA_SERIAL_NUMBER_LOCATION=$STORE_PATH/serial_$CA_NAME.txt
export G_CA_CRL_NUMBER_LOCATION=$STORE_PATH/crlnumber_$CA_NAME.txt
# Generate CRL
openssl ca -config "$OPENSSL_CONF" -gencrl -crldays 1825 -out "$REVOCATION_LIST_LOCATION" -cert "$CA_CERTIFICATE" -keyfile "$CA_PRIVATE_KEY" || return 1
# Convert CRL from PEM to DER format
openssl crl -inform PEM -in "$REVOCATION_LIST_LOCATION" -outform DER -out "$REVOCATION_LIST_LOCATION" || return 1
return 0
}
deploy_certificate()
{
if [ "$#" -ne 2 ]; then
echo "Invalid arguments when calling script function"
return 1
fi
NAME=$1
DEPLOYED_STORE_LOCATION=$2
CERTIFICATE_LOCATION=$STORE_PATH/certs/$NAME.der
PRIVATE_KEY_LOCATION=$STORE_PATH/private/$NAME.pem
TARGET_CERTIFICATE_LOCATION=$DEPLOYED_STORE_LOCATION/certs/$NAME.der
TARGET_PRIVATE_KEY_LOCATION=$DEPLOYED_STORE_LOCATION/private/$NAME.pem
cp "$CERTIFICATE_LOCATION" "$TARGET_CERTIFICATE_LOCATION" || { echo "Failed to copy certificate"; return 1; }
cp "$PRIVATE_KEY_LOCATION" "$TARGET_PRIVATE_KEY_LOCATION" || { echo "Failed to copy private key"; return 1; }
return 0
}
deploy_revocation_list()
{
if [ "$#" -ne 2 ]; then
echo "Invalid arguments when calling script function"
return 1
fi
CA_NAME=$1
DEPLOYED_STORE_LOCATION=$2
REVOCATION_LIST_LOCATION=$STORE_PATH/crl/$CA_NAME.crl
TARGET_REVOCATION_LIST_LOCATION=$DEPLOYED_STORE_LOCATION/crl/$CA_NAME.crl
cp "$REVOCATION_LIST_LOCATION" "$TARGET_REVOCATION_LIST_LOCATION" || return 1
return 0
}
create_all_issued_certificates()
{
if [ "$#" -ne 2 ]; then
echo "Invalid arguments when calling script function"
return 1
fi
CATOISSUECERTIFICATESFROM=$1
PATHTORI=$2
echo "Creating all issued certificates for $CATOISSUECERTIFICATESFROM which is $PATHTORI"
echo ""
echo ""
echo "====================================="
echo "= Issue a trusted Certificate from $CATOISSUECERTIFICATESFROM for the CTT"
echo "====================================="
CERTCN=$CATOISSUECERTIFICATESFROM\_appT
X509_SUBJ="/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME"
create_issued_certificate "$CERTCN" "$X509_SUBJ" "$CATOISSUECERTIFICATESFROM" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_AI_PKI/trusted/certs" || process_end_error
echo ""
echo ""
echo "====================================="
echo "= Issue an untrusted Certificate from $CATOISSUECERTIFICATESFROM for the CTT"
echo "====================================="
CERTCN=$CATOISSUECERTIFICATESFROM\_appU
X509_SUBJ="/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME"
create_issued_certificate "$CERTCN" "$X509_SUBJ" "$CATOISSUECERTIFICATESFROM" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
echo ""
echo ""
echo "====================================="
echo "= Revoke an issued Certificate from $CATOISSUECERTIFICATESFROM for the trusted folder"
echo "====================================="
CERTCN=$CATOISSUECERTIFICATESFROM\_appTR
X509_SUBJ="/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME"
create_issued_certificate "$CERTCN" "$X509_SUBJ" "$CATOISSUECERTIFICATESFROM" || process_end_error
revoke_certificate "$CERTCN" "$CATOISSUECERTIFICATESFROM" || process_end_error
update_revocation_list "$CATOISSUECERTIFICATESFROM" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
deploy_revocation_list "$CATOISSUECERTIFICATESFROM" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_AI_PKI/trusted/certs" || process_end_error
echo ""
echo ""
echo "====================================="
echo "= Revoke a second issued Certificate from $CATOISSUECERTIFICATESFROM which is not trusted"
echo "====================================="
CERTCN=$CATOISSUECERTIFICATESFROM\_appUR
X509_SUBJ="/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME"
create_issued_certificate "$CERTCN" "$X509_SUBJ" "$CATOISSUECERTIFICATESFROM" || process_end_error
revoke_certificate "$CERTCN" "$CATOISSUECERTIFICATESFROM" || process_end_error
update_revocation_list "$CATOISSUECERTIFICATESFROM" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
deploy_revocation_list "$CATOISSUECERTIFICATESFROM" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
echo "Now let's issue the user certs for this CA"
export G_SUBJECT_ALTERNATIVE_NAME=URI:compliance@opcfoundation.org
echo ""
echo ""
echo "====================================="
echo "= Issue a trusted User Certificate from $CATOISSUECERTIFICATESFROM for the CTT"
echo "====================================="
CERTCN=$CATOISSUECERTIFICATESFROM\_usrT
X509_SUBJ="/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME"
create_issued_certificate "$CERTCN" "$X509_SUBJ" "$CATOISSUECERTIFICATESFROM" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_USER_PKI/trusted/certs" || process_end_error
echo ""
echo ""
echo "====================================="
echo "= Issue an untrusted User Certificate from $CATOISSUECERTIFICATESFROM for the CTT"
echo "====================================="
CERTCN=$CATOISSUECERTIFICATESFROM\_usrU
X509_SUBJ="/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME"
create_issued_certificate "$CERTCN" "$X509_SUBJ" "$CATOISSUECERTIFICATESFROM" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
echo ""
echo ""
echo "====================================="
echo "= Revoke an issued User Certificate from $CATOISSUECERTIFICATESFROM for the trusted folder"
echo "====================================="
CERTCN=$CATOISSUECERTIFICATESFROM\_usrTR
X509_SUBJ="/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME"
create_issued_certificate "$CERTCN" "$X509_SUBJ" "$CATOISSUECERTIFICATESFROM" || process_end_error
revoke_certificate "$CERTCN" "$CATOISSUECERTIFICATESFROM" || process_end_error
update_revocation_list "$CATOISSUECERTIFICATESFROM" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
deploy_revocation_list "$CATOISSUECERTIFICATESFROM" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_USER_PKI/trusted/certs" || process_end_error
echo ""
echo ""
echo "====================================="
echo "= Revoke a second issued Certificate from $CATOISSUECERTIFICATESFROM which is not trusted"
echo "====================================="
CERTCN=$CATOISSUECERTIFICATESFROM\_usrUR
X509_SUBJ="/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME"
create_issued_certificate "$CERTCN" "$X509_SUBJ" "$CATOISSUECERTIFICATESFROM" || process_end_error
revoke_certificate "$CERTCN" "$CATOISSUECERTIFICATESFROM" || process_end_error
update_revocation_list "$CATOISSUECERTIFICATESFROM" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
export G_SUBJECT_ALTERNATIVE_NAME=$SUBJECT_ALTERNATIVE_NAME
}
echo ""
echo ""
echo "======================================"
echo "= CTT Application Instance Certificate"
echo "======================================"
CERTCN=ctt_appT
X509_SUBJ="/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME"
create_self_signed_certificate "$CERTCN" "$X509_SUBJ" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_CLIENT_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_AI_PKI/trusted/certs" || process_end_error
echo ""
echo ""
echo "====================================="
echo "= CTT Application Instance Certificate (Sha1, 1024 Bit)"
echo "====================================="
KEYSIZE=1024
CERTSIGNATUREALG=sha1
OPENSSL_CONF=$APPLICATION_DIR/openssl_sha1.cnf
CERTCN=ctt_appTSha1_1024
X509_SUBJ="/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME"
create_self_signed_certificate "$CERTCN" "$X509_SUBJ" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_CLIENT_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_AI_PKI/trusted/certs" || process_end_error
export KEYSIZE=$DEFAULTKEYSIZE
export CERTSIGNATUREALG=sha256
export OPENSSL_CONF=$APPLICATION_DIR/openssl.cnf
echo ""
echo ""
echo "====================================="
echo "= CTT Application Instance Certificate (Sha1, 2048 Bit)"
echo "====================================="
KEYSIZE=2048
CERTSIGNATUREALG=sha1
OPENSSL_CONF=$APPLICATION_DIR/openssl_sha1.cnf
CERTCN=ctt_appTSha1_2048
X509_SUBJ="/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME"
create_self_signed_certificate "$CERTCN" "$X509_SUBJ" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_CLIENT_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_AI_PKI/trusted/certs" || process_end_error
KEYSIZE=$DEFAULTKEYSIZE
CERTSIGNATUREALG=sha256
OPENSSL_CONF=$APPLICATION_DIR/openssl.cnf
echo ""
echo ""
echo "====================================="
echo "= CTT Application Instance Certificate (Sha256, 2048 Bit)"
echo "====================================="
KEYSIZE=2048
CERTSIGNATUREALG=sha256
CERTCN=ctt_appTSha256_2048
X509_SUBJ="/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME"
create_self_signed_certificate "$CERTCN" "$X509_SUBJ" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_CLIENT_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_AI_PKI/trusted/certs" || process_end_error
KEYSIZE=$DEFAULTKEYSIZE
CERTSIGNATUREALG=sha256
echo ""
echo ""
echo "====================================="
echo "= CTT Application Instance Certificate (Sha256, 4096 Bit)"
echo "====================================="
KEYSIZE=4096
CERTSIGNATUREALG=sha256
CERTCN=ctt_appTSha256_4096
X509_SUBJ="/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME"
create_self_signed_certificate "$CERTCN" "$X509_SUBJ" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_CLIENT_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_AI_PKI/trusted/certs" || process_end_error
KEYSIZE=$DEFAULTKEYSIZE
CERTSIGNATUREALG=sha256
echo ""
echo ""
echo "====================================================="
echo "= CTT Application Instance Certificate - Not Trusted!"
echo "====================================================="
CERTCN=ctt_appU
X509_SUBJ="/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME"
create_self_signed_certificate "$CERTCN" "$X509_SUBJ" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
echo ""
echo ""
echo "===================================================="
echo "= CTT Not Yet Valid Application Instance Certificate"
echo "===================================================="
CERTCN=ctt_appTV
X509_SUBJ="/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME"
create_self_signed_certificate_validity "$CERTCN" "$X509_SUBJ" $NEXTYEAR"0101120000Z" $NEXTYEAR"0601120000Z" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_AI_PKI/trusted/certs" || process_end_error
echo ""
echo ""
echo "========================================================="
echo "= CTT Expired Application Instance Certificate - Trusted!"
echo "========================================================="
CERTCN=ctt_appTE
X509_SUBJ="/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME"
create_self_signed_certificate_validity "$CERTCN" "$X509_SUBJ" $LASTYEAR"0101120000Z" $LASTYEAR"1206120000Z" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_AI_PKI/trusted/certs" || process_end_error
echo ""
echo ""
echo "============================================================="
echo "= CTT Expired Application Instance Certificate - Not Trusted!"
echo "============================================================="
CERTCN=ctt_appUE
X509_SUBJ="/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME"
create_self_signed_certificate_validity "$CERTCN" "$X509_SUBJ" $LASTYEAR"0101120000Z" $LASTYEAR"1206120000Z" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
echo ""
echo ""
echo "====================================="
echo "= CTT Invalid IP Address"
echo "====================================="
CERTCN=ctt_appTSip
X509_SUBJ="/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME"
G_SUBJECT_ALTERNATIVE_NAME="URI:urn:noSuchHost:UA Compliance Test Tool"
create_self_signed_certificate "$CERTCN" "//C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=noSuchHost" || process_end_error
G_SUBJECT_ALTERNATIVE_NAME=$SUBJECT_ALTERNATIVE_NAME
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_AI_PKI/trusted/certs" || process_end_error
echo ""
echo ""
echo "====================================="
echo "= CTT Incorrectly Signed"
echo "====================================="
CERTCN=ctt_appTSincorrect
X509_SUBJ="/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME"
create_self_signed_certificate "$CERTCN" "$X509_SUBJ" || process_end_error
invalidate_certificate_signature "$CERTCN" || process_end_error
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_AI_PKI/trusted/certs" || process_end_error
echo ""
echo ""
echo "====================================="
echo "= CTT Invalid ApplicationURI"
echo "====================================="
CERTCN=ctt_appTSuri
X509_SUBJ="/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME"
G_SUBJECT_ALTERNATIVE_NAME="URI:urn:ThisIsAnInvalidUri"
create_self_signed_certificate "$CERTCN" "$X509_SUBJ" || process_end_error
G_SUBJECT_ALTERNATIVE_NAME=$SUBJECT_ALTERNATIVE_NAME
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_AI_PKI/trusted/certs" || process_end_error
echo ""
echo ""
echo "====================================="
echo "= Create a Certificate Authority (CA)"
echo "====================================="
CERTCN=ctt_ca1T
CURRENTCA=$CERTCN
X509_SUBJ=/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME
G_SUBJECT_ALTERNATIVE_NAME="URI:urn:$HOSTNAME:$CERTCN"
create_root_ca_certificate "$CERTCN" "$X509_SUBJ" || process_end_error
G_SUBJECT_ALTERNATIVE_NAME=$SUBJECT_ALTERNATIVE_NAME
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_AI_PKI/trusted/certs" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_USER_PKI/trusted/certs" || process_end_error
create_all_issued_certificates $CURRENTCA "trusted"
copy_needed_files "../crl/$CURRENTCA.crl" "$CS_AI_PKI/trusted/crl" || process_end_error
copy_needed_files "../crl/$CURRENTCA.crl" "$CS_USER_PKI/trusted/crl" || process_end_error
echo ""
echo ""
echo "====================================="
echo "= Create a trusted root Certificate Authority (CA) where the revocation list is not available"
echo "====================================="
CERTCN=ctt_ca1TC
CURRENTCA=$CERTCN
X509_SUBJ=/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME
G_SUBJECT_ALTERNATIVE_NAME="URI:urn:$HOSTNAME:$CERTCN"
create_root_ca_certificate "$CERTCN" "$X509_SUBJ" || process_end_error
G_SUBJECT_ALTERNATIVE_NAME=$SUBJECT_ALTERNATIVE_NAME
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_AI_PKI/trusted/certs" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_USER_PKI/trusted/certs" || process_end_error
create_all_issued_certificates $CURRENTCA "trusted"
deploy_revocation_list "$CURRENTCA" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
echo ""
echo ""
echo "====================================="
echo "= Create an unknown root Certificate Authority (CA)"
echo "====================================="
CERTCN=ctt_ca1U
CURRENTCA=$CERTCN
X509_SUBJ=/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME
G_SUBJECT_ALTERNATIVE_NAME="URI:urn:$HOSTNAME:$CERTCN"
create_root_ca_certificate "$CERTCN" "$X509_SUBJ" || process_end_error
G_SUBJECT_ALTERNATIVE_NAME=$SUBJECT_ALTERNATIVE_NAME
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
create_all_issued_certificates $CURRENTCA "trusted"
echo ""
echo ""
echo "====================================="
echo "= Create an issuers root Certificate Authority (CA)"
echo "====================================="
CERTCN=ctt_ca1I
CURRENTCA=$CERTCN
X509_SUBJ=/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME
G_SUBJECT_ALTERNATIVE_NAME="URI:urn:$HOSTNAME:$CERTCN"
create_root_ca_certificate "$CERTCN" "$X509_SUBJ" || process_end_error
G_SUBJECT_ALTERNATIVE_NAME=$SUBJECT_ALTERNATIVE_NAME
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_AI_PKI/issuers/certs" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_USER_PKI/issuers/certs" || process_end_error
create_all_issued_certificates $CURRENTCA "issuers"
deploy_revocation_list "$CURRENTCA" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
copy_needed_files "../crl/$CURRENTCA.crl" "$CS_AI_PKI/issuers/crl" || process_end_error
copy_needed_files "../crl/$CURRENTCA.crl" "$CS_USER_PKI/issuers/crl" || process_end_error
echo ""
echo ""
echo "====================================="
echo "= Create an issuers root Certificate Authority (CA) where the revocation list is not known"
echo "====================================="
CERTCN=ctt_ca1IC
CURRENTCA=$CERTCN
X509_SUBJ=/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME
G_SUBJECT_ALTERNATIVE_NAME="URI:urn:$HOSTNAME:$CERTCN"
create_root_ca_certificate "$CERTCN" "$X509_SUBJ" || process_end_error
G_SUBJECT_ALTERNATIVE_NAME=$SUBJECT_ALTERNATIVE_NAME
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_AI_PKI/issuers/certs" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_USER_PKI/issuers/certs" || process_end_error
create_all_issued_certificates $CURRENTCA "issuers"
echo ""
echo ""
echo "====================================="
echo "= Create an untrusted secondary Certificate Authority (CA) from ctt_ca1T"
echo "====================================="
CERTCN=ctt_ca1T_ca2U
CURRENTCA=$CERTCN
X509_SUBJ=/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME
G_SUBJECT_ALTERNATIVE_NAME="URI:urn:$HOSTNAME:$CERTCN"
create_issued_ca "$CERTCN" "$X509_SUBJ" "ctt_ca1T" || process_end_error
G_SUBJECT_ALTERNATIVE_NAME=$SUBJECT_ALTERNATIVE_NAME
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
create_all_issued_certificates $CURRENTCA "trusted"
echo ""
echo ""
echo "====================================="
echo "= Create a trusted secondary Certificate Authority (CA) from ctt_ca1I"
echo "====================================="
CERTCN=ctt_ca1I_ca2T
CURRENTCA=$CERTCN
X509_SUBJ=/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME
G_SUBJECT_ALTERNATIVE_NAME="URI:urn:$HOSTNAME:$CERTCN"
create_issued_ca "$CERTCN" "$X509_SUBJ" "ctt_ca1I" || process_end_error
G_SUBJECT_ALTERNATIVE_NAME=$SUBJECT_ALTERNATIVE_NAME
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_AI_PKI/trusted/certs" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_USER_PKI/trusted/certs" || process_end_error
create_all_issued_certificates $CURRENTCA "trusted"
copy_needed_files "../crl/$CURRENTCA.crl" "$CS_AI_PKI/trusted/crl" || process_end_error
copy_needed_files "../crl/$CURRENTCA.crl" "$CS_USER_PKI/trusted/crl" || process_end_error
echo ""
echo ""
echo "====================================="
echo "= Create an issuers secondary Certificate Authority (CA) from ctt_ca1TC"
echo "====================================="
CERTCN=ctt_ca1TC_ca2I
CURRENTCA=$CERTCN
X509_SUBJ=/C=$CERTC/L=$CERTL/ST=$CERTS/O=$CERTO/CN=$CERTCN/DC=$HOSTNAME
G_SUBJECT_ALTERNATIVE_NAME="URI:urn:$HOSTNAME:$CERTCN"
create_issued_ca "$CERTCN" "$X509_SUBJ" "ctt_ca1TC" || process_end_error
G_SUBJECT_ALTERNATIVE_NAME=$SUBJECT_ALTERNATIVE_NAME
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_AI_PKI/issuers/certs" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_USER_PKI/issuers/certs" || process_end_error
create_all_issued_certificates $CURRENTCA "issuers"
copy_needed_files "../crl/$CURRENTCA.crl" "$CS_AI_PKI/issuers/crl" || process_end_error
copy_needed_files "../crl/$CURRENTCA.crl" "$CS_USER_PKI/issuers/crl" || process_end_error
echo "Now we are starting to generate the user certificates"
echo ""
echo ""
echo "=========================================="
echo "= Creating a USER Certificate for the CTT"
echo "=========================================="
CERTCN=ctt_usrT
G_SUBJECT_ALTERNATIVE_NAME="URI:compliance@opcfoundation.org"
create_self_signed_certificate "$CERTCN" "//O=$CERTO/CN=$CERTCN/DC=$HOSTNAME" || process_end_error
G_SUBJECT_ALTERNATIVE_NAME=$SUBJECT_ALTERNATIVE_NAME
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_USER_PKI/trusted/certs" || process_end_error
echo ""
echo ""
echo "=========================================================="
echo "Creating a 2nd (not trusted) USER Certificate for the CTT"
echo "=========================================================="
CERTCN=ctt_usrU
G_SUBJECT_ALTERNATIVE_NAME="URI:compliance@opcfoundation.org"
create_self_signed_certificate "$CERTCN" "//O=$CERTO/CN=$CERTCN/DC=$HOSTNAME" || process_end_error
G_SUBJECT_ALTERNATIVE_NAME=$SUBJECT_ALTERNATIVE_NAME
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
echo ""
echo ""
echo "======================================="
echo "CTT Expired User Certificate - Trusted!"
echo "======================================="
CERTCN=ctt_usrTE
G_SUBJECT_ALTERNATIVE_NAME="URI:compliance@opcfoundation.org"
create_self_signed_certificate_validity "$CERTCN" "//O=$CERTO/CN=$CERTCN/DC=$HOSTNAME" $LASTYEAR"0101120000Z" $LASTYEAR"1206120000Z" || process_end_error
G_SUBJECT_ALTERNATIVE_NAME=$SUBJECT_ALTERNATIVE_NAME
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_USER_PKI/trusted/certs" || process_end_error
echo ""
echo ""
echo "======================================="
echo "CTT Expired User Certificate - Not Trusted!"
echo "======================================="
CERTCN=ctt_usrUE
G_SUBJECT_ALTERNATIVE_NAME="URI:compliance@opcfoundation.org"
create_self_signed_certificate_validity "$CERTCN" "//O=$CERTO/CN=$CERTCN/DC=$HOSTNAME" $LASTYEAR"0101120000Z" $LASTYEAR"1206120000Z" || process_end_error
G_SUBJECT_ALTERNATIVE_NAME=$SUBJECT_ALTERNATIVE_NAME
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
echo ""
echo ""
echo "======================================="
echo "CTT Not Yet Valid User Certificate!"
echo "======================================="
CERTCN=ctt_usrTV
G_SUBJECT_ALTERNATIVE_NAME="URI:compliance@opcfoundation.org"
create_self_signed_certificate_validity "$CERTCN" "//O=$CERTO/CN=$CERTCN/DC=$HOSTNAME" $NEXTYEAR"0101120000Z" $NEXTYEAR"0601120000Z" || process_end_error
G_SUBJECT_ALTERNATIVE_NAME=$SUBJECT_ALTERNATIVE_NAME
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_USER_PKI/trusted/certs" || process_end_error
echo ""
echo ""
echo "======================================="
echo "CTT Incorrectly Signed USER certificate"
echo "======================================="
CERTCN=ctt_usrTSincorrect
G_SUBJECT_ALTERNATIVE_NAME="URI:compliance@opcfoundation.org"
create_self_signed_certificate "$CERTCN" "$X509_SUBJ" || process_end_error
invalidate_certificate_signature "$CERTCN" || process_end_error
G_SUBJECT_ALTERNATIVE_NAME=$SUBJECT_ALTERNATIVE_NAME
deploy_certificate "$CERTCN" "$DEPLOYED_SERVER_STORE_PATH" || process_end_error
copy_needed_files "$CERTCN.der" "$CS_USER_PKI/trusted/certs" || process_end_error
process_end_success
Certificate creation bash scripts have been updated to calculate the "not yet valid" with CurrentYear + 1 and the "expired" certificates with CurrentYear - 1. This will ensure this does not happen again in the future.
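The relative-validity arithmetic described in the note above, together with the staleness check that the related issue 0006704 asks the CTT to report, as an added Python example (not part of create_ctt_pki.sh or the CTT; the role names, function names and the 1 June 2021 end date of the old hard-coded window are this example's own):

```python
"""Relative validity windows for the CTT "not yet valid" / "expired" test
certificates, plus a check that a deployed certificate still plays its role.

Added example, not part of create_ctt_pki.sh or the CTT; the role names and
function names are this example's own.
"""
from datetime import datetime, timezone

# Time format taken by `openssl ca -startdate/-enddate`: YYYYMMDDHHMMSSZ (UTC).
OPENSSL_TIME_FMT = "%Y%m%d%H%M%SZ"

# Roles the test certificates play: ctt_appTV/ctt_usrTV are NOT_YET_VALID,
# ctt_appTE/ctt_appUE/ctt_usrTE/ctt_usrUE are EXPIRED; VALID covers the rest.
NOT_YET_VALID = "not_yet_valid"
EXPIRED = "expired"
VALID = "valid"


def utc(year, month, day, hour=0, minute=0, second=0):
    """Aware UTC datetime; keeps the callers below free of tz boilerplate."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def relative_validity(role, now):
    """(startdate, enddate) strings relative to `now`, as the fixed script does.

    Mirrors the $NEXTYEAR/$LASTYEAR arithmetic of create_ctt_pki.sh: a "not yet
    valid" certificate runs from 1 Jan to 1 Jun of next year, an "expired" one
    from 1 Jan to 6 Dec of last year, both at 12:00:00 UTC.
    """
    if role == NOT_YET_VALID:
        year = now.year + 1
        return f"{year}0101120000Z", f"{year}0601120000Z"
    if role == EXPIRED:
        year = now.year - 1
        return f"{year}0101120000Z", f"{year}1206120000Z"
    raise ValueError(f"no relative window defined for role {role!r}")


def parse_openssl_time(value):
    """Parse a YYYYMMDDHHMMSSZ string into an aware UTC datetime."""
    return datetime.strptime(value, OPENSSL_TIME_FMT).replace(tzinfo=timezone.utc)


def role_deadline(role, not_before, not_after):
    """Instant from which the certificate no longer plays `role` (None: never).

    A "not yet valid" certificate stops being so at notBefore, a "valid" one
    at notAfter; an "expired" one stays expired for good.
    """
    if role == NOT_YET_VALID:
        return not_before
    if role == VALID:
        return not_after
    if role == EXPIRED:
        return None
    raise ValueError(f"unknown role {role!r}")


def check_role(role, startdate, enddate, now):
    """Return (ok, reason): does the certificate still fit `role` at `now`?

    This is the regeneration check the related issue asks the CTT to report:
    a fixed-date "not yet valid" certificate fails it as soon as its notBefore
    has passed.
    """
    not_before = parse_openssl_time(startdate)
    not_after = parse_openssl_time(enddate)
    if not_before >= not_after:
        return False, "notBefore is not earlier than notAfter"
    if role == EXPIRED and now <= not_after:
        return False, f"still valid until {enddate}, so not expired"
    if role == VALID and now < not_before:
        return False, f"not valid before {startdate}"
    deadline = role_deadline(role, not_before, not_after)
    if deadline is not None and now >= deadline:
        return False, f"lost its {role!r} role at {deadline.strftime(OPENSSL_TIME_FMT)}"
    return True, "ok"


if __name__ == "__main__":
    # "Now" is the date the issue was reported (from the issue header).
    reported = utc(2021, 1, 14, 9, 35)
    # Old hard-coded window: the 1 January 2021 start date is from the report,
    # the 1 June 2021 end date is constructed for this example.
    print("fixed window   :", check_role(NOT_YET_VALID, "20210101120000Z", "20210601120000Z", reported))
    start, end = relative_validity(NOT_YET_VALID, reported)
    print("relative window:", start, end, check_role(NOT_YET_VALID, start, end, reported))
    # The relative window has a deadline too; a run after it must regenerate.
    print("a year later   :", check_role(NOT_YET_VALID, start, end, utc(2022, 1, 1, 12)))
```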
Proposed fixes are not working on Windows systems with locales other than EN.
New fix for Windows systems which is supposed to work with any language and locale of the Windows system. create_ctt_pki-2.bat (50,101 bytes)
@ECHO off
REM %1 -> KEYSIZE
REM %2 -> CURRENT_DIR
REM %3 -> IS_PROJECT_DIR
SETLOCAL ENABLEDELAYEDEXPANSION
SET CURRENT_DIR=%~dp0
IF NOT "%2"=="" SET CURRENT_DIR=%2
SET STORE_PATH=%CURRENT_DIR%\TMPPKI
SET DEPLOYED_SERVER_PKI_PATH=%CURRENT_DIR%ServerProjects\PKI
IF "%3" == "true" SET DEPLOYED_SERVER_PKI_PATH=%CURRENT_DIR%\PKI
SET DEPLOYED_CLIENT_PKI_PATH=%CURRENT_DIR%ClientProjects\PKI
IF "%3" == "true" SET DEPLOYED_CLIENT_PKI_PATH=%CURRENT_DIR%\PKI
SET DEPLOYED_SERVER_STORE_PATH=%DEPLOYED_SERVER_PKI_PATH%\CA
SET DEPLOYED_CLIENT_STORE_PATH=%DEPLOYED_CLIENT_PKI_PATH%\CA
SET HOSTNAME=%COMPUTERNAME%
REM Initialize certificate subject fields
SET KEYSIZE=2048
SET CERTSIGNATUREALG=sha256
IF NOT "%1"=="" SET KEYSIZE=%1
SET DEFAULTKEYSIZE=%KEYSIZE%
SET CERTCN=UA\ Compliance\ Test\ Tool
SET CERTO=OPC\ Foundation
SET CERTL=Scottsdale
SET CERTS=Arizona
SET CERTC=US
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:OPCFoundation:UaComplianceTestTool
SET CERT_VALIDITY_DAYS=365
SET CA_CERT_VALIDITY_DAYS=1825
REM Environment variable used by OpenSSL
SET OPENSSL_CONF=openssl.cnf
set X=
for /f "skip=1 delims=" %%x in ('wmic os get localdatetime') do if not defined X set X=%%x
echo.%X%
REM dissect into parts
set DATE.YEAR=%X:~0,4%
set DATE.MONTH=%X:~4,2%
set DATE.DAY=%X:~6,2%
set DATE.HOUR=%X:~8,2%
set DATE.MINUTE=%X:~10,2%
set DATE.SECOND=%X:~12,2%
set DATE.FRACTIONS=%X:~15,6%
set DATE.OFFSET=%X:~21,4%
echo Current DateTime is %DATE.YEAR%-%DATE.MONTH%-%DATE.DAY% %DATE.HOUR%:%DATE.MINUTE%:%DATE.SECOND%.%DATE.FRACTIONS%
SET /a YEAR=%DATE.YEAR%
REM Prefix with 1 and subtract 100 so that "08" and "09" are not read as (invalid) octal numbers by SET /a
SET /a MONTH=1%DATE.MONTH%-100
SET /a DAY=1%DATE.DAY%-100
SET /a LASTYEAR=%YEAR%-1
SET /a NEXTYEAR=%YEAR%+1
REM These variables are referenced from the OpenSSL configuration file
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
SET G_STORE_PATH=%STORE_PATH%
ECHO Initialize folder structures
REM Temporary PKI store (working directory)
IF NOT EXIST "%STORE_PATH%\certs" MKDIR "%STORE_PATH%\certs"
IF NOT EXIST "%STORE_PATH%\crl" MKDIR "%STORE_PATH%\crl"
IF NOT EXIST "%STORE_PATH%\private" MKDIR "%STORE_PATH%\private"
IF NOT EXIST "%STORE_PATH%\request" MKDIR "%STORE_PATH%\request"
REM ServerProject PKI store
IF NOT EXIST "%DEPLOYED_SERVER_STORE_PATH%\certs" MKDIR "%DEPLOYED_SERVER_STORE_PATH%\certs"
IF NOT EXIST "%DEPLOYED_SERVER_STORE_PATH%\crl" MKDIR "%DEPLOYED_SERVER_STORE_PATH%\crl"
IF NOT EXIST "%DEPLOYED_SERVER_STORE_PATH%\private" MKDIR "%DEPLOYED_SERVER_STORE_PATH%\private"
REM ClientProject PKI store
IF NOT EXIST "%DEPLOYED_CLIENT_STORE_PATH%\certs" MKDIR "%DEPLOYED_CLIENT_STORE_PATH%\certs"
IF NOT EXIST "%DEPLOYED_CLIENT_STORE_PATH%\crl" MKDIR "%DEPLOYED_CLIENT_STORE_PATH%\crl"
IF NOT EXIST "%DEPLOYED_CLIENT_STORE_PATH%\private" MKDIR "%DEPLOYED_CLIENT_STORE_PATH%\private"
REM ServerProject PKI copy_needed_files
SET COPYTOSERVER_PATH=%DEPLOYED_SERVER_PKI_PATH%\copyToServer
SET CS_AI_PKI=%COPYTOSERVER_PATH%\ApplicationInstance_PKI
SET CS_USER_PKI=%COPYTOSERVER_PATH%\X509UserIdentity_PKI
IF NOT EXIST "%COPYTOSERVER_PATH%" MKDIR "%COPYTOSERVER_PATH%"
IF NOT EXIST "%CS_AI_PKI%" MKDIR "%CS_AI_PKI%"
IF NOT EXIST "%CS_USER_PKI%" MKDIR "%CS_USER_PKI%"
IF NOT EXIST "%CS_AI_PKI%\trusted" MKDIR "%CS_AI_PKI%\trusted"
IF NOT EXIST "%CS_AI_PKI%\trusted\certs" MKDIR "%CS_AI_PKI%\trusted\certs"
IF NOT EXIST "%CS_AI_PKI%\trusted\crl" MKDIR "%CS_AI_PKI%\trusted\crl"
IF NOT EXIST "%CS_AI_PKI%\issuers" MKDIR "%CS_AI_PKI%\issuers"
IF NOT EXIST "%CS_AI_PKI%\issuers\certs" MKDIR "%CS_AI_PKI%\issuers\certs"
IF NOT EXIST "%CS_AI_PKI%\issuers\crl" MKDIR "%CS_AI_PKI%\issuers\crl"
IF NOT EXIST "%CS_USER_PKI%\trusted" MKDIR "%CS_USER_PKI%\trusted"
IF NOT EXIST "%CS_USER_PKI%\trusted\certs" MKDIR "%CS_USER_PKI%\trusted\certs"
IF NOT EXIST "%CS_USER_PKI%\trusted\crl" MKDIR "%CS_USER_PKI%\trusted\crl"
IF NOT EXIST "%CS_USER_PKI%\issuers" MKDIR "%CS_USER_PKI%\issuers"
IF NOT EXIST "%CS_USER_PKI%\issuers\certs" MKDIR "%CS_USER_PKI%\issuers\certs"
IF NOT EXIST "%CS_USER_PKI%\issuers\crl" MKDIR "%CS_USER_PKI%\issuers\crl"
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Application Instance Certificate
ECHO =====================================
SET CERTCN=ctt_appT
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_self_signed_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_CLIENT_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Application Instance Certificate (Sha1, 1024 Bit)
ECHO =====================================
SET KEYSIZE=1024
SET CERTSIGNATUREALG=sha1
SET OPENSSL_CONF=openssl_sha1.cnf
SET CERTCN=ctt_appTSha1_1024
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_self_signed_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_CLIENT_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
SET KEYSIZE=%DEFAULTKEYSIZE%
SET CERTSIGNATUREALG=sha256
SET OPENSSL_CONF=openssl.cnf
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Application Instance Certificate (Sha1, 2048 Bit)
ECHO =====================================
SET KEYSIZE=2048
SET CERTSIGNATUREALG=sha1
SET OPENSSL_CONF=openssl_sha1.cnf
SET CERTCN=ctt_appTSha1_2048
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_self_signed_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_CLIENT_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
SET KEYSIZE=%DEFAULTKEYSIZE%
SET CERTSIGNATUREALG=sha256
SET OPENSSL_CONF=openssl.cnf
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Application Instance Certificate (Sha256, 2048 Bit)
ECHO =====================================
SET KEYSIZE=2048
SET CERTSIGNATUREALG=sha256
SET CERTCN=ctt_appTSha256_2048
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_self_signed_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_CLIENT_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
SET KEYSIZE=%DEFAULTKEYSIZE%
SET CERTSIGNATUREALG=sha256
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Application Instance Certificate (Sha256, 4096 Bit)
ECHO =====================================
SET KEYSIZE=4096
SET CERTSIGNATUREALG=sha256
SET CERTCN=ctt_appTSha256_4096
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_self_signed_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_CLIENT_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
SET KEYSIZE=%DEFAULTKEYSIZE%
SET CERTSIGNATUREALG=sha256
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Application Instance Certificate - Not Trusted!
ECHO =====================================
SET CERTCN=ctt_appU
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_self_signed_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Not Yet Valid Application Instance Certificate
ECHO =====================================
SET CERTCN=ctt_appTV
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
REM Validity is relative to the year the script runs: NEXTYEAR is the two-digit year parsed from %date% plus one,
REM so "%NEXTYEAR%0101120000Z" is the UTCTime form (YYMMDDHHMMSSZ) that openssl ca -startdate/-enddate accept,
REM i.e. 1 January 12:00 UTC of next year. The certificate therefore stays "not yet valid" until the end of the
REM current calendar year and becomes expired after 1 June of next year, so the PKI must be regenerated yearly.
CALL:create_self_signed_certificate_validity "%CERTCN%" "%X509_SUBJ%" "%NEXTYEAR%0101120000Z" "%NEXTYEAR%0601120000Z" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Expired Application Instance Certificate - Trusted!
ECHO =====================================
SET CERTCN=ctt_appTE
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
REM Expired: valid only from 1 to 6 January of last year (LASTYEAR = current two-digit year minus one)
CALL:create_self_signed_certificate_validity "%CERTCN%" "%X509_SUBJ%" "%LASTYEAR%0101120000Z" "%LASTYEAR%0106120000Z" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Expired Application Instance Certificate - Not Trusted!
ECHO =====================================
SET CERTCN=ctt_appUE
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_self_signed_certificate_validity "%CERTCN%" "%X509_SUBJ%" "%LASTYEAR%0101120000Z" "%LASTYEAR%1206120000Z" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Invalid IP Address
ECHO =====================================
SET CERTCN=ctt_appTSip
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:noSuchHost:UA Compliance Test Tool
CALL:create_self_signed_certificate "%CERTCN%" "/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=noSuchHost" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Incorrectly Signed
ECHO =====================================
SET CERTCN=ctt_appTSincorrect
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_self_signed_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
CALL:invalidate_certificate_signature "%CERTCN%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Incorrect App URI
ECHO =====================================
SET CERTCN=ctt_appTSuri
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:ThisIsAnInvalidUri
CALL:create_self_signed_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = Create a trusted root Certificate Authority (CA)
ECHO =====================================
SET CERTCN=ctt_ca1T
SET CURRENTCA=%CERTCN%
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
CALL:create_root_ca_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
CALL:create_all_issued_certificates %CURRENTCA% "trusted"
CALL:copy_needed_files "..\crl\%CURRENTCA%.crl" "%CS_AI_PKI%\trusted\crl" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "..\crl\%CURRENTCA%.crl" "%CS_USER_PKI%\trusted\crl" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = Create a trusted root Certificate Authority (CA) where the revocation list is not available
ECHO =====================================
SET CERTCN=ctt_ca1TC
SET CURRENTCA=%CERTCN%
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
CALL:create_root_ca_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
CALL:create_all_issued_certificates %CURRENTCA% "trusted"
CALL:deploy_revocation_list "%CURRENTCA%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = Create an unknown root Certificate Authority (CA)
ECHO =====================================
SET CERTCN=ctt_ca1U
SET CURRENTCA=%CERTCN%
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
CALL:create_root_ca_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:create_all_issued_certificates %CURRENTCA% "trusted"
ECHO.
ECHO.
ECHO =====================================
ECHO = Create an issuers root Certificate Authority (CA)
ECHO =====================================
SET CERTCN=ctt_ca1I
SET CURRENTCA=%CERTCN%
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
CALL:create_root_ca_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\issuers\certs" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\issuers\certs" || GOTO BATCH_END_ERROR
CALL:create_all_issued_certificates %CURRENTCA% "issuers"
CALL:copy_needed_files "..\crl\%CURRENTCA%.crl" "%CS_AI_PKI%\issuers\crl" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "..\crl\%CURRENTCA%.crl" "%CS_USER_PKI%\issuers\crl" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = Create an issuers root Certificate Authority (CA) where the revocation list is not known
ECHO =====================================
SET CERTCN=ctt_ca1IC
SET CURRENTCA=%CERTCN%
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
CALL:create_root_ca_certificate "%CERTCN%" "%X509_SUBJ%" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\issuers\certs" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\issuers\certs" || GOTO BATCH_END_ERROR
CALL:create_all_issued_certificates %CURRENTCA% "issuers"
REM ECHO.
REM ECHO.
REM ECHO =====================================
REM ECHO = Create a trusted secondary Certificate Authority (CA) from ctt_ca1T
REM ECHO =====================================
REM SET CERTCN=ctt_ca1T_ca2T
REM SET CURRENTCA=%CERTCN%
REM SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
REM SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
REM CALL:create_issued_ca "%CERTCN%" "%X509_SUBJ%" "ctt_ca1T" || GOTO BATCH_END_ERROR
REM SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
REM CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
REM CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
REM CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
REM CALL:create_all_issued_certificates %CURRENTCA% "trusted"
ECHO.
ECHO.
ECHO =====================================
ECHO = Create an untrusted secondary Certificate Authority (CA) from ctt_ca1T
ECHO =====================================
SET CERTCN=ctt_ca1T_ca2U
SET CURRENTCA=%CERTCN%
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
CALL:create_issued_ca "%CERTCN%" "%X509_SUBJ%" "ctt_ca1T" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:create_all_issued_certificates %CURRENTCA% "trusted"
REM ECHO.
REM ECHO.
REM ECHO =====================================
REM ECHO = Create an issuers secondary Certificate Authority (CA) from ctt_ca1T
REM ECHO =====================================
REM SET CERTCN=ctt_ca1T_ca2I
REM SET CURRENTCA=%CERTCN%
REM SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
REM SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
REM CALL:create_issued_ca "%CERTCN%" "%X509_SUBJ%" "ctt_ca1T" || GOTO BATCH_END_ERROR
REM SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
REM CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
REM CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\issuers\certs" || GOTO BATCH_END_ERROR
REM CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\issuers\certs" || GOTO BATCH_END_ERROR
REM CALL:create_all_issued_certificates %CURRENTCA% "issuers"
ECHO.
ECHO.
ECHO =====================================
ECHO = Create a trusted secondary Certificate Authority (CA) from ctt_ca1I
ECHO =====================================
SET CERTCN=ctt_ca1I_ca2T
SET CURRENTCA=%CERTCN%
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
CALL:create_issued_ca "%CERTCN%" "%X509_SUBJ%" "ctt_ca1I" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
CALL:create_all_issued_certificates %CURRENTCA% "trusted"
CALL:copy_needed_files "..\crl\%CURRENTCA%.crl" "%CS_AI_PKI%\trusted\crl" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "..\crl\%CURRENTCA%.crl" "%CS_USER_PKI%\trusted\crl" || GOTO BATCH_END_ERROR
REM ECHO.
REM ECHO.
REM ECHO =====================================
REM ECHO = Create an issuers secondary Certificate Authority (CA) from ctt_ca1I
REM ECHO =====================================
REM SET CERTCN=ctt_ca1I_ca2I
REM SET CURRENTCA=%CERTCN%
REM SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
REM SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
REM CALL:create_issued_ca "%CERTCN%" "%X509_SUBJ%" "ctt_ca1I" || GOTO BATCH_END_ERROR
REM SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
REM CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
REM CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\issuers\certs" || GOTO BATCH_END_ERROR
REM CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\issuers\certs" || GOTO BATCH_END_ERROR
REM CALL:create_all_issued_certificates %CURRENTCA% "issuers"
ECHO.
ECHO.
ECHO =====================================
ECHO = Create an issuers secondary Certificate Authority (CA) from ctt_ca1TC
ECHO =====================================
SET CERTCN=ctt_ca1TC_ca2I
SET CURRENTCA=%CERTCN%
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
CALL:create_issued_ca "%CERTCN%" "%X509_SUBJ%" "ctt_ca1TC" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\issuers\certs" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\issuers\certs" || GOTO BATCH_END_ERROR
CALL:create_all_issued_certificates %CURRENTCA% "issuers"
CALL:copy_needed_files "..\crl\%CURRENTCA%.crl" "%CS_AI_PKI%\issuers\crl" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "..\crl\%CURRENTCA%.crl" "%CS_USER_PKI%\issuers\crl" || GOTO BATCH_END_ERROR
REM ECHO.
REM ECHO.
REM ECHO =====================================
REM ECHO = Create a trusted third Certificate Authority (CA) from ctt_ca1T_ca2T
REM ECHO =====================================
REM SET CERTCN=ctt_ca1T_ca2T_ca3T
REM SET CURRENTCA=%CERTCN%
REM SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
REM SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
REM CALL:create_issued_ca "%CERTCN%" "%X509_SUBJ%" "ctt_ca1T_ca2T" || GOTO BATCH_END_ERROR
REM SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
REM CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
REM CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
REM CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
REM CALL:create_all_issued_certificates %CURRENTCA% "trusted"
REM ECHO.
REM ECHO.
REM ECHO =====================================
REM ECHO = Create a trusted third Certificate Authority (CA) from ctt_ca1T_ca2I
REM ECHO =====================================
REM SET CERTCN=ctt_ca1T_ca2I_ca3T
REM SET CURRENTCA=%CERTCN%
REM SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
REM SET G_SUBJECT_ALTERNATIVE_NAME=URI:urn:%HOSTNAME%:%CERTCN%
REM CALL:create_issued_ca "%CERTCN%" "%X509_SUBJ%" "ctt_ca1T_ca2I" || GOTO BATCH_END_ERROR
REM SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
REM CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
REM CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
REM CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
REM CALL:create_all_issued_certificates %CURRENTCA% "trusted"
ECHO Now we are starting to generate the user certificates
ECHO.
ECHO.
ECHO =====================================
ECHO = Creating a USER Certificate for the CTT
ECHO =====================================
SET CERTCN=ctt_usrT
SET G_SUBJECT_ALTERNATIVE_NAME=URI:compliance@opcfoundation.org
CALL:create_self_signed_certificate "%CERTCN%" "/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = Creating a 2nd (not trusted) USER Certificate for the CTT
ECHO =====================================
SET CERTCN=ctt_usrU
SET G_SUBJECT_ALTERNATIVE_NAME=URI:compliance@opcfoundation.org
CALL:create_self_signed_certificate "%CERTCN%" "/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Expired USER Certificate - Trusted!
ECHO =====================================
SET CERTCN=ctt_usrTE
SET G_SUBJECT_ALTERNATIVE_NAME=URI:compliance@opcfoundation.org
CALL:create_self_signed_certificate_validity "%CERTCN%" "/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%" "%LASTYEAR%0101120000Z" "%LASTYEAR%1206120000Z" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Expired USER Certificate - Not Trusted!
ECHO =====================================
SET CERTCN=ctt_usrUE
SET G_SUBJECT_ALTERNATIVE_NAME=URI:compliance@opcfoundation.org
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_self_signed_certificate_validity "%CERTCN%" "/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%" "%LASTYEAR%0101120000Z" "%LASTYEAR%1206120000Z" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Not Yet Valid USER Certificate
ECHO =====================================
SET CERTCN=ctt_usrTV
SET G_SUBJECT_ALTERNATIVE_NAME=URI:compliance@opcfoundation.org
REM Same relative dates as ctt_appTV: not yet valid until 1 January of next year, regenerate yearly
CALL:create_self_signed_certificate_validity "%CERTCN%" "/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%" "%NEXTYEAR%0101120000Z" "%NEXTYEAR%0601120000Z" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = CTT Incorrectly Signed USER certificate
ECHO =====================================
SET CERTCN=ctt_usrTSincorrect
SET G_SUBJECT_ALTERNATIVE_NAME=URI:compliance@opcfoundation.org
REM Use the same subject layout as the other user certificates; X509_SUBJ still holds the CN of an earlier section
CALL:create_self_signed_certificate "%CERTCN%" "/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%" || GOTO BATCH_END_ERROR
CALL:invalidate_certificate_signature "%CERTCN%" || GOTO BATCH_END_ERROR
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
GOTO BATCH_END_SUCCESS
REM ================================================================
REM ====================== Helper functions ========================
REM ================================================================
:create_self_signed_certificate
IF %1.==. GOTO function_arguments_error
IF %2.==. GOTO function_arguments_error
SET NAME=%~1
SET SUBJ=%~2
SET PRIVATE_KEY_LOCATION=%STORE_PATH%\private\%NAME%.pem
SET REQUEST_LOCATION=%STORE_PATH%\request\%NAME%.csr
SET CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.der
SET TEMP_CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.pem
REM These variables are referenced from the OpenSSL configuration file
SET G_CA_DATABASE_LOCATION=%STORE_PATH%\database_%NAME%.txt
SET G_CA_SERIAL_NUMBER_LOCATION=%STORE_PATH%\serial_%NAME%.txt
SET G_CA_CRL_NUMBER_LOCATION=%STORE_PATH%\crlnumber_%NAME%.txt
REM remove files to create when they already exist
IF exist "%PRIVATE_KEY_LOCATION%" del "%PRIVATE_KEY_LOCATION%"
IF exist "%REQUEST_LOCATION%" del "%REQUEST_LOCATION%"
IF exist "%CERTIFICATE_LOCATION%" del "%CERTIFICATE_LOCATION%"
IF exist "%TEMP_CERTIFICATE_LOCATION%" del "%TEMP_CERTIFICATE_LOCATION%"
IF exist "%G_CA_DATABASE_LOCATION%" del "%G_CA_DATABASE_LOCATION%"*
IF exist "%G_CA_SERIAL_NUMBER_LOCATION%" del "%G_CA_SERIAL_NUMBER_LOCATION%"*
IF exist "%G_CA_CRL_NUMBER_LOCATION%" del "%G_CA_CRL_NUMBER_LOCATION%"*
REM Creating CA related files
REM Generate an empty file
ECHO. 2> "%G_CA_DATABASE_LOCATION%"
ECHO 00 > "%G_CA_SERIAL_NUMBER_LOCATION%"
ECHO 00 > "%G_CA_CRL_NUMBER_LOCATION%"
REM Creating private key
openssl genrsa -out "%PRIVATE_KEY_LOCATION%" %KEYSIZE% || GOTO SUBR_OPENSSL_ERROR
REM Creating certificate request
openssl req -config "%OPENSSL_CONF%" -new -%CERTSIGNATUREALG% -key "%PRIVATE_KEY_LOCATION%" -outform PEM -out "%REQUEST_LOCATION%" || GOTO SUBR_OPENSSL_ERROR
REM Creating self signed cert
openssl ca -config "%OPENSSL_CONF%" -batch -days %CERT_VALIDITY_DAYS% -selfsign -keyfile "%PRIVATE_KEY_LOCATION%" -in "%REQUEST_LOCATION%" -out "%TEMP_CERTIFICATE_LOCATION%" -subj "%SUBJ%" -extensions v3_self_signed || GOTO SUBR_OPENSSL_ERROR
REM Converting PEM certificate to DER format
openssl x509 -inform PEM -in "%TEMP_CERTIFICATE_LOCATION%" -outform DER -out "%CERTIFICATE_LOCATION%" || GOTO SUBR_OPENSSL_ERROR
GOTO:EOF
REM ================================================================
:create_self_signed_certificate_validity
IF %1.==. GOTO function_arguments_error
IF %2.==. GOTO function_arguments_error
IF %3.==. GOTO function_arguments_error
IF %4.==. GOTO function_arguments_error
SET NAME=%~1
SET SUBJ=%~2
SET STARTDATE=%~3
SET ENDDATE=%~4
SET PRIVATE_KEY_LOCATION=%STORE_PATH%\private\%NAME%.pem
SET REQUEST_LOCATION=%STORE_PATH%\request\%NAME%.csr
SET CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.der
SET TEMP_CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.pem
REM These variables are referenced from the OpenSSL configuration file
SET G_CA_DATABASE_LOCATION=%STORE_PATH%\database_%NAME%.txt
SET G_CA_SERIAL_NUMBER_LOCATION=%STORE_PATH%\serial_%NAME%.txt
SET G_CA_CRL_NUMBER_LOCATION=%STORE_PATH%\crlnumber_%NAME%.txt
REM remove files to create when they already exist
IF exist "%PRIVATE_KEY_LOCATION%" del "%PRIVATE_KEY_LOCATION%"
IF exist "%REQUEST_LOCATION%" del "%REQUEST_LOCATION%"
IF exist "%CERTIFICATE_LOCATION%" del "%CERTIFICATE_LOCATION%"
IF exist "%TEMP_CERTIFICATE_LOCATION%" del "%TEMP_CERTIFICATE_LOCATION%"
IF exist "%G_CA_DATABASE_LOCATION%" del "%G_CA_DATABASE_LOCATION%"*
IF exist "%G_CA_SERIAL_NUMBER_LOCATION%" del "%G_CA_SERIAL_NUMBER_LOCATION%"*
IF exist "%G_CA_CRL_NUMBER_LOCATION%" del "%G_CA_CRL_NUMBER_LOCATION%"*
REM Creating CA related files
REM Generate an empty file
ECHO. 2> "%G_CA_DATABASE_LOCATION%"
ECHO 00 > "%G_CA_SERIAL_NUMBER_LOCATION%"
ECHO 00 > "%G_CA_CRL_NUMBER_LOCATION%"
REM Creating private key
openssl genrsa -out "%PRIVATE_KEY_LOCATION%" %KEYSIZE% || GOTO SUBR_OPENSSL_ERROR
REM Creating certificate request
openssl req -config "%OPENSSL_CONF%" -new -key "%PRIVATE_KEY_LOCATION%" -outform PEM -out "%REQUEST_LOCATION%" || GOTO SUBR_OPENSSL_ERROR
REM Creating self signed cert
openssl ca -config "%OPENSSL_CONF%" -batch -startdate %STARTDATE% -enddate %ENDDATE% -selfsign -keyfile "%PRIVATE_KEY_LOCATION%" -in "%REQUEST_LOCATION%" -out "%TEMP_CERTIFICATE_LOCATION%" -subj "%SUBJ%" -extensions v3_self_signed || GOTO SUBR_OPENSSL_ERROR
REM Converting PEM certificate to DER format
openssl x509 -inform PEM -in "%TEMP_CERTIFICATE_LOCATION%" -outform DER -out "%CERTIFICATE_LOCATION%" || GOTO SUBR_OPENSSL_ERROR
GOTO:EOF
REM ================================================================
:invalidate_certificate_signature
IF %1.==. GOTO function_arguments_error
SET NAME=%~1
SET CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.der
REM Re-encode the DER certificate as base64, let fupfile.vbs (expected in the current directory) modify the
REM encoded text, and decode it back so the stored certificate no longer carries a valid signature
openssl enc -e -base64 -in "%CERTIFICATE_LOCATION%" -out "%CERTIFICATE_LOCATION%.b64" || GOTO SUBR_OPENSSL_ERROR
CSCRIPT "fupfile.vbs" "%CERTIFICATE_LOCATION%.b64" || EXIT /B 1
openssl enc -d -base64 -in "%CERTIFICATE_LOCATION%.b64" -out "%CERTIFICATE_LOCATION%" || GOTO SUBR_OPENSSL_ERROR
GOTO:EOF
REM ================================================================
:create_root_ca_certificate
IF %1.==. GOTO function_arguments_error
IF %2.==. GOTO function_arguments_error
SET NAME=%~1
SET SUBJ=%~2
SET PRIVATE_KEY_LOCATION=%STORE_PATH%\private\%NAME%.pem
SET REQUEST_LOCATION=%STORE_PATH%\request\%NAME%.csr
SET CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.der
SET TEMP_CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.pem
REM These variables are referenced from the OpenSSL configuration file
SET G_CA_DATABASE_LOCATION=%STORE_PATH%\database_%NAME%.txt
SET G_CA_SERIAL_NUMBER_LOCATION=%STORE_PATH%\serial_%NAME%.txt
SET G_CA_CRL_NUMBER_LOCATION=%STORE_PATH%\crlnumber_%NAME%.txt
REM remove files to create when they already exist
IF exist "%PRIVATE_KEY_LOCATION%" del "%PRIVATE_KEY_LOCATION%"
IF exist "%REQUEST_LOCATION%" del "%REQUEST_LOCATION%"
IF exist "%CERTIFICATE_LOCATION%" del "%CERTIFICATE_LOCATION%"
IF exist "%TEMP_CERTIFICATE_LOCATION%" del "%TEMP_CERTIFICATE_LOCATION%"
IF exist "%G_CA_DATABASE_LOCATION%" del "%G_CA_DATABASE_LOCATION%"*
IF exist "%G_CA_SERIAL_NUMBER_LOCATION%" del "%G_CA_SERIAL_NUMBER_LOCATION%"*
IF exist "%G_CA_CRL_NUMBER_LOCATION%" del "%G_CA_CRL_NUMBER_LOCATION%"*
REM Creating CA related files
REM Generate an empty file
ECHO. 2> "%G_CA_DATABASE_LOCATION%"
ECHO 00 > "%G_CA_SERIAL_NUMBER_LOCATION%"
ECHO 00 > "%G_CA_CRL_NUMBER_LOCATION%"
REM Creating private key
openssl genrsa -out "%PRIVATE_KEY_LOCATION%" %KEYSIZE% || GOTO SUBR_OPENSSL_ERROR
REM Creating certificate request
openssl req -config "%OPENSSL_CONF%" -new -key "%PRIVATE_KEY_LOCATION%" -outform PEM -out "%REQUEST_LOCATION%" || GOTO SUBR_OPENSSL_ERROR
REM Creating self signed cert
openssl ca -config "%OPENSSL_CONF%" -batch -days %CA_CERT_VALIDITY_DAYS% -selfsign -keyfile "%PRIVATE_KEY_LOCATION%" -in "%REQUEST_LOCATION%" -extensions v3_ca -out "%TEMP_CERTIFICATE_LOCATION%" -subj "%SUBJ%" || GOTO SUBR_OPENSSL_ERROR
REM Converting PEM certificate to DER format
openssl x509 -inform PEM -in "%TEMP_CERTIFICATE_LOCATION%" -outform DER -out "%CERTIFICATE_LOCATION%" || GOTO SUBR_OPENSSL_ERROR
GOTO:EOF
REM ================================================================
:create_issued_ca
IF %1.==. GOTO function_arguments_error
IF %2.==. GOTO function_arguments_error
IF %3.==. GOTO function_arguments_error
SET NAME=%~1
SET SUBJ=%~2
SET CA_NAME=%~3
SET PRIVATE_KEY_LOCATION=%STORE_PATH%\private\%NAME%.pem
SET REQUEST_LOCATION=%STORE_PATH%\request\%NAME%.csr
SET CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.der
SET TEMP_CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.pem
SET CA_PEM_CERTIFICATE=%STORE_PATH%\certs\%CA_NAME%.pem
SET CA_PRIVATE_KEY=%STORE_PATH%\private\%CA_NAME%.pem
REM These variables are referenced from the OpenSSL configuration file
SET G_CA_DATABASE_LOCATION=%STORE_PATH%\database_%NAME%.txt
SET G_CA_SERIAL_NUMBER_LOCATION=%STORE_PATH%\serial_%NAME%.txt
SET G_CA_CRL_NUMBER_LOCATION=%STORE_PATH%\crlnumber_%NAME%.txt
REM remove files to create when they already exist
IF exist "%PRIVATE_KEY_LOCATION%" del "%PRIVATE_KEY_LOCATION%"
IF exist "%REQUEST_LOCATION%" del "%REQUEST_LOCATION%"
IF exist "%CERTIFICATE_LOCATION%" del "%CERTIFICATE_LOCATION%"
IF exist "%TEMP_CERTIFICATE_LOCATION%" del "%TEMP_CERTIFICATE_LOCATION%"
IF exist "%G_CA_DATABASE_LOCATION%" del "%G_CA_DATABASE_LOCATION%"*
IF exist "%G_CA_SERIAL_NUMBER_LOCATION%" del "%G_CA_SERIAL_NUMBER_LOCATION%"*
IF exist "%G_CA_CRL_NUMBER_LOCATION%" del "%G_CA_CRL_NUMBER_LOCATION%"*
REM Creating CA related files
REM Generate an empty file
ECHO. 2> "%G_CA_DATABASE_LOCATION%"
ECHO 00 > "%G_CA_SERIAL_NUMBER_LOCATION%"
ECHO 00 > "%G_CA_CRL_NUMBER_LOCATION%"
ECHO Creating private key
openssl genrsa -out "%PRIVATE_KEY_LOCATION%" %KEYSIZE% || GOTO SUBR_OPENSSL_ERROR
ECHO Creating certificate request
openssl req -config "%OPENSSL_CONF%" -new -key "%PRIVATE_KEY_LOCATION%" -outform PEM -out "%REQUEST_LOCATION%" || GOTO SUBR_OPENSSL_ERROR
ECHO Creating intermediate CA certificate signed by %CA_NAME%
openssl ca -config "%OPENSSL_CONF%" -batch -days %CERT_VALIDITY_DAYS% -in "%REQUEST_LOCATION%" -extensions v3_ca -out "%TEMP_CERTIFICATE_LOCATION%" -subj "%SUBJ%" -keyfile "%CA_PRIVATE_KEY%" -cert "%CA_PEM_CERTIFICATE%" || GOTO SUBR_OPENSSL_ERROR
ECHO Converting PEM certificate to DER format
openssl x509 -inform PEM -in "%TEMP_CERTIFICATE_LOCATION%" -outform DER -out "%CERTIFICATE_LOCATION%" || GOTO SUBR_OPENSSL_ERROR
GOTO:EOF
REM ================================================================
:create_issued_certificate
IF %1.==. GOTO function_arguments_error
IF %2.==. GOTO function_arguments_error
IF %3.==. GOTO function_arguments_error
SET NAME=%~1
SET SUBJ=%~2
SET CA_NAME=%~3
SET PRIVATE_KEY_LOCATION=%STORE_PATH%\private\%NAME%.pem
SET REQUEST_LOCATION=%STORE_PATH%\request\%NAME%.csr
SET CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.der
SET TEMP_CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.pem
SET CA_PEM_CERTIFICATE=%STORE_PATH%\certs\%CA_NAME%.pem
SET CA_PRIVATE_KEY=%STORE_PATH%\private\%CA_NAME%.pem
REM These variables are referenced from the OpenSSL configuration file
SET G_CA_DATABASE_LOCATION=%STORE_PATH%\database_%CA_NAME%.txt
SET G_CA_SERIAL_NUMBER_LOCATION=%STORE_PATH%\serial_%CA_NAME%.txt
SET G_CA_CRL_NUMBER_LOCATION=%STORE_PATH%\crlnumber_%CA_NAME%.txt
REM remove files to create when they already exist
IF exist "%PRIVATE_KEY_LOCATION%" del "%PRIVATE_KEY_LOCATION%"
IF exist "%REQUEST_LOCATION%" del "%REQUEST_LOCATION%"
IF exist "%CERTIFICATE_LOCATION%" del "%CERTIFICATE_LOCATION%"
IF exist "%TEMP_CERTIFICATE_LOCATION%" del "%TEMP_CERTIFICATE_LOCATION%"
REM Creating private key
openssl genrsa -out "%PRIVATE_KEY_LOCATION%" %KEYSIZE% || GOTO SUBR_OPENSSL_ERROR
REM Creating certificate request
openssl req -config "%OPENSSL_CONF%" -new -key "%PRIVATE_KEY_LOCATION%" -outform PEM -out "%REQUEST_LOCATION%" || GOTO SUBR_OPENSSL_ERROR
REM Creating end-entity certificate signed by %CA_NAME% (not self-signed)
openssl ca -config "%OPENSSL_CONF%" -batch -days %CERT_VALIDITY_DAYS% -in "%REQUEST_LOCATION%" -out "%TEMP_CERTIFICATE_LOCATION%" -subj "%SUBJ%" -keyfile "%CA_PRIVATE_KEY%" -cert "%CA_PEM_CERTIFICATE%" || GOTO SUBR_OPENSSL_ERROR
REM Converting PEM certificate to DER format
openssl x509 -inform PEM -in "%TEMP_CERTIFICATE_LOCATION%" -outform DER -out "%CERTIFICATE_LOCATION%" || GOTO SUBR_OPENSSL_ERROR
GOTO:EOF
REM ================================================================
:revoke_certificate
IF %1.==. GOTO function_arguments_error
IF %2.==. GOTO function_arguments_error
SET NAME=%~1
SET CA_NAME=%~2
SET DER_CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.der
SET PEM_CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.pem
SET CA_CERTIFICATE=%STORE_PATH%\certs\%CA_NAME%.pem
SET CA_PRIVATE_KEY=%STORE_PATH%\private\%CA_NAME%.pem
REM These variables are referenced from the OpenSSL configuration file
SET G_CA_DATABASE_LOCATION=%STORE_PATH%\database_%CA_NAME%.txt
SET G_CA_SERIAL_NUMBER_LOCATION=%STORE_PATH%\serial_%CA_NAME%.txt
SET G_CA_CRL_NUMBER_LOCATION=%STORE_PATH%\crlnumber_%CA_NAME%.txt
REM Converting DER certificate to PEM format
openssl x509 -inform DER -in "%DER_CERTIFICATE_LOCATION%" -outform PEM -out "%PEM_CERTIFICATE_LOCATION%" || GOTO SUBR_OPENSSL_ERROR
REM Revoking certificate
openssl ca -config "%OPENSSL_CONF%" -revoke "%PEM_CERTIFICATE_LOCATION%" -cert "%CA_CERTIFICATE%" -keyfile "%CA_PRIVATE_KEY%" || GOTO SUBR_OPENSSL_ERROR
GOTO:EOF
REM ================================================================
:update_revocation_list
IF %1.==. GOTO function_arguments_error
SET CA_NAME=%~1
SET REVOCATION_LIST_LOCATION=%STORE_PATH%\crl\%CA_NAME%.crl
SET CA_CERTIFICATE=%STORE_PATH%\certs\%CA_NAME%.pem
SET CA_PRIVATE_KEY=%STORE_PATH%\private\%CA_NAME%.pem
REM These variables are referenced from the OpenSSL configuration file
SET G_CA_DATABASE_LOCATION=%STORE_PATH%\database_%CA_NAME%.txt
SET G_CA_SERIAL_NUMBER_LOCATION=%STORE_PATH%\serial_%CA_NAME%.txt
SET G_CA_CRL_NUMBER_LOCATION=%STORE_PATH%\crlnumber_%CA_NAME%.txt
REM Generate CRL
openssl ca -config "%OPENSSL_CONF%" -gencrl -crldays 1825 -out "%REVOCATION_LIST_LOCATION%" -cert "%CA_CERTIFICATE%" -keyfile "%CA_PRIVATE_KEY%" || GOTO SUBR_OPENSSL_ERROR
REM Convert CRL from PEM to DER format
openssl crl -inform PEM -in "%REVOCATION_LIST_LOCATION%" -outform DER -out "%REVOCATION_LIST_LOCATION%" || GOTO SUBR_OPENSSL_ERROR
GOTO:EOF
REM ================================================================
:deploy_certificate
IF %1.==. GOTO function_arguments_error
IF %2.==. GOTO function_arguments_error
SET NAME=%~1
SET DEPLOYED_STORE_LOCATION=%~2
SET CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%.der
SET PRIVATE_KEY_LOCATION=%STORE_PATH%\private\%NAME%.pem
SET TARGET_CERTIFICATE_LOCATION=%DEPLOYED_STORE_LOCATION%\certs\%NAME%.der
SET TARGET_PRIVATE_KEY_LOCATION=%DEPLOYED_STORE_LOCATION%\private\%NAME%.pem
COPY /Y "%CERTIFICATE_LOCATION%" "%TARGET_CERTIFICATE_LOCATION%" || GOTO SUBR_DEPLOY_FILE_ERROR
COPY /Y "%PRIVATE_KEY_LOCATION%" "%TARGET_PRIVATE_KEY_LOCATION%" || GOTO SUBR_DEPLOY_FILE_ERROR
GOTO:EOF
REM ================================================================
:deploy_revocation_list
IF %1.==. GOTO function_arguments_error
IF %2.==. GOTO function_arguments_error
SET CA_NAME=%~1
SET DEPLOYED_STORE_LOCATION=%~2
SET REVOCATION_LIST_LOCATION=%STORE_PATH%\crl\%CA_NAME%.crl
SET TARGET_REVOCATION_LIST_LOCATION=%DEPLOYED_STORE_LOCATION%\crl\%CA_NAME%.crl
COPY /Y "%REVOCATION_LIST_LOCATION%" "%TARGET_REVOCATION_LIST_LOCATION%" || GOTO SUBR_DEPLOY_FILE_ERROR
GOTO:EOF
REM ================================================================
:copy_needed_files
IF %1.==. GOTO function_arguments_error
IF %2.==. GOTO function_arguments_error
SET NAME=%~1
SET DEPLOYED_STORE_LOCATION=%~2
SET CERTIFICATE_LOCATION=%STORE_PATH%\certs\%NAME%
SET TARGET_CERTIFICATE_LOCATION=%DEPLOYED_STORE_LOCATION%\%NAME%
COPY /Y "%CERTIFICATE_LOCATION%" "%TARGET_CERTIFICATE_LOCATION%" || GOTO SUBR_DEPLOY_FILE_ERROR
GOTO:EOF
REM ================================================================
:create_all_issued_certificates
IF %1.==. GOTO function_arguments_error
IF %2.==. GOTO function_arguments_error
SET CATOISSUECERTIFICATESFROM=%~1
SET PATHTORI=%~2
ECHO Creating all issued certificates for %CATOISSUECERTIFICATESFROM% which is %PATHTORI%
ECHO.
ECHO.
ECHO =====================================
ECHO = Issue a trusted Certificate from %CATOISSUECERTIFICATESFROM% for the CTT
ECHO =====================================
SET CERTCN=%CATOISSUECERTIFICATESFROM%_appT
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_issued_certificate "%CERTCN%" "%X509_SUBJ%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = Issue an untrusted Certificate from %CATOISSUECERTIFICATESFROM% for the CTT
ECHO =====================================
SET CERTCN=%CATOISSUECERTIFICATESFROM%_appU
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_issued_certificate "%CERTCN%" "%X509_SUBJ%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = Revoke an issued Certificate from %CATOISSUECERTIFICATESFROM% for the trusted folder
ECHO =====================================
SET CERTCN=%CATOISSUECERTIFICATESFROM%_appTR
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_issued_certificate "%CERTCN%" "%X509_SUBJ%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR
CALL:revoke_certificate "%CERTCN%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR
CALL:update_revocation_list "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:deploy_revocation_list "%CATOISSUECERTIFICATESFROM%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_AI_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = Revoke a second issued Certificate from %CATOISSUECERTIFICATESFROM% which is not trusted
ECHO =====================================
SET CERTCN=%CATOISSUECERTIFICATESFROM%_appUR
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_issued_certificate "%CERTCN%" "%X509_SUBJ%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR
CALL:revoke_certificate "%CERTCN%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR
CALL:update_revocation_list "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:deploy_revocation_list "%CATOISSUECERTIFICATESFROM%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
REM Now let's issue the user certs for this CA
SET G_SUBJECT_ALTERNATIVE_NAME=URI:compliance@opcfoundation.org
ECHO.
ECHO.
ECHO =====================================
ECHO = Issue a trusted User Certificate from %CATOISSUECERTIFICATESFROM% for the CTT
ECHO =====================================
SET CERTCN=%CATOISSUECERTIFICATESFROM%_usrT
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_issued_certificate "%CERTCN%" "/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = Issue an untrusted User Certificate from %CATOISSUECERTIFICATESFROM% for the CTT
ECHO =====================================
SET CERTCN=%CATOISSUECERTIFICATESFROM%_usrU
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_issued_certificate "%CERTCN%" "/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = Revoke an issued User Certificate from %CATOISSUECERTIFICATESFROM% for the trusted folder
ECHO =====================================
SET CERTCN=%CATOISSUECERTIFICATESFROM%_usrTR
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_issued_certificate "%CERTCN%" "%X509_SUBJ%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR
CALL:revoke_certificate "%CERTCN%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR
CALL:update_revocation_list "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:deploy_revocation_list "%CATOISSUECERTIFICATESFROM%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
CALL:copy_needed_files "%CERTCN%.der" "%CS_USER_PKI%\trusted\certs" || GOTO BATCH_END_ERROR
ECHO.
ECHO.
ECHO =====================================
ECHO = Revoke a second issued Certificate from %CATOISSUECERTIFICATESFROM% which is not trusted
ECHO =====================================
SET CERTCN=%CATOISSUECERTIFICATESFROM%_usrUR
SET X509_SUBJ=/C=%CERTC%/L=%CERTL%/ST=%CERTS%/O=%CERTO%/CN=%CERTCN%/DC=%HOSTNAME%
CALL:create_issued_certificate "%CERTCN%" "%X509_SUBJ%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR
CALL:revoke_certificate "%CERTCN%" "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR
CALL:update_revocation_list "%CATOISSUECERTIFICATESFROM%" || GOTO BATCH_END_ERROR
CALL:deploy_certificate "%CERTCN%" "%DEPLOYED_SERVER_STORE_PATH%" || GOTO BATCH_END_ERROR
REM Reset the Subject alternative name
SET G_SUBJECT_ALTERNATIVE_NAME=%SUBJECT_ALTERNATIVE_NAME%
GOTO:EOF
REM ================================================================
:function_arguments_error
ECHO Invalid arguments when calling script function
EXIT /B 1
:SUBR_OPENSSL_ERROR
ECHO OpenSSL exited with an error
EXIT /B 1
:SUBR_DEPLOY_FILE_ERROR
ECHO Failed to deploy file
EXIT /B 1
:BATCH_END_SUCCESS
REM Delete temporary store location
RMDIR "%STORE_PATH%" /S /Q
ECHO.
ECHO.
ECHO ~~~ Certificates successfully created ~~~
ENDLOCAL
EXIT /B 0
:BATCH_END_ERROR
REM Delete PKI folder
RMDIR "%STORE_PATH%" /S /Q
RMDIR "%DEPLOYED_SERVER_PKI_PATH%" /S /Q
RMDIR "%DEPLOYED_CLIENT_PKI_PATH%" /S /Q
ECHO.
ECHO.
ECHO ~~~ Failed to create certificates ~~~
ENDLOCAL
EXIT /B 1
Fixed Windows certificate generation batch to be locality independent.
Reviewed in CMP call - agreed to change and closed
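The failure reported in this issue (a fixed 1 January 2021 start date that stopped being "in the future") and the related request 0006704 (the CTT should report when certificates need regenerating) are illustrated by the following added Python example. It is not part of the CTT or of the attached scripts. It reads the validity field of DER-encoded X.509 certificates with the standard library only, classifies each certificate relative to a given clock, and lists the test certificates whose status no longer matches what the test case expects. The names ctt_appTV and ctt_usrTV come from the issue; ctt_appT, the expected-status table, the DER skeletons and the chosen dates are constructed for the example and are not signed certificates.

```python
"""Report CTT test certificates whose validity window no longer matches the test's
intent (added example; stdlib only, parses the DER validity field directly)."""
from datetime import datetime, timezone

# --- minimal DER helpers -------------------------------------------------

def _read_tlv(buf, pos):
    """Decode the DER tag/length at pos; return (tag, value_start, value_end, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length

def _tlv(tag, value):
    """Encode one DER TLV (used only to build the constructed samples below)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _parse_time(tag, raw):
    """Decode UTCTime (0x17, RFC 5280 century rule) or GeneralizedTime (0x18)."""
    s = raw.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = "%04d%s" % (1900 + yy if yy >= 50 else 2000 + yy, s[2:])
    elif tag != 0x18:
        raise ValueError("unexpected Time tag %#x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

# --- certificate validity -------------------------------------------------

def certificate_validity(der):
    """Return (notBefore, notAfter) of a DER X.509 certificate as UTC datetimes."""
    tag, pos, _, _ = _read_tlv(der, 0)              # Certificate
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _, _ = _read_tlv(der, pos)            # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, _, _, nxt = _read_tlv(der, pos)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(3):                              # serialNumber, signature, issuer
        _, _, _, pos = _read_tlv(der, pos)
    _, pos, _, _ = _read_tlv(der, pos)              # validity SEQUENCE
    t1, s1, e1, pos = _read_tlv(der, pos)
    t2, s2, e2, _ = _read_tlv(der, pos)
    return _parse_time(t1, der[s1:e1]), _parse_time(t2, der[s2:e2])

def classify(der, now):
    """'not yet valid', 'valid' or 'expired' relative to the aware datetime now."""
    not_before, not_after = certificate_validity(der)
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"

def stale_test_certificates(store, expected, now):
    """Names in store whose status at now differs from what the test case expects."""
    return [name for name, der in store.items() if classify(der, now) != expected[name]]

# --- constructed sample store (not real CTT output) ----------------------

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

def build_sample_certificate(not_before, not_after):
    """Unsigned skeleton with the RFC 5280 tbsCertificate field order; sample only."""
    def utctime(dt):
        return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))           # [0] version v3
           + _tlv(0x02, b"\x01")                     # serialNumber 1
           + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + _tlv(0x30, b"")                         # issuer (empty Name)
           + _tlv(0x30, utctime(not_before) + utctime(not_after))  # validity
           + _tlv(0x30, b"")                         # subject
           + _tlv(0x30, b""))                        # subjectPublicKeyInfo (omitted)
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

# Status each test case expects: ctt_appTV/ctt_usrTV are the "not yet valid" certificates
# named in the issue; ctt_appT stands in for an ordinary issued certificate (constructed).
EXPECTED_STATUS = {"ctt_appT": "valid", "ctt_appTV": "not yet valid", "ctt_usrTV": "not yet valid"}

def sample_store(start_year):
    """Mimics the old fixed-date scheme: the TV certificates start on 1 January of start_year."""
    return {
        "ctt_appT": build_sample_certificate(utc(start_year - 1, 1, 1), utc(start_year + 4, 1, 1)),
        "ctt_appTV": build_sample_certificate(utc(start_year, 1, 1), utc(start_year + 1, 1, 1)),
        "ctt_usrTV": build_sample_certificate(utc(start_year, 1, 1), utc(start_year + 1, 1, 1)),
    }

if __name__ == "__main__":
    store = sample_store(2021)
    for when in (utc(2020, 6, 1), utc(2021, 6, 1)):
        print(when.date(), "needs regeneration:", stale_test_certificates(store, EXPECTED_STATUS, when))
```

Run as-is, the block reproduces the reported situation: with a 2020 clock every certificate has the status its test expects, with a 2021 clock the two TV certificates are flagged because their start date is no longer in the future. Against a real installation a practitioner would read each `.der` file from the deployed store's `certs` folder and pass its bytes to `classify`; the same check is what a start-up self-test of the kind requested in 0006704 would run.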
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2021-01-14 09:35 | Uwe Stadelmann | New Issue | |
| 2021-01-15 06:10 | Paul Hunkar | Assigned To | => Alexander Allmendinger |
| 2021-01-15 06:10 | Paul Hunkar | Status | new => assigned |
| 2021-01-17 00:44 | Alexander Allmendinger | File Added: create_ctt_pki.bat | |
| 2021-01-17 00:44 | Alexander Allmendinger | Note Added: 0013530 | |
| 2021-01-17 20:03 | Alexander Allmendinger | File Added: create_ctt_pki.sh | |
| 2021-01-17 20:03 | Alexander Allmendinger | Note Added: 0013531 | |
| 2021-01-17 20:10 | Alexander Allmendinger | Status | assigned => resolved |
| 2021-01-17 20:10 | Alexander Allmendinger | Resolution | open => fixed |
| 2021-01-17 20:10 | Alexander Allmendinger | Fixed in Version | => 1.03.341.398 |
| 2021-01-17 20:10 | Alexander Allmendinger | Note Added: 0013532 | |
| 2021-01-25 09:29 | Alexander Allmendinger | Status | resolved => feedback |
| 2021-01-25 09:29 | Alexander Allmendinger | Resolution | fixed => reopened |
| 2021-01-25 09:29 | Alexander Allmendinger | Note Added: 0013599 | |
| 2021-01-25 10:41 | Alexander Allmendinger | File Added: create_ctt_pki-2.bat | |
| 2021-01-25 10:41 | Alexander Allmendinger | Note Added: 0013600 | |
| 2021-01-25 10:41 | Alexander Allmendinger | Status | feedback => resolved |
| 2021-01-25 10:41 | Alexander Allmendinger | Resolution | reopened => fixed |
| 2021-01-25 10:41 | Alexander Allmendinger | Note Added: 0013601 | |
| 2021-02-09 16:13 | Alexander Allmendinger | Relationship added | has duplicate 0006471 |
| 2021-03-25 14:24 | Paul Hunkar | Relationship added | related to 0006704 |
| 2021-03-25 14:25 | Paul Hunkar | Status | resolved => closed |
| 2021-03-25 14:25 | Paul Hunkar | Note Added: 0014065 | |