. structure
. commonFunctions
+mkdir -p generated
+cd generated
####### create various extensions files for the various certificate types ######
cat <<TESTCA > ca.cnf
-basicConstraints = CA:true
-keyUsage = keyCertSign, cRLSign
+basicConstraints = critical,CA:true
+keyUsage =critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
-crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/root.crl
-authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/root.crt
+crlDistributionPoints=URI:http://g2.crl.${DOMAIN}/g2/root.crl
+authorityInfoAccess = OCSP;URI:http://g2.ocsp.${DOMAIN},caIssuers;URI:http://g2.crt.${DOMAIN}/g2/root.crt
TESTCA
-cat <<TESTCA > subca.cnf
-basicConstraints = CA:true
-keyUsage = keyCertSign, cRLSign
+
+rootSign(){ # csr
+ POLICY=ca.cnf
+ if [[ "$1" != "root" ]] ; then
+ KNAME=$1
+ POLICY=subca.cnf
+ . ../CAs/${KNAME}
+ cat <<TESTCA > subca.cnf
+
+basicConstraints =critical, CA:true
+keyUsage =critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
-crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/root.crl
-authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/root.crt
-TESTCA
+crlDistributionPoints=URI:http://g2.crl.${DOMAIN}/g2/root.crl
+authorityInfoAccess = OCSP;URI:http://g2.ocsp.${DOMAIN},caIssuers;URI:http://g2.crt.${DOMAIN}/g2/root.crt
+certificatePolicies=@polsect
-rootSign(){ # csr
- caSign "$1.ca/key" root subca.cnf
+[polsect]
+policyIdentifier = 1.3.6.1.4.1.18506.9.${CPSID}
+CPS.1="http://g2.cps.${DOMAIN}/g2/${KNAME}.cps"
+
+TESTCA
+ fi
+ caSign "$1.ca/key" root $POLICY
}
# generate the various sub-CAs
for ca in $STRUCT_CAS; do
- . CAs/$ca
+ . ../CAs/$ca
genca "/CN=$name" $ca
rootSign $ca
done