jstests/ssl/x509/mkcrl.sh


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

#!/bin/bash
set -e

# This script uses the openssl command line tool to create CRLs.

OUTPUT_PATH="jstests/libs/"

crl() {
    CADB=$(mktemp -d)
    CA="jstests/libs/ca.pem"
    CONFIG="${CADB}/config"
    DEST="${OUTPUT_PATH}/$1"
    echo '01' > "$CADB/serial"
    touch "$CADB/index.txt" "$CADB/index.txt.attr"
    echo -e "[ ca ]\ndefault_ca	= CA_default\n" > "$CONFIG"
    echo -e "[ CA_default ]\ndatabase = ${CADB}/index.txt\n" >> "$CONFIG"
    echo -e "certificate = $CA\nprivate_key = $CA\ndefault_md = sha256" >> "$CONFIG"

    DAYS="3651"
    CRLDAYS="3650"
    if [ "$2" = "expired" ]; then
        DAYS="1"
        CRLDAYS="1"
    elif [ "$2" = "revoked" ]; then
        openssl ca -config "$CADB/config" -revoke "jstests/libs/client_revoked.pem"
    fi
    openssl ca -config "$CADB/config" -gencrl -out "$DEST" -md sha256 -days "$DAYS" -crldays "$CRLDAYS"
}
crl crl.pem empty
crl crl_expired.pem expired
crl crl_client_revoked.pem revoked