2
0

mkcerts.sh 3.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101
  1. #!/bin/sh
  2. opensslcmd() {
  3. LD_LIBRARY_PATH=../.. ../../apps/openssl $@
  4. }
  5. OPENSSL_CONF=../../apps/openssl.cnf
  6. export OPENSSL_CONF
  7. opensslcmd version
  8. # Root CA: create certificate directly
  9. CN="Test Root CA" opensslcmd req -config ca.cnf -x509 -nodes \
  10. -keyout root.pem -out root.pem -newkey rsa:2048 -days 3650
  11. # Intermediate CA: request first
  12. CN="Test Intermediate CA" opensslcmd req -config ca.cnf -nodes \
  13. -keyout intkey.pem -out intreq.pem -newkey rsa:2048
  14. # Sign request: CA extensions
  15. opensslcmd x509 -req -in intreq.pem -CA root.pem -days 3600 \
  16. -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem
  17. # Server certificate: create request first
  18. CN="Test Server Cert" opensslcmd req -config ca.cnf -nodes \
  19. -keyout skey.pem -out req.pem -newkey rsa:1024
  20. # Sign request: end entity extensions
  21. opensslcmd x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
  22. -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem
  23. # Client certificate: request first
  24. CN="Test Client Cert" opensslcmd req -config ca.cnf -nodes \
  25. -keyout ckey.pem -out creq.pem -newkey rsa:1024
  26. # Sign using intermediate CA
  27. opensslcmd x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
  28. -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem
  29. # Revoked certificate: request first
  30. CN="Test Revoked Cert" opensslcmd req -config ca.cnf -nodes \
  31. -keyout revkey.pem -out rreq.pem -newkey rsa:1024
  32. # Sign using intermediate CA
  33. opensslcmd x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
  34. -extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem
  35. # OCSP responder certificate: request first
  36. CN="Test OCSP Responder Cert" opensslcmd req -config ca.cnf -nodes \
  37. -keyout respkey.pem -out respreq.pem -newkey rsa:1024
  38. # Sign using intermediate CA and responder extensions
  39. opensslcmd x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
  40. -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem
  41. # Example creating a PKCS#3 DH certificate.
  42. # First DH parameters
  43. [ -f dhp.pem ] || opensslcmd genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem
  44. # Now a DH private key
  45. opensslcmd genpkey -paramfile dhp.pem -out dhskey.pem
  46. # Create DH public key file
  47. opensslcmd pkey -in dhskey.pem -pubout -out dhspub.pem
  48. # Certificate request, key just reuses old one as it is ignored when the
  49. # request is signed.
  50. CN="Test Server DH Cert" opensslcmd req -config ca.cnf -new \
  51. -key skey.pem -out dhsreq.pem
  52. # Sign request: end entity DH extensions
  53. opensslcmd x509 -req -in dhsreq.pem -CA root.pem -days 3600 \
  54. -force_pubkey dhspub.pem \
  55. -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem
  56. # DH client certificate
  57. opensslcmd genpkey -paramfile dhp.pem -out dhckey.pem
  58. opensslcmd pkey -in dhckey.pem -pubout -out dhcpub.pem
  59. CN="Test Client DH Cert" opensslcmd req -config ca.cnf -new \
  60. -key skey.pem -out dhcreq.pem
  61. opensslcmd x509 -req -in dhcreq.pem -CA root.pem -days 3600 \
  62. -force_pubkey dhcpub.pem \
  63. -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem
  64. # Examples of CRL generation without the need to use 'ca' to issue
  65. # certificates.
  66. # Create zero length index file
  67. >index.txt
  68. # Create initial crl number file
  69. echo 01 >crlnum.txt
  70. # Add entries for server and client certs
  71. opensslcmd ca -valid server.pem -keyfile root.pem -cert root.pem \
  72. -config ca.cnf -md sha1
  73. opensslcmd ca -valid client.pem -keyfile root.pem -cert root.pem \
  74. -config ca.cnf -md sha1
  75. opensslcmd ca -valid rev.pem -keyfile root.pem -cert root.pem \
  76. -config ca.cnf -md sha1
  77. # Generate a CRL.
  78. opensslcmd ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
  79. -md sha1 -crldays 1 -out crl1.pem
  80. # Revoke a certificate
  81. openssl ca -revoke rev.pem -crl_reason superseded \
  82. -keyfile root.pem -cert root.pem -config ca.cnf -md sha1
  83. # Generate another CRL
  84. opensslcmd ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
  85. -md sha1 -crldays 1 -out crl2.pem