mkcerts.sh 3.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596
  1. #!/bin/sh
  2. OPENSSL=../../apps/openssl
  3. OPENSSL_CONF=../../apps/openssl.cnf
  4. export OPENSSL_CONF
  5. # Root CA: create certificate directly
  6. CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes \
  7. -keyout root.pem -out root.pem -newkey rsa:2048 -days 3650
  8. # Intermediate CA: request first
  9. CN="Test Intermediate CA" $OPENSSL req -config ca.cnf -nodes \
  10. -keyout intkey.pem -out intreq.pem -newkey rsa:2048
  11. # Sign request: CA extensions
  12. $OPENSSL x509 -req -in intreq.pem -CA root.pem -days 3600 \
  13. -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem
  14. # Server certificate: create request first
  15. CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \
  16. -keyout skey.pem -out req.pem -newkey rsa:1024
  17. # Sign request: end entity extensions
  18. $OPENSSL x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
  19. -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem
  20. # Client certificate: request first
  21. CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \
  22. -keyout ckey.pem -out creq.pem -newkey rsa:1024
  23. # Sign using intermediate CA
  24. $OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
  25. -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem
  26. # Revoked certificate: request first
  27. CN="Test Revoked Cert" $OPENSSL req -config ca.cnf -nodes \
  28. -keyout revkey.pem -out rreq.pem -newkey rsa:1024
  29. # Sign using intermediate CA
  30. $OPENSSL x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
  31. -extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem
  32. # OCSP responder certificate: request first
  33. CN="Test OCSP Responder Cert" $OPENSSL req -config ca.cnf -nodes \
  34. -keyout respkey.pem -out respreq.pem -newkey rsa:1024
  35. # Sign using intermediate CA and responder extensions
  36. $OPENSSL x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
  37. -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem
  38. # Example creating a PKCS#3 DH certificate.
  39. # First DH parameters
  40. [ -f dhp.pem ] || $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem
  41. # Now a DH private key
  42. $OPENSSL genpkey -paramfile dhp.pem -out dhskey.pem
  43. # Create DH public key file
  44. $OPENSSL pkey -in dhskey.pem -pubout -out dhspub.pem
  45. # Certificate request, key just reuses old one as it is ignored when the
  46. # request is signed.
  47. CN="Test Server DH Cert" $OPENSSL req -config ca.cnf -new \
  48. -key skey.pem -out dhsreq.pem
  49. # Sign request: end entity DH extensions
  50. $OPENSSL x509 -req -in dhsreq.pem -CA root.pem -days 3600 \
  51. -force_pubkey dhspub.pem \
  52. -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem
  53. # DH client certificate
  54. $OPENSSL genpkey -paramfile dhp.pem -out dhckey.pem
  55. $OPENSSL pkey -in dhckey.pem -pubout -out dhcpub.pem
  56. CN="Test Client DH Cert" $OPENSSL req -config ca.cnf -new \
  57. -key skey.pem -out dhcreq.pem
  58. $OPENSSL x509 -req -in dhcreq.pem -CA root.pem -days 3600 \
  59. -force_pubkey dhcpub.pem \
  60. -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem
  61. # Examples of CRL generation without the need to use 'ca' to issue
  62. # certificates.
  63. # Create zero length index file
  64. >index.txt
  65. # Create initial crl number file
  66. echo 01 >crlnum.txt
  67. # Add entries for server and client certs
  68. $OPENSSL ca -valid server.pem -keyfile root.pem -cert root.pem \
  69. -config ca.cnf -md sha1
  70. $OPENSSL ca -valid client.pem -keyfile root.pem -cert root.pem \
  71. -config ca.cnf -md sha1
  72. $OPENSSL ca -valid rev.pem -keyfile root.pem -cert root.pem \
  73. -config ca.cnf -md sha1
  74. # Generate a CRL.
  75. $OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
  76. -md sha1 -crldays 1 -out crl1.pem
  77. # Revoke a certificate
  78. openssl ca -revoke rev.pem -crl_reason superseded \
  79. -keyfile root.pem -cert root.pem -config ca.cnf -md sha1
  80. # Generate another CRL
  81. $OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
  82. -md sha1 -crldays 1 -out crl2.pem