ECCcertgen.sh 7.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164
  1. #!/bin/sh
  2. # For a list of supported curves, use "apps/openssl ecparam -list_curves".
  3. # Path to the openssl distribution
  4. OPENSSL_DIR=../..
  5. # Path to the openssl program
  6. OPENSSL_CMD=$OPENSSL_DIR/apps/openssl
  7. # Option to find configuration file
  8. OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf"
  9. # Directory where certificates are stored
  10. CERTS_DIR=./Certs
  11. # Directory where private key files are stored
  12. KEYS_DIR=$CERTS_DIR
  13. # Directory where combo files (containing a certificate and corresponding
  14. # private key together) are stored
  15. COMBO_DIR=$CERTS_DIR
  16. # cat command
  17. CAT=/bin/cat
  18. # rm command
  19. RM=/bin/rm
  20. # mkdir command
  21. MKDIR=/bin/mkdir
  22. # The certificate will expire these many days after the issue date.
  23. DAYS=1500
  24. TEST_CA_CURVE=secp160r1
  25. TEST_CA_FILE=secp160r1TestCA
  26. TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (Elliptic curve secp160r1)"
  27. TEST_SERVER_CURVE=secp160r2
  28. TEST_SERVER_FILE=secp160r2TestServer
  29. TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (Elliptic curve secp160r2)"
  30. TEST_CLIENT_CURVE=secp160r2
  31. TEST_CLIENT_FILE=secp160r2TestClient
  32. TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (Elliptic curve secp160r2)"
  33. # Generating an EC certificate involves the following main steps
  34. # 1. Generating curve parameters (if needed)
  35. # 2. Generating a certificate request
  36. # 3. Signing the certificate request
  37. # 4. [Optional] One can combine the cert and private key into a single
  38. # file and also delete the certificate request
  39. $MKDIR -p $CERTS_DIR
  40. $MKDIR -p $KEYS_DIR
  41. $MKDIR -p $COMBO_DIR
  42. echo "Generating self-signed CA certificate (on curve $TEST_CA_CURVE)"
  43. echo "==============================================================="
  44. $OPENSSL_CMD ecparam -name $TEST_CA_CURVE -out $TEST_CA_CURVE.pem
  45. # Generate a new certificate request in $TEST_CA_FILE.req.pem. A
  46. # new ecdsa (actually ECC) key pair is generated on the parameters in
  47. # $TEST_CA_CURVE.pem and the private key is saved in $TEST_CA_FILE.key.pem
  48. # WARNING: By using the -nodes option, we force the private key to be
  49. # stored in the clear (rather than encrypted with a password).
  50. $OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \
  51. -keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \
  52. -newkey ec:$TEST_CA_CURVE.pem -new \
  53. -out $CERTS_DIR/$TEST_CA_FILE.req.pem
  54. # Sign the certificate request in $TEST_CA_FILE.req.pem using the
  55. # private key in $TEST_CA_FILE.key.pem and include the CA extension.
  56. # Make the certificate valid for 1500 days from the time of signing.
  57. # The certificate is written into $TEST_CA_FILE.cert.pem
  58. $OPENSSL_CMD x509 -req -days $DAYS \
  59. -in $CERTS_DIR/$TEST_CA_FILE.req.pem \
  60. -extfile $OPENSSL_DIR/apps/openssl.cnf \
  61. -extensions v3_ca \
  62. -signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
  63. -out $CERTS_DIR/$TEST_CA_FILE.cert.pem
  64. # Display the certificate
  65. $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text
  66. # Place the certificate and key in a common file
  67. $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \
  68. > $COMBO_DIR/$TEST_CA_FILE.pem
  69. $CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem
  70. # Remove the cert request file (no longer needed)
  71. $RM $CERTS_DIR/$TEST_CA_FILE.req.pem
  72. echo "GENERATING A TEST SERVER CERTIFICATE (on elliptic curve $TEST_SERVER_CURVE)"
  73. echo "=========================================================================="
  74. # Generate parameters for curve $TEST_SERVER_CURVE, if needed
  75. $OPENSSL_CMD ecparam -name $TEST_SERVER_CURVE -out $TEST_SERVER_CURVE.pem
  76. # Generate a new certificate request in $TEST_SERVER_FILE.req.pem. A
  77. # new ecdsa (actually ECC) key pair is generated on the parameters in
  78. # $TEST_SERVER_CURVE.pem and the private key is saved in
  79. # $TEST_SERVER_FILE.key.pem
  80. # WARNING: By using the -nodes option, we force the private key to be
  81. # stored in the clear (rather than encrypted with a password).
  82. $OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \
  83. -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \
  84. -newkey ec:$TEST_SERVER_CURVE.pem -new \
  85. -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem
  86. # Sign the certificate request in $TEST_SERVER_FILE.req.pem using the
  87. # CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in
  88. # $TEST_CA_FILE.key.pem. Since we do not have an existing serial number
  89. # file for this CA, create one. Make the certificate valid for $DAYS days
  90. # from the time of signing. The certificate is written into
  91. # $TEST_SERVER_FILE.cert.pem
  92. $OPENSSL_CMD x509 -req -days $DAYS \
  93. -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \
  94. -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
  95. -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
  96. -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial
  97. # Display the certificate
  98. $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text
  99. # Place the certificate and key in a common file
  100. $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \
  101. > $COMBO_DIR/$TEST_SERVER_FILE.pem
  102. $CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem
  103. # Remove the cert request file (no longer needed)
  104. $RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem
  105. echo "GENERATING A TEST CLIENT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)"
  106. echo "=========================================================================="
  107. # Generate parameters for curve $TEST_CLIENT_CURVE, if needed
  108. $OPENSSL_CMD ecparam -name $TEST_CLIENT_CURVE -out $TEST_CLIENT_CURVE.pem
  109. # Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. A
  110. # new ecdsa (actually ECC) key pair is generated on the parameters in
  111. # $TEST_CLIENT_CURVE.pem and the private key is saved in
  112. # $TEST_CLIENT_FILE.key.pem
  113. # WARNING: By using the -nodes option, we force the private key to be
  114. # stored in the clear (rather than encrypted with a password).
  115. $OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \
  116. -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \
  117. -newkey ec:$TEST_CLIENT_CURVE.pem -new \
  118. -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
  119. # Sign the certificate request in $TEST_CLIENT_FILE.req.pem using the
  120. # CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in
  121. # $TEST_CA_FILE.key.pem. Since we do not have an existing serial number
  122. # file for this CA, create one. Make the certificate valid for $DAYS days
  123. # from the time of signing. The certificate is written into
  124. # $TEST_CLIENT_FILE.cert.pem
  125. $OPENSSL_CMD x509 -req -days $DAYS \
  126. -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \
  127. -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
  128. -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
  129. -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial
  130. # Display the certificate
  131. $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text
  132. # Place the certificate and key in a common file
  133. $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \
  134. > $COMBO_DIR/$TEST_CLIENT_FILE.pem
  135. $CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem
  136. # Remove the cert request file (no longer needed)
  137. $RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem