
  1. #!/usr/bin/env bash
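#######################################
# Abort the whole script when the preceding step failed.
# Arguments: $1 - exit status of the step just run (normally "$?")
#            $2 - human-readable step name for the failure message
# Outputs:   success message on stdout; failure message on stderr
# Returns:   0 on success; exits the script with status 1 otherwise
# A missing or empty status is treated as a failure rather than as success,
# so a mis-wired call site cannot silently pass.
#######################################
check_result(){
  local status=${1:-1}
  local step=${2:-unknown step}
  if [ "$status" -ne 0 ] 2>/dev/null || ! [ "$status" -eq 0 ] 2>/dev/null; then
    printf 'Failed at "%s", Abort\n' "$step" >&2
    exit 1
  fi
  echo "Step Succeeded!"
}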
  10. ############################################################
  11. ####### update the self-signed root-rsapss.pem #############
  12. ############################################################
  13. echo "Updating root-rsapss.pem"
  14. echo ""
  15. #pipe the following arguments to openssl req...
  16. echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSA-PSS\\nRoot-RSA-PSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | \
  17. openssl req -new -key root-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out root-rsapss.csr
  18. check_result $? "Generate request"
  19. openssl x509 -req -in root-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -signkey root-rsapss-priv.pem -out root-rsapss.pem
  20. check_result $? "Generate certificate"
  21. rm root-rsapss.csr
  22. openssl x509 -in root-rsapss.pem -outform DER > root-rsapss.der
  23. check_result $? "Convert to DER"
  24. openssl x509 -in root-rsapss.pem -text > tmp.pem
  25. check_result $? "Add text"
  26. mv tmp.pem root-rsapss.pem
  27. echo "End of section"
  28. echo "---------------------------------------------------------------------"
  29. ############################################################
  30. ####### update ca-rsapss.pem signed by root ################
  31. ############################################################
  32. echo "Updating ca-rsapss.pem"
  33. echo ""
  34. #pipe the following arguments to openssl req...
  35. echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSAPSS\\nCA-RSAPSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key ca-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out ca-rsapss.csr
  36. check_result $? "Generate request"
  37. openssl x509 -req -in ca-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -CA root-rsapss.pem -CAkey root-rsapss-priv.pem -set_serial 01 -out ca-rsapss.pem
  38. check_result $? "Generate certificate"
  39. rm ca-rsapss.csr
  40. openssl x509 -in ca-rsapss.pem -outform DER > ca-rsapss.der
  41. check_result $? "Convert to DER"
  42. openssl x509 -in ca-rsapss.pem -text > tmp.pem
  43. check_result $? "Add text"
  44. mv tmp.pem ca-rsapss.pem
  45. echo "End of section"
  46. echo "---------------------------------------------------------------------"
  47. ############################################################
  48. ####### update server-mix-rsapss.pem signed by ca ##########
  49. ############################################################
  50. echo "Updating server-mix-rsapss.pem"
  51. echo ""
  52. #pipe the following arguments to openssl req...
  53. echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSAPSS\\nServer-MIX-RSAPSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key ../server-key.pem -config ../renewcerts/wolfssl.cnf -nodes -out server-mix-rsapss.csr
  54. check_result $? "Generate request"
  55. openssl x509 -req -in server-mix-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions server_ecc -CA ../ca-cert.pem -CAkey ../ca-key.pem -sigopt rsa_padding_mode:pss -set_serial 01 -out server-mix-rsapss-cert.pem
  56. check_result $? "Generate certificate"
  57. rm server-mix-rsapss.csr
  58. openssl x509 -in server-mix-rsapss-cert.pem -text > tmp.pem
  59. check_result $? "Add text"
  60. mv tmp.pem server-mix-rsapss-cert.pem
  61. echo "End of section"
  62. echo "---------------------------------------------------------------------"
  63. ############################################################
  64. ####### update server-rsapss.pem signed by ca ##############
  65. ############################################################
  66. echo "Updating server-rsapss.pem"
  67. echo ""
  68. #pipe the following arguments to openssl req...
  69. echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSAPSS\\nServer-RSAPSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key server-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out server-rsapss.csr
  70. check_result $? "Generate request"
  71. openssl x509 -req -in server-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions server_ecc -CA ca-rsapss.pem -CAkey ca-rsapss-priv.pem -set_serial 01 -out server-rsapss-cert.pem
  72. check_result $? "Generate certificate"
  73. rm server-rsapss.csr
  74. openssl x509 -in server-rsapss-cert.pem -outform DER > server-rsapss.der
  75. check_result $? "Convert to DER"
  76. openssl x509 -in server-rsapss-cert.pem -text > tmp.pem
  77. check_result $? "Add text"
  78. mv tmp.pem server-rsapss-cert.pem
  79. cat server-rsapss-cert.pem ca-rsapss.pem > server-rsapss.pem
  80. check_result $? "Add CA into server cert"
  81. echo "End of section"
  82. echo "---------------------------------------------------------------------"
  83. ############################################################
  84. ####### update the self-signed client-rsapss.pem ###########
  85. ############################################################
  86. echo "Updating client-rsapss.pem"
  87. echo ""
  88. #pipe the following arguments to openssl req...
  89. echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSAPSS\\nClient-RSAPSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key client-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out client-rsapss.csr
  90. check_result $? "Generate request"
  91. openssl x509 -req -in client-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions wolfssl_opts -signkey client-rsapss-priv.pem -out client-rsapss.pem
  92. check_result $? "Generate certificate"
  93. rm client-rsapss.csr
  94. openssl x509 -in client-rsapss.pem -outform DER > client-rsapss.der
  95. check_result $? "Convert to DER"
  96. openssl x509 -in client-rsapss.pem -text > tmp.pem
  97. check_result $? "Add text"
  98. mv tmp.pem client-rsapss.pem
  99. echo "End of section"
  100. echo "---------------------------------------------------------------------"
  101. ################################################################################
  102. # 3072-bit keys. RSA-PSS with SHA-384
  103. ################################################################################
  104. ############################################################
  105. ###### update the self-signed root-3072-rsapss.pem #########
  106. ############################################################
  107. echo "Updating root-3072-rsapss.pem"
  108. echo ""
  109. #pipe the following arguments to openssl req...
  110. echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSA-PSS\\nRoot-RSA-PSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | \
  111. openssl req -new -key root-3072-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out root-3072-rsapss.csr
  112. check_result $? "Generate request"
  113. openssl x509 -req -in root-3072-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -signkey root-3072-rsapss-priv.pem -sha384 -out root-3072-rsapss.pem
  114. check_result $? "Generate certificate"
  115. rm root-3072-rsapss.csr
  116. openssl x509 -in root-3072-rsapss.pem -outform DER > root-3072-rsapss.der
  117. check_result $? "Convert to DER"
  118. openssl x509 -in root-3072-rsapss.pem -text > tmp.pem
  119. check_result $? "Add text"
  120. mv tmp.pem root-3072-rsapss.pem
  121. echo "End of section"
  122. echo "---------------------------------------------------------------------"
  123. ############################################################
  124. ###### update ca-3072-rsapss.pem signed by root ############
  125. ############################################################
  126. echo "Updating ca-3072-rsapss.pem"
  127. echo ""
  128. #pipe the following arguments to openssl req...
  129. echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSAPSS\\nCA-RSAPSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key ca-3072-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out ca-3072-rsapss.csr
  130. check_result $? "Generate request"
  131. openssl x509 -req -in ca-3072-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -CA root-3072-rsapss.pem -CAkey root-3072-rsapss-priv.pem -sha384 -set_serial 01 -out ca-3072-rsapss.pem
  132. check_result $? "Generate certificate"
  133. rm ca-3072-rsapss.csr
  134. openssl x509 -in ca-3072-rsapss.pem -outform DER > ca-3072-rsapss.der
  135. check_result $? "Convert to DER"
  136. openssl x509 -in ca-3072-rsapss.pem -text > tmp.pem
  137. check_result $? "Add text"
  138. mv tmp.pem ca-3072-rsapss.pem
  139. echo "End of section"
  140. echo "---------------------------------------------------------------------"
  141. ############################################################
  142. ###### update server-3072-rsapss.pem signed by ca ##########
  143. ############################################################
  144. echo "Updating server-3072-rsapss.pem"
  145. echo ""
  146. #pipe the following arguments to openssl req...
  147. echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSAPSS\\nServer-RSAPSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key server-3072-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out server-3072-rsapss.csr
  148. check_result $? "Generate request"
  149. openssl x509 -req -in server-3072-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions server_ecc -CA ca-3072-rsapss.pem -CAkey ca-3072-rsapss-priv.pem -sha384 -set_serial 01 -out server-3072-rsapss-cert.pem
  150. check_result $? "Generate certificate"
  151. rm server-3072-rsapss.csr
  152. openssl x509 -in server-3072-rsapss-cert.pem -outform DER > server-3072-rsapss.der
  153. check_result $? "Convert to DER"
  154. openssl x509 -in server-3072-rsapss-cert.pem -text > tmp.pem
  155. check_result $? "Add text"
  156. mv tmp.pem server-3072-rsapss-cert.pem
  157. cat server-3072-rsapss-cert.pem ca-3072-rsapss.pem > server-3072-rsapss.pem
  158. check_result $? "Add CA into server cert"
  159. echo "End of section"
  160. echo "---------------------------------------------------------------------"
  161. ############################################################
  162. ###### update the self-signed client-3072-rsapss.pem #######
  163. ############################################################
  164. echo "Updating client-3072-rsapss.pem"
  165. echo ""
  166. #pipe the following arguments to openssl req...
  167. echo -e "US\\nMontana\\nBozeman\\nwolfSSL_RSAPSS\\nClient-RSAPSS\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key client-3072-rsapss-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out client-3072-rsapss.csr
  168. check_result $? "Generate request"
  169. openssl x509 -req -in client-3072-rsapss.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions wolfssl_opts -signkey client-3072-rsapss-priv.pem -sha384 -out client-3072-rsapss.pem
  170. check_result $? "Generate certificate"
  171. rm client-3072-rsapss.csr
  172. openssl x509 -in client-3072-rsapss.pem -outform DER > client-3072-rsapss.der
  173. check_result $? "Convert to DER"
  174. openssl x509 -in client-3072-rsapss.pem -text > tmp.pem
  175. check_result $? "Add text"
  176. mv tmp.pem client-3072-rsapss.pem
  177. echo "End of section"
  178. echo "---------------------------------------------------------------------"