123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341 |
- #!/bin/sh
- # Script for generating RSA and ECC Intermediate CA and server/client certs based on it.
- # Result is chains that looks like:
- # RSA Server
- # ROOT: ./certs/ca-cert.pem
- # C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com)
- # INTERMEDIATE: ./certs/intermediate/ca-int-cert.pem
- # C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Intermediate CA/emailAddress=info@wolfssl.com
- # INTERMEDIATE2: ./certs/intermediate/ca-int2-cert.pem
- # C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Intermediate2 CA/emailAddress=info@wolfssl.com
- # SERVER: ./certs/intermediate/server-int-cert.pem
- # C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Server Chain/emailAddress=info@wolfssl.com
- # RSA Client
- # ROOT: ./certs/ca-cert.pem
- # C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com)
- # INTERMEDIATE: ./certs/intermediate/ca-int-cert.pem
- # C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Intermediate CA/emailAddress=info@wolfssl.com
- # INTERMEDIATE: ./certs/intermediate/ca-int2-cert.pem
- # C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Intermediate2 CA/emailAddress=info@wolfssl.com
- # CLIENT: ./certs/intermediate/client-int-cert.pem
- # C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Client Chain/emailAddress=info@wolfssl.com
- # ECC Server
- # ROOT: ./certs/ca-ecc-cert.pem
- # C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
- # INTERMEDIATE: ./certs/intermediate/ca-int-ecc-cert.pem
- # C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Intermediate CA ECC/emailAddress=info@wolfssl.com
- # INTERMEDIATE2: ./certs/intermediate/ca-int-ecc-cert.pem
- # C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Intermediate2 CA ECC/emailAddress=info@wolfssl.com
- # SERVER: ./certs/intermediate/server-int-ecc-cert.pem
- # C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Server Chain ECC/emailAddress=info@wolfssl.com
- # ECC Client
- # ROOT: ./certs/ca-ecc-cert.pem
- # C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
- # INTERMEDIATE: ./certs/intermediate/ca-int-ecc-cert.pem
- # C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Intermediate CA ECC/emailAddress=info@wolfssl.com
- # INTERMEDIATE2: ./certs/intermediate/ca-int2-ecc-cert.pem
- # C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Intermediate2 CA ECC/emailAddress=info@wolfssl.com
- # CLIENT: ./certs/intermediate/client-int-ecc-cert.pem
- # C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Client Chain ECC/emailAddress=info@wolfssl.com
- # Run from wolfssl-root as `./certs/intermediate/genintcerts.sh`
- # To cleanup temp files use `./certs/intermediate/genintcerts.sh clean`
- # To cleanup all files use `./certs/intermediate/genintcerts.sh cleanall`
- dir="."
- cleanup_files(){
- rm -f ./certs/intermediate/index.*
- rm -f ./certs/intermediate/*.old
- rm -f ./certs/intermediate/serial
- rm -f ./certs/intermediate/crlnumber
- rm -f ./certs/intermediate/*.cnf
- rm -rf ./certs/intermediate/new_certs
- exit 0
- }
- check_result() {
- if [ $1 -ne 0 ]; then
- echo "Step Failed, Abort"
- exit 1
- else
- echo "Step Succeeded!"
- fi
- }
- # Args: 1=CnfFile, 2=Key, 3=Cert
- create_ca_config() {
- echo "# Generated openssl conf" > "$1"
- echo "[ ca ]" >> "$1"
- echo "default_ca = CA_default" >> "$1"
- echo "" >> "$1"
- echo "[ CA_default ]" >> "$1"
- echo "certs = $dir/certs/intermediate" >> "$1"
- echo "new_certs_dir = $dir/certs/intermediate/new_certs">> "$1"
- echo "database = $dir/certs/intermediate/index.txt">> "$1"
- echo "serial = $dir/certs/intermediate/serial" >> "$1"
- echo "RANDFILE = $dir/private/.rand" >> "$1"
- echo "" >> "$1"
- echo "private_key = $dir/$2" >> "$1"
- echo "certificate = $dir/$3" >> "$1"
- echo "" >> "$1"
- echo "crlnumber = $dir/certs/intermediate/crlnumber">> "$1"
- echo "crl_extensions = crl_ext" >> "$1"
- echo "default_crl_days = 1000" >> "$1"
- echo "default_md = sha256" >> "$1"
- echo "" >> "$1"
- echo "name_opt = ca_default" >> "$1"
- echo "cert_opt = ca_default" >> "$1"
- echo "default_days = 3650" >> "$1"
- echo "preserve = no" >> "$1"
- echo "policy = policy_loose" >> "$1"
- echo "" >> "$1"
- echo "[ policy_strict ]" >> "$1"
- echo "countryName = match" >> "$1"
- echo "stateOrProvinceName = match" >> "$1"
- echo "organizationName = match" >> "$1"
- echo "organizationalUnitName = optional" >> "$1"
- echo "commonName = supplied" >> "$1"
- echo "emailAddress = optional" >> "$1"
- echo "" >> "$1"
- echo "[ policy_loose ]" >> "$1"
- echo "countryName = optional" >> "$1"
- echo "stateOrProvinceName = optional" >> "$1"
- echo "localityName = optional" >> "$1"
- echo "organizationName = optional" >> "$1"
- echo "organizationalUnitName = optional" >> "$1"
- echo "commonName = supplied" >> "$1"
- echo "emailAddress = optional" >> "$1"
- echo "" >> "$1"
- echo "[ req ]" >> "$1"
- echo "default_bits = 2048" >> "$1"
- echo "distinguished_name = req_distinguished_name" >> "$1"
- echo "string_mask = utf8only" >> "$1"
- echo "default_md = sha256" >> "$1"
- echo "x509_extensions = v3_ca" >> "$1"
- echo "" >> "$1"
- echo "[ req_distinguished_name ]" >> "$1"
- echo "countryName = US" >> "$1"
- echo "stateOrProvinceName = Washington" >> "$1"
- echo "localityName = Seattle" >> "$1"
- echo "organizationName = wolfSSL" >> "$1"
- echo "organizationalUnitName = Development" >> "$1"
- echo "commonName = www.wolfssl.com" >> "$1"
- echo "emailAddress = info@wolfssl.com" >> "$1"
- echo "" >> "$1"
- echo "[ v3_ca ]" >> "$1"
- echo "subjectKeyIdentifier = hash" >> "$1"
- echo "authorityKeyIdentifier = keyid:always,issuer" >> "$1"
- echo "basicConstraints = critical, CA:true" >> "$1"
- echo "keyUsage = critical, digitalSignature, cRLSign, keyCertSign">> "$1"
- echo "" >> "$1"
- echo "[ v3_intermediate_ca ]" >> "$1"
- echo "subjectKeyIdentifier = hash" >> "$1"
- echo "authorityKeyIdentifier = keyid:always,issuer" >> "$1"
- echo "basicConstraints = critical, CA:true, pathlen:1" >> "$1"
- echo "keyUsage = critical, digitalSignature, cRLSign, keyCertSign">> "$1"
- echo "" >> "$1"
- echo "[ v3_intermediate2_ca ]" >> "$1"
- echo "subjectKeyIdentifier = hash" >> "$1"
- echo "authorityKeyIdentifier = keyid:always,issuer" >> "$1"
- echo "basicConstraints = critical, CA:true, pathlen:1" >> "$1"
- echo "keyUsage = critical, digitalSignature, cRLSign, keyCertSign">> "$1"
- echo "" >> "$1"
- echo "[ usr_cert ]" >> "$1"
- echo "basicConstraints = CA:FALSE" >> "$1"
- echo "nsCertType = client, email" >> "$1"
- echo "subjectKeyIdentifier = hash" >> "$1"
- echo "authorityKeyIdentifier = keyid,issuer" >> "$1"
- echo "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment">> "$1"
- echo "extendedKeyUsage = clientAuth, emailProtection" >> "$1"
- echo "" >> "$1"
- echo "[ server_cert ]" >> "$1"
- echo "basicConstraints = CA:FALSE" >> "$1"
- echo "nsCertType = server" >> "$1"
- echo "subjectKeyIdentifier = hash" >> "$1"
- echo "authorityKeyIdentifier = keyid,issuer:always" >> "$1"
- echo "keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement">> "$1"
- echo "extendedKeyUsage = serverAuth" >> "$1"
- echo "" >> "$1"
- echo "[ crl_ext ]" >> "$1"
- echo "authorityKeyIdentifier=keyid:always" >> "$1"
- }
- # Args: 1=reqcnf, 2=signcnf, 3=keyfile, 4=certfile, 5=ext, 6=subj, 7=days
- create_cert() {
- openssl req -config ./certs/intermediate/$1.cnf -new -sha256 \
- -key $3 \
- -out ./certs/intermediate/tmp.csr \
- -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=$6/emailAddress=info@wolfssl.com"
- check_result $?
- openssl ca -config ./certs/intermediate/$2.cnf -extensions $5 -days $7 -notext -md sha256 \
- -in ./certs/intermediate/tmp.csr -out ./certs/intermediate/$4.pem -batch
- check_result $?
- rm ./certs/intermediate/tmp.csr
- # Convert Cert to DER
- openssl x509 -in ./certs/intermediate/$4.pem -inform PEM -out ./certs/intermediate/$4.der -outform DER
- check_result $?
- # Add text to cert PEM file
- openssl x509 -in ./certs/intermediate/$4.pem -text > ./certs/intermediate/tmp.pem
- check_result $?
- mv ./certs/intermediate/tmp.pem ./certs/intermediate/$4.pem
- }
- if [ "$1" = "clean" ]; then
- echo "Cleaning temp files"
- cleanup_files
- fi
- if [ "$1" = "cleanall" ]; then
- echo "Cleaning all files"
- rm -f ./certs/intermediate/*.pem
- rm -f ./certs/intermediate/*.der
- rm -f ./certs/intermediate/*.csr
- cleanup_files
- fi
- # Make sure required CA files exist and are populated
- rm -f ./certs/intermediate/index.*
- touch ./certs/intermediate/index.txt
- if [ ! -f ./certs/intermediate/serial ]; then
- echo 1000 > ./certs/intermediate/serial
- fi
- if [ ! -f ./certs/intermediate/crlnumber ]; then
- echo 2000 > ./certs/intermediate/crlnumber
- fi
- if [ ! -d ./certs/intermediate/new_certs ]; then
- mkdir ./certs/intermediate/new_certs
- fi
- # RSA
- echo "Creating RSA CA configuration cnf files"
- create_ca_config ./certs/intermediate/wolfssl_root.cnf certs/ca-key.pem certs/ca-cert.pem
- create_ca_config ./certs/intermediate/wolfssl_int.cnf certs/intermediate/ca-int-key.pem certs/intermediate/ca-int-cert.pem
- create_ca_config ./certs/intermediate/wolfssl_int2.cnf certs/intermediate/ca-int2-key.pem certs/intermediate/ca-int2-cert.pem
- if [ ! -f ./certs/intermediate/ca-int-key.pem ]; then
- echo "Make Intermediate RSA CA Key"
- openssl genrsa -out ./certs/intermediate/ca-int-key.pem 2048
- check_result $?
- openssl rsa -in ./certs/intermediate/ca-int-key.pem -inform PEM -out ./certs/intermediate/ca-int-key.der -outform DER
- check_result $?
- fi
- if [ ! -f ./certs/intermediate/ca-int2-key.pem ]; then
- echo "Make Intermediate2 RSA CA Key"
- openssl genrsa -out ./certs/intermediate/ca-int2-key.pem 2048
- check_result $?
- openssl rsa -in ./certs/intermediate/ca-int2-key.pem -inform PEM -out ./certs/intermediate/ca-int2-key.der -outform DER
- check_result $?
- fi
- echo "Create RSA Intermediate CA signed by root"
- create_cert wolfssl_int wolfssl_root ./certs/intermediate/ca-int-key.pem ca-int-cert v3_intermediate_ca "wolfSSL Intermediate CA" 7300
- echo "Create RSA Intermediate2 CA signed by RSA Intermediate"
- create_cert wolfssl_int2 wolfssl_int ./certs/intermediate/ca-int2-key.pem ca-int2-cert v3_intermediate2_ca "wolfSSL Intermediate2 CA" 7300
- echo "Create RSA Server Certificate signed by intermediate2"
- create_cert wolfssl_int2 wolfssl_int2 ./certs/server-key.pem server-int-cert server_cert "wolfSSL Server Chain" 3650
- echo "Create RSA Client Certificate signed by intermediate2"
- create_cert wolfssl_int2 wolfssl_int2 ./certs/client-key.pem client-int-cert usr_cert "wolfSSL Client Chain" 3650
- echo "Generate CRLs for new certificates"
- openssl ca -config ./certs/intermediate/wolfssl_root.cnf -gencrl -crldays 1000 -out ./certs/crl/ca-int.pem -keyfile ./certs/intermediate/ca-int-key.pem -cert ./certs/intermediate/ca-int-cert.pem
- check_result $?
- openssl ca -config ./certs/intermediate/wolfssl_int.cnf -gencrl -crldays 1000 -out ./certs/crl/ca-int2.pem -keyfile ./certs/intermediate/ca-int2-key.pem -cert ./certs/intermediate/ca-int2-cert.pem
- check_result $?
- openssl ca -config ./certs/intermediate/wolfssl_int2.cnf -gencrl -crldays 1000 -out ./certs/crl/server-int.pem -keyfile ./certs/server-key.pem -cert ./certs/intermediate/server-int-cert.pem
- check_result $?
- openssl ca -config ./certs/intermediate/wolfssl_int2.cnf -gencrl -crldays 1000 -out ./certs/crl/client-int.pem -keyfile ./certs/client-key.pem -cert ./certs/intermediate/client-int-cert.pem
- check_result $?
- echo "Assemble test chains - peer first, then intermediate2, then intermediate"
- openssl x509 -in ./certs/intermediate/server-int-cert.pem > ./certs/intermediate/server-chain.pem
- openssl x509 -in ./certs/intermediate/ca-int2-cert.pem >> ./certs/intermediate/server-chain.pem
- openssl x509 -in ./certs/intermediate/ca-int-cert.pem >> ./certs/intermediate/server-chain.pem
- openssl x509 -in ./certs/intermediate/server-int-cert.pem > ./certs/intermediate/server-chain-short.pem
- openssl x509 -in ./certs/intermediate/ca-int2-cert.pem >> ./certs/intermediate/server-chain-short.pem
- cat ./certs/intermediate/server-int-cert.der ./certs/intermediate/ca-int2-cert.der ./certs/intermediate/ca-int-cert.der > ./certs/intermediate/server-chain.der
- openssl x509 -in ./certs/intermediate/client-int-cert.pem > ./certs/intermediate/client-chain.pem
- openssl x509 -in ./certs/intermediate/ca-int2-cert.pem >> ./certs/intermediate/client-chain.pem
- openssl x509 -in ./certs/intermediate/ca-int-cert.pem >> ./certs/intermediate/client-chain.pem
- cat ./certs/intermediate/client-int-cert.der ./certs/intermediate/ca-int2-cert.der ./certs/intermediate/ca-int-cert.der > ./certs/intermediate/client-chain.der
- echo "Assemble cert chain with extra cert for testing alternate chains"
- cp ./certs/intermediate/server-chain.pem ./certs/intermediate/server-chain-alt.pem
- cp ./certs/intermediate/client-chain.pem ./certs/intermediate/client-chain-alt.pem
- openssl x509 -in ./certs/external/ca-google-root.pem >> ./certs/intermediate/server-chain-alt.pem
- openssl x509 -in ./certs/external/ca-google-root.pem >> ./certs/intermediate/client-chain-alt.pem
- # ECC
- echo "Creating ECC CA configuration cnf files"
- create_ca_config ./certs/intermediate/wolfssl_root_ecc.cnf certs/ca-ecc-key.pem certs/ca-ecc-cert.pem
- create_ca_config ./certs/intermediate/wolfssl_int_ecc.cnf certs/intermediate/ca-int-ecc-key.pem certs/intermediate/ca-int-ecc-cert.pem
- create_ca_config ./certs/intermediate/wolfssl_int2_ecc.cnf certs/intermediate/ca-int2-ecc-key.pem certs/intermediate/ca-int2-ecc-cert.pem
- if [ ! -f ./certs/intermediate/ca-int-ecc-key.pem ]; then
- echo "Make Intermediate ECC CA Key"
- openssl ecparam -name prime256v1 -genkey -noout -out ./certs/intermediate/ca-int-ecc-key.pem
- check_result $?
- openssl ec -in ./certs/intermediate/ca-int-ecc-key.pem -inform PEM -out ./certs/intermediate/ca-int-ecc-key.der -outform DER
- check_result $?
- fi
- if [ ! -f ./certs/intermediate/ca-int2-ecc-key.pem ]; then
- echo "Make Intermediate2 ECC CA Key"
- openssl ecparam -name prime256v1 -genkey -noout -out ./certs/intermediate/ca-int2-ecc-key.pem
- check_result $?
- openssl ec -in ./certs/intermediate/ca-int2-ecc-key.pem -inform PEM -out ./certs/intermediate/ca-int2-ecc-key.der -outform DER
- check_result $?
- fi
- echo "Create ECC Intermediate CA signed by root"
- create_cert wolfssl_int_ecc wolfssl_root_ecc ./certs/intermediate/ca-int-ecc-key.pem ca-int-ecc-cert v3_intermediate_ca "wolfSSL Intermediate CA ECC" 7300
- echo "Create ECC Intermediate2 CA signed by Intermediate"
- create_cert wolfssl_int2_ecc wolfssl_int_ecc ./certs/intermediate/ca-int2-ecc-key.pem ca-int2-ecc-cert v3_intermediate2_ca "wolfSSL Intermediate2 CA ECC" 7300
- echo "Create ECC Server Certificate signed by intermediate2"
- create_cert wolfssl_int2_ecc wolfssl_int2_ecc ./certs/ecc-key.pem server-int-ecc-cert server_cert "wolfSSL Server Chain ECC" 3650
- echo "Create ECC Client Certificate signed by intermediate2"
- create_cert wolfssl_int2_ecc wolfssl_int2_ecc ./certs/ecc-client-key.pem client-int-ecc-cert usr_cert "wolfSSL Client Chain ECC" 3650
- echo "Generate CRLs for new certificates"
- openssl ca -config ./certs/intermediate/wolfssl_root_ecc.cnf -gencrl -crldays 1000 -out ./certs/crl/ca-int-ecc.pem -keyfile ./certs/intermediate/ca-int-ecc-key.pem -cert ./certs/intermediate/ca-int-ecc-cert.pem
- check_result $?
- openssl ca -config ./certs/intermediate/wolfssl_int_ecc.cnf -gencrl -crldays 1000 -out ./certs/crl/ca-int2-ecc.pem -keyfile ./certs/intermediate/ca-int2-ecc-key.pem -cert ./certs/intermediate/ca-int2-ecc-cert.pem
- check_result $?
- openssl ca -config ./certs/intermediate/wolfssl_int2_ecc.cnf -gencrl -crldays 1000 -out ./certs/crl/server-int-ecc.pem -keyfile ./certs/ecc-key.pem -cert ./certs/intermediate/server-int-ecc-cert.pem
- check_result $?
- openssl ca -config ./certs/intermediate/wolfssl_int2_ecc.cnf -gencrl -crldays 1000 -out ./certs/crl/client-int-ecc.pem -keyfile ./certs/ecc-client-key.pem -cert ./certs/intermediate/client-int-ecc-cert.pem
- check_result $?
- echo "Assemble test chains - peer first, then intermediate2, then intermediate"
- openssl x509 -in ./certs/intermediate/server-int-ecc-cert.pem > ./certs/intermediate/server-chain-ecc.pem
- openssl x509 -in ./certs/intermediate/ca-int2-ecc-cert.pem >> ./certs/intermediate/server-chain-ecc.pem
- openssl x509 -in ./certs/intermediate/ca-int-ecc-cert.pem >> ./certs/intermediate/server-chain-ecc.pem
- cat ./certs/intermediate/server-int-ecc-cert.der ./certs/intermediate/ca-int2-ecc-cert.der ./certs/intermediate/ca-int-ecc-cert.der > ./certs/intermediate/server-chain-ecc.der
- openssl x509 -in ./certs/intermediate/client-int-ecc-cert.pem > ./certs/intermediate/client-chain-ecc.pem
- openssl x509 -in ./certs/intermediate/ca-int2-ecc-cert.pem >> ./certs/intermediate/client-chain-ecc.pem
- openssl x509 -in ./certs/intermediate/ca-int-ecc-cert.pem >> ./certs/intermediate/client-chain-ecc.pem
- cat ./certs/intermediate/client-int-ecc-cert.der ./certs/intermediate/ca-int2-ecc-cert.der ./certs/intermediate/ca-int-ecc-cert.der > ./certs/intermediate/client-chain-ecc.der
- echo "Assemble cert chain with extra untrusted cert for testing alternate chains"
- cp ./certs/intermediate/server-chain-ecc.pem ./certs/intermediate/server-chain-alt-ecc.pem
- cp ./certs/intermediate/client-chain-ecc.pem ./certs/intermediate/client-chain-alt-ecc.pem
- openssl x509 -in ./certs/external/ca-google-root.pem >> ./certs/intermediate/server-chain-alt-ecc.pem
- openssl x509 -in ./certs/external/ca-google-root.pem >> ./certs/intermediate/client-chain-alt-ecc.pem
|