wolfssl/certs/renewcerts.sh

#!/bin/bash
# renewcerts.sh
#
# renews the following certs:
#                       client-cert.pem
#                       client-cert.der
#                       client-ecc-cert.pem
#                       client-ecc-cert.der
#                       ca-cert.pem
#                       ca-cert.der
#                       ca-ecc-cert.pem
#                       ca-ecc-cert.der
#                       ca-ecc384-cert.pem
#                       ca-ecc384-cert.der
#                       server-cert.pem
#                       server-cert.der
#                       server-cert-chain.der
#                       server-ecc-rsa.pem
#                       server-ecc.pem
#                       1024/client-cert.der
#                       1024/client-cert.pem
#                       server-ecc-comp.pem
#                       client-ca.pem
#                       test/digsigku.pem
#                       ecc-privOnlyCert.pem
#                       client-uri-cert.pem
#                       client-relative-uri.pem
#                       client-crl-dist.pem
#                       entity-no-ca-bool-cert.pem
#                       fpki-cert.der
# updates the following crls:
#                       crl/cliCrl.pem
#                       crl/crl.pem
#                       crl/crl.revoked
#                       crl/eccCliCRL.pem
#                       crl/eccSrvCRL.pem
#
#                       pkcs7:
#                       test-degenerate.p7b
###############################################################################
######################## FUNCTIONS SECTION ####################################
###############################################################################

#function for restoring a previous configure state
restore_config(){
    mv tmp.status config.status
    mv tmp.options.h wolfssl/options.h
    make clean
    make -j 8
}

check_result(){
    if [ $1 -ne 0 ]; then
        echo "Failed at \"$2\", Abort"
        exit 1
    else
        echo "Step Succeeded!"
    fi
}

#the function that will be called when we are ready to renew the certs.
run_renewcerts(){

    #call update for some ecc certs
    ./certs/ecc/genecc.sh
    check_result $? "Step 0"

    cd certs/ || { echo "Couldn't cd to certs directory"; exit 1; }
    echo ""

    #move the custom cnf into our working directory
    cp renewcerts/wolfssl.cnf wolfssl.cnf || exit 1

    # To generate these all in sha1 add the flag "-sha1" on appropriate lines
    # That is all lines beginning with:  "openssl req"

    ############################################################
    #### update the self-signed (2048-bit) client-uri-cert.pem #
    ############################################################
    echo "Updating 2048-bit client-uri-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nURI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
    check_result $? "Step 1"

    openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions uri -signkey client-key.pem -out client-uri-cert.pem
    check_result $? "Step 2"
    rm client-cert.csr

    openssl x509 -in client-uri-cert.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem client-uri-cert.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    # Public Versions of client-key.pem
    ############################################################
    openssl rsa -inform pem -in certs/client-key.pem -outform der -out certs/client-keyPub.der -pubout
    openssl rsa -inform pem -in certs/client-key.pem -outform pem -out certs/client-keyPub.pem -pubout

    ############################################################
    # Public Versions of server-key.pem
    ############################################################
    #openssl rsa -inform pem -in certs/server-key.pem -outform der -out certs/server-keyPub.der -pubout
    openssl rsa -inform pem -in certs/server-key.pem -outform pem -out certs/server-keyPub.pem -pubout

    ############################################################
    # Public Versions of ecc-key.pem
    ############################################################
    #openssl ec -inform pem -in certs/ecc-key.pem -outform der -out certs/ecc-keyPub.der -pubout
    openssl ec -inform pem -in certs/ecc-key.pem -outform pem -out certs/ecc-keyPub.pem -pubout

    ############################################################
    #### update the self-signed (2048-bit) client-relative-uri.pem
    ############################################################
    echo "Updating 2048-bit client-relative-uri.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nRELATIVE_URI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
    check_result $? "Step 1"


    openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions relative_uri -signkey client-key.pem -out client-relative-uri.pem
    check_result $? "Step 2"
    rm client-cert.csr

    openssl x509 -in client-relative-uri.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem client-relative-uri.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    #### update the self-signed (2048-bit) client-cert-ext.pem
    ############################################################
    echo "Updating 2048-bit client-cert-ext.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nProgramming-2048\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
    check_result $? "Step 1"


    openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions client_cert_ext -signkey client-key.pem -out client-cert-ext.pem
    check_result $? "Step 2"
    rm client-cert.csr

    openssl x509 -in client-cert-ext.pem -outform DER -out client-cert-ext.der
    check_result $? "Step 3"
    openssl x509 -in client-cert-ext.pem -text > tmp.pem
    check_result $? "Step 4"
    mv tmp.pem client-cert-ext.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    #### update the self-signed (2048-bit) client-crl-dist.pem
    ############################################################
    echo "Updating 2048-bit client-crl-dist.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nCRL_DIST\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
    check_result $? "Step 1"


    openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions crl_dist_points -signkey client-key.pem -out client-crl-dist.pem
    check_result $? "Step 2"
    rm client-cert.csr

    openssl x509 -in client-crl-dist.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem client-crl-dist.pem

    openssl x509 -in client-crl-dist.pem -outform der -out client-crl-dist.der
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    #### update the self-signed (2048-bit) client-cert.pem #####
    ############################################################
    echo "Updating 2048-bit client-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nProgramming-2048\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes -out client-cert.csr
    check_result $? "Step 1"


    openssl x509 -req -in client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey client-key.pem -out client-cert.pem
    check_result $? "Step 2"
    rm client-cert.csr

    openssl x509 -in client-cert.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem client-cert.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    #### update the self-signed (1024-bit) client-cert.pem #####
    ############################################################
    echo "Updating 1024-bit client-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_1024\\nProgramming-1024\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./1024/client-key.pem -config ./wolfssl.cnf -nodes -out ./1024/client-cert.csr
    check_result $? "Step 1"


    openssl x509 -req -in ./1024/client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./1024/client-key.pem -out ./1024/client-cert.pem
    check_result $? "Step 2"
    rm ./1024/client-cert.csr

    openssl x509 -in ./1024/client-cert.pem -text > ./1024/tmp.pem
    check_result $? "Step 3"
    mv ./1024/tmp.pem ./1024/client-cert.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    #### update the self-signed (3072-bit) client-cert.pem #####
    ############################################################
    echo "Updating 3072-bit client-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_3072\\nProgramming-3072\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./3072/client-key.pem -config ./wolfssl.cnf -nodes -out ./3072/client-cert.csr
    check_result $? "Step 1"

    openssl x509 -req -in ./3072/client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./3072/client-key.pem -out ./3072/client-cert.pem
    check_result $? "Step 2"
    rm ./3072/client-cert.csr

    openssl x509 -in ./3072/client-cert.pem -text > ./3072/tmp.pem
    check_result $? "Step 3"
    mv ./3072/tmp.pem ./3072/client-cert.pem

    openssl rsa -in ./3072/client-key.pem -outform der -out ./3072/client-key.der
    openssl rsa -inform pem -in ./3072/client-key.pem -outform der -out ./3072/client-keyPub.der -pubout
    openssl x509 -in ./3072/client-cert.pem -outform der -out ./3072/client-cert.der

    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    #### update the self-signed (4096-bit) client-cert.pem #####
    ############################################################
    echo "Updating 4096-bit client-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_4096\\nProgramming-4096\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./4096/client-key.pem -config ./wolfssl.cnf -nodes -out ./4096/client-cert.csr
    check_result $? "Step 1"

    openssl x509 -req -in ./4096/client-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./4096/client-key.pem -out ./4096/client-cert.pem
    check_result $? "Step 2"
    rm ./4096/client-cert.csr

    openssl x509 -in ./4096/client-cert.pem -text > ./4096/tmp.pem
    check_result $? "Step 3"
    mv ./4096/tmp.pem ./4096/client-cert.pem

    openssl rsa -in ./4096/client-key.pem -outform der -out ./4096/client-key.der
    openssl rsa -inform pem -in ./4096/client-key.pem -outform der -out ./4096/client-keyPub.der -pubout
    openssl x509 -in ./4096/client-cert.pem -outform der -out ./4096/client-cert.der
    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    ########## update the self-signed ca-cert.pem ##############
    ############################################################
    echo "Updating ca-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e  "US\\nMontana\\nBozeman\\nSawtooth\\nConsulting\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ca-key.pem -config ./wolfssl.cnf -nodes -out ca-cert.csr
    check_result $? "Step 1"

    openssl x509 -req -in ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ca-key.pem -out ca-cert.pem
    check_result $? "Step 2"
    rm ca-cert.csr

    openssl x509 -in ca-cert.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem ca-cert.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ########## update the self-signed ca-cert-chain.der ########
    ############################################################
    echo "Updating ca-cert-chain.der"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e  "US\\nMontana\\nBozeman\\nSawtooth\\nConsulting\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key 1024/ca-key.pem -config ./wolfssl.cnf -nodes -out ca-cert.csr
    check_result $? "Step 1"

    openssl x509 -req -in ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey 1024/ca-key.pem -outform DER -out ca-cert-chain.der
    check_result $? "Step 2"
    rm ca-cert.csr
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ########## update the self-signed ca-ecc-cert.pem ##########
    ############################################################
    echo "Updating ca-ecc-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e  "US\\nWashington\\nSeattle\\nwolfSSL\\nDevelopment\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ca-ecc-key.pem -config ./wolfssl.cnf -nodes -out ca-ecc-cert.csr
    check_result $? "Step 1"

    openssl x509 -req -in ca-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc-key.pem -out ca-ecc-cert.pem
    check_result $? "Step 2"
    rm ca-ecc-cert.csr

    openssl x509 -in ca-ecc-cert.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem ca-ecc-cert.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ########## update the self-signed ca-ecc384-cert.pem #######
    ############################################################
    echo "Updating ca-ecc384-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e  "US\\nWashington\\nSeattle\\nwolfSSL\\nDevelopment\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ca-ecc384-key.pem -config ./wolfssl.cnf -nodes -sha384 -out ca-ecc384-cert.csr
    check_result $? "Step 1"

    openssl x509 -req -in ca-ecc384-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc384-key.pem -sha384 -out ca-ecc384-cert.pem
    check_result $? "Step 2"
    rm ca-ecc384-cert.csr

    openssl x509 -in ca-ecc384-cert.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem ca-ecc384-cert.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ##### update the self-signed (1024-bit) ca-cert.pem ########
    ############################################################
    echo "Updating 1024-bit ca-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e  "US\\nMontana\\nBozeman\\nSawtooth\\nConsulting_1024\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./1024/ca-key.pem -config ./wolfssl.cnf -nodes -sha1 -out ./1024/ca-cert.csr
    check_result $? "Step 1"

    openssl x509 -req -in ./1024/ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ./1024/ca-key.pem -out ./1024/ca-cert.pem
    check_result $? "Step 2"
    rm ./1024/ca-cert.csr

    openssl x509 -in ./1024/ca-cert.pem -text > ./1024/tmp.pem
    check_result $? "Step 3"
    mv ./1024/tmp.pem ./1024/ca-cert.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ###########################################################
    ########## update and sign fpki-cert.der ################
    ###########################################################
    echo "Updating fpki-cert.der"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nFPKI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > fpki-req.pem
    check_result $? "Step 1"

    openssl x509 -req -in fpki-req.pem -extfile wolfssl.cnf -extensions fpki_ext -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out fpki-cert.der -outform DER
    check_result $? "Step 2"
    rm fpki-req.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ###########################################################
    ########## update and sign server-cert.pem ################
    ###########################################################
    echo "Updating server-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nSupport\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > server-req.pem
    check_result $? "Step 1"

    openssl x509 -req -in server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
    check_result $? "Step 2"

    rm server-req.pem

    openssl x509 -in ca-cert.pem -text > ca_tmp.pem
    check_result $? "Step 3"
    openssl x509 -in server-cert.pem -text > srv_tmp.pem
    check_result $? "Step 4"
    mv srv_tmp.pem server-cert.pem
    cat ca_tmp.pem >> server-cert.pem
    rm ca_tmp.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ###########################################################
    ########## update and sign server-revoked-key.pem #########
    ###########################################################
    echo "Updating server-revoked-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_revoked\\nSupport_revoked\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-revoked-key.pem -config ./wolfssl.cnf -nodes > server-revoked-req.pem
    check_result $? "Step 1"

    openssl x509 -req -in server-revoked-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > server-revoked-cert.pem
    check_result $? "Step 2"
    rm server-revoked-req.pem

    openssl x509 -in ca-cert.pem -text > ca_tmp.pem
    check_result $? "Step 3"
    openssl x509 -in server-revoked-cert.pem -text > srv_tmp.pem
    check_result $? "Step 4"
    mv srv_tmp.pem server-revoked-cert.pem
    cat ca_tmp.pem >> server-revoked-cert.pem
    rm ca_tmp.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ###########################################################
    ########## update and sign server-duplicate-policy.pem ####
    ###########################################################
    echo "Updating server-duplicate-policy.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\ntesting duplicate policy\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > ./test/server-duplicate-policy-req.pem
    check_result $? "Step 1"

    openssl x509 -req -in ./test/server-duplicate-policy-req.pem -extfile wolfssl.cnf -extensions policy_test -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 > ./test/server-duplicate-policy.pem
    check_result $? "Step 2"
    rm ./test/server-duplicate-policy-req.pem

    openssl x509 -in ca-cert.pem -text > ca_tmp.pem
    check_result $? "Step 3"
    openssl x509 -in ./test/server-duplicate-policy.pem -text > srv_tmp.pem
    check_result $? "Step 4"
    mv srv_tmp.pem ./test/server-duplicate-policy.pem
    cat ca_tmp.pem >> ./test/server-duplicate-policy.pem
    rm ca_tmp.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ###########################################################
    #### update and sign (1024-bit) server-cert.pem ###########
    ###########################################################
    echo "Updating 1024-bit server-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nSupport_1024\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ./1024/server-key.pem -config ./wolfssl.cnf -nodes -sha1 > ./1024/server-req.pem
    check_result $? "Step 1"

    openssl x509 -req -in ./1024/server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ./1024/ca-cert.pem -CAkey ./1024/ca-key.pem -set_serial 01 > ./1024/server-cert.pem
    check_result $? "Step 2"
    rm ./1024/server-req.pem

    openssl x509 -in ./1024/ca-cert.pem -text > ./1024/ca_tmp.pem
    check_result $? "Step 3"
    openssl x509 -in ./1024/server-cert.pem -text > ./1024/srv_tmp.pem
    check_result $? "Step 4"
    mv ./1024/srv_tmp.pem ./1024/server-cert.pem
    cat ./1024/ca_tmp.pem >> ./1024/server-cert.pem
    rm ./1024/ca_tmp.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ########## update and sign the server-ecc-rsa.pem ##########
    ############################################################
    echo "Updating server-ecc-rsa.pem"
    echo ""
    echo -e "US\\nMontana\\nBozeman\\nElliptic - RSAsig\\nECC-RSAsig\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ecc-key.pem -config ./wolfssl.cnf -nodes > server-ecc-req.pem
    check_result $? "Step 1"

    openssl x509 -req -in server-ecc-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-ecc-rsa.pem
    check_result $? "Step 2"
    rm server-ecc-req.pem

    openssl x509 -in server-ecc-rsa.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem server-ecc-rsa.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ####### update the self-signed client-ecc-cert.pem #########
    ############################################################
    echo "Updating client-ecc-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nOregon\\nSalem\\nClient ECC\\nFast\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ecc-client-key.pem -config ./wolfssl.cnf -nodes -out client-ecc-cert.csr
    check_result $? "Step 1"

    openssl x509 -req -in client-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-client-key.pem -out client-ecc-cert.pem
    check_result $? "Step 2"
    rm client-ecc-cert.csr

    openssl x509 -in client-ecc-cert.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem client-ecc-cert.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ########## update the server-ecc.pem #######################
    ############################################################
    echo "Updating server-ecc.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nWashington\\nSeattle\\nEliptic\\nECC\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ecc-key.pem -config ./wolfssl.cnf -nodes -out server-ecc.csr
    check_result $? "Step 1"

    openssl x509 -req -in server-ecc.csr -days 1000 -extfile wolfssl.cnf -extensions server_ecc -CA ca-ecc-cert.pem -CAkey ca-ecc-key.pem -set_serial 03 -out server-ecc.pem
    check_result $? "Step 2"
    rm server-ecc.csr

    openssl x509 -in server-ecc.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem server-ecc.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ###### update the self-signed server-ecc-comp.pem ##########
    ############################################################
    echo "Updating server-ecc-comp.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nElliptic - comp\\nServer ECC-comp\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key ecc-key-comp.pem -config ./wolfssl.cnf -nodes -out server-ecc-comp.csr
    check_result $? "Step 1"

    openssl x509 -req -in server-ecc-comp.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey ecc-key-comp.pem -out server-ecc-comp.pem
    check_result $? "Step 2"
    rm server-ecc-comp.csr

    openssl x509 -in server-ecc-comp.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem server-ecc-comp.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ############## create the client-ca.pem file ###############
    ############################################################
    echo "Updating client-ca.pem"
    echo ""
    cat client-cert.pem client-ecc-cert.pem > client-ca.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ###### update the self-signed ecc-privOnlyCert.pem #########
    ############################################################
    echo "Updating ecc-privOnlyCert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e ".\\n.\\n.\\nWR\\n.\\nDE\\n.\\n.\\n.\\n" | openssl req -new -key ecc-privOnlyKey.pem -config ./wolfssl.cnf -nodes -out ecc-privOnly.csr
    check_result $? "Step 1"

    openssl x509 -req -in ecc-privOnly.csr -days 1000 -signkey ecc-privOnlyKey.pem -out ecc-privOnlyCert.pem
    check_result $? "Step 2"
    rm ecc-privOnly.csr
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ###### update the self-signed test/digsigku.pem   ##########
    ############################################################
    echo "Updating test/digsigku.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nWashington\\nSeattle\\nFoofarah\\nArglebargle\\nfoobarbaz\\ninfo@worlss.com\\n.\\n.\\n" | openssl req -new -key ecc-key.pem -config ./wolfssl.cnf -nodes -sha1 -out digsigku.csr
    check_result $? "Step 1"

    openssl x509 -req -in digsigku.csr -days 1000 -extfile wolfssl.cnf -extensions digsigku -signkey ecc-key.pem -sha1 -set_serial 16393466893990650224 -out digsigku.pem
    check_result $? "Step 2"
    rm digsigku.csr

    openssl x509 -in digsigku.pem -text > tmp.pem
    check_result $? "Step 3"
    mv tmp.pem digsigku.pem
    mv digsigku.pem test/digsigku.pem
    echo "End of section"
    echo "---------------------------------------------------------------------"


    ###########################################################
    #### update and sign entity-no-ca-bool-cert.pem ###########
    ###########################################################
    echo "Updating entity-no-ca-bool-cert.pem"
    echo ""
    #pipe the following arguments to openssl req...
    echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nNoCaBool\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key entity-no-ca-bool-key.pem -config ./wolfssl.cnf  -nodes > entity-no-ca-bool-req.pem
    check_result $? "Step 1"

    openssl x509 -req -in entity-no-ca-bool-req.pem -extfile ./wolfssl.cnf -extensions "entity_no_CA_BOOL" -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > entity-no-ca-bool-cert.pem
    check_result $? "Step 2"

    rm entity-no-ca-bool-req.pem

    openssl x509 -in ca-cert.pem -text > ca_tmp.pem
    check_result $? "Step 3"
    openssl x509 -in entity-no-ca-bool-cert.pem -text > entity_tmp.pem
    check_result $? "Step 4"
    mv entity_tmp.pem entity-no-ca-bool-cert.pem
    cat ca_tmp.pem >> entity-no-ca-bool-cert.pem
    rm ca_tmp.pem
    echo "End of section"

    ############################################################
    ########## make .der files from .pem files #################
    ############################################################
    echo "Creating der formatted certs..."
    echo ""
    openssl x509 -inform PEM -in ./1024/client-cert.pem -outform DER -out ./1024/client-cert.der
    check_result $? "Der Cert 1"
    openssl x509 -inform PEM -in ./1024/server-cert.pem -outform DER -out ./1024/server-cert.der
    check_result $? "Der Cert 2"
    openssl x509 -inform PEM -in ./1024/ca-cert.pem -outform DER -out ./1024/ca-cert.der
    check_result $? "Der Cert 3"

    openssl x509 -inform PEM -in ca-cert.pem -outform DER -out ca-cert.der
    check_result $? "Der Cert 4"
    openssl x509 -inform PEM -in ca-ecc-cert.pem -outform DER -out ca-ecc-cert.der
    check_result $? "Der Cert 5"
    openssl x509 -inform PEM -in ca-ecc384-cert.pem -outform DER -out ca-ecc384-cert.der
    check_result $? "Der Cert 6"
    openssl x509 -inform PEM -in client-cert.pem -outform DER -out client-cert.der
    check_result $? "Der Cert 7"
    openssl x509 -inform PEM -in server-cert.pem -outform DER -out server-cert.der
    check_result $? "Der Cert 8"
    openssl x509 -inform PEM -in client-ecc-cert.pem -outform DER -out client-ecc-cert.der
    check_result $? "Der Cert 9"
    openssl x509 -inform PEM -in server-ecc-rsa.pem -outform DER -out server-ecc-rsa.der
    check_result $? "Der Cert 10"
    openssl x509 -inform PEM -in server-ecc.pem -outform DER -out server-ecc.der
    check_result $? "Der Cert 11"
    openssl x509 -inform PEM -in server-ecc-comp.pem -outform DER -out server-ecc-comp.der
    check_result $? "Der Cert 12"
    cat server-cert.der ca-cert.der >server-cert-chain.der
    check_result $? "Der Cert 13"
    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    ########## generate RSA-PSS certificates ###################
    ############################################################
    echo "Renewing RSA-PSS certificates"
    cd rsapss
    ./renew-rsapss-certs.sh
    cd ..
    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    ########## generate Ed25519 certificates ###################
    ############################################################
    echo "Renewing Ed25519 certificates"
    cd ed25519
    ./gen-ed25519-certs.sh
    cd ..
    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    ########## generate Ed448 certificates #####################
    ############################################################
    echo "Renewing Ed448 certificates"
    cd ed448
    ./gen-ed448-certs.sh
    cd ..
    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    ########## generate P-521 certificates #####################
    ############################################################
    echo "Renewing Ed448 certificates"
    cd p521
    ./gen-p521-certs.sh
    cd ..
    echo "End of section"
    echo "---------------------------------------------------------------------"

    ############################################################
    ###### update the ecc-rsa-server.p12 file ##################
    ############################################################
    echo "Updating ecc-rsa-server.p12 (password is \"\")"
    echo ""
    echo "" | openssl pkcs12 -des3 -descert -export -in server-ecc-rsa.pem -inkey ecc-key.pem -certfile server-ecc.pem -out ecc-rsa-server.p12 -password stdin
    check_result $? "Step 1"
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ###### update the test-servercert.p12 file #################
    ############################################################
    echo "Updating test-servercert.p12 (password is \"wolfSSL test\")"
    echo ""
    echo "wolfSSL test" | openssl pkcs12 -des3 -descert -export -in server-cert.pem -inkey server-key.pem -certfile ca-cert.pem -out test-servercert.p12 -password stdin
    check_result $? "Step 1"
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ###### update the test-servercert-rc2.p12 file #############
    ############################################################
    echo "Updating test-servercert-rc2.p12 (password is \"wolfSSL test\")"
    echo ""
    echo "wolfSSL test" | openssl pkcs12 -export -in server-cert.pem -inkey server-key.pem -certfile ca-cert.pem -out test-servercert-rc2.p12 -password stdin
    check_result $? "Step 1"
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ###### calling gen-ext-certs.sh           ##################
    ############################################################
    echo "Calling gen-ext-certs.sh"
    echo ""
    cd .. || exit 1
    ./certs/test/gen-ext-certs.sh
    check_result $? "gen-ext-certs.sh"
    cd ./certs || { echo "Couldn't cd to certs directory"; exit 1; }
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ###### calling gen-badsig.sh              ##################
    ############################################################
    echo "Calling gen-badsig.sh"
    echo ""
    cd ./test || { echo "Failed to switch to dir ./test"; exit 1; }
    ./gen-badsig.sh
    check_result $? "gen-badsig.sh"
    cd ../ || exit 1
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ###### calling gen-testcerts.sh           ##################
    ############################################################
    echo "Calling gen-testcerts.sh"
    echo ""
    cd ./test || { echo "Failed to switch to dir ./test"; exit 1; }
    ./gen-testcerts.sh
    check_result $? "gen-testcerts.sh"
    cd ../ || exit 1
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ###### generate cms bundles in test directory ##############
    ############################################################
    echo "Generating CMS bundle"
    echo ""
    cd ./test || { echo "Failed to switch to dir ./test"; exit 1; }
    echo "test" | openssl cms -encrypt -binary -keyid -out ktri-keyid-cms.msg -outform der -recip ../client-cert.pem -nocerts
    check_result $? "generate ktri-keyid-cms.msg"
    cd ../ || exit 1
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ########## generate ocsp certs        ######################
    ############################################################
    echo "Changing directory to ocsp..."
    echo ""

    # guard against recursive calls to renewcerts.sh
    if [ -d ocsp ]; then
        cd ./ocsp || { echo "Failed to switch to dir ./ocsp"; exit 1; }
        echo "Execute ocsp/renewcerts.sh..."
        ./renewcerts.sh
        check_result $? "renewcerts.sh"
        cd ../ || exit 1
    else
        echo "Error could not find ocsp directory"
        exit 1
    fi
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ###### calling assemble-chains.sh         ##################
    ############################################################
    echo "Calling assemble-chains.sh"
    echo ""
    cd ./test-pathlen || { echo "Failed to switch to dir ./test-pathlen";
                           exit 1; }
    ./assemble-chains.sh
    check_result $? "assemble-chains.sh"
    cd ../ || exit 1
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ########## store DER files as buffers ######################
    ############################################################
    echo "Changing directory to wolfssl root..."
    echo ""
    cd ../ || exit 1
    echo "Execute ./gencertbuf.pl..."
    echo ""
    ./gencertbuf.pl
    check_result $? "gencertbuf.pl"
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ############################################################
    ########## generate the new crls ###########################
    ############################################################

    echo "Change directory to wolfssl/certs"
    echo ""
    cd ./certs || { echo "Failed to switch to dir ./certs"; exit 1; }
    echo "We are back in the certs directory"
    echo ""

    echo "Updating the crls..."
    echo ""
    cd ./crl || { echo "Failed to switch to dir ./crl"; exit 1; }
    echo "changed directory: cd/crl"
    echo ""
    ./gencrls.sh
    check_result $? "gencrls.sh"
    echo "ran ./gencrls.sh"
    echo ""

    ############################################################
    ########## generate PKCS7 bundles ##########################
    ############################################################
    echo "Changing directory to wolfssl certs..."
    echo ""
    cd ../ || exit 1
    echo "Creating test-degenerate.p7b..."
    echo ""
    openssl crl2pkcs7 -nocrl -certfile ./client-cert.pem -out test-degenerate.p7b -outform DER
    check_result $? ""
    echo "End of section"
    echo "---------------------------------------------------------------------"

    #cleanup the file system now that we're done
    echo "Performing final steps, cleaning up the file system..."
    echo ""

    rm ../wolfssl.cnf
    echo "End of Updates. Everything was successfully updated!"
    echo "---------------------------------------------------------------------"
}

###############################################################################
##################### THE EXECUTABLE BODY #####################################
###############################################################################

#start in root.
cd ../ || exit 1

#if there was an argument given, check it for validity or print out error
if [ ! -z "$1" ]; then
    #valid argument print out other valid arguments
    if [ "$1" == "-h" ] || [ "$1" == "-help" ]; then
        echo ""
        echo "\"no argument\"        will attempt to update all certificates"
        echo "-h or -help          display this menu"
        echo ""
        echo ""
    #else the argument was invalid, tell user to use -h or -help
    else
        echo ""
        echo "That is not a valid option."
        echo ""
        echo "use -h or -help for a list of available options."
        echo ""
    fi
else
    echo "Saving the configure state"
    echo ""
    cp config.status tmp.status || exit 1
    cp wolfssl/options.h tmp.options.h || exit 1

    echo "Running make clean"
    echo ""
    make clean
    check_result $? "make clean"

    run_renewcerts
    cd ../ || exit 1
    rm ./certs/wolfssl.cnf

    # restore previous configure state
    restore_config
    check_result $? "restoring old configuration"

fi #END already defined

exit 0