[thirdparty/openssl.git] / demos / certs / mkcerts.sh

#!/bin/sh

opensslcmd() {
    LD_LIBRARY_PATH=../.. ../../apps/openssl $@
}

OPENSSL_CONF=../../apps/openssl.cnf
export OPENSSL_CONF

opensslcmd version

# Root CA: create certificate directly
CN="Test Root CA" opensslcmd req -config ca.cnf -x509 -nodes \
	-keyout root.pem -out root.pem -newkey rsa:2048 -days 3650
# Intermediate CA: request first
CN="Test Intermediate CA" opensslcmd req -config ca.cnf -nodes \
	-keyout intkey.pem -out intreq.pem -newkey rsa:2048
# Sign request: CA extensions
opensslcmd x509 -req -in intreq.pem -CA root.pem -days 3600 \
	-extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem

# Server certificate: create request first
CN="Test Server Cert" opensslcmd req -config ca.cnf -nodes \
	-keyout skey.pem -out req.pem -newkey rsa:1024
# Sign request: end entity extensions
opensslcmd x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
	-extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem

# Client certificate: request first
CN="Test Client Cert" opensslcmd req -config ca.cnf -nodes \
	-keyout ckey.pem -out creq.pem -newkey rsa:1024
# Sign using intermediate CA
opensslcmd x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
	-extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem

# Revoked certificate: request first
CN="Test Revoked Cert" opensslcmd req -config ca.cnf -nodes \
	-keyout revkey.pem -out rreq.pem -newkey rsa:1024
# Sign using intermediate CA
opensslcmd x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
	-extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem

# OCSP responder certificate: request first
CN="Test OCSP Responder Cert" opensslcmd req -config ca.cnf -nodes \
	-keyout respkey.pem -out respreq.pem -newkey rsa:1024
# Sign using intermediate CA and responder extensions
opensslcmd x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
	-extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem

# Example creating a PKCS#3 DH certificate.

# First DH parameters

[ -f dhp.pem ] || opensslcmd genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem

# Now a DH private key
opensslcmd genpkey -paramfile dhp.pem -out dhskey.pem
# Create DH public key file
opensslcmd pkey -in dhskey.pem -pubout -out dhspub.pem
# Certificate request, key just reuses old one as it is ignored when the
# request is signed.
CN="Test Server DH Cert" opensslcmd req -config ca.cnf -new \
	-key skey.pem -out dhsreq.pem
# Sign request: end entity DH extensions
opensslcmd x509 -req -in dhsreq.pem -CA root.pem -days 3600 \
	-force_pubkey dhspub.pem \
	-extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem

# DH client certificate

opensslcmd genpkey -paramfile dhp.pem -out dhckey.pem
opensslcmd pkey -in dhckey.pem -pubout -out dhcpub.pem
CN="Test Client DH Cert" opensslcmd req -config ca.cnf -new \
	-key skey.pem -out dhcreq.pem
opensslcmd x509 -req -in dhcreq.pem -CA root.pem -days 3600 \
	-force_pubkey dhcpub.pem \
	-extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem

# Examples of CRL generation without the need to use 'ca' to issue
# certificates.
# Create zero length index file
>index.txt
# Create initial crl number file
echo 01 >crlnum.txt
# Add entries for server and client certs
opensslcmd ca -valid server.pem -keyfile root.pem -cert root.pem \
		-config ca.cnf -md sha1
opensslcmd ca -valid client.pem -keyfile root.pem -cert root.pem \
		-config ca.cnf -md sha1
opensslcmd ca -valid rev.pem -keyfile root.pem -cert root.pem \
		-config ca.cnf -md sha1
# Generate a CRL.
opensslcmd ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
		-md sha1 -crldays 1 -out crl1.pem
# Revoke a certificate
openssl ca -revoke rev.pem -crl_reason superseded \
		-keyfile root.pem -cert root.pem -config ca.cnf -md sha1
# Generate another CRL
opensslcmd ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
		-md sha1 -crldays 1 -out crl2.pem
Commit	Line	Data
b6df360b DSH	1	#!/bin/sh
b6df360b DSH	2
bcd92754 JM	3	opensslcmd() {
	4	LD_LIBRARY_PATH=../.. ../../apps/openssl $@
	5	}
	6
ccd395cb DSH	7	OPENSSL_CONF=../../apps/openssl.cnf
ccd395cb DSH	8	export OPENSSL_CONF
b6df360b	9
bcd92754 JM	10	opensslcmd version
bcd92754 JM	11
b6df360b	12	# Root CA: create certificate directly
bcd92754	13	CN="Test Root CA" opensslcmd req -config ca.cnf -x509 -nodes \
b6df360b	14	-keyout root.pem -out root.pem -newkey rsa:2048 -days 3650
b6df360b	15	# Intermediate CA: request first
bcd92754	16	CN="Test Intermediate CA" opensslcmd req -config ca.cnf -nodes \
b6df360b DSH	17	-keyout intkey.pem -out intreq.pem -newkey rsa:2048
b6df360b DSH	18	# Sign request: CA extensions
bcd92754	19	opensslcmd x509 -req -in intreq.pem -CA root.pem -days 3600 \
b6df360b	20	-extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem
79b184fb DSH	21
79b184fb DSH	22	# Server certificate: create request first
bcd92754	23	CN="Test Server Cert" opensslcmd req -config ca.cnf -nodes \
79b184fb DSH	24	-keyout skey.pem -out req.pem -newkey rsa:1024
79b184fb DSH	25	# Sign request: end entity extensions
bcd92754	26	opensslcmd x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
79b184fb DSH	27	-extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem
79b184fb DSH	28
b6df360b	29	# Client certificate: request first
bcd92754	30	CN="Test Client Cert" opensslcmd req -config ca.cnf -nodes \
b6df360b DSH	31	-keyout ckey.pem -out creq.pem -newkey rsa:1024
b6df360b DSH	32	# Sign using intermediate CA
bcd92754	33	opensslcmd x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
b6df360b	34	-extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem
ccd395cb	35
226afe49	36	# Revoked certificate: request first
bcd92754	37	CN="Test Revoked Cert" opensslcmd req -config ca.cnf -nodes \
79b184fb DSH	38	-keyout revkey.pem -out rreq.pem -newkey rsa:1024
79b184fb DSH	39	# Sign using intermediate CA
bcd92754	40	opensslcmd x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
79b184fb DSH	41	-extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem
	42
	43	# OCSP responder certificate: request first
bcd92754	44	CN="Test OCSP Responder Cert" opensslcmd req -config ca.cnf -nodes \
79b184fb DSH	45	-keyout respkey.pem -out respreq.pem -newkey rsa:1024
79b184fb DSH	46	# Sign using intermediate CA and responder extensions
bcd92754	47	opensslcmd x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
79b184fb DSH	48	-extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem
79b184fb DSH	49
df443918	50	# Example creating a PKCS#3 DH certificate.
ccd395cb DSH	51
	52	# First DH parameters
	53
bcd92754	54	[ -f dhp.pem ] \|\| opensslcmd genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem
ccd395cb DSH	55
ccd395cb DSH	56	# Now a DH private key
bcd92754	57	opensslcmd genpkey -paramfile dhp.pem -out dhskey.pem
ccd395cb	58	# Create DH public key file
bcd92754	59	opensslcmd pkey -in dhskey.pem -pubout -out dhspub.pem
ccd395cb DSH	60	# Certificate request, key just reuses old one as it is ignored when the
ccd395cb DSH	61	# request is signed.
bcd92754	62	CN="Test Server DH Cert" opensslcmd req -config ca.cnf -new \
ccd395cb DSH	63	-key skey.pem -out dhsreq.pem
ccd395cb DSH	64	# Sign request: end entity DH extensions
bcd92754	65	opensslcmd x509 -req -in dhsreq.pem -CA root.pem -days 3600 \
ccd395cb DSH	66	-force_pubkey dhspub.pem \
	67	-extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem
	68
	69	# DH client certificate
	70
bcd92754 JM	71	opensslcmd genpkey -paramfile dhp.pem -out dhckey.pem
	72	opensslcmd pkey -in dhckey.pem -pubout -out dhcpub.pem
	73	CN="Test Client DH Cert" opensslcmd req -config ca.cnf -new \
ccd395cb	74	-key skey.pem -out dhcreq.pem
bcd92754	75	opensslcmd x509 -req -in dhcreq.pem -CA root.pem -days 3600 \
ccd395cb DSH	76	-force_pubkey dhcpub.pem \
ccd395cb DSH	77	-extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem
79b184fb DSH	78
	79	# Examples of CRL generation without the need to use 'ca' to issue
	80	# certificates.
	81	# Create zero length index file
	82	>index.txt
	83	# Create initial crl number file
	84	echo 01 >crlnum.txt
	85	# Add entries for server and client certs
bcd92754	86	opensslcmd ca -valid server.pem -keyfile root.pem -cert root.pem \
79b184fb	87	-config ca.cnf -md sha1
bcd92754	88	opensslcmd ca -valid client.pem -keyfile root.pem -cert root.pem \
79b184fb	89	-config ca.cnf -md sha1
bcd92754	90	opensslcmd ca -valid rev.pem -keyfile root.pem -cert root.pem \
79b184fb DSH	91	-config ca.cnf -md sha1
79b184fb DSH	92	# Generate a CRL.
bcd92754	93	opensslcmd ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
79b184fb DSH	94	-md sha1 -crldays 1 -out crl1.pem
	95	# Revoke a certificate
	96	openssl ca -revoke rev.pem -crl_reason superseded \
	97	-keyfile root.pem -cert root.pem -config ca.cnf -md sha1
	98	# Generate another CRL
bcd92754	99	opensslcmd ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
79b184fb DSH	100	-md sha1 -crldays 1 -out crl2.pem
79b184fb DSH	101