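#!/bin/sh
# Build the demo CA hierarchy (root, intermediate, server, client, revoked,
# OCSP responder and DH certificates) plus two CRLs, using the openssl binary
# freshly built in this source tree rather than whatever is on PATH.
# Must be run from this directory: every path below is relative to it.

# Run the in-tree openssl binary against the in-tree shared libraries.
# Arguments: the openssl sub-command and its options, passed through as-is.
# "$@" (not $@) keeps arguments containing spaces, e.g. -subj values, intact.
opensslcmd() {
  LD_LIBRARY_PATH=../.. ../../apps/openssl "$@"
}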
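# Use the in-tree configuration; exported so every openssl invocation sees it.
OPENSSL_CONF=../../apps/openssl.cnf
export OPENSSL_CONF

# Each step consumes the output of the previous one, so stop at the first
# failing command rather than producing a half-built hierarchy that only
# fails later in a confusing way.
set -e

# Sanity check: proves the in-tree binary and its libraries actually load.
opensslcmd version

# NOTE(review): the subject CN is passed through the environment of each
# 'req' call; ca.cnf is expected to pick it up -- verify against ca.cnf.
# NOTE(review): rsa:1024 keys and '-md sha1' are weak by current standards
# and are kept only for demo compatibility; do not reuse these files
# anywhere that matters.

# Root CA: create certificate directly. Key and certificate share root.pem,
# which is later used both as -CA/-cert and as the signing key.
CN="Test Root CA" opensslcmd req -config ca.cnf -x509 -nodes \
  -keyout root.pem -out root.pem -newkey rsa:2048 -days 3650
# Intermediate CA: request first
CN="Test Intermediate CA" opensslcmd req -config ca.cnf -nodes \
  -keyout intkey.pem -out intreq.pem -newkey rsa:2048
# Sign request: CA extensions
opensslcmd x509 -req -in intreq.pem -CA root.pem -days 3600 \
  -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem

# Server certificate: create request first
CN="Test Server Cert" opensslcmd req -config ca.cnf -nodes \
  -keyout skey.pem -out req.pem -newkey rsa:1024
# Sign request: end entity extensions
opensslcmd x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
  -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem

# Client certificate: request first
CN="Test Client Cert" opensslcmd req -config ca.cnf -nodes \
  -keyout ckey.pem -out creq.pem -newkey rsa:1024
# Sign using intermediate CA
opensslcmd x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
  -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem

# Revoked certificate: request first (it is revoked further down, after the
# first CRL, so the two CRLs differ).
CN="Test Revoked Cert" opensslcmd req -config ca.cnf -nodes \
  -keyout revkey.pem -out rreq.pem -newkey rsa:1024
# Sign using intermediate CA
opensslcmd x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
  -extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem

# OCSP responder certificate: request first
CN="Test OCSP Responder Cert" opensslcmd req -config ca.cnf -nodes \
  -keyout respkey.pem -out respreq.pem -newkey rsa:1024
# Sign using intermediate CA and responder extensions
opensslcmd x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
  -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem

# Example creating a PKCS#3 DH certificate.

# First DH parameters. Parameter generation is slow, so reuse an existing
# dhp.pem when present.

[ -f dhp.pem ] || opensslcmd genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem

# Now a DH private key
opensslcmd genpkey -paramfile dhp.pem -out dhskey.pem
# Create DH public key file
opensslcmd pkey -in dhskey.pem -pubout -out dhspub.pem
# Certificate request, key just reuses old one as it is ignored when the
# request is signed (the DH public key is substituted via -force_pubkey).
CN="Test Server DH Cert" opensslcmd req -config ca.cnf -new \
  -key skey.pem -out dhsreq.pem
# Sign request: end entity DH extensions
opensslcmd x509 -req -in dhsreq.pem -CA root.pem -days 3600 \
  -force_pubkey dhspub.pem \
  -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem

# DH client certificate

opensslcmd genpkey -paramfile dhp.pem -out dhckey.pem
opensslcmd pkey -in dhckey.pem -pubout -out dhcpub.pem
CN="Test Client DH Cert" opensslcmd req -config ca.cnf -new \
  -key skey.pem -out dhcreq.pem
opensslcmd x509 -req -in dhcreq.pem -CA root.pem -days 3600 \
  -force_pubkey dhcpub.pem \
  -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem

# Examples of CRL generation without the need to use 'ca' to issue
# certificates.
# Create zero length index file
>index.txt
# Create initial crl number file
echo 01 >crlnum.txt
# Add entries for server and client certs
opensslcmd ca -valid server.pem -keyfile root.pem -cert root.pem \
  -config ca.cnf -md sha1
opensslcmd ca -valid client.pem -keyfile root.pem -cert root.pem \
  -config ca.cnf -md sha1
opensslcmd ca -valid rev.pem -keyfile root.pem -cert root.pem \
  -config ca.cnf -md sha1
# Generate a CRL.
opensslcmd ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
  -md sha1 -crldays 1 -out crl1.pem
# Revoke a certificate. This goes through opensslcmd like every other step;
# a bare 'openssl' here would silently use whatever binary is on PATH.
opensslcmd ca -revoke rev.pem -crl_reason superseded \
  -keyfile root.pem -cert root.pem -config ca.cnf -md sha1
# Generate another CRL
opensslcmd ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
  -md sha1 -crldays 1 -out crl2.pem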