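#!/bin/sh
#
# Build a small demonstration PKI with the openssl binary from this source
# tree ($OPENSSL below), taking every extension section from ca.cnf:
#
#   root.pem        self-signed root CA (private key and certificate in
#                   the same file)
#   intca.pem       intermediate CA issued by the root (key: intkey.pem)
#   server.pem, client.pem, rev.pem, resp.pem
#                   end-entity certificates issued by the intermediate
#   dhserver.pem, dhclient.pem
#                   PKCS#3 DH certificates issued by the root
#   crl1.pem        root CRL with nothing revoked
#   crl2.pem        root CRL after revoking rev.pem (reason: superseded)
#
# Every private key is written unencrypted (-nodes).  This is throw-away
# test material: never reuse any of these files in a real deployment.

# Abort on the first failing command.  Without this a failed key generation
# or signing step is silently carried forward and a later step signs with a
# stale or missing file.
set -e

OPENSSL=../../apps/openssl
OPENSSL_CONF=../../apps/openssl.cnf
export OPENSSL_CONF

# Root CA: create the self-signed certificate directly.  -keyout and -out
# name the same file, so root.pem holds both key and certificate; that is
# why the root signing steps further down pass no -CAkey.
CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes \
    -keyout root.pem -out root.pem -newkey rsa:2048 -days 3650

# Intermediate CA: request first
CN="Test Intermediate CA" $OPENSSL req -config ca.cnf -nodes \
    -keyout intkey.pem -out intreq.pem -newkey rsa:2048
# Sign request: CA extensions (v3_ca section of ca.cnf)
$OPENSSL x509 -req -in intreq.pem -CA root.pem -days 3600 \
    -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem

# End-entity certificates.  All keys are 2048-bit RSA: 1024-bit keys are
# below current minimums and are rejected by many clients and by the
# higher OpenSSL security levels.

# Server certificate: create request first
CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \
    -keyout skey.pem -out req.pem -newkey rsa:2048
# Sign request: end entity extensions (usr_cert section of ca.cnf)
$OPENSSL x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
    -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem

# Client certificate: request first
CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \
    -keyout ckey.pem -out creq.pem -newkey rsa:2048
# Sign using intermediate CA
$OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
    -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem

# Revoked certificate: request first (it is revoked in the CRL section below)
CN="Test Revoked Cert" $OPENSSL req -config ca.cnf -nodes \
    -keyout revkey.pem -out rreq.pem -newkey rsa:2048
# Sign using intermediate CA
$OPENSSL x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
    -extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem

# OCSP responder certificate: request first
CN="Test OCSP Responder Cert" $OPENSSL req -config ca.cnf -nodes \
    -keyout respkey.pem -out respreq.pem -newkey rsa:2048
# Sign using intermediate CA and responder extensions (ocsp_cert in ca.cnf)
$OPENSSL x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
    -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem

# Example creating a PKCS#3 DH certificate.

# First DH parameters.  Generating a 2048-bit group can take minutes, so an
# existing dhp.pem is reused; delete it to regenerate.  1024-bit DH groups
# are within reach of well-funded attackers and should not be used.
[ -f dhp.pem ] || $OPENSSL genpkey -genparam -algorithm DH \
    -pkeyopt dh_paramgen_prime_len:2048 -out dhp.pem

# Now a DH private key
$OPENSSL genpkey -paramfile dhp.pem -out dhskey.pem
# Create DH public key file
$OPENSSL pkey -in dhskey.pem -pubout -out dhspub.pem
# Certificate request.  A DH key cannot produce a signature, so the request
# is signed with the existing RSA server key; that key is ignored when the
# request is signed, because -force_pubkey below places the DH public key in
# the issued certificate instead.
CN="Test Server DH Cert" $OPENSSL req -config ca.cnf -new \
    -key skey.pem -out dhsreq.pem
# Sign request: end entity DH extensions (dh_cert section of ca.cnf)
$OPENSSL x509 -req -in dhsreq.pem -CA root.pem -days 3600 \
    -force_pubkey dhspub.pem \
    -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem

# DH client certificate, built the same way as the DH server certificate.
$OPENSSL genpkey -paramfile dhp.pem -out dhckey.pem
$OPENSSL pkey -in dhckey.pem -pubout -out dhcpub.pem
CN="Test Client DH Cert" $OPENSSL req -config ca.cnf -new \
    -key skey.pem -out dhcreq.pem
$OPENSSL x509 -req -in dhcreq.pem -CA root.pem -days 3600 \
    -force_pubkey dhcpub.pem \
    -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem

# Examples of CRL generation without the need to use 'ca' to issue
# certificates: the already-issued certificates are registered in the
# index with 'ca -valid' and then revoked and listed from there.
#
# NOTE(review): server.pem, client.pem and rev.pem were issued by intca.pem,
# yet the CRLs below are signed by the root.  A verifier checking rev.pem
# looks for a CRL from the intermediate, so these CRLs exercise the 'ca'
# mechanics rather than a complete revocation chain -- confirm this is what
# the consuming tests expect.

# Create zero length index file
>index.txt
# Create initial crl number file
echo 01 >crlnum.txt
# Add entries for server, client and revoked certs.  Signatures use SHA-256:
# SHA-1 signatures are rejected by current OpenSSL security levels and by
# most clients.
$OPENSSL ca -valid server.pem -keyfile root.pem -cert root.pem \
    -config ca.cnf -md sha256
$OPENSSL ca -valid client.pem -keyfile root.pem -cert root.pem \
    -config ca.cnf -md sha256
$OPENSSL ca -valid rev.pem -keyfile root.pem -cert root.pem \
    -config ca.cnf -md sha256
# Generate a CRL.
$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
    -md sha256 -crldays 1 -out crl1.pem
# Revoke a certificate.  This must use $OPENSSL like every other step; the
# previous version ran a bare 'openssl', i.e. whatever binary was first on
# PATH rather than the one built in this tree.
$OPENSSL ca -revoke rev.pem -crl_reason superseded \
    -keyfile root.pem -cert root.pem -config ca.cnf -md sha256
# Generate another CRL, now listing rev.pem
$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
    -md sha256 -crldays 1 -out crl2.pem
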