[thirdparty/openvpn.git] / sample / sample-keys / gen-sample-keys.sh

#!/bin/sh
#
# Run this script to set up a test CA, and test key-certificate pair for a
# server, and various clients.
#
# Copyright (C) 2014-2024 Steffan Karger <steffan@karger.me>
set -eu

command -v openssl >/dev/null 2>&1 || { echo >&2 "Unable to find openssl. Please make sure openssl is installed and in your path."; exit 1; }

if [ ! -f openssl.cnf ]
then
    echo "Please run this script from the sample directory"
    exit 1
fi

# Generate static key for tls-auth (or static key mode)
top_builddir="${top_builddir:-$(dirname ${0})/../..}"
${top_builddir}/src/openvpn/openvpn --genkey tls-auth ta.key

# Create required directories and files
mkdir -p sample-ca
rm -f sample-ca/index.txt
touch sample-ca/index.txt
echo "01" > sample-ca/serial

# Generate CA key and cert
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \
    -extensions easyrsa_ca -keyout sample-ca/ca.key -out sample-ca/ca.crt \
    -subj "/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain" \
    -config openssl.cnf

# Create server key and cert
openssl req -new -nodes -config openssl.cnf -extensions server \
    -keyout sample-ca/server.key -out sample-ca/server.csr \
    -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server/emailAddress=me@myhost.mydomain"
openssl ca -batch -config openssl.cnf -extensions server \
    -out sample-ca/server.crt -in sample-ca/server.csr

# Create client key and cert
openssl req -new -nodes -config openssl.cnf \
    -keyout sample-ca/client.key -out sample-ca/client.csr \
    -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client/emailAddress=me@myhost.mydomain"
openssl ca -batch -config openssl.cnf \
    -out sample-ca/client.crt -in sample-ca/client.csr

# Create password protected key file
openssl rsa -aes256 -passout pass:password \
    -in sample-ca/client.key -out sample-ca/client-pass.key

# Create pkcs#12 client bundle
openssl pkcs12 -export -nodes -password pass:password \
    -out sample-ca/client.p12 -inkey sample-ca/client.key \
    -in sample-ca/client.crt -certfile sample-ca/ca.crt

# Create a client cert, revoke it, generate CRL
openssl req -new -nodes -config openssl.cnf \
    -keyout sample-ca/client-revoked.key -out sample-ca/client-revoked.csr \
    -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=client-revoked/emailAddress=me@myhost.mydomain"
openssl ca -batch -config openssl.cnf \
    -out sample-ca/client-revoked.crt -in sample-ca/client-revoked.csr
openssl ca -config openssl.cnf -revoke sample-ca/client-revoked.crt
openssl ca -config openssl.cnf -gencrl -out sample-ca/ca.crl

# Create DSA server and client cert (signed by 'regular' RSA CA)
openssl dsaparam -out sample-ca/dsaparams.pem 2048

openssl req -new -newkey dsa:sample-ca/dsaparams.pem -nodes -config openssl.cnf \
    -extensions server \
    -keyout sample-ca/server-dsa.key -out sample-ca/server-dsa.csr \
    -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server-DSA/emailAddress=me@myhost.mydomain"
openssl ca -batch -config openssl.cnf -extensions server \
    -out sample-ca/server-dsa.crt -in sample-ca/server-dsa.csr

openssl req -new -newkey dsa:sample-ca/dsaparams.pem -nodes -config openssl.cnf \
    -keyout sample-ca/client-dsa.key -out sample-ca/client-dsa.csr \
    -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client-DSA/emailAddress=me@myhost.mydomain"
openssl ca -batch -config openssl.cnf \
    -out sample-ca/client-dsa.crt -in sample-ca/client-dsa.csr

# Create EC server and client cert (signed by 'regular' RSA CA)
openssl ecparam -out sample-ca/secp256k1.pem -name secp256k1

openssl req -new -newkey ec:sample-ca/secp256k1.pem -nodes -config openssl.cnf \
    -extensions server \
    -keyout sample-ca/server-ec.key -out sample-ca/server-ec.csr \
    -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server-EC/emailAddress=me@myhost.mydomain"
openssl ca -batch -config openssl.cnf -extensions server \
    -out sample-ca/server-ec.crt -in sample-ca/server-ec.csr

openssl req -new -newkey ec:sample-ca/secp256k1.pem -nodes -config openssl.cnf \
    -keyout sample-ca/client-ec.key -out sample-ca/client-ec.csr \
    -subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client-EC/emailAddress=me@myhost.mydomain"
openssl ca -batch -config openssl.cnf \
    -out sample-ca/client-ec.crt -in sample-ca/client-ec.csr

# Generate DH parameters
openssl dhparam -out dh2048.pem 2048

# Copy keys and certs to working directory
cp sample-ca/*.key .
cp sample-ca/*.crt .
cp sample-ca/*.p12 .
cp sample-ca/*.crl .
Commit	Line	Data
13b2313a SK	1	#!/bin/sh
	2	#
	3	# Run this script to set up a test CA, and test key-certificate pair for a
	4	# server, and various clients.
	5	#
b25c6d7e	6	# Copyright (C) 2014-2024 Steffan Karger <steffan@karger.me>
13b2313a SK	7	set -eu
	8
	9	command -v openssl >/dev/null 2>&1 \|\| { echo >&2 "Unable to find openssl. Please make sure openssl is installed and in your path."; exit 1; }
	10
	11	if [ ! -f openssl.cnf ]
	12	then
	13	echo "Please run this script from the sample directory"
	14	exit 1
	15	fi
	16
513eef48	17	# Generate static key for tls-auth (or static key mode)
78e0c5f2 FL	18	top_builddir="${top_builddir:-$(dirname ${0})/../..}"
78e0c5f2 FL	19	${top_builddir}/src/openvpn/openvpn --genkey tls-auth ta.key
513eef48	20
13b2313a SK	21	# Create required directories and files
	22	mkdir -p sample-ca
	23	rm -f sample-ca/index.txt
	24	touch sample-ca/index.txt
	25	echo "01" > sample-ca/serial
	26
	27	# Generate CA key and cert
	28	openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \
	29	-extensions easyrsa_ca -keyout sample-ca/ca.key -out sample-ca/ca.crt \
	30	-subj "/C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain" \
	31	-config openssl.cnf
	32
	33	# Create server key and cert
	34	openssl req -new -nodes -config openssl.cnf -extensions server \
	35	-keyout sample-ca/server.key -out sample-ca/server.csr \
	36	-subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server/emailAddress=me@myhost.mydomain"
	37	openssl ca -batch -config openssl.cnf -extensions server \
	38	-out sample-ca/server.crt -in sample-ca/server.csr
	39
	40	# Create client key and cert
	41	openssl req -new -nodes -config openssl.cnf \
	42	-keyout sample-ca/client.key -out sample-ca/client.csr \
	43	-subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client/emailAddress=me@myhost.mydomain"
	44	openssl ca -batch -config openssl.cnf \
	45	-out sample-ca/client.crt -in sample-ca/client.csr
	46
	47	# Create password protected key file
	48	openssl rsa -aes256 -passout pass:password \
	49	-in sample-ca/client.key -out sample-ca/client-pass.key
	50
	51	# Create pkcs#12 client bundle
	52	openssl pkcs12 -export -nodes -password pass:password \
	53	-out sample-ca/client.p12 -inkey sample-ca/client.key \
	54	-in sample-ca/client.crt -certfile sample-ca/ca.crt
	55
a64d76e2 SK	56	# Create a client cert, revoke it, generate CRL
	57	openssl req -new -nodes -config openssl.cnf \
	58	-keyout sample-ca/client-revoked.key -out sample-ca/client-revoked.csr \
	59	-subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=client-revoked/emailAddress=me@myhost.mydomain"
	60	openssl ca -batch -config openssl.cnf \
	61	-out sample-ca/client-revoked.crt -in sample-ca/client-revoked.csr
	62	openssl ca -config openssl.cnf -revoke sample-ca/client-revoked.crt
	63	openssl ca -config openssl.cnf -gencrl -out sample-ca/ca.crl
13b2313a	64
3d215d4c SK	65	# Create DSA server and client cert (signed by 'regular' RSA CA)
	66	openssl dsaparam -out sample-ca/dsaparams.pem 2048
	67
	68	openssl req -new -newkey dsa:sample-ca/dsaparams.pem -nodes -config openssl.cnf \
	69	-extensions server \
	70	-keyout sample-ca/server-dsa.key -out sample-ca/server-dsa.csr \
	71	-subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server-DSA/emailAddress=me@myhost.mydomain"
	72	openssl ca -batch -config openssl.cnf -extensions server \
	73	-out sample-ca/server-dsa.crt -in sample-ca/server-dsa.csr
	74
	75	openssl req -new -newkey dsa:sample-ca/dsaparams.pem -nodes -config openssl.cnf \
	76	-keyout sample-ca/client-dsa.key -out sample-ca/client-dsa.csr \
	77	-subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client-DSA/emailAddress=me@myhost.mydomain"
	78	openssl ca -batch -config openssl.cnf \
	79	-out sample-ca/client-dsa.crt -in sample-ca/client-dsa.csr
	80
13b2313a SK	81	# Create EC server and client cert (signed by 'regular' RSA CA)
	82	openssl ecparam -out sample-ca/secp256k1.pem -name secp256k1
	83
	84	openssl req -new -newkey ec:sample-ca/secp256k1.pem -nodes -config openssl.cnf \
	85	-extensions server \
	86	-keyout sample-ca/server-ec.key -out sample-ca/server-ec.csr \
	87	-subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server-EC/emailAddress=me@myhost.mydomain"
	88	openssl ca -batch -config openssl.cnf -extensions server \
	89	-out sample-ca/server-ec.crt -in sample-ca/server-ec.csr
	90
	91	openssl req -new -newkey ec:sample-ca/secp256k1.pem -nodes -config openssl.cnf \
	92	-keyout sample-ca/client-ec.key -out sample-ca/client-ec.csr \
	93	-subj "/C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Client-EC/emailAddress=me@myhost.mydomain"
	94	openssl ca -batch -config openssl.cnf \
	95	-out sample-ca/client-ec.crt -in sample-ca/client-ec.csr
	96
	97	# Generate DH parameters
	98	openssl dhparam -out dh2048.pem 2048
	99
	100	# Copy keys and certs to working directory
	101	cp sample-ca/*.key .
	102	cp sample-ca/*.crt .
	103	cp sample-ca/*.p12 .
a64d76e2	104	cp sample-ca/*.crl .