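#!/bin/sh
# $Id: gen-req.sh 21786 2007-08-01 19:37:45Z lha $
#
# Generate the certificate, key, PKCS#12, CMS and OCSP/CRL test
# fixtures for the hx509 test suite.  Run it from the directory that
# holds openssl.cnf and static-file; every artifact is written to the
# current directory.
#
# This script needs openssl 0.9.8a or newer, so it can parse the
# otherName section for pkinit certificates.
#
# The key size, digest and ciphers used below (rsa:1024, -sha1,
# -rc2-40, -des, ...) are well below current recommendations and are
# kept only because the suite exercises decoding of exactly these
# legacy parameters.  Likewise, the literal passwords given with
# -passout are part of the fixtures' contract.  Nothing produced here
# is suitable for use outside the tests.
#

# Stop at the first failing command: a partially generated fixture set
# would otherwise surface as confusing failures later in the test run.
set -e

# Location of the openssl binary.  Override with the OPENSSL environment
# variable rather than editing the script; the default is the original
# hard-coded development path.
openssl=${OPENSSL:-$HOME/src/openssl/openssl-0.9.8e/apps/openssl}

#######################################
# Generate one RSA key and a certificate for it.
# Arguments:
#   $1 - subject DN passed to 'openssl req -subj'
#   $2 - basename of the issuer's .crt/.key (not consulted in "ca" mode)
#   $3 - mode: "ca" (self-signed root), "proxy" (signed directly with
#        'x509 -req' by the certificate in $2), or any other value, which
#        is both the output basename and selects issuance through
#        'openssl ca' and its database
#   $4 - "ca"/"proxy" modes: x509v3 extension section in openssl.cnf;
#        otherwise the [ca] section name given to 'openssl ca -name'
#   $5 - output basename, "proxy" mode only
# Outputs:
#   <name>.crt and <name>.key in the current directory.  "ca" mode also
#   creates a <subject-hash>.0 symlink pointing at ca.crt.  The
#   intermediate cert.req is left behind.
# Globals:
#   name (written), openssl (read)
#######################################
gen_cert()
{
    # -nodes leaves the private key unencrypted on disk, which is what the
    # test suite expects.  Key generation writes progress dots to stderr,
    # so both streams are silenced; since that also hides any error
    # output, report a failure explicitly instead of relying on set -e.
    "${openssl}" req \
        -new \
        -subj "$1" \
        -config openssl.cnf \
        -newkey rsa:1024 \
        -sha1 \
        -nodes \
        -keyout out.key \
        -out cert.req > /dev/null 2>/dev/null \
        || { echo "gen_cert: openssl req failed for $1" >&2; exit 1; }

    if [ "$3" = "ca" ] ; then
        # Self-signed root; $2 is ignored here.
        "${openssl}" x509 \
            -req \
            -days 3650 \
            -in cert.req \
            -extfile openssl.cnf \
            -extensions "$4" \
            -signkey out.key \
            -out cert.crt

        # Subject-hash-named link so the root can be found by hash lookup
        # (the certificate itself is renamed to ca.crt below).
        ln -s ca.crt "$("${openssl}" x509 -hash -noout -in cert.crt)".0

        name=$3

    elif [ "$3" = "proxy" ] ; then
        # Proxy certificates are signed directly by the end-entity
        # certificate named in $2, bypassing the CA database.
        "${openssl}" x509 \
            -req \
            -in cert.req \
            -days 3650 \
            -out cert.crt \
            -CA "$2".crt \
            -CAkey "$2".key \
            -CAcreateserial \
            -extfile openssl.cnf \
            -extensions "$4"

        name=$5
    else
        # Regular issuance through the CA database (serial, index.txt);
        # the later -revoke, -gencrl and OCSP steps depend on these
        # entries being recorded.
        "${openssl}" ca \
            -name "$4" \
            -days 3650 \
            -cert "$2".crt \
            -keyfile "$2".key \
            -in cert.req \
            -out cert.crt \
            -outdir . \
            -batch \
            -config openssl.cnf

        name=$3
    fi

    mv cert.crt "${name}".crt
    mv out.key "${name}".key
}

# Fresh CA database: serial counter, empty index, no stale hash links.
echo "01" > serial
> index.txt
rm -f *.0

gen_cert "/CN=hx509 Test Root CA/C=SE" "root" "ca" "v3_ca"
gen_cert "/CN=OCSP responder/C=SE" "ca" "ocsp-responder" "ocsp"
gen_cert "/CN=Test cert/C=SE" "ca" "test" "usr"
gen_cert "/CN=Revoke cert/C=SE" "ca" "revoke" "usr"
gen_cert "/CN=Test cert KeyEncipherment/C=SE" "ca" "test-ke-only" "usr_ke"
gen_cert "/CN=Test cert DigitalSignature/C=SE" "ca" "test-ds-only" "usr_ds"
gen_cert "/CN=pkinit/C=SE" "ca" "pkinit" "pkinit_client"
gen_cert "/C=SE/CN=pkinit/CN=pkinit-proxy" "pkinit" "proxy" "proxy_cert" pkinit-proxy
gen_cert "/CN=kdc/C=SE" "ca" "kdc" "pkinit_kdc"
gen_cert "/CN=www.test.h5l.se/C=SE" "ca" "https" "https"
gen_cert "/CN=Sub CA/C=SE" "ca" "sub-ca" "subca"
gen_cert "/CN=Test sub cert/C=SE" "sub-ca" "sub-cert" "usr"
gen_cert "/C=SE/CN=Test cert/CN=proxy" "test" "proxy" "proxy_cert" proxy-test
gen_cert "/C=SE/CN=Test cert/CN=proxy/CN=child" "proxy-test" "proxy" "proxy_cert" proxy-level-test
gen_cert "/C=SE/CN=Test cert/CN=no-proxy" "test" "proxy" "usr_cert" no-proxy-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10" "test" "proxy" "proxy10_cert" proxy10-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child" "proxy10-test" "proxy" "proxy10_cert" proxy10-child-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child/CN=child" "proxy10-child-test" "proxy" "proxy10_cert" proxy10-child-child-test


# combine: chain files, and one file carrying both cert and private key
cat sub-ca.crt ca.crt > sub-ca-combined.crt
cat test.crt test.key > test.combined.crt
cat pkinit-proxy.crt pkinit.crt > pkinit-proxy-chain.crt

# password protected key (the passwords are fixed by the test suite)
"${openssl}" rsa -in test.key -aes256 -passout pass:foobar -out test-pw.key
"${openssl}" rsa -in pkinit.key -aes256 -passout pass:foo -out pkinit-pw.key


# Mark revoke.crt as revoked in index.txt so the CRL and the second
# OCSP response below report it.
"${openssl}" ca \
    -name usr \
    -cert ca.crt \
    -keyfile ca.key \
    -revoke revoke.crt \
    -config openssl.cnf

"${openssl}" pkcs12 \
    -export \
    -in test.crt \
    -inkey test.key \
    -passout pass:foobar \
    -out test.p12 \
    -name "friendlyname-test" \
    -certfile ca.crt \
    -caname ca

"${openssl}" pkcs12 \
    -export \
    -in sub-cert.crt \
    -inkey sub-cert.key \
    -passout pass:foobar \
    -out sub-cert.p12 \
    -name "friendlyname-sub-cert" \
    -certfile sub-ca-combined.crt \
    -caname sub-ca \
    -caname ca

# PKCS#12 whose key and certificate bags are not encrypted at all
# (-keypbe/-certpbe NONE); the export password is still supplied.
"${openssl}" pkcs12 \
    -keypbe NONE \
    -certpbe NONE \
    -export \
    -in test.crt \
    -inkey test.key \
    -passout pass:foobar \
    -out test-nopw.p12 \
    -name "friendlyname-cert" \
    -certfile ca.crt \
    -caname ca

# CMS SignedData variants: with signed attributes, without them, and
# without the signer certificate embedded.
"${openssl}" smime \
    -sign \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -outform DER \
    -out test-signed-data

"${openssl}" smime \
    -sign \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -noattr \
    -outform DER \
    -out test-signed-data-noattr

"${openssl}" smime \
    -sign \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -noattr \
    -nocerts \
    -outform DER \
    -out test-signed-data-noattr-nocerts

# CMS EnvelopedData for test.crt, one file per content-encryption
# algorithm the suite must be able to decode.
"${openssl}" smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-rc2-40 \
    -rc2-40 \
    test.crt

"${openssl}" smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-rc2-64 \
    -rc2-64 \
    test.crt

"${openssl}" smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-rc2-128 \
    -rc2-128 \
    test.crt

"${openssl}" smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-des \
    -des \
    test.crt

"${openssl}" smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-des-ede3 \
    -des3 \
    test.crt

"${openssl}" smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-aes-128 \
    -aes128 \
    test.crt

"${openssl}" smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-aes-256 \
    -aes256 \
    test.crt

echo ocsp requests

# Request for the (good) test certificate, then responses to it signed
# by the delegated responder, by the CA key directly, without the
# responder certificate embedded, and with the responder identified by
# key hash.  -noverify skips openssl's own verification of the produced
# response; the fixtures are only used as inputs here.
"${openssl}" ocsp \
    -issuer ca.crt \
    -cert test.crt \
    -reqout ocsp-req1.der

"${openssl}" ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -reqin ocsp-req1.der \
    -noverify \
    -respout ocsp-resp1-ocsp.der

"${openssl}" ocsp \
    -index index.txt \
    -rsigner ca.crt \
    -rkey ca.key \
    -CA ca.crt \
    -reqin ocsp-req1.der \
    -noverify \
    -respout ocsp-resp1-ca.der

"${openssl}" ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -resp_no_certs \
    -reqin ocsp-req1.der \
    -noverify \
    -respout ocsp-resp1-ocsp-no-cert.der

"${openssl}" ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -reqin ocsp-req1.der \
    -resp_key_id \
    -noverify \
    -respout ocsp-resp1-keyhash.der

# Request/response pair for the revoked certificate.
"${openssl}" ocsp \
    -issuer ca.crt \
    -cert revoke.crt \
    -reqout ocsp-req2.der

"${openssl}" ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -reqin ocsp-req2.der \
    -noverify \
    -respout ocsp-resp2.der

# CRL from the CA database, in PEM and then DER.
"${openssl}" ca \
    -gencrl \
    -name usr \
    -crldays 3600 \
    -keyfile ca.key \
    -cert ca.crt \
    -crl_reason superseded \
    -out crl1.crl \
    -config openssl.cnf

"${openssl}" crl -in crl1.crl -outform der -out crl1.der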