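#!/bin/sh
# $Id: gen-req.sh 21786 2007-08-01 19:37:45Z lha $
#
# Regenerates the certificate, key, PKCS#12, CMS/S-MIME, OCSP and CRL test
# fixtures for the hx509 test suite. All certificate contents are driven by
# the section names in openssl.cnf in the current directory, which is also
# where every output file is written.
#
# This script need openssl 0.9.8a or newer, so it can parse the
# otherName section for pkinit certificates.
#
# Environment:
#   OPENSSL   path of the openssl binary to drive; defaults to the
#             historical in-tree build path below.
#
# Every step is fatal on failure (set -e): a broken early step would
# otherwise cascade into a pile of misleading "no such file" errors from
# the later steps that consume its output.

set -e

openssl=${OPENSSL:-$HOME/src/openssl/openssl-0.9.8e/apps/openssl}

# Print a message on stderr and abort the whole run.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Issue one certificate/key pair.
# Arguments:
#   $1 - subject DN, e.g. "/CN=Test cert/C=SE"
#   $2 - base name of the issuer's $2.crt / $2.key (ignored for "ca")
#   $3 - "ca" for a self-signed root, "proxy" for a proxy certificate
#        signed directly with `x509 -req`, otherwise the output base name
#        of a leaf issued through `openssl ca`
#   $4 - x509v3 extension section ("ca"/"proxy") or `openssl ca` section
#        name (leaf) in openssl.cnf
#   $5 - output base name for "proxy" certificates (unused otherwise)
# Outputs:
#   <name>.crt and <name>.key in the current directory; the root
#   additionally gets a <subject-hash>.0 symlink pointing at ca.crt
# Returns:
#   0 on success; aborts the script otherwise
#######################################
gen_cert() {
  # rsa:1024 and SHA-1 are kept on purpose: the fixtures exercise legacy
  # algorithms and the test expectations are built around them. Newer
  # OpenSSL builds may refuse them under their default security level --
  # TODO confirm before moving the toolchain.
  #
  # req's own diagnostics are discarded (historical behaviour), so report
  # the failure ourselves instead of letting the next step trip over a
  # missing cert.req.
  ${openssl} req \
    -new \
    -subj "$1" \
    -config openssl.cnf \
    -newkey rsa:1024 \
    -sha1 \
    -nodes \
    -keyout out.key \
    -out cert.req >/dev/null 2>&1 \
    || die "gen_cert: request generation failed for $1"

  if [ "$3" = "ca" ]; then
    # Self-signed root: sign the request with its own key.
    ${openssl} x509 \
      -req \
      -days 3650 \
      -in cert.req \
      -extfile openssl.cnf \
      -extensions "$4" \
      -signkey out.key \
      -out cert.crt

    # Hash-named link (<subject hash>.0) for directory-style CA lookups.
    # It targets ca.crt, the name the root is renamed to at the end.
    ln -s ca.crt "$(${openssl} x509 -hash -noout -in cert.crt).0"

    name=$3
  elif [ "$3" = "proxy" ]; then
    # Proxy certificate: signed directly by the end-entity key in $2,
    # bypassing the CA database (no index.txt/serial bookkeeping).
    ${openssl} x509 \
      -req \
      -in cert.req \
      -days 3650 \
      -out cert.crt \
      -CA "$2.crt" \
      -CAkey "$2.key" \
      -CAcreateserial \
      -extfile openssl.cnf \
      -extensions "$4"

    name=$5
  else
    # Regular leaf: issued through the CA database so it is recorded in
    # index.txt and can be revoked for the OCSP/CRL steps below.
    ${openssl} ca \
      -name "$4" \
      -days 3650 \
      -cert "$2.crt" \
      -keyfile "$2.key" \
      -in cert.req \
      -out cert.crt \
      -outdir . \
      -batch \
      -config openssl.cnf

    name=$3
  fi

  mv -- cert.crt "$name.crt"
  mv -- out.key "$name.key"
}

# Fresh CA database: serial counter, empty index, no stale hash links.
echo "01" > serial
: > index.txt
rm -f *.0

gen_cert "/CN=hx509 Test Root CA/C=SE" "root" "ca" "v3_ca"
gen_cert "/CN=OCSP responder/C=SE" "ca" "ocsp-responder" "ocsp"
gen_cert "/CN=Test cert/C=SE" "ca" "test" "usr"
gen_cert "/CN=Revoke cert/C=SE" "ca" "revoke" "usr"
gen_cert "/CN=Test cert KeyEncipherment/C=SE" "ca" "test-ke-only" "usr_ke"
gen_cert "/CN=Test cert DigitalSignature/C=SE" "ca" "test-ds-only" "usr_ds"
gen_cert "/CN=pkinit/C=SE" "ca" "pkinit" "pkinit_client"
gen_cert "/C=SE/CN=pkinit/CN=pkinit-proxy" "pkinit" "proxy" "proxy_cert" pkinit-proxy
gen_cert "/CN=kdc/C=SE" "ca" "kdc" "pkinit_kdc"
gen_cert "/CN=www.test.h5l.se/C=SE" "ca" "https" "https"
gen_cert "/CN=Sub CA/C=SE" "ca" "sub-ca" "subca"
gen_cert "/CN=Test sub cert/C=SE" "sub-ca" "sub-cert" "usr"
gen_cert "/C=SE/CN=Test cert/CN=proxy" "test" "proxy" "proxy_cert" proxy-test
gen_cert "/C=SE/CN=Test cert/CN=proxy/CN=child" "proxy-test" "proxy" "proxy_cert" proxy-level-test
# "no-proxy" deliberately gets the plain usr_cert extensions: a negative
# case for the proxy-certificate path validation tests.
gen_cert "/C=SE/CN=Test cert/CN=no-proxy" "test" "proxy" "usr_cert" no-proxy-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10" "test" "proxy" "proxy10_cert" proxy10-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child" "proxy10-test" "proxy" "proxy10_cert" proxy10-child-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child/CN=child" "proxy10-child-test" "proxy" "proxy10_cert" proxy10-child-child-test


# combine: PEM bundles (chain, cert+key, proxy chain) for the file-loading tests
cat sub-ca.crt ca.crt > sub-ca-combined.crt
cat test.crt test.key > test.combined.crt
cat pkinit-proxy.crt pkinit.crt > pkinit-proxy-chain.crt

# password protected key
# The passphrases are fixed fixture values the tests expect; "pass:" on the
# command line is fine for throwaway test material only.
${openssl} rsa -in test.key -aes256 -passout pass:foobar -out test-pw.key
${openssl} rsa -in pkinit.key -aes256 -passout pass:foo -out pkinit-pw.key


# Mark revoke.crt as revoked in index.txt so the OCSP and CRL fixtures
# below carry a "revoked" answer for it.
${openssl} ca \
  -name usr \
  -cert ca.crt \
  -keyfile ca.key \
  -revoke revoke.crt \
  -config openssl.cnf

# PKCS#12 bundles: plain, with a two-level chain, and with unencrypted
# key/cert bags (-keypbe/-certpbe NONE).
${openssl} pkcs12 \
  -export \
  -in test.crt \
  -inkey test.key \
  -passout pass:foobar \
  -out test.p12 \
  -name "friendlyname-test" \
  -certfile ca.crt \
  -caname ca

${openssl} pkcs12 \
  -export \
  -in sub-cert.crt \
  -inkey sub-cert.key \
  -passout pass:foobar \
  -out sub-cert.p12 \
  -name "friendlyname-sub-cert" \
  -certfile sub-ca-combined.crt \
  -caname sub-ca \
  -caname ca

${openssl} pkcs12 \
  -keypbe NONE \
  -certpbe NONE \
  -export \
  -in test.crt \
  -inkey test.key \
  -passout pass:foobar \
  -out test-nopw.p12 \
  -name "friendlyname-cert" \
  -certfile ca.crt \
  -caname ca

# CMS SignedData variants over static-file: with signed attributes,
# without, and without the signer certificate embedded.
${openssl} smime \
  -sign \
  -nodetach \
  -binary \
  -in static-file \
  -signer test.crt \
  -inkey test.key \
  -outform DER \
  -out test-signed-data

${openssl} smime \
  -sign \
  -nodetach \
  -binary \
  -in static-file \
  -signer test.crt \
  -inkey test.key \
  -noattr \
  -outform DER \
  -out test-signed-data-noattr

${openssl} smime \
  -sign \
  -nodetach \
  -binary \
  -in static-file \
  -signer test.crt \
  -inkey test.key \
  -noattr \
  -nocerts \
  -outform DER \
  -out test-signed-data-noattr-nocerts

# CMS EnvelopedData for each content cipher the decoder is tested against.
# RC2 and single DES are legacy ciphers kept only as test vectors; OpenSSL
# 3.x builds need the legacy provider for them -- TODO confirm on upgrade.
${openssl} smime \
  -encrypt \
  -nodetach \
  -binary \
  -in static-file \
  -outform DER \
  -out test-enveloped-rc2-40 \
  -rc2-40 \
  test.crt

${openssl} smime \
  -encrypt \
  -nodetach \
  -binary \
  -in static-file \
  -outform DER \
  -out test-enveloped-rc2-64 \
  -rc2-64 \
  test.crt

${openssl} smime \
  -encrypt \
  -nodetach \
  -binary \
  -in static-file \
  -outform DER \
  -out test-enveloped-rc2-128 \
  -rc2-128 \
  test.crt

${openssl} smime \
  -encrypt \
  -nodetach \
  -binary \
  -in static-file \
  -outform DER \
  -out test-enveloped-des \
  -des \
  test.crt

${openssl} smime \
  -encrypt \
  -nodetach \
  -binary \
  -in static-file \
  -outform DER \
  -out test-enveloped-des-ede3 \
  -des3 \
  test.crt

${openssl} smime \
  -encrypt \
  -nodetach \
  -binary \
  -in static-file \
  -outform DER \
  -out test-enveloped-aes-128 \
  -aes128 \
  test.crt

${openssl} smime \
  -encrypt \
  -nodetach \
  -binary \
  -in static-file \
  -outform DER \
  -out test-enveloped-aes-256 \
  -aes256 \
  test.crt

echo ocsp requests

# OCSP request for the good cert, then responses to it signed by the
# delegated responder, by the CA itself, without embedded certs, and
# identified by key hash. -noverify only stops the tool from verifying
# the response it just produced.
${openssl} ocsp \
  -issuer ca.crt \
  -cert test.crt \
  -reqout ocsp-req1.der

${openssl} ocsp \
  -index index.txt \
  -rsigner ocsp-responder.crt \
  -rkey ocsp-responder.key \
  -CA ca.crt \
  -reqin ocsp-req1.der \
  -noverify \
  -respout ocsp-resp1-ocsp.der

${openssl} ocsp \
  -index index.txt \
  -rsigner ca.crt \
  -rkey ca.key \
  -CA ca.crt \
  -reqin ocsp-req1.der \
  -noverify \
  -respout ocsp-resp1-ca.der

${openssl} ocsp \
  -index index.txt \
  -rsigner ocsp-responder.crt \
  -rkey ocsp-responder.key \
  -CA ca.crt \
  -resp_no_certs \
  -reqin ocsp-req1.der \
  -noverify \
  -respout ocsp-resp1-ocsp-no-cert.der

${openssl} ocsp \
  -index index.txt \
  -rsigner ocsp-responder.crt \
  -rkey ocsp-responder.key \
  -CA ca.crt \
  -reqin ocsp-req1.der \
  -resp_key_id \
  -noverify \
  -respout ocsp-resp1-keyhash.der

# Request/response pair for the revoked cert.
${openssl} ocsp \
  -issuer ca.crt \
  -cert revoke.crt \
  -reqout ocsp-req2.der

${openssl} ocsp \
  -index index.txt \
  -rsigner ocsp-responder.crt \
  -rkey ocsp-responder.key \
  -CA ca.crt \
  -reqin ocsp-req2.der \
  -noverify \
  -respout ocsp-resp2.der

# CRL from index.txt (contains the revoke.crt entry), in PEM and DER.
${openssl} ca \
  -gencrl \
  -name usr \
  -crldays 3600 \
  -keyfile ca.key \
  -cert ca.crt \
  -crl_reason superseded \
  -out crl1.crl \
  -config openssl.cnf

${openssl} crl -in crl1.crl -outform der -out crl1.der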