1#!/bin/sh
2
3# For a list of supported curves, use "apps/openssl ecparam -list_curves".
4
5# Path to the openssl distribution
6OPENSSL_DIR=../..
7# Path to the openssl program
8OPENSSL_CMD=$OPENSSL_DIR/apps/openssl
9# Option to find configuration file
10OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf"
11# Directory where certificates are stored
12CERTS_DIR=./Certs
13# Directory where private key files are stored
14KEYS_DIR=$CERTS_DIR
15# Directory where combo files (containing a certificate and corresponding
16# private key together) are stored
17COMBO_DIR=$CERTS_DIR
18# cat command
19CAT=/bin/cat
20# rm command
21RM=/bin/rm
22# mkdir command
23MKDIR=/bin/mkdir
24# The certificate will expire these many days after the issue date.
25DAYS=1500
26TEST_CA_CURVE=secp160r1
27TEST_CA_FILE=secp160r1TestCA
28TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (Elliptic curve secp160r1)"
29
30TEST_SERVER_CURVE=secp160r2
31TEST_SERVER_FILE=secp160r2TestServer
32TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (Elliptic curve secp160r2)"
33
34TEST_CLIENT_CURVE=secp160r2
35TEST_CLIENT_FILE=secp160r2TestClient
36TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (Elliptic curve secp160r2)"
37
38# Generating an EC certificate involves the following main steps
39# 1. Generating curve parameters (if needed)
40# 2. Generating a certificate request
41# 3. Signing the certificate request 
42# 4. [Optional] One can combine the cert and private key into a single
43#    file and also delete the certificate request
44
45$MKDIR -p $CERTS_DIR
46$MKDIR -p $KEYS_DIR
47$MKDIR -p $COMBO_DIR
48
49echo "Generating self-signed CA certificate (on curve $TEST_CA_CURVE)"
50echo "==============================================================="
51$OPENSSL_CMD ecparam -name $TEST_CA_CURVE -out $TEST_CA_CURVE.pem
52
53# Generate a new certificate request in $TEST_CA_FILE.req.pem. A 
54# new ecdsa (actually ECC) key pair is generated on the parameters in
55# $TEST_CA_CURVE.pem and the private key is saved in $TEST_CA_FILE.key.pem
56# WARNING: By using the -nodes option, we force the private key to be 
57# stored in the clear (rather than encrypted with a password).
58$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \
59    -keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \
60    -newkey ec:$TEST_CA_CURVE.pem -new \
61    -out $CERTS_DIR/$TEST_CA_FILE.req.pem
62
63# Sign the certificate request in $TEST_CA_FILE.req.pem using the
64# private key in $TEST_CA_FILE.key.pem and include the CA extension.
65# Make the certificate valid for 1500 days from the time of signing.
66# The certificate is written into $TEST_CA_FILE.cert.pem
67$OPENSSL_CMD x509 -req -days $DAYS \
68    -in $CERTS_DIR/$TEST_CA_FILE.req.pem \
69    -extfile $OPENSSL_DIR/apps/openssl.cnf \
70    -extensions v3_ca \
71    -signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
72    -out $CERTS_DIR/$TEST_CA_FILE.cert.pem
73
74# Display the certificate
75$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text
76
77# Place the certificate and key in a common file
78$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \
79	 > $COMBO_DIR/$TEST_CA_FILE.pem
80$CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem
81
82# Remove the cert request file (no longer needed)
83$RM $CERTS_DIR/$TEST_CA_FILE.req.pem
84
85echo "GENERATING A TEST SERVER CERTIFICATE (on elliptic curve $TEST_SERVER_CURVE)"
86echo "=========================================================================="
87# Generate parameters for curve $TEST_SERVER_CURVE, if needed
88$OPENSSL_CMD ecparam -name $TEST_SERVER_CURVE -out $TEST_SERVER_CURVE.pem
89
90# Generate a new certificate request in $TEST_SERVER_FILE.req.pem. A 
91# new ecdsa (actually ECC) key pair is generated on the parameters in
92# $TEST_SERVER_CURVE.pem and the private key is saved in 
93# $TEST_SERVER_FILE.key.pem
94# WARNING: By using the -nodes option, we force the private key to be 
95# stored in the clear (rather than encrypted with a password).
96$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \
97    -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \
98    -newkey ec:$TEST_SERVER_CURVE.pem -new \
99    -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem
100
101# Sign the certificate request in $TEST_SERVER_FILE.req.pem using the
102# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in
103# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number
104# file for this CA, create one. Make the certificate valid for $DAYS days
105# from the time of signing. The certificate is written into 
106# $TEST_SERVER_FILE.cert.pem
107$OPENSSL_CMD x509 -req -days $DAYS \
108    -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \
109    -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
110    -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
111    -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial
112
113# Display the certificate 
114$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text
115
116# Place the certificate and key in a common file
117$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \
118	 > $COMBO_DIR/$TEST_SERVER_FILE.pem
119$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem
120
121# Remove the cert request file (no longer needed)
122$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem
123
124echo "GENERATING A TEST CLIENT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)"
125echo "=========================================================================="
126# Generate parameters for curve $TEST_CLIENT_CURVE, if needed
127$OPENSSL_CMD ecparam -name $TEST_CLIENT_CURVE -out $TEST_CLIENT_CURVE.pem
128
129# Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. A 
130# new ecdsa (actually ECC) key pair is generated on the parameters in
131# $TEST_CLIENT_CURVE.pem and the private key is saved in 
132# $TEST_CLIENT_FILE.key.pem
133# WARNING: By using the -nodes option, we force the private key to be 
134# stored in the clear (rather than encrypted with a password).
135$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \
136	     -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \
137	     -newkey ec:$TEST_CLIENT_CURVE.pem -new \
138	     -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
139
140# Sign the certificate request in $TEST_CLIENT_FILE.req.pem using the
141# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in
142# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number
143# file for this CA, create one. Make the certificate valid for $DAYS days
144# from the time of signing. The certificate is written into 
145# $TEST_CLIENT_FILE.cert.pem
146$OPENSSL_CMD x509 -req -days $DAYS \
147    -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \
148    -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
149    -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
150    -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial
151
152# Display the certificate 
153$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text
154
155# Place the certificate and key in a common file
156$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \
157	 > $COMBO_DIR/$TEST_CLIENT_FILE.pem
158$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem
159
160# Remove the cert request file (no longer needed)
161$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
162
163
164
165