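#!/bin/sh
#
# Build a small elliptic-curve test PKI with the openssl command-line tool:
# a self-signed CA, plus one server and one client certificate signed by it.
# The output is meant for exercising an OpenSSL build tree, not for
# protecting anything real (see the curve and -nodes notes below).
#
# For a list of supported curves, use "apps/openssl ecparam -list_curves".
#
# Generating each EC certificate involves the following main steps
#   1. Writing the named-curve parameters to <curve>.pem (if needed)
#   2. Generating a key pair on those parameters and a certificate request
#   3. Signing the certificate request (self-signed for the CA, CA-signed
#      for the server and client)
#   4. Combining the cert and private key into a single file and deleting
#      the certificate request, which is no longer needed
#
# Stop at the first failing command: if key generation or signing fails,
# the later cat/rm steps would otherwise run against missing files and the
# script would still "succeed". -u catches a mistyped variable name.
set -eu

# The private keys and the combo files are written unencrypted, so make
# sure they are created readable by the owner only.
umask 077

# Path to the openssl distribution (overridable from the environment)
OPENSSL_DIR=${OPENSSL_DIR:-../..}
# Path to the openssl program
OPENSSL_CMD=$OPENSSL_DIR/apps/openssl
# Configuration file, used both for "req" and as the extension file when
# signing the CA certificate
OPENSSL_CNF=$OPENSSL_DIR/apps/openssl.cnf
# Directory where certificates are stored
CERTS_DIR=./Certs
# Directory where private key files are stored
KEYS_DIR=$CERTS_DIR
# Directory where combo files (containing a certificate and corresponding
# private key together) are stored
COMBO_DIR=$CERTS_DIR
# cat command
CAT=/bin/cat
# rm command
RM=/bin/rm
# mkdir command
MKDIR=/bin/mkdir
# The certificate will expire these many days after the issue date.
DAYS=1500

# NOTE: secp160r1/secp160r2 are 160-bit curves, i.e. roughly 80-bit
# security. They are kept because the test fixtures are named after them;
# do not copy this curve choice into anything that protects real data.
TEST_CA_CURVE=secp160r1
TEST_CA_FILE=secp160r1TestCA
TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (Elliptic curve secp160r1)"

TEST_SERVER_CURVE=secp160r2
TEST_SERVER_FILE=secp160r2TestServer
TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (Elliptic curve secp160r2)"

TEST_CLIENT_CURVE=secp160r2
TEST_CLIENT_FILE=secp160r2TestClient
TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (Elliptic curve secp160r2)"

# write_curve_params CURVE
#   Write the parameters of the named curve CURVE to ./CURVE.pem so that
#   "req -newkey ec:CURVE.pem" can generate a key on it.
write_curve_params() {
    "$OPENSSL_CMD" ecparam -name "$1" -out "$1.pem"
}

# make_request CURVE FILE DN
#   Generate a new certificate request in $CERTS_DIR/FILE.req.pem. A new
#   ecdsa (actually ECC) key pair is generated on the parameters in
#   CURVE.pem and the private key is saved in $KEYS_DIR/FILE.key.pem.
#   WARNING: By using the -nodes option, we force the private key to be
#   stored in the clear (rather than encrypted with a password); the umask
#   set above is what keeps it from being world-readable.
make_request() {
    "$OPENSSL_CMD" req -config "$OPENSSL_CNF" -nodes -subj "$3" \
        -keyout "$KEYS_DIR/$2.key.pem" \
        -newkey "ec:$1.pem" -new \
        -out "$CERTS_DIR/$2.req.pem"
}

# sign_with_ca FILE
#   Sign the request in $CERTS_DIR/FILE.req.pem with the CA certificate
#   and CA private key, valid for $DAYS days from the time of signing, and
#   write $CERTS_DIR/FILE.cert.pem. -CAcreateserial creates the CA's serial
#   number file if it does not exist yet, so the first leaf creates it and
#   later ones reuse it.
#   No extensions are added to the leaf certificates (no subjectAltName,
#   keyUsage or basicConstraints); clients that insist on a SAN may reject
#   the server certificate, which is acceptable for these test fixtures.
sign_with_ca() {
    "$OPENSSL_CMD" x509 -req -days "$DAYS" \
        -in "$CERTS_DIR/$1.req.pem" \
        -CA "$CERTS_DIR/$TEST_CA_FILE.cert.pem" \
        -CAkey "$KEYS_DIR/$TEST_CA_FILE.key.pem" \
        -out "$CERTS_DIR/$1.cert.pem" -CAcreateserial
}

# finish_cert FILE
#   Display the certificate, place the certificate (with issuer/subject
#   lines) and its private key in the common file $COMBO_DIR/FILE.pem, and
#   remove the cert request file (no longer needed).
finish_cert() {
    "$OPENSSL_CMD" x509 -in "$CERTS_DIR/$1.cert.pem" -text
    "$OPENSSL_CMD" x509 -in "$CERTS_DIR/$1.cert.pem" -issuer -subject \
        > "$COMBO_DIR/$1.pem"
    "$CAT" "$KEYS_DIR/$1.key.pem" >> "$COMBO_DIR/$1.pem"
    "$RM" "$CERTS_DIR/$1.req.pem"
}

"$MKDIR" -p "$CERTS_DIR"
"$MKDIR" -p "$KEYS_DIR"
"$MKDIR" -p "$COMBO_DIR"

echo "Generating self-signed CA certificate (on curve $TEST_CA_CURVE)"
echo "==============================================================="
write_curve_params "$TEST_CA_CURVE"
make_request "$TEST_CA_CURVE" "$TEST_CA_FILE" "$TEST_CA_DN"

# Self-sign the CA request with its own private key and include the CA
# extensions (v3_ca section of the config file), valid for $DAYS days.
# The certificate is written into $TEST_CA_FILE.cert.pem
"$OPENSSL_CMD" x509 -req -days "$DAYS" \
    -in "$CERTS_DIR/$TEST_CA_FILE.req.pem" \
    -extfile "$OPENSSL_CNF" \
    -extensions v3_ca \
    -signkey "$KEYS_DIR/$TEST_CA_FILE.key.pem" \
    -out "$CERTS_DIR/$TEST_CA_FILE.cert.pem"
finish_cert "$TEST_CA_FILE"

echo "GENERATING A TEST SERVER CERTIFICATE (on elliptic curve $TEST_SERVER_CURVE)"
echo "=========================================================================="
write_curve_params "$TEST_SERVER_CURVE"
make_request "$TEST_SERVER_CURVE" "$TEST_SERVER_FILE" "$TEST_SERVER_DN"
sign_with_ca "$TEST_SERVER_FILE"
finish_cert "$TEST_SERVER_FILE"

echo "GENERATING A TEST CLIENT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)"
echo "=========================================================================="
write_curve_params "$TEST_CLIENT_CURVE"
make_request "$TEST_CLIENT_CURVE" "$TEST_CLIENT_FILE" "$TEST_CLIENT_DN"
sign_with_ca "$TEST_CLIENT_FILE"
finish_cert "$TEST_CLIENT_FILE"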