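#!/bin/sh
#
# Build a small EC test PKI with the openssl binary from an OpenSSL build
# tree: a self-signed CA, then a server and a client certificate signed
# by that CA.  Everything is written below $CERTS_DIR; the curve
# parameter files land in the current directory.
#
# For a list of supported curves, use "apps/openssl ecparam -list_curves".

# Every step consumes files produced by the previous one, so stop at the
# first failing command and on any reference to an unset variable.
set -eu

# Path to the openssl distribution
OPENSSL_DIR=../..
# Path to the openssl program
OPENSSL_CMD=$OPENSSL_DIR/apps/openssl
# Configuration file, used by "req" and as the extension file when the
# CA certificate is self-signed.
OPENSSL_CNF_FILE=$OPENSSL_DIR/apps/openssl.cnf
# Directory where certificates are stored
CERTS_DIR=./Certs
# Directory where private key files are stored
KEYS_DIR=$CERTS_DIR
# Directory where combo files (containing a certificate and corresponding
# private key together) are stored
COMBO_DIR=$CERTS_DIR
# cat command
CAT=/bin/cat
# rm command
RM=/bin/rm
# mkdir command
MKDIR=/bin/mkdir
# The certificate will expire these many days after the issue date.
DAYS=1500

# NOTE: secp160r1/secp160r2 are 160-bit curves (about 80 bits of
# security), kept here only to make the demo output small.  They are far
# below current minimum key sizes, so the material produced by this
# script is for demonstration and local testing only.
TEST_CA_CURVE=secp160r1
TEST_CA_FILE=secp160r1TestCA
TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (Elliptic curve secp160r1)"

TEST_SERVER_CURVE=secp160r2
TEST_SERVER_FILE=secp160r2TestServer
TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (Elliptic curve secp160r2)"

TEST_CLIENT_CURVE=secp160r2
TEST_CLIENT_FILE=secp160r2TestClient
TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (Elliptic curve secp160r2)"

# Generating an EC certificate involves the following main steps
# 1. Generating curve parameters (if needed)
# 2. Generating a certificate request
# 3. Signing the certificate request
# 4. [Optional] One can combine the cert and private key into a single
#    file and also delete the certificate request

# Print a diagnostic on stderr and exit with status 1.
# Arguments: the message
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Write the parameters of a named curve to <curve>.pem in the current
# directory (regenerated unconditionally; the content is deterministic).
# Arguments: $1 - curve name
gen_params() {
  "$OPENSSL_CMD" ecparam -name "$1" -out "$1.pem"
}

# Generate a new EC key pair on the parameters in $1.pem and a
# certificate request for it.  The private key is saved in
# $KEYS_DIR/$2.key.pem and the request in $CERTS_DIR/$2.req.pem.
# WARNING: By using the -nodes option, we force the private key to be
# stored in the clear (rather than encrypted with a password).  To limit
# exposure the files are created under umask 077 (owner-only), in a
# subshell so the rest of the script keeps the caller's umask.
# Arguments: $1 - curve name, $2 - file stem, $3 - subject DN
gen_request() {
  (
    umask 077
    "$OPENSSL_CMD" req -config "$OPENSSL_CNF_FILE" -nodes -subj "$3" \
      -keyout "$KEYS_DIR/$2.key.pem" \
      -newkey "ec:$1.pem" -new \
      -out "$CERTS_DIR/$2.req.pem"
  )
}

# Sign the request in $CERTS_DIR/$1.req.pem with the test CA certificate
# and key, valid for $DAYS days from the time of signing.  The serial
# number file for this CA is created on first use (-CAcreateserial).
# The certificate is written into $CERTS_DIR/$1.cert.pem.
# Arguments: $1 - file stem of the request
sign_with_ca() {
  "$OPENSSL_CMD" x509 -req -days "$DAYS" \
    -in "$CERTS_DIR/$1.req.pem" \
    -CA "$CERTS_DIR/$TEST_CA_FILE.cert.pem" \
    -CAkey "$KEYS_DIR/$TEST_CA_FILE.key.pem" \
    -CAcreateserial \
    -out "$CERTS_DIR/$1.cert.pem"
}

# Display the certificate, build the combo file (issuer/subject lines,
# the PEM certificate, then the PEM private key) and drop the request.
# The combo file contains the private key, so it is created owner-only
# like the key file itself.
# Arguments: $1 - file stem
finish_cert() {
  "$OPENSSL_CMD" x509 -in "$CERTS_DIR/$1.cert.pem" -text

  # Place the certificate and key in a common file
  (
    umask 077
    "$OPENSSL_CMD" x509 -in "$CERTS_DIR/$1.cert.pem" -issuer -subject \
      > "$COMBO_DIR/$1.pem"
    "$CAT" "$KEYS_DIR/$1.key.pem" >> "$COMBO_DIR/$1.pem"
  )

  # Remove the cert request file (no longer needed)
  "$RM" -f -- "$CERTS_DIR/$1.req.pem"
}

# Run the full pipeline for an end-entity certificate signed by the CA.
# Arguments: $1 - curve name, $2 - file stem, $3 - subject DN,
#            $4 - banner label (SERVER / CLIENT)
issue_entity_cert() {
  printf '%s\n' "GENERATING A TEST $4 CERTIFICATE (on elliptic curve $1)"
  printf '%s\n' "=========================================================================="
  # Generate parameters for the curve, if needed
  gen_params "$1"
  gen_request "$1" "$2" "$3"
  sign_with_ca "$2"
  finish_cert "$2"
}

main() {
  # Fail early with a clear message instead of a cascade of "not found"
  # errors from each openssl invocation.
  [ -x "$OPENSSL_CMD" ] || die "openssl program not executable: $OPENSSL_CMD"
  [ -r "$OPENSSL_CNF_FILE" ] || die "configuration file not readable: $OPENSSL_CNF_FILE"

  "$MKDIR" -p "$CERTS_DIR" "$KEYS_DIR" "$COMBO_DIR"

  printf '%s\n' "Generating self-signed CA certificate (on curve $TEST_CA_CURVE)"
  printf '%s\n' "==============================================================="
  gen_params "$TEST_CA_CURVE"
  gen_request "$TEST_CA_CURVE" "$TEST_CA_FILE" "$TEST_CA_DN"

  # Self-sign the CA request with its own private key and include the
  # v3_ca extensions from the configuration file.  Valid for $DAYS days;
  # the certificate is written into $TEST_CA_FILE.cert.pem.
  "$OPENSSL_CMD" x509 -req -days "$DAYS" \
    -in "$CERTS_DIR/$TEST_CA_FILE.req.pem" \
    -extfile "$OPENSSL_CNF_FILE" \
    -extensions v3_ca \
    -signkey "$KEYS_DIR/$TEST_CA_FILE.key.pem" \
    -out "$CERTS_DIR/$TEST_CA_FILE.cert.pem"
  finish_cert "$TEST_CA_FILE"

  issue_entity_cert "$TEST_SERVER_CURVE" "$TEST_SERVER_FILE" "$TEST_SERVER_DN" SERVER
  issue_entity_cert "$TEST_CLIENT_CURVE" "$TEST_CLIENT_FILE" "$TEST_CLIENT_DN" CLIENT
}

main "$@"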