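#!/bin/sh

# CreateCerts.sh
# Security
#
# Created by Fabrice Gautier on 6/7/11.
# Copyright 2011 Apple, Inc. All rights reserved.
#
# Generates a throw-away PKI for the SecurityTests regression suite:
#   - a self-signed RSA CA and a self-signed ECC CA,
#   - an RSA and an ECC key + CSR for "Server", the same for "Client",
#   - every CSR signed by every CA, named <KeyType>.<CAType>
#     (e.g. ServerCert.rsa.ecc.pem = RSA key, issued by the ECC CA),
#   - the client keys and certs additionally exported as DER and wrapped
#     into C headers with xxd.
#
# All output lands under $DIR (default test-certs/). These are TEST
# credentials only: private keys are written unencrypted (-nodes), the
# default RSA size (1024 bits) is far below current minimums, and the
# default curve (secp256k1) is not one TLS stacks are required to support.
# Never reuse any of this material outside the test suite.
#
# Environment overrides: OPENSSL, GNUTLS_CERTTOOL, DIR, RSA_BITS, EC_CURVE, DAYS.

# Stop on the first failing command or unset variable; otherwise a
# half-generated cert set would be silently embedded into the .h files.
set -eu

die() { printf 'CreateCerts.sh: %s\n' "$*" >&2; exit 1; }

echo "Create Certs"


#Overrride which openssl to use (the environment takes precedence):
# System openssl
#OPENSSL=/usr/bin/openssl
# Macport openssl
#OPENSSL=/opt/local/bin/openssl
# your own openssl
OPENSSL=${OPENSSL:-/usr/local/ssl/bin/openssl}

#Override which gnutls-certtool to use (the environment takes precedence):
# Macport gnutls
#GNUTLS_CERTTOOL=/opt/local/gnutls-certtool
# your own gnutls
GNUTLS_CERTTOOL=${GNUTLS_CERTTOOL:-/usr/local/bin/certtool}

# Key parameters. Defaults match the original script so the generated
# material is interchangeable with what the tests were written against.
RSA_BITS=${RSA_BITS:-1024}
EC_CURVE=${EC_CURVE:-secp256k1}
# Validity of every certificate produced (CA and leaf), in days.
DAYS=${DAYS:-365}

DIR=${DIR:-test-certs}

# Fail early with a clear message rather than 20 "command not found" lines.
for tool in "$OPENSSL" "$GNUTLS_CERTTOOL" xxd; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

mkdir -p "$DIR"
cd "$DIR" || die "cannot cd to $DIR"

# sign_cert CSR CATYPE SERIAL OUT
# Issue a leaf certificate from CSR $1 under the $2 ("rsa" or "ecc") CA.
# -days is essential here: 'openssl x509 -req' defaults to a 30-day
# lifetime, so without it the leaf certs (and the .h files built from them)
# would expire a month after generation while the CAs live for $DAYS.
sign_cert() {
  "$OPENSSL" x509 -req -days "$DAYS" -in "$1" \
    -CA "CACert.$2.pem" -CAkey "CAKey.$2.pem" -set_serial "$3" -out "$4"
}

# to_der KIND IN OUT
# Convert PEM file $2 to DER file $3; $1 is the openssl subcommand that
# understands the object (ec, rsa or x509).
to_der() {
  "$OPENSSL" "$1" -outform DER -in "$2" -out "$3"
}

#generate EC params (explicit parameter file so 'req -newkey ec:' can use it)
"$OPENSSL" ecparam -name "$EC_CURVE" -out ecparam.pem

echo "**** Generating CA keys and certs..."
# generate CA certs (self-signed, one per key type)
"$OPENSSL" req -x509 -nodes -days "$DAYS" -subj '/CN=SecurityTest CA Cert (RSA)' \
  -newkey "rsa:$RSA_BITS" -keyout CAKey.rsa.pem -out CACert.rsa.pem
"$OPENSSL" req -x509 -nodes -days "$DAYS" -subj '/CN=SecurityTest CA Cert (ECC)' \
  -newkey ec:ecparam.pem -keyout CAKey.ecc.pem -out CACert.ecc.pem

echo "**** Generating Server keys and csr..."
# generate Server EC key with GnuTLS; the curve comes from certtool's
# --sec-param table, not from $EC_CURVE, so the two ECC keys may differ.
"$GNUTLS_CERTTOOL" -p --ecc --sec-param high --outfile ServerKey.ecc.pem

# generate Server CSRs (a CSR carries no validity; -days is applied at signing)
"$OPENSSL" req -new -nodes -subj '/CN=SecurityTests Server Cert (RSA)' \
  -newkey "rsa:$RSA_BITS" -keyout ServerKey.rsa.pem -out ServerReq.rsa.pem
"$OPENSSL" req -new -nodes -subj '/CN=SecurityTests Server Cert (ECC)' \
  -key ServerKey.ecc.pem -out ServerReq.ecc.pem

echo "**** Generating Client keys and csr..."
# generate Client EC key (same note as the server key above)
"$GNUTLS_CERTTOOL" -p --ecc --sec-param high --outfile ClientKey.ecc.pem

# generate Client CSRs
"$OPENSSL" req -new -nodes -subj '/CN=SecurityTests Client Cert (RSA)' \
  -newkey "rsa:$RSA_BITS" -keyout ClientKey.rsa.pem -out ClientReq.rsa.pem
"$OPENSSL" req -new -nodes -subj '/CN=SecurityTests Client Cert (ECC)' \
  -key ClientKey.ecc.pem -out ClientReq.ecc.pem

echo "**** Signing Servers certs..."
# sign certs: every key type under every CA type; serials 1-4 for servers
sign_cert ServerReq.rsa.pem rsa 1 ServerCert.rsa.rsa.pem
sign_cert ServerReq.rsa.pem ecc 2 ServerCert.rsa.ecc.pem
sign_cert ServerReq.ecc.pem rsa 3 ServerCert.ecc.rsa.pem
sign_cert ServerReq.ecc.pem ecc 4 ServerCert.ecc.ecc.pem

echo "**** Signing Clients certs..."
# serials 1001-1004 for clients so no two certs from one CA share a serial
sign_cert ClientReq.rsa.pem rsa 1001 ClientCert.rsa.rsa.pem
sign_cert ClientReq.rsa.pem ecc 1002 ClientCert.rsa.ecc.pem
sign_cert ClientReq.ecc.pem rsa 1003 ClientCert.ecc.rsa.pem
sign_cert ClientReq.ecc.pem ecc 1004 ClientCert.ecc.ecc.pem


#export client keys and cert into .h
# NOTE: the headers below embed unencrypted private keys in source form;
# acceptable only because these are disposable test credentials.

to_der ec  ClientKey.ecc.pem ClientKey.ecc.der
to_der rsa ClientKey.rsa.pem ClientKey.rsa.der

xxd -i ClientKey.ecc.der > ClientKey_ecc.h
xxd -i ClientKey.rsa.der > ClientKey_rsa.h

to_der x509 ClientCert.rsa.rsa.pem ClientCert.rsa.rsa.der
to_der x509 ClientCert.rsa.ecc.pem ClientCert.rsa.ecc.der
to_der x509 ClientCert.ecc.rsa.pem ClientCert.ecc.rsa.der
to_der x509 ClientCert.ecc.ecc.pem ClientCert.ecc.ecc.der

xxd -i ClientCert.rsa.rsa.der > ClientCert_rsa_rsa.h
xxd -i ClientCert.rsa.ecc.der > ClientCert_rsa_ecc.h
xxd -i ClientCert.ecc.rsa.der > ClientCert_ecc_rsa.h
xxd -i ClientCert.ecc.ecc.der > ClientCert_ecc_ecc.h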