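#!/bin/sh
# $Id$
#
# Generate the X.509 / PKCS#12 / CMS / OCSP / CRL fixtures used by the
# hx509 tests.  Runs in the current directory, which must contain an
# openssl.cnf (providing the x509v3 and [ca] sections named below) and a
# file called "static-file" that gets signed and encrypted.
#
# This script needs openssl 0.9.8a or newer, so it can parse the
# otherName section for pkinit certificates.
#
# Everything written here is test data.  The 1024-bit RSA default, the
# SHA-1 signatures, the hard-coded passphrases, the "-noverify" OCSP
# responses and the RC2/DES enveloped messages are deliberate fixture
# choices so the parsers get exercised on them; they are not deployment
# settings.  Individual openssl invocations are not checked for failure,
# so look at the console output if an expected file is missing.

openssl=openssl

# gen_cert SUBJECT ISSUER KIND SECTION [NAME] [KEYTYPE]
#
#   SUBJECT - passed verbatim to "openssl req -subj"
#   ISSUER  - basename of the ISSUER.crt / ISSUER.key pair that signs;
#             ignored when KIND is "ca" (self-signed)
#   KIND    - "ca"    : self-signed CA; also creates a <subject-hash>.0
#                       symlink to ca.crt so hash-directory lookups can
#                       find it
#             "proxy" : signed with "x509 -req" directly against the
#                       issuer key, so it is NOT recorded in index.txt
#             other   : issued through "openssl ca" and recorded in
#                       index.txt (needed later for revocation and OCSP)
#   SECTION - for "ca"/"proxy": x509v3 extension section of openssl.cnf;
#             otherwise the [ca] section handed to "openssl ca -name"
#   NAME    - output basename for KIND "proxy" (required); the other
#             kinds use KIND itself as the basename
#   KEYTYPE - "openssl req -newkey" argument, default rsa:1024
#
# Produces NAME.crt and NAME.key in the current directory.  The
# intermediate cert.req is left behind and overwritten by the next call.
gen_cert()
{
    keytype=${6:-rsa:1024}

    # Unencrypted (-nodes) key plus request; the req chatter is dropped.
    ${openssl} req \
        -new \
        -subj "$1" \
        -config openssl.cnf \
        -newkey "$keytype" \
        -sha1 \
        -nodes \
        -keyout out.key \
        -out cert.req >/dev/null 2>&1

    if [ "$3" = "ca" ] ; then
        ${openssl} x509 \
            -req \
            -days 3650 \
            -in cert.req \
            -extfile openssl.cnf \
            -extensions "$4" \
            -signkey out.key \
            -out cert.crt

        # Hash-named symlink; dangling until the mv below creates ca.crt.
        ln -s ca.crt "$(${openssl} x509 -hash -noout -in cert.crt).0"

        name=$3

    elif [ "$3" = "proxy" ] ; then
        # A proxy cert needs an explicit output name; fail loudly rather
        # than silently writing ".crt" when the caller forgets it.
        name=${5:?gen_cert: proxy certificate needs an output name}

        ${openssl} x509 \
            -req \
            -in cert.req \
            -days 3650 \
            -out cert.crt \
            -CA "$2.crt" \
            -CAkey "$2.key" \
            -CAcreateserial \
            -extfile openssl.cnf \
            -extensions "$4"
    else
        ${openssl} ca \
            -name "$4" \
            -days 3650 \
            -cert "$2.crt" \
            -keyfile "$2.key" \
            -in cert.req \
            -out cert.crt \
            -outdir . \
            -batch \
            -config openssl.cnf

        name=$3
    fi

    mv cert.crt "$name.crt"
    mv out.key "$name.key"
}

# Fresh CA database: initial serial, empty index, and no hash symlinks
# left over from a previous run.
echo "01" > serial
> index.txt
rm -f *.0

gen_cert "/CN=hx509 Test Root CA/C=SE" "root" "ca" "v3_ca"
gen_cert "/CN=OCSP responder/C=SE" "ca" "ocsp-responder" "ocsp"
gen_cert "/CN=Test cert/C=SE" "ca" "test" "usr"
gen_cert "/CN=localhost/C=SE" "ca" "localhost" "https"
gen_cert "/CN=Revoke cert/C=SE" "ca" "revoke" "usr"
gen_cert "/CN=Test cert KeyEncipherment/C=SE" "ca" "test-ke-only" "usr_ke"
gen_cert "/CN=Test cert DigitalSignature/C=SE" "ca" "test-ds-only" "usr_ds"
gen_cert "/CN=pkinit/C=SE" "ca" "pkinit" "pkinit_client"

# EC variant of the pkinit client cert.  $5 is unused for this KIND;
# "XXX" is only a placeholder so the key type lands in $6.
${openssl} ecparam -name secp256r1 -out eccurve.pem
gen_cert "/CN=pkinit-ec/C=SE" "ca" "pkinit-ec" "pkinit_client" "XXX" ec:eccurve.pem

gen_cert "/C=SE/CN=pkinit/CN=pkinit-proxy" "pkinit" "proxy" "proxy_cert" pkinit-proxy
gen_cert "/CN=kdc/C=SE" "ca" "kdc" "pkinit_kdc"
gen_cert "/CN=www.test.h5l.se/C=SE" "ca" "https" "https"
gen_cert "/CN=Sub CA/C=SE" "ca" "sub-ca" "subca"
gen_cert "/CN=Test sub cert/C=SE" "sub-ca" "sub-cert" "usr"

# Proxy chains of varying depth, plus one "proxy" that deliberately
# carries a non-proxy extension section (no-proxy-test) for the
# negative test.
gen_cert "/C=SE/CN=Test cert/CN=proxy" "test" "proxy" "proxy_cert" proxy-test
gen_cert "/C=SE/CN=Test cert/CN=proxy/CN=child" "proxy-test" "proxy" "proxy_cert" proxy-level-test
gen_cert "/C=SE/CN=Test cert/CN=no-proxy" "test" "proxy" "usr_cert" no-proxy-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10" "test" "proxy" "proxy10_cert" proxy10-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child" "proxy10-test" "proxy" "proxy10_cert" proxy10-child-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child/CN=child" "proxy10-child-test" "proxy" "proxy10_cert" proxy10-child-child-test


# combine
cat sub-ca.crt ca.crt > sub-ca-combined.crt
cat test.crt test.key > test.combined.crt
cat pkinit-proxy.crt pkinit.crt > pkinit-proxy-chain.crt

# password protected key
# (pass: on the command line is visible in the process list; acceptable
# for fixture passphrases only)
${openssl} rsa -in test.key -aes256 -passout pass:foobar -out test-pw.key
${openssl} rsa -in pkinit.key -aes256 -passout pass:foo -out pkinit-pw.key

# Mark revoke.crt as revoked in index.txt so the OCSP and CRL fixtures
# below have a revoked entry to report.
${openssl} ca \
    -name usr \
    -cert ca.crt \
    -keyfile ca.key \
    -revoke revoke.crt \
    -config openssl.cnf

echo "pkcs12"

${openssl} pkcs12 \
    -export \
    -in test.crt \
    -inkey test.key \
    -passout pass:foobar \
    -out test.p12 \
    -name "friendlyname-test" \
    -certfile ca.crt \
    -caname ca

${openssl} pkcs12 \
    -export \
    -in sub-cert.crt \
    -inkey sub-cert.key \
    -passout pass:foobar \
    -out sub-cert.p12 \
    -name "friendlyname-sub-cert" \
    -certfile sub-ca-combined.crt \
    -caname sub-ca \
    -caname ca

# Unencrypted key and cert bags (-keypbe/-certpbe NONE); presumably the
# passphrase then only covers the MAC.  Exercises the no-encryption path.
${openssl} pkcs12 \
    -keypbe NONE \
    -certpbe NONE \
    -export \
    -in test.crt \
    -inkey test.key \
    -passout pass:foobar \
    -out test-nopw.p12 \
    -name "friendlyname-cert" \
    -certfile ca.crt \
    -caname ca

echo "smime"

# CMS SignedData variants: default attributes, no attributes, no
# attributes and no embedded certs, then explicit digest choices.
${openssl} smime \
    -sign \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -outform DER \
    -out test-signed-data

${openssl} smime \
    -sign \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -noattr \
    -outform DER \
    -out test-signed-data-noattr

${openssl} smime \
    -sign \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -noattr \
    -nocerts \
    -outform DER \
    -out test-signed-data-noattr-nocerts

${openssl} smime \
    -sign \
    -md sha1 \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -outform DER \
    -out test-signed-sha-1

${openssl} smime \
    -sign \
    -md sha256 \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -outform DER \
    -out test-signed-sha-256

${openssl} smime \
    -sign \
    -md sha512 \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -outform DER \
    -out test-signed-sha-512


# CMS EnvelopedData to test.crt, one per content-encryption algorithm.
# RC2 and single DES are legacy/weak and are generated only so the
# decoder is covered on them.
${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-rc2-40 \
    -rc2-40 \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-rc2-64 \
    -rc2-64 \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-rc2-128 \
    -rc2-128 \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-des \
    -des \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-des-ede3 \
    -des3 \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-aes-128 \
    -aes128 \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-aes-256 \
    -aes256 \
    test.crt

echo ocsp requests

# Request for the good cert, then responses signed by the dedicated
# responder and by the CA itself.  "-noverify" skips verification of the
# produced response; acceptable here because index.txt is our own.
${openssl} ocsp \
    -issuer ca.crt \
    -cert test.crt \
    -reqout ocsp-req1.der

${openssl} ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -reqin ocsp-req1.der \
    -noverify \
    -respout ocsp-resp1-ocsp.der

${openssl} ocsp \
    -index index.txt \
    -rsigner ca.crt \
    -rkey ca.key \
    -CA ca.crt \
    -reqin ocsp-req1.der \
    -noverify \
    -respout ocsp-resp1-ca.der

# Response without any embedded certificates (-resp_no_certs).
${openssl} ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -resp_no_certs \
    -reqin ocsp-req1.der \
    -noverify \
    -respout ocsp-resp1-ocsp-no-cert.der

# Response identifying the signer by key hash instead of name.
${openssl} ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -reqin ocsp-req1.der \
    -resp_key_id \
    -noverify \
    -respout ocsp-resp1-keyhash.der

# Request/response pair for the revoked cert.
${openssl} ocsp \
    -issuer ca.crt \
    -cert revoke.crt \
    -reqout ocsp-req2.der

${openssl} ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -reqin ocsp-req2.der \
    -noverify \
    -respout ocsp-resp2.der

# CRL covering the revocation recorded above, in PEM and DER.
${openssl} ca \
    -gencrl \
    -name usr \
    -crldays 3600 \
    -keyfile ca.key \
    -cert ca.crt \
    -crl_reason superseded \
    -out crl1.crl \
    -config openssl.cnf

${openssl} crl -in crl1.crl -outform der -out crl1.der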