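#!/bin/sh
# Id
#
# This script need openssl 0.9.8a or newer, so it can parse the
# otherName section for pkinit certificates.
#
# Generates the certificate/key/PKCS#12/CMS/OCSP/CRL test fixtures in the
# current directory. It expects an openssl.cnf with the extension sections
# named below, and a file `static-file` to sign and encrypt.
#
# NOTE(review): there is no `set -e`; a failing openssl step does not stop the
# later steps, which then operate on stale or missing files -- confirm whether
# the callers rely on partial output before changing that.

openssl=openssl

#######################################
# Issue one certificate and write <name>.crt / <name>.key.
# Arguments:
#   $1 - subject DN
#   $2 - issuer base name (<issuer>.crt / <issuer>.key); unused for "ca"
#   $3 - kind: "ca" (self-signed root), "proxy" (signed directly with x509),
#        anything else is used as the output name and signed via `openssl ca`
#   $4 - extension section in openssl.cnf (or the `ca` section name for
#        the default case)
#   $5 - output name, only used for kind "proxy"
#   $6 - key type for -newkey (default rsa:1024)
# Outputs:
#   <name>.crt, <name>.key in the current directory; for "ca" also a
#   <subject-hash>.0 symlink pointing at ca.crt.
# All variables are global (POSIX sh has no `local`).
#######################################
gen_cert()
{
    subject=$1
    issuer=$2
    kind=$3
    ext=$4
    proxyname=$5
    keytype=${6:-rsa:1024}

    # Private keys are written unencrypted (-nodes): these are test fixtures.
    # -sha1 is kept deliberately so the SHA-1 CSR path is exercised.
    ${openssl} req \
        -new \
        -subj "$subject" \
        -config openssl.cnf \
        -newkey "$keytype" \
        -sha1 \
        -nodes \
        -keyout out.key \
        -out cert.req >/dev/null 2>&1

    if [ "$kind" = "ca" ] ; then
        ${openssl} x509 \
            -req \
            -days 3650 \
            -in cert.req \
            -extfile openssl.cnf \
            -extensions "$ext" \
            -signkey out.key \
            -out cert.crt

        # Hash-named link for -CApath style lookups. The link target is
        # hard-coded to ca.crt, so this only resolves when the caller passes
        # "ca" as $3 (cert.crt is renamed to ca.crt below).
        ln -s ca.crt "$(${openssl} x509 -hash -noout -in cert.crt)".0

        name=$kind

    elif [ "$kind" = "proxy" ] ; then

        # Proxy certs are signed directly with the issuer key instead of
        # going through the CA database.
        ${openssl} x509 \
            -req \
            -in cert.req \
            -days 3650 \
            -out cert.crt \
            -CA "$issuer.crt" \
            -CAkey "$issuer.key" \
            -CAcreateserial \
            -extfile openssl.cnf \
            -extensions "$ext" \

        name=$proxyname
    else

        # Issue through the CA database (serial/index.txt) so that the
        # certificate can later be revoked and listed by the OCSP responder.
        ${openssl} ca \
            -name "$ext" \
            -days 3650 \
            -cert "$issuer.crt" \
            -keyfile "$issuer.key" \
            -in cert.req \
            -out cert.crt \
            -outdir . \
            -batch \
            -config openssl.cnf

        name=$kind
    fi

    mv -- cert.crt "$name.crt"
    mv -- out.key "$name.key"
}

# Fresh CA database and removal of hash links from a previous run.
printf '01\n' > serial
: > index.txt
rm -f -- *.0

gen_cert "/CN=hx509 Test Root CA/C=SE" "root" "ca" "v3_ca"
gen_cert "/CN=OCSP responder/C=SE" "ca" "ocsp-responder" "ocsp"
gen_cert "/CN=Test cert/C=SE" "ca" "test" "usr"
gen_cert "/CN=Revoke cert/C=SE" "ca" "revoke" "usr"
gen_cert "/CN=Test cert KeyEncipherment/C=SE" "ca" "test-ke-only" "usr_ke"
gen_cert "/CN=Test cert DigitalSignature/C=SE" "ca" "test-ds-only" "usr_ds"
gen_cert "/CN=pkinit/C=SE" "ca" "pkinit" "pkinit_client"
# Curve parameters consumed by the ec:eccurve.pem key type on the next line.
${openssl} ecparam -name secp256r1 -out eccurve.pem
gen_cert "/CN=pkinit-ec/C=SE" "ca" "pkinit-ec" "pkinit_client" "XXX" ec:eccurve.pem
gen_cert "/C=SE/CN=pkinit/CN=pkinit-proxy" "pkinit" "proxy" "proxy_cert" pkinit-proxy
gen_cert "/CN=kdc/C=SE" "ca" "kdc" "pkinit_kdc"
gen_cert "/CN=www.test.h5l.se/C=SE" "ca" "https" "https"
gen_cert "/CN=Sub CA/C=SE" "ca" "sub-ca" "subca"
gen_cert "/CN=Test sub cert/C=SE" "sub-ca" "sub-cert" "usr"
gen_cert "/C=SE/CN=Test cert/CN=proxy" "test" "proxy" "proxy_cert" proxy-test
gen_cert "/C=SE/CN=Test cert/CN=proxy/CN=child" "proxy-test" "proxy" "proxy_cert" proxy-level-test
gen_cert "/C=SE/CN=Test cert/CN=no-proxy" "test" "proxy" "usr_cert" no-proxy-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10" "test" "proxy" "proxy10_cert" proxy10-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child" "proxy10-test" "proxy" "proxy10_cert" proxy10-child-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child/CN=child" "proxy10-child-test" "proxy" "proxy10_cert" proxy10-child-child-test


# combine
cat sub-ca.crt ca.crt > sub-ca-combined.crt
cat test.crt test.key > test.combined.crt
cat pkinit-proxy.crt pkinit.crt > pkinit-proxy-chain.crt

# password protected key
# Fixed passphrases; these are test fixtures and the consumers need to know
# the password to open them.
${openssl} rsa -in test.key -aes256 -passout pass:foobar -out test-pw.key
${openssl} rsa -in pkinit.key -aes256 -passout pass:foo -out pkinit-pw.key


# Revoke one certificate in the CA database so the OCSP/CRL output below
# contains a revoked entry.
${openssl} ca \
    -name usr \
    -cert ca.crt \
    -keyfile ca.key \
    -revoke revoke.crt \
    -config openssl.cnf

${openssl} pkcs12 \
    -export \
    -in test.crt \
    -inkey test.key \
    -passout pass:foobar \
    -out test.p12 \
    -name "friendlyname-test" \
    -certfile ca.crt \
    -caname ca

${openssl} pkcs12 \
    -export \
    -in sub-cert.crt \
    -inkey sub-cert.key \
    -passout pass:foobar \
    -out sub-cert.p12 \
    -name "friendlyname-sub-cert" \
    -certfile sub-ca-combined.crt \
    -caname sub-ca \
    -caname ca

# Unencrypted PKCS#12 (-keypbe/-certpbe NONE) to exercise the no-PBE path.
${openssl} pkcs12 \
    -keypbe NONE \
    -certpbe NONE \
    -export \
    -in test.crt \
    -inkey test.key \
    -passout pass:foobar \
    -out test-nopw.p12 \
    -name "friendlyname-cert" \
    -certfile ca.crt \
    -caname ca

# CMS SignedData variants: with/without signed attributes, with/without
# embedded certificates, and one per digest algorithm.
${openssl} smime \
    -sign \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -outform DER \
    -out test-signed-data

${openssl} smime \
    -sign \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -noattr \
    -outform DER \
    -out test-signed-data-noattr

${openssl} smime \
    -sign \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -noattr \
    -nocerts \
    -outform DER \
    -out test-signed-data-noattr-nocerts

${openssl} smime \
    -sign \
    -md sha1 \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -outform DER \
    -out test-signed-sha-1

${openssl} smime \
    -sign \
    -md sha256 \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -outform DER \
    -out test-signed-sha-256

${openssl} smime \
    -sign \
    -md sha512 \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -outform DER \
    -out test-signed-sha-512


# CMS EnvelopedData, one file per content cipher. The legacy ciphers
# (RC2-40/64/128, single DES) are generated on purpose so that their
# decoding paths are covered; the strong ones are AES-128/256 and 3DES.
${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-rc2-40 \
    -rc2-40 \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-rc2-64 \
    -rc2-64 \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-rc2-128 \
    -rc2-128 \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-des \
    -des \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-des-ede3 \
    -des3 \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-aes-128 \
    -aes128 \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-aes-256 \
    -aes256 \
    test.crt

echo ocsp requests

# OCSP request for the good certificate, then responses signed by the
# dedicated responder, by the CA itself, without the responder cert embedded
# (-resp_no_certs) and identified by key hash (-resp_key_id).
# -noverify only affects this tool's own verification of the generated
# response; the produced files are still fully signed fixtures.
${openssl} ocsp \
    -issuer ca.crt \
    -cert test.crt \
    -reqout ocsp-req1.der

${openssl} ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -reqin ocsp-req1.der \
    -noverify \
    -respout ocsp-resp1-ocsp.der

${openssl} ocsp \
    -index index.txt \
    -rsigner ca.crt \
    -rkey ca.key \
    -CA ca.crt \
    -reqin ocsp-req1.der \
    -noverify \
    -respout ocsp-resp1-ca.der

${openssl} ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -resp_no_certs \
    -reqin ocsp-req1.der \
    -noverify \
    -respout ocsp-resp1-ocsp-no-cert.der

${openssl} ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -reqin ocsp-req1.der \
    -resp_key_id \
    -noverify \
    -respout ocsp-resp1-keyhash.der

# OCSP request/response for the certificate revoked above.
${openssl} ocsp \
    -issuer ca.crt \
    -cert revoke.crt \
    -reqout ocsp-req2.der

${openssl} ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -reqin ocsp-req2.der \
    -noverify \
    -respout ocsp-resp2.der

# CRL from the same CA database (contains the revoked entry), PEM then DER.
${openssl} ca \
    -gencrl \
    -name usr \
    -crldays 3600 \
    -keyfile ca.key \
    -cert ca.crt \
    -crl_reason superseded \
    -out crl1.crl \
    -config openssl.cnf

${openssl} crl -in crl1.crl -outform der -out crl1.der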