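#! /bin/bash
#
# Generate a small P-256 (secp256r1) test PKI in the current directory:
# a self-signed CA plus one server and one client end-entity certificate
# issued by that CA.  Existing private keys are reused; certificates are
# always re-issued.  Concatenated key+cert bundles are written last.
#
# Requires: openssl (genpkey, req, x509) and bash process substitution.
# NOTE(review): private keys are written with the caller's umask; run with
# `umask 077` first if the fixtures must not be readable by other users.

set -e
# A failing `req` in the `req | cert` pipelines must abort the script, not
# just the signing stage.
set -o pipefail

# Validity period (days) for every certificate issued here.
DAYS=182500

# Serial number handed to the next end-entity certificate.  Each genee call
# consumes one, so two certificates from the same CA never share a serial
# (RFC 5280 requires issuer-unique serials and some verifiers reject
# duplicates).  The CA itself is serial 1; the first EE cert gets 2.
EE_SERIAL=2

#######################################
# Create an EC private key unless it already exists.
# Arguments: $1 - key file base name (written as "<name>.pem")
#######################################
key() {
  local key=$1; shift

  if [ ! -f "${key}.pem" ]; then
    openssl genpkey \
      -paramfile <(openssl ecparam -name prime256v1) \
      -out "${key}.pem"
  fi
}

#######################################
# Emit a PKCS#10 CSR for a key to stdout.
# Arguments: $1 - key file base name, $2 - subject DN (-subj syntax)
# Outputs:   PEM CSR on stdout
#######################################
req() {
  local key=$1; shift
  local dn=$1; shift

  # The inline config only exists so `openssl req` has a [dn] section; the
  # real subject comes from -subj.
  openssl req -new -sha256 -key "${key}.pem" \
    -config <(printf "[req]\n%s\n%s\n[dn]\nCN_default=foo\n" \
      "prompt = yes" "distinguished_name = dn") \
    -subj "${dn}"
}

#######################################
# Sign the CSR on stdin into "<name>.pem" with the given x509v3 extensions.
# Arguments: $1 - cert file base name, $2 - extension lines,
#            remaining args passed through to `openssl x509`
#######################################
cert() {
  local cert=$1; shift
  local exts=$1; shift

  openssl x509 -req -sha256 -out "${cert}.pem" \
    -extfile <(printf "%s\n" "$exts") "$@"
}

#######################################
# Create a self-signed CA key and certificate (serial 1).
# Arguments: $1 - subject DN, $2 - key base name, $3 - cert base name
#######################################
genroot() {
  local dn=$1; shift
  local key=$1; shift
  local cert=$1; shift
  local exts

  exts=$(printf "%s\n%s\n%s\n%s\n" \
    "subjectKeyIdentifier = hash" \
    "authorityKeyIdentifier = keyid" \
    "basicConstraints = CA:true" \
    "keyUsage = keyCertSign, cRLSign" )
  key "$key"; req "$key" "$dn" |
    cert "$cert" "$exts" -signkey "${key}.pem" \
      -set_serial 1 -days "${DAYS}"
}

#######################################
# Create an end-entity key and a CA-signed certificate for it.
# Globals:   EE_SERIAL (read, then incremented)
# Arguments: $1 - subject DN, $2 - key base name, $3 - cert base name,
#            $4 - CA key base name, $5 - CA cert base name,
#            remaining args passed through to `openssl x509`
#######################################
genee() {
  local dn=$1; shift
  local key=$1; shift
  local cert=$1; shift
  local cakey=$1; shift
  local cacert=$1; shift
  local exts serial

  exts=$(printf "%s\n%s\n%s\n%s\n" \
    "subjectKeyIdentifier = hash" \
    "authorityKeyIdentifier = keyid, issuer" \
    "basicConstraints = CA:false" \
    "keyUsage = digitalSignature, keyEncipherment, dataEncipherment" \
  )
  # Take the next unused serial before issuing.
  serial=$EE_SERIAL
  EE_SERIAL=$((EE_SERIAL + 1))
  key "$key"; req "$key" "$dn" |
    cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
      -set_serial "$serial" -days "${DAYS}" "$@"
}


genroot "/C=SE/O=Heimdal/CN=CA secp256r1" \
  secp256r1TestCA.key secp256r1TestCA.cert
genee "/C=SE/O=Heimdal/CN=Server" \
  secp256r2TestServer.key secp256r2TestServer.cert \
  secp256r1TestCA.key secp256r1TestCA.cert
genee "/C=SE/O=Heimdal/CN=Client" \
  secp256r2TestClient.key secp256r2TestClient.cert \
  secp256r1TestCA.key secp256r1TestCA.cert

# Bundles: the CA file is key then cert; the EE files are cert then key.
cat secp256r1TestCA.key.pem secp256r1TestCA.cert.pem > \
  secp256r1TestCA.pem
cat secp256r2TestClient.cert.pem secp256r2TestClient.key.pem > \
  secp256r2TestClient.pem
cat secp256r2TestServer.cert.pem secp256r2TestServer.key.pem > \
  secp256r2TestServer.pem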