1#!/bin/sh 2 3# For a list of supported curves, use "apps/openssl ecparam -list_curves". 4 5# Path to the openssl distribution 6OPENSSL_DIR=../.. 7# Path to the openssl program 8OPENSSL_CMD=$OPENSSL_DIR/apps/openssl 9# Option to find configuration file 10OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf" 11# Directory where certificates are stored 12CERTS_DIR=./Certs 13# Directory where private key files are stored 14KEYS_DIR=$CERTS_DIR 15# Directory where combo files (containing a certificate and corresponding 16# private key together) are stored 17COMBO_DIR=$CERTS_DIR 18# cat command 19CAT=/bin/cat 20# rm command 21RM=/bin/rm 22# mkdir command 23MKDIR=/bin/mkdir 24# The certificate will expire these many days after the issue date. 25DAYS=1500 26TEST_CA_CURVE=secp160r1 27TEST_CA_FILE=secp160r1TestCA 28TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (Elliptic curve secp160r1)" 29 30TEST_SERVER_CURVE=secp160r2 31TEST_SERVER_FILE=secp160r2TestServer 32TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (Elliptic curve secp160r2)" 33 34TEST_CLIENT_CURVE=secp160r2 35TEST_CLIENT_FILE=secp160r2TestClient 36TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (Elliptic curve secp160r2)" 37 38# Generating an EC certificate involves the following main steps 39# 1. Generating curve parameters (if needed) 40# 2. Generating a certificate request 41# 3. Signing the certificate request 42# 4. [Optional] One can combine the cert and private key into a single 43# file and also delete the certificate request 44 45$MKDIR -p $CERTS_DIR 46$MKDIR -p $KEYS_DIR 47$MKDIR -p $COMBO_DIR 48 49echo "Generating self-signed CA certificate (on curve $TEST_CA_CURVE)" 50echo "===============================================================" 51$OPENSSL_CMD ecparam -name $TEST_CA_CURVE -out $TEST_CA_CURVE.pem 52 53# Generate a new certificate request in $TEST_CA_FILE.req.pem. A 54# new ecdsa (actually ECC) key pair is generated on the parameters in 55# $TEST_CA_CURVE.pem and the private key is saved in $TEST_CA_FILE.key.pem 56# WARNING: By using the -nodes option, we force the private key to be 57# stored in the clear (rather than encrypted with a password). 58$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \ 59 -keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \ 60 -newkey ec:$TEST_CA_CURVE.pem -new \ 61 -out $CERTS_DIR/$TEST_CA_FILE.req.pem 62 63# Sign the certificate request in $TEST_CA_FILE.req.pem using the 64# private key in $TEST_CA_FILE.key.pem and include the CA extension. 65# Make the certificate valid for 1500 days from the time of signing. 66# The certificate is written into $TEST_CA_FILE.cert.pem 67$OPENSSL_CMD x509 -req -days $DAYS \ 68 -in $CERTS_DIR/$TEST_CA_FILE.req.pem \ 69 -extfile $OPENSSL_DIR/apps/openssl.cnf \ 70 -extensions v3_ca \ 71 -signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ 72 -out $CERTS_DIR/$TEST_CA_FILE.cert.pem 73 74# Display the certificate 75$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text 76 77# Place the certificate and key in a common file 78$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \ 79 > $COMBO_DIR/$TEST_CA_FILE.pem 80$CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem 81 82# Remove the cert request file (no longer needed) 83$RM $CERTS_DIR/$TEST_CA_FILE.req.pem 84 85echo "GENERATING A TEST SERVER CERTIFICATE (on elliptic curve $TEST_SERVER_CURVE)" 86echo "==========================================================================" 87# Generate parameters for curve $TEST_SERVER_CURVE, if needed 88$OPENSSL_CMD ecparam -name $TEST_SERVER_CURVE -out $TEST_SERVER_CURVE.pem 89 90# Generate a new certificate request in $TEST_SERVER_FILE.req.pem. A 91# new ecdsa (actually ECC) key pair is generated on the parameters in 92# $TEST_SERVER_CURVE.pem and the private key is saved in 93# $TEST_SERVER_FILE.key.pem 94# WARNING: By using the -nodes option, we force the private key to be 95# stored in the clear (rather than encrypted with a password). 96$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \ 97 -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \ 98 -newkey ec:$TEST_SERVER_CURVE.pem -new \ 99 -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem 100 101# Sign the certificate request in $TEST_SERVER_FILE.req.pem using the 102# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in 103# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number 104# file for this CA, create one. Make the certificate valid for $DAYS days 105# from the time of signing. The certificate is written into 106# $TEST_SERVER_FILE.cert.pem 107$OPENSSL_CMD x509 -req -days $DAYS \ 108 -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \ 109 -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ 110 -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ 111 -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial 112 113# Display the certificate 114$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text 115 116# Place the certificate and key in a common file 117$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \ 118 > $COMBO_DIR/$TEST_SERVER_FILE.pem 119$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem 120 121# Remove the cert request file (no longer needed) 122$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem 123 124echo "GENERATING A TEST CLIENT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)" 125echo "==========================================================================" 126# Generate parameters for curve $TEST_CLIENT_CURVE, if needed 127$OPENSSL_CMD ecparam -name $TEST_CLIENT_CURVE -out $TEST_CLIENT_CURVE.pem 128 129# Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. A 130# new ecdsa (actually ECC) key pair is generated on the parameters in 131# $TEST_CLIENT_CURVE.pem and the private key is saved in 132# $TEST_CLIENT_FILE.key.pem 133# WARNING: By using the -nodes option, we force the private key to be 134# stored in the clear (rather than encrypted with a password). 135$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \ 136 -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \ 137 -newkey ec:$TEST_CLIENT_CURVE.pem -new \ 138 -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem 139 140# Sign the certificate request in $TEST_CLIENT_FILE.req.pem using the 141# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in 142# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number 143# file for this CA, create one. Make the certificate valid for $DAYS days 144# from the time of signing. The certificate is written into 145# $TEST_CLIENT_FILE.cert.pem 146$OPENSSL_CMD x509 -req -days $DAYS \ 147 -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \ 148 -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ 149 -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ 150 -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial 151 152# Display the certificate 153$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text 154 155# Place the certificate and key in a common file 156$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \ 157 > $COMBO_DIR/$TEST_CLIENT_FILE.pem 158$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem 159 160# Remove the cert request file (no longer needed) 161$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem 162 163 164 165