generate.sh revision 1391:6f26e2e5f4f3
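#
# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation. Sun designates this
# particular file as subject to the "Classpath" exception as provided
# by Sun in the LICENSE file that accompanied this code.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
# CA 95054 USA or visit www.sun.com if you need additional information or
# have any questions.
#

#!/bin/ksh
#
# needs ksh to run the script.
#
# NOTE: the "#!" line above is not the first line of the file, so it is
# treated as an ordinary comment; invoke the script explicitly with ksh.
#
# Purpose: build a small certificate hierarchy, with CRLs, under the
# current directory using the openssl command-line tool:
#
#   root/   self-signed root CA plus a separate top-level CRL issuer
#   subca/  subordinate CA (OU=Class-1), its CRL issuer, and the end-entity
#           certificates for Alice, Bob and Susan
#   dumca/  a second subordinate CA (OU=Class-D) and its CRL issuer
#
# It then revokes dumca in the top CRL and Susan in the subca CRL.
#
# Requirements: an openssl.cnf in the current directory that defines the
# sections referenced below (cert_issuer, crl_issuer, ee_of_subca, ca_top,
# ca_subca).
#
# Re-run behaviour: each generation step is skipped when its output file
# already exists. The two "revoke" steps and the CRL regeneration that
# follows each of them run on every invocation.
#
# Security notes:
#  - Every key is 1024-bit RSA, which is below the key sizes accepted for
#    production certificates today.
#  - Every private key is encrypted with the fixed passphrase "passphrase",
#    supplied as pass:... on the command line, where it is visible to other
#    local users through the process list.
#  The O=Example subjects suggest this is fixture material; the keys and
#  these command lines are not suitable for a real CA.
#
# The "-days" option on the plain "openssl req" calls (those without -x509)
# does not affect the request; certificate validity is set by the
# "openssl x509 -req ... -days 7200" call that signs it.

# generate a self-signed root certificate
if [ ! -f root/root_cert.pem ]; then
    mkdir -p root

    openssl req -x509 -newkey rsa:1024 -keyout root/root_key.pem \
        -out root/root_cert.pem -subj "/C=US/O=Example" \
        -config openssl.cnf -reqexts cert_issuer -days 7650 \
        -passin pass:passphrase -passout pass:passphrase
fi

# generate a self-issued root crl issuer certificate
# (same subject name as the root, signed by the root key)
if [ ! -f root/top_crlissuer_cert.pem ]; then
    mkdir -p root

    openssl req -newkey rsa:1024 -keyout root/top_crlissuer_key.pem \
        -out root/top_crlissuer_req.pem -subj "/C=US/O=Example" -days 7650 \
        -passin pass:passphrase -passout pass:passphrase

    openssl x509 -req -in root/top_crlissuer_req.pem -extfile openssl.cnf \
        -extensions crl_issuer -CA root/root_cert.pem \
        -CAkey root/root_key.pem -out root/top_crlissuer_cert.pem \
        -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
        -passin pass:passphrase
fi

# generate subca cert issuer and crl issuer certificates
# (both are signed by the root key)
if [ ! -f subca/subca_cert.pem ]; then
    mkdir -p subca

    openssl req -newkey rsa:1024 -keyout subca/subca_key.pem \
        -out subca/subca_req.pem -subj "/C=US/O=Example/OU=Class-1" \
        -days 7650 -passin pass:passphrase -passout pass:passphrase

    openssl x509 -req -in subca/subca_req.pem -extfile openssl.cnf \
        -extensions cert_issuer -CA root/root_cert.pem \
        -CAkey root/root_key.pem -out subca/subca_cert.pem -CAcreateserial \
        -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase

    openssl req -newkey rsa:1024 -keyout subca/subca_crlissuer_key.pem \
        -out subca/subca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-1" \
        -days 7650 -passin pass:passphrase -passout pass:passphrase

    openssl x509 -req -in subca/subca_crlissuer_req.pem -extfile openssl.cnf \
        -extensions crl_issuer -CA root/root_cert.pem \
        -CAkey root/root_key.pem -out subca/subca_crlissuer_cert.pem \
        -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
        -passin pass:passphrase
fi

# generate dumca cert issuer and crl issuer certificates
# (both are signed by the root key)
if [ ! -f dumca/dumca_cert.pem ]; then
    # The directory created must be the one the files below are written to;
    # -p keeps this step from failing when dumca/ is already present.
    mkdir -p dumca

    openssl req -newkey rsa:1024 -keyout dumca/dumca_key.pem \
        -out dumca/dumca_req.pem -subj "/C=US/O=Example/OU=Class-D" \
        -days 7650 -passin pass:passphrase -passout pass:passphrase

    openssl x509 -req -in dumca/dumca_req.pem -extfile openssl.cnf \
        -extensions cert_issuer -CA root/root_cert.pem \
        -CAkey root/root_key.pem -out dumca/dumca_cert.pem \
        -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
        -passin pass:passphrase

    openssl req -newkey rsa:1024 -keyout dumca/dumca_crlissuer_key.pem \
        -out dumca/dumca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-D" \
        -days 7650 -passin pass:passphrase -passout pass:passphrase

    openssl x509 -req -in dumca/dumca_crlissuer_req.pem \
        -extfile openssl.cnf -extensions crl_issuer -CA root/root_cert.pem \
        -CAkey root/root_key.pem -out dumca/dumca_crlissuer_cert.pem \
        -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
        -passin pass:passphrase
fi

# generate certificate for Alice (end entity, signed by subca)
if [ ! -f subca/alice/alice_cert.pem ]; then
    mkdir -p subca/alice

    openssl req -newkey rsa:1024 -keyout subca/alice/alice_key.pem \
        -out subca/alice/alice_req.pem \
        -subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \
        -passin pass:passphrase -passout pass:passphrase

    openssl x509 -req -in subca/alice/alice_req.pem \
        -extfile openssl.cnf -extensions ee_of_subca \
        -CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
        -out subca/alice/alice_cert.pem -CAcreateserial \
        -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
fi

# generate certificate for Bob (end entity, signed by subca)
if [ ! -f subca/bob/bob_cert.pem ]; then
    mkdir -p subca/bob

    openssl req -newkey rsa:1024 -keyout subca/bob/bob_key.pem \
        -out subca/bob/bob_req.pem \
        -subj "/C=US/O=Example/OU=Class-1/CN=Bob" -days 7650 \
        -passin pass:passphrase -passout pass:passphrase

    openssl x509 -req -in subca/bob/bob_req.pem \
        -extfile openssl.cnf -extensions ee_of_subca \
        -CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
        -out subca/bob/bob_cert.pem -CAcreateserial \
        -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
fi

# generate certificate for Susan (end entity, signed by subca)
if [ ! -f subca/susan/susan_cert.pem ]; then
    mkdir -p subca/susan

    openssl req -newkey rsa:1024 -keyout subca/susan/susan_key.pem \
        -out subca/susan/susan_req.pem \
        -subj "/C=US/O=Example/OU=Class-1/CN=Susan" -days 7650 \
        -passin pass:passphrase -passout pass:passphrase

    openssl x509 -req -in subca/susan/susan_req.pem -extfile openssl.cnf \
        -extensions ee_of_subca -CA subca/subca_cert.pem \
        -CAkey subca/subca_key.pem -out subca/susan/susan_cert.pem \
        -CAcreateserial -CAserial subca/subca_cert.srl -days 7200 \
        -passin pass:passphrase
fi


# generate the top CRL
if [ ! -f root/top_crl.pem ]; then
    mkdir -p root

    # "openssl ca" needs its database and CRL number files to exist;
    # seed them on first use.
    if [ ! -f root/index.txt ]; then
        touch root/index.txt
        echo 00 > root/crlnumber
    fi

    openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \
        -crl_reason superseded -keyfile root/top_crlissuer_key.pem \
        -cert root/top_crlissuer_cert.pem -out root/top_crl.pem \
        -passin pass:passphrase
fi

# revoke dumca (runs on every invocation), then reissue the top CRL so
# that it lists the revocation
openssl ca -revoke dumca/dumca_cert.pem -config openssl.cnf \
    -name ca_top -crl_reason superseded \
    -keyfile root/top_crlissuer_key.pem -cert root/top_crlissuer_cert.pem \
    -passin pass:passphrase

openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \
    -crl_reason superseded -keyfile root/top_crlissuer_key.pem \
    -cert root/top_crlissuer_cert.pem -out root/top_crl.pem \
    -passin pass:passphrase

# generate the subca CRL
if [ ! -f subca/subca_crl.pem ]; then
    mkdir -p subca

    # seed the "openssl ca" database and CRL number files on first use
    if [ ! -f subca/index.txt ]; then
        touch subca/index.txt
        echo 00 > subca/crlnumber
    fi

    openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \
        -crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
        -cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \
        -passin pass:passphrase
fi

# revoke susan (runs on every invocation), then reissue the subca CRL so
# that it lists the revocation
openssl ca -revoke subca/susan/susan_cert.pem -config openssl.cnf \
    -name ca_subca -crl_reason superseded \
    -keyfile subca/subca_crlissuer_key.pem \
    -cert subca/subca_crlissuer_cert.pem -passin pass:passphrase

openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \
    -crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
    -cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \
    -passin pass:passphrase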