#
# Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.  Sun designates this
# particular file as subject to the "Classpath" exception as provided
# by Sun in the LICENSE file that accompanied this code.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
# CA 95054 USA or visit www.sun.com if you need additional information or
# have any questions.
#

#!/bin/ksh
#
# Needs ksh to run the script. Note that because the license header
# precedes it, the "#!/bin/ksh" line above is not the first line of the
# file and is therefore not honoured as a shebang by the kernel; invoke
# the script explicitly as "ksh generate.sh".
#
# This script builds a throw-away test PKI (root CA, two sub CAs, three
# end-entity certificates and indirect CRLs) in the current directory,
# driven by the accompanying openssl.cnf. The 1024-bit RSA keys, the fixed
# passphrase passed on the command line (visible to other users via ps)
# and the multi-decade validity periods are deliberate choices for a
# reproducible fixture and must not be copied into a real deployment.

# Self-signed root CA certificate, created only if it does not exist yet.
# Extensions come from the cert_issuer section of openssl.cnf. The key is
# protected with a fixed passphrase given on the command line; this is a
# test fixture, so the weak 1024-bit key and ~21-year lifetime are intended.
if [ ! -f root/root_cert.pem ]; then
    [ -d root ] || mkdir root

    openssl req -x509 -config openssl.cnf -reqexts cert_issuer \
        -newkey rsa:1024 -days 7650 \
        -subj "/C=US/O=Example" \
        -passin pass:passphrase -passout pass:passphrase \
        -keyout root/root_key.pem -out root/root_cert.pem
fi

# Self-issued CRL issuer certificate at the top level: it carries the same
# subject DN as the root ("/C=US/O=Example") but is signed by the root key,
# with extensions taken from the crl_issuer section of openssl.cnf.
# Created only if missing; relies on root/root_cert.pem from the step above.
if [ ! -f root/top_crlissuer_cert.pem ]; then
    [ -d root ] || mkdir root

    # Request plus fresh 1024-bit key (fixture passphrase on the command line).
    openssl req -newkey rsa:1024 -days 7650 \
        -subj "/C=US/O=Example" \
        -passin pass:passphrase -passout pass:passphrase \
        -keyout root/top_crlissuer_key.pem -out root/top_crlissuer_req.pem

    # Sign it with the root; the serial counter lives in root/root_cert.srl
    # and is created on first use.
    openssl x509 -req -days 7200 \
        -extfile openssl.cnf -extensions crl_issuer \
        -CA root/root_cert.pem -CAkey root/root_key.pem \
        -CAcreateserial -CAserial root/root_cert.srl \
        -passin pass:passphrase \
        -in root/top_crlissuer_req.pem -out root/top_crlissuer_cert.pem
fi

# subca: a subordinate CA with a certificate-issuer certificate and a
# separate CRL-issuer certificate, both signed by the root and sharing the
# subject "/C=US/O=Example/OU=Class-1". Skipped when subca_cert.pem exists.
# Fixture-only settings: 1024-bit keys, fixed command-line passphrase.
if [ ! -f subca/subca_cert.pem ]; then
    [ -d subca ] || mkdir subca

    # Certificate issuer: request, then sign with root using cert_issuer.
    openssl req -newkey rsa:1024 -days 7650 \
        -subj "/C=US/O=Example/OU=Class-1" \
        -passin pass:passphrase -passout pass:passphrase \
        -keyout subca/subca_key.pem -out subca/subca_req.pem

    openssl x509 -req -days 7200 \
        -extfile openssl.cnf -extensions cert_issuer \
        -CA root/root_cert.pem -CAkey root/root_key.pem \
        -CAcreateserial -CAserial root/root_cert.srl \
        -passin pass:passphrase \
        -in subca/subca_req.pem -out subca/subca_cert.pem

    # CRL issuer: request, then sign with root using crl_issuer.
    openssl req -newkey rsa:1024 -days 7650 \
        -subj "/C=US/O=Example/OU=Class-1" \
        -passin pass:passphrase -passout pass:passphrase \
        -keyout subca/subca_crlissuer_key.pem \
        -out subca/subca_crlissuer_req.pem

    openssl x509 -req -days 7200 \
        -extfile openssl.cnf -extensions crl_issuer \
        -CA root/root_cert.pem -CAkey root/root_key.pem \
        -CAcreateserial -CAserial root/root_cert.srl \
        -passin pass:passphrase \
        -in subca/subca_crlissuer_req.pem \
        -out subca/subca_crlissuer_cert.pem
fi

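# dumca: a second subordinate CA ("/C=US/O=Example/OU=Class-D") with a
# certificate-issuer certificate and a separate CRL-issuer certificate,
# both signed by the root. Its certificate is revoked further down, so it
# is the "dummy" CA the tests expect to see on the top-level CRL.
# Skipped when dumca_cert.pem exists. Fixture-only settings: 1024-bit keys,
# fixed command-line passphrase.
if [ ! -f dumca/dumca_cert.pem ]; then
    # Fixed: the directory test previously checked "sumca", so on a clean
    # checkout the mkdir was skipped and the openssl commands below had no
    # dumca/ directory to write their key, request and certificate into.
    [ -d dumca ] || mkdir dumca

    # Certificate issuer: request, then sign with root using cert_issuer.
    openssl req -newkey rsa:1024 -days 7650 \
        -subj "/C=US/O=Example/OU=Class-D" \
        -passin pass:passphrase -passout pass:passphrase \
        -keyout dumca/dumca_key.pem -out dumca/dumca_req.pem

    openssl x509 -req -days 7200 \
        -extfile openssl.cnf -extensions cert_issuer \
        -CA root/root_cert.pem -CAkey root/root_key.pem \
        -CAcreateserial -CAserial root/root_cert.srl \
        -passin pass:passphrase \
        -in dumca/dumca_req.pem -out dumca/dumca_cert.pem

    # CRL issuer: request, then sign with root using crl_issuer.
    openssl req -newkey rsa:1024 -days 7650 \
        -subj "/C=US/O=Example/OU=Class-D" \
        -passin pass:passphrase -passout pass:passphrase \
        -keyout dumca/dumca_crlissuer_key.pem \
        -out dumca/dumca_crlissuer_req.pem

    openssl x509 -req -days 7200 \
        -extfile openssl.cnf -extensions crl_issuer \
        -CA root/root_cert.pem -CAkey root/root_key.pem \
        -CAcreateserial -CAserial root/root_cert.srl \
        -passin pass:passphrase \
        -in dumca/dumca_crlissuer_req.pem \
        -out dumca/dumca_crlissuer_cert.pem
fi
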
# End-entity certificate for Alice under subca, using the ee_of_subca
# extensions from openssl.cnf. Skipped when the certificate already exists.
# Fixture-only: 1024-bit key, fixed command-line passphrase.
if [ ! -f subca/alice/alice_cert.pem ]; then
    [ -d subca/alice ] || mkdir -p subca/alice

    openssl req -newkey rsa:1024 -days 7650 \
        -subj "/C=US/O=Example/OU=Class-1/CN=Alice" \
        -passin pass:passphrase -passout pass:passphrase \
        -keyout subca/alice/alice_key.pem -out subca/alice/alice_req.pem

    # Signed by the subca certificate issuer; serial counter in subca/.
    openssl x509 -req -days 7200 \
        -extfile openssl.cnf -extensions ee_of_subca \
        -CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
        -CAcreateserial -CAserial subca/subca_cert.srl \
        -passin pass:passphrase \
        -in subca/alice/alice_req.pem -out subca/alice/alice_cert.pem
fi

# End-entity certificate for Bob under subca (ee_of_subca extensions).
# Skipped when the certificate already exists.
# Fixture-only: 1024-bit key, fixed command-line passphrase.
if [ ! -f subca/bob/bob_cert.pem ]; then
    [ -d subca/bob ] || mkdir -p subca/bob

    openssl req -newkey rsa:1024 -days 7650 \
        -subj "/C=US/O=Example/OU=Class-1/CN=Bob" \
        -passin pass:passphrase -passout pass:passphrase \
        -keyout subca/bob/bob_key.pem -out subca/bob/bob_req.pem

    # Signed by the subca certificate issuer; serial counter in subca/.
    openssl x509 -req -days 7200 \
        -extfile openssl.cnf -extensions ee_of_subca \
        -CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
        -CAcreateserial -CAserial subca/subca_cert.srl \
        -passin pass:passphrase \
        -in subca/bob/bob_req.pem -out subca/bob/bob_cert.pem
fi

# End-entity certificate for Susan under subca (ee_of_subca extensions).
# This is the end-entity certificate that gets revoked later on.
# Skipped when the certificate already exists.
# Fixture-only: 1024-bit key, fixed command-line passphrase.
if [ ! -f subca/susan/susan_cert.pem ]; then
    [ -d subca/susan ] || mkdir -p subca/susan

    openssl req -newkey rsa:1024 -days 7650 \
        -subj "/C=US/O=Example/OU=Class-1/CN=Susan" \
        -passin pass:passphrase -passout pass:passphrase \
        -keyout subca/susan/susan_key.pem -out subca/susan/susan_req.pem

    # Signed by the subca certificate issuer; serial counter in subca/.
    openssl x509 -req -days 7200 \
        -extfile openssl.cnf -extensions ee_of_subca \
        -CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
        -CAcreateserial -CAserial subca/subca_cert.srl \
        -passin pass:passphrase \
        -in subca/susan/susan_req.pem -out subca/susan/susan_cert.pem
fi


# Initial top-level CRL, signed by the top CRL-issuer key rather than the
# root key (an indirect CRL). The openssl ca section "ca_top" in openssl.cnf
# is expected to point at root/index.txt and root/crlnumber, which are
# seeded here on first use (empty database, CRL number starting at 00).
# Only runs when no top CRL exists yet; the revoke step below regenerates it.
if [ ! -f root/top_crl.pem ]; then
    [ -d root ] || mkdir root

    if [ ! -f root/index.txt ]; then
        touch root/index.txt
        echo 00 > root/crlnumber
    fi

    # NOTE(review): -crl_reason appears to only matter for -revoke; it is
    # kept here to match the original invocation.
    openssl ca -gencrl -config openssl.cnf -name ca_top \
        -crldays 7000 -crl_reason superseded \
        -keyfile root/top_crlissuer_key.pem \
        -cert root/top_crlissuer_cert.pem \
        -passin pass:passphrase \
        -out root/top_crl.pem
fi

# Revoke the dumca CA certificate (reason: superseded) in the ca_top
# database and regenerate the top CRL with the CRL-issuer key.
# These two commands run on every invocation: nothing guards them and the
# script never sets -e, so if openssl rejects the revoke on a re-run
# (the entry being revoked already) the script still carries on and the
# CRL is regenerated from whatever the database holds.
openssl ca -revoke dumca/dumca_cert.pem \
        -config openssl.cnf -name ca_top \
        -crl_reason superseded \
        -keyfile root/top_crlissuer_key.pem \
        -cert root/top_crlissuer_cert.pem \
        -passin pass:passphrase

openssl ca -gencrl -config openssl.cnf -name ca_top \
        -crldays 7000 -crl_reason superseded \
        -keyfile root/top_crlissuer_key.pem \
        -cert root/top_crlissuer_cert.pem \
        -passin pass:passphrase \
        -out root/top_crl.pem

# Initial subca CRL, signed by the subca CRL-issuer key (indirect CRL).
# The "ca_subca" section of openssl.cnf is expected to use subca/index.txt
# and subca/crlnumber, seeded here on first use. Only runs when no subca
# CRL exists yet; the revoke step below regenerates it.
if [ ! -f subca/subca_crl.pem ]; then
    [ -d subca ] || mkdir subca

    if [ ! -f subca/index.txt ]; then
        touch subca/index.txt
        echo 00 > subca/crlnumber
    fi

    openssl ca -gencrl -config openssl.cnf -name ca_subca \
        -crldays 7000 -crl_reason superseded \
        -keyfile subca/subca_crlissuer_key.pem \
        -cert subca/subca_crlissuer_cert.pem \
        -passin pass:passphrase \
        -out subca/subca_crl.pem
fi

# Revoke Susan's certificate (reason: superseded) in the ca_subca database
# and regenerate the subca CRL with the subca CRL-issuer key.
# Unguarded and run on every invocation, like the dumca revocation above;
# without set -e a failing revoke does not stop the regeneration.
openssl ca -revoke subca/susan/susan_cert.pem \
        -config openssl.cnf -name ca_subca \
        -crl_reason superseded \
        -keyfile subca/subca_crlissuer_key.pem \
        -cert subca/subca_crlissuer_cert.pem \
        -passin pass:passphrase

openssl ca -gencrl -config openssl.cnf -name ca_subca \
        -crldays 7000 -crl_reason superseded \
        -keyfile subca/subca_crlissuer_key.pem \
        -cert subca/subca_crlissuer_cert.pem \
        -passin pass:passphrase \
        -out subca/subca_crl.pem

222