#!/bin/sh # Helper script to create CA and server certificates. srcdir=${1-.} OPENSSL=@OPENSSL@ CONF=${srcdir}/openssl.conf REQ="${OPENSSL} req -config ${CONF}" CA="${OPENSSL} ca -config ${CONF} -batch" # MKCERT makes a self-signed cert MKCERT="${REQ} -x509 -new -days 900" REQDN=reqDN STRMASK=default CADIR=./ca export REQDN STRMASK CADIR asn1date() { date -d "$1" "+%y%m%d%H%M%SZ" } openssl version 1>&2 set -ex for i in ca ca1 ca2 ca3; do rm -rf $i mkdir $i touch $i/index.txt echo 01 > $i/serial ${OPENSSL} genrsa -rand ${srcdir}/../configure 1024 > $i/key.pem done ${OPENSSL} genrsa -rand ${srcdir}/../configure 1024 > client.key ${OPENSSL} dsaparam -genkey -rand ${srcdir}/../configure 1024 > client.dsap ${OPENSSL} gendsa client.dsap > clientdsa.key ${MKCERT} -key ca/key.pem -out ca/cert.pem < T61String csr_fields "`echo -e 'H\0350llo World'`" localhost | ${REQ} -new -key ${srcdir}/server.key -out t61subj.csr STRMASK=pkix # => BMPString csr_fields "`echo -e 'H\0350llo World'`" localhost | ${REQ} -new -key ${srcdir}/server.key -out bmpsubj.csr STRMASK=utf8only # => UTF8String csr_fields "`echo -e 'H\0350llo World'`" localhost | ${REQ} -new -key ${srcdir}/server.key -out utf8subj.csr STRMASK=default ### produce a set of CA certs csr_fields "First Random CA" "first.example.com" "CAs Ltd." Lincoln Lincolnshire | \ ${MKCERT} -key ${srcdir}/server.key -out ca1.pem csr_fields "Second Random CA" "second.example.com" "CAs Ltd." Falmouth Cornwall | \ ${MKCERT} -key ${srcdir}/server.key -out ca2.pem csr_fields "Third Random CA" "third.example.com" "CAs Ltd." Ipswich Suffolk | \ ${MKCERT} -key ${srcdir}/server.key -out ca3.pem csr_fields "Fourth Random CA" "fourth.example.com" "CAs Ltd." Norwich Norfolk | \ ${MKCERT} -key ${srcdir}/server.key -out ca4.pem cat ca/cert.pem ca[1234].pem > calist.pem csr_fields "Wildcard Cert Dept" "*.example.com" | \ ${REQ} -new -key ${srcdir}/server.key -out wildcard.csr csr_fields "Wildcard IP Cert" "*.0.0.1" | \ ${REQ} -new -key ${srcdir}/server.key -out wildip.csr csr_fields "Neon Client Cert" ignored.example.com | \ ${REQ} -new -key client.key -out client.csr csr_fields "Neon Client Cert" ignored.example.com | \ ${REQ} -new -key clientdsa.key -out clientdsa.csr ### requests using special DN. REQDN=reqDN.doubleCN csr_fields "Double CN Dept" "nohost.example.com localhost" | ${REQ} -new -key ${srcdir}/server.key -out twocn.csr REQDN=reqDN.CNfirst echo localhost | ${REQ} -new -key ${srcdir}/server.key -out cnfirst.csr REQDN=reqDN.missingCN echo GB | ${REQ} -new -key ${srcdir}/server.key -out missingcn.csr REQDN=reqDN.justEmail echo blah@example.com | ${REQ} -new -key ${srcdir}/server.key -out justmail.csr # presume AVAs will come out in least->most specific order still... REQDN=reqDN.twoOU csr_fields "Second OU Dept First OU Dept" | ${REQ} -new -key ${srcdir}/server.key -out twoou.csr ### don't put ${REQ} invocations after here for f in server client clientdsa twocn caseless cnfirst \ t61subj bmpsubj utf8subj \ missingcn justmail twoou wildcard wildip wrongcn; do ${CA} -days 900 -in ${f}.csr -out ${f}.cert done ${CA} -startdate `asn1date "2 days ago"` -enddate `asn1date "yesterday"` -in expired.csr -out expired.cert ${CA} -startdate `asn1date "tomorrow"` -enddate `asn1date "2 days"` -in notyet.csr -out notyet.cert for n in 1 2 3 4 5 6 7 8 9; do ${CA} -extensions altExt${n} -days 900 \ -in altname${n}.csr -out altname${n}.cert done # Sign this CSR using the intermediary CA CADIR=./ca2 ${CA} -days 900 -in server.csr -out ca2server.cert # And create a file with the concatenation of both EE and intermediary # cert. cat ca2server.cert ca2/cert.pem > ca2server.pem # sign with expired CA CADIR=./ca1 ${CA} -days 3 -in server.csr -out ca1server.cert # sign with not yet valid CA CADIR=./ca3 ${CA} -days 3 -in server.csr -out ca3server.cert MKPKCS12="${OPENSSL} pkcs12 -export -passout stdin -in client.cert -inkey client.key" # generate a PKCS12 cert from the client cert: -passOUT because it's the # passphrase on the OUTPUT cert, confusing... echo foobar | ${MKPKCS12} -name "Just A Neon Client Cert" -out client.p12 # generate a PKCS#12 cert with no password and a friendly name echo | ${MKPKCS12} -name "An Unencrypted Neon Client Cert" -out unclient.p12 # PKCS#12 cert with DSA key echo | ${OPENSSL} pkcs12 -name "An Unencrypted Neon DSA Client Cert" \ -export -passout stdin \ -in clientdsa.cert -inkey clientdsa.key \ -out dsaclient.p12 # generate a PKCS#12 cert with no friendly name echo | ${MKPKCS12} -out noclient.p12 # generate a PKCS#12 cert with no private keys echo | ${MKPKCS12} -nokeys -out nkclient.p12 # generate a PKCS#12 cert without the cert echo | ${MKPKCS12} -nokeys -out ncclient.p12 # generate an encoded PKCS#12 cert with no private keys echo foobar | ${MKPKCS12} -nokeys -out enkclient.p12 # a PKCS#12 cert including a bundled CA cert echo foobar | ${MKPKCS12} -certfile ca/cert.pem -name "A Neon Client Cert With CA" -out clientca.p12 ### a file containing a complete chain cat ca/cert.pem server.cert > chain.pem ### NSS database initialization, for testing PKCS#11. CERTUTIL=@CERTUTIL@ PK12UTIL=@PK12UTIL@ if [ ${CERTUTIL} != "notfound" -a ${PK12UTIL} != "notfound" ]; then rm -rf nssdb nssdb-dsa mkdir nssdb nssdb-dsa echo foobar > nssdb.pw ${CERTUTIL} -d nssdb -N -f nssdb.pw ${PK12UTIL} -d nssdb -K foobar -W '' -i unclient.p12 ${CERTUTIL} -d nssdb-dsa -N -f nssdb.pw ${PK12UTIL} -d nssdb-dsa -K foobar -W '' -i dsaclient.p12 rm -f nssdb.pw fi