| 1 | #!/bin/sh
|
|---|
| 2 |
|
|---|
| 3 | opensslcmd() {
|
|---|
| 4 | LD_LIBRARY_PATH=../.. ../../apps/openssl $@
|
|---|
| 5 | }
|
|---|
| 6 |
|
|---|
| 7 | OPENSSL_CONF=../../apps/openssl.cnf
|
|---|
| 8 | export OPENSSL_CONF
|
|---|
| 9 |
|
|---|
| 10 | opensslcmd version
|
|---|
| 11 |
|
|---|
| 12 | # Root CA: create certificate directly
|
|---|
| 13 | CN="Test Root CA" opensslcmd req -config ca.cnf -x509 -nodes \
|
|---|
| 14 | -keyout root.pem -out root.pem -newkey rsa:2048 -days 3650
|
|---|
| 15 | # Intermediate CA: request first
|
|---|
| 16 | CN="Test Intermediate CA" opensslcmd req -config ca.cnf -nodes \
|
|---|
| 17 | -keyout intkey.pem -out intreq.pem -newkey rsa:2048
|
|---|
| 18 | # Sign request: CA extensions
|
|---|
| 19 | opensslcmd x509 -req -in intreq.pem -CA root.pem -days 3600 \
|
|---|
| 20 | -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem
|
|---|
| 21 |
|
|---|
| 22 | # Server certificate: create request first
|
|---|
| 23 | CN="Test Server Cert" opensslcmd req -config ca.cnf -nodes \
|
|---|
| 24 | -keyout skey.pem -out req.pem -newkey rsa:1024
|
|---|
| 25 | # Sign request: end entity extensions
|
|---|
| 26 | opensslcmd x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
|
|---|
| 27 | -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem
|
|---|
| 28 |
|
|---|
| 29 | # Client certificate: request first
|
|---|
| 30 | CN="Test Client Cert" opensslcmd req -config ca.cnf -nodes \
|
|---|
| 31 | -keyout ckey.pem -out creq.pem -newkey rsa:1024
|
|---|
| 32 | # Sign using intermediate CA
|
|---|
| 33 | opensslcmd x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
|
|---|
| 34 | -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem
|
|---|
| 35 |
|
|---|
| 36 | # Revoked certificate: request first
|
|---|
| 37 | CN="Test Revoked Cert" opensslcmd req -config ca.cnf -nodes \
|
|---|
| 38 | -keyout revkey.pem -out rreq.pem -newkey rsa:1024
|
|---|
| 39 | # Sign using intermediate CA
|
|---|
| 40 | opensslcmd x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
|
|---|
| 41 | -extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem
|
|---|
| 42 |
|
|---|
| 43 | # OCSP responder certificate: request first
|
|---|
| 44 | CN="Test OCSP Responder Cert" opensslcmd req -config ca.cnf -nodes \
|
|---|
| 45 | -keyout respkey.pem -out respreq.pem -newkey rsa:1024
|
|---|
| 46 | # Sign using intermediate CA and responder extensions
|
|---|
| 47 | opensslcmd x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
|
|---|
| 48 | -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem
|
|---|
| 49 |
|
|---|
| 50 | # Example creating a PKCS#3 DH certificate.
|
|---|
| 51 |
|
|---|
| 52 | # First DH parameters
|
|---|
| 53 |
|
|---|
| 54 | [ -f dhp.pem ] || opensslcmd genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem
|
|---|
| 55 |
|
|---|
| 56 | # Now a DH private key
|
|---|
| 57 | opensslcmd genpkey -paramfile dhp.pem -out dhskey.pem
|
|---|
| 58 | # Create DH public key file
|
|---|
| 59 | opensslcmd pkey -in dhskey.pem -pubout -out dhspub.pem
|
|---|
| 60 | # Certificate request, key just reuses old one as it is ignored when the
|
|---|
| 61 | # request is signed.
|
|---|
| 62 | CN="Test Server DH Cert" opensslcmd req -config ca.cnf -new \
|
|---|
| 63 | -key skey.pem -out dhsreq.pem
|
|---|
| 64 | # Sign request: end entity DH extensions
|
|---|
| 65 | opensslcmd x509 -req -in dhsreq.pem -CA root.pem -days 3600 \
|
|---|
| 66 | -force_pubkey dhspub.pem \
|
|---|
| 67 | -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem
|
|---|
| 68 |
|
|---|
| 69 | # DH client certificate
|
|---|
| 70 |
|
|---|
| 71 | opensslcmd genpkey -paramfile dhp.pem -out dhckey.pem
|
|---|
| 72 | opensslcmd pkey -in dhckey.pem -pubout -out dhcpub.pem
|
|---|
| 73 | CN="Test Client DH Cert" opensslcmd req -config ca.cnf -new \
|
|---|
| 74 | -key skey.pem -out dhcreq.pem
|
|---|
| 75 | opensslcmd x509 -req -in dhcreq.pem -CA root.pem -days 3600 \
|
|---|
| 76 | -force_pubkey dhcpub.pem \
|
|---|
| 77 | -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem
|
|---|
| 78 |
|
|---|
| 79 | # Examples of CRL generation without the need to use 'ca' to issue
|
|---|
| 80 | # certificates.
|
|---|
| 81 | # Create zero length index file
|
|---|
| 82 | >index.txt
|
|---|
| 83 | # Create initial crl number file
|
|---|
| 84 | echo 01 >crlnum.txt
|
|---|
| 85 | # Add entries for server and client certs
|
|---|
| 86 | opensslcmd ca -valid server.pem -keyfile root.pem -cert root.pem \
|
|---|
| 87 | -config ca.cnf -md sha1
|
|---|
| 88 | opensslcmd ca -valid client.pem -keyfile root.pem -cert root.pem \
|
|---|
| 89 | -config ca.cnf -md sha1
|
|---|
| 90 | opensslcmd ca -valid rev.pem -keyfile root.pem -cert root.pem \
|
|---|
| 91 | -config ca.cnf -md sha1
|
|---|
| 92 | # Generate a CRL.
|
|---|
| 93 | opensslcmd ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
|
|---|
| 94 | -md sha1 -crldays 1 -out crl1.pem
|
|---|
| 95 | # Revoke a certificate
|
|---|
| 96 | openssl ca -revoke rev.pem -crl_reason superseded \
|
|---|
| 97 | -keyfile root.pem -cert root.pem -config ca.cnf -md sha1
|
|---|
| 98 | # Generate another CRL
|
|---|
| 99 | opensslcmd ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
|
|---|
| 100 | -md sha1 -crldays 1 -out crl2.pem
|
|---|
| 101 |
|
|---|
