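#!/bin/sh
# Id
#
# Generates the hx509 test fixtures: a root CA, a sub CA, end-entity,
# proxy, pkinit and OCSP-responder certificates, plus PKCS#12 bundles,
# CMS SignedData/EnvelopedData samples, OCSP requests/responses and a CRL.
#
# This script needs openssl 0.9.8a or newer, so it can parse the
# otherName section for pkinit certificates.
#
# Everything produced here is TEST MATERIAL ONLY: keys are written
# unencrypted, passwords are fixed and trivial, validity periods are
# absurdly long and the OCSP responder skips request verification.
# None of these choices are appropriate for a real CA.
#

openssl=openssl

# workaround until openssl -objects lands
#
# Pick the config matching the installed OpenSSL's config syntax.
# 1.1.x and every later major (3.x, ...) parse the 1.1-style file;
# anything else (1.0.x, and non-OpenSSL "version" output such as
# LibreSSL) keeps the 1.0 config, as before.
if ${openssl} version | grep -E '^OpenSSL (1\.[1-9]|[2-9]|[1-9][0-9]+)\.' >/dev/null ; then
    config=openssl.1.1.cnf
else
    config=openssl.1.0.cnf
fi

# gen_cert SUBJECT ISSUER KIND EXTSECTION [PROXYNAME] [KEYTYPE]
#
#   $1  subject DN in openssl -subj form
#   $2  basename of the issuer key pair ($2.crt / $2.key); unused for "ca"
#   $3  "ca"    -> self-signed root, written as ca.crt / ca.key
#       "proxy" -> signed with `x509 -req -CA`, written as $5.crt / $5.key
#       other   -> signed with `openssl ca`, written as $3.crt / $3.key
#   $4  extension section (ca/proxy: -extensions; ca(1): -name section)
#   $5  output basename for proxy certificates (ignored otherwise)
#   $6  -newkey spec, default rsa:4096 (e.g. ec:eccurve.pem)
#
# Side effects: overwrites cert.req, cert.crt, out.key, and for "ca"
# creates a <hash>.0 symlink so the directory works as a CApath.
gen_cert()
{
    keytype=${6:-rsa:4096}
    # -nodes: fixture keys are intentionally stored unencrypted.
    # -sha1 only signs the CSR itself; that signature is discarded when the
    # certificate is issued, so it does not affect the issued certificates.
    ${openssl} req \
        -new \
        -subj "$1" \
        -config "${config}" \
        -newkey "$keytype" \
        -sha1 \
        -nodes \
        -keyout out.key \
        -out cert.req > /dev/null 2>/dev/null

    # 182500 days (~500 years): fixtures must never expire in CI.
    if [ "$3" = "ca" ] ; then
        ${openssl} x509 \
            -req \
            -days 182500 \
            -in cert.req \
            -extfile "${config}" \
            -extensions "$4" \
            -signkey out.key \
            -out cert.crt

        # Hash-named symlink so this directory can serve as a CApath.
        # The target is ca.crt because $3 = "ca" selects the output name.
        ln -s ca.crt "$(${openssl} x509 -hash -noout -in cert.crt).0"

        name=$3

    elif [ "$3" = "proxy" ] ; then

        # Proxy certs are signed directly by the end-entity's key and are
        # deliberately NOT recorded in the CA index/serial database.
        ${openssl} x509 \
            -req \
            -in cert.req \
            -days 182500 \
            -out cert.crt \
            -CA "$2.crt" \
            -CAkey "$2.key" \
            -CAcreateserial \
            -extfile "${config}" \
            -extensions "$4"

        name=$5
    else

        # Regular issuance through openssl ca(1) so the cert lands in
        # index.txt/serial; that database is later used for the OCSP
        # responses and the CRL.  Note: the root CA and the sub CA share
        # the same index/serial files here (test-only shortcut).
        ${openssl} ca \
            -name "$4" \
            -days 182500 \
            -cert "$2.crt" \
            -keyfile "$2.key" \
            -in cert.req \
            -out cert.crt \
            -outdir . \
            -batch \
            -config "${config}"

        name=$3
    fi

    mv cert.crt "$name.crt"
    mv out.key "$name.key"
}

# Reset the CA database and any stale CApath symlinks from a previous run.
echo "01" > serial
> index.txt
rm -f *.0

gen_cert "/CN=hx509 Test Root CA/C=SE" "root" "ca" "v3_ca"
gen_cert "/CN=OCSP responder/C=SE" "ca" "ocsp-responder" "ocsp"
gen_cert "/CN=Test cert/C=SE" "ca" "test" "usr"
gen_cert "/CN=Revoke cert/C=SE" "ca" "revoke" "usr"
gen_cert "/CN=Test cert KeyEncipherment/C=SE" "ca" "test-ke-only" "usr_ke"
gen_cert "/CN=Test cert DigitalSignature/C=SE" "ca" "test-ds-only" "usr_ds"
gen_cert "/CN=pkinit/C=SE" "ca" "pkinit" "pkinit_client"
# P-256 parameters for the EC pkinit client; "XXX" is the unused $5 slot.
$openssl ecparam -name secp256r1 -out eccurve.pem
gen_cert "/CN=pkinit-ec/C=SE" "ca" "pkinit-ec" "pkinit_client" "XXX" ec:eccurve.pem
gen_cert "/C=SE/CN=pkinit/CN=pkinit-proxy" "pkinit" "proxy" "proxy_cert" pkinit-proxy
gen_cert "/CN=kdc/C=SE" "ca" "kdc" "pkinit_kdc"
gen_cert "/CN=www.test.h5l.se/C=SE" "ca" "https" "https"
gen_cert "/CN=Sub CA/C=SE" "ca" "sub-ca" "subca"
gen_cert "/CN=Test sub cert/C=SE" "sub-ca" "sub-cert" "usr"
# Proxy chains of varying depth; no-proxy-test is signed by an end-entity
# but carries ordinary user extensions, i.e. it must be rejected as a proxy.
gen_cert "/C=SE/CN=Test cert/CN=proxy" "test" "proxy" "proxy_cert" proxy-test
gen_cert "/C=SE/CN=Test cert/CN=proxy/CN=child" "proxy-test" "proxy" "proxy_cert" proxy-level-test
gen_cert "/C=SE/CN=Test cert/CN=no-proxy" "test" "proxy" "usr_cert" no-proxy-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10" "test" "proxy" "proxy10_cert" proxy10-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child" "proxy10-test" "proxy" "proxy10_cert" proxy10-child-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child/CN=child" "proxy10-child-test" "proxy" "proxy10_cert" proxy10-child-child-test


# combine
cat sub-ca.crt ca.crt > sub-ca-combined.crt
# test.combined.crt holds cert AND private key in one file (test input only).
cat test.crt test.key > test.combined.crt
cat pkinit-proxy.crt pkinit.crt > pkinit-proxy-chain.crt

# password protected key
# Fixed, trivial passphrases; the test-suite expects exactly these values.
${openssl} rsa -in test.key -aes256 -passout pass:foobar -out test-pw.key
${openssl} rsa -in pkinit.key -aes256 -passout pass:foo -out pkinit-pw.key


# Mark revoke.crt as revoked in index.txt so the OCSP response and CRL
# generated below report it as such.
${openssl} ca \
    -name usr \
    -cert ca.crt \
    -keyfile ca.key \
    -revoke revoke.crt \
    -config "${config}"

${openssl} pkcs12 \
    -export \
    -in test.crt \
    -inkey test.key \
    -passout pass:foobar \
    -out test.p12 \
    -name "friendlyname-test" \
    -certfile ca.crt \
    -caname ca

${openssl} pkcs12 \
    -export \
    -in sub-cert.crt \
    -inkey sub-cert.key \
    -passout pass:foobar \
    -out sub-cert.p12 \
    -name "friendlyname-sub-cert" \
    -certfile sub-ca-combined.crt \
    -caname sub-ca \
    -caname ca

# PKCS#12 with no encryption on either the key or the certificate bags;
# exercises the parser's plaintext-bag path.
${openssl} pkcs12 \
    -keypbe NONE \
    -certpbe NONE \
    -export \
    -in test.crt \
    -inkey test.key \
    -passout pass:foobar \
    -out test-nopw.p12 \
    -name "friendlyname-cert" \
    -certfile ca.crt \
    -caname ca

# CMS SignedData variants: default digest, without signed attributes,
# without embedded certificates, and with explicit SHA-1/256/512.
${openssl} smime \
    -sign \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -outform DER \
    -out test-signed-data

${openssl} smime \
    -sign \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -noattr \
    -outform DER \
    -out test-signed-data-noattr

${openssl} smime \
    -sign \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -noattr \
    -nocerts \
    -outform DER \
    -out test-signed-data-noattr-nocerts

${openssl} smime \
    -sign \
    -md sha1 \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -outform DER \
    -out test-signed-sha-1

${openssl} smime \
    -sign \
    -md sha256 \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -outform DER \
    -out test-signed-sha-256

${openssl} smime \
    -sign \
    -md sha512 \
    -nodetach \
    -binary \
    -in static-file \
    -signer test.crt \
    -inkey test.key \
    -outform DER \
    -out test-signed-sha-512


# CMS EnvelopedData with a range of content ciphers, including weak legacy
# ones (RC2-40/64, single DES) that exist only to exercise the decoder.
# NOTE(review): RC2 and single DES live in the "legacy" provider on
# OpenSSL 3.x and may fail there unless that provider is loaded.
${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-rc2-40 \
    -rc2-40 \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-rc2-64 \
    -rc2-64 \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-rc2-128 \
    -rc2-128 \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-des \
    -des \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-des-ede3 \
    -des3 \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-aes-128 \
    -aes128 \
    test.crt

${openssl} smime \
    -encrypt \
    -nodetach \
    -binary \
    -in static-file \
    -outform DER \
    -out test-enveloped-aes-256 \
    -aes256 \
    test.crt

echo ocsp requests

# Unsigned OCSP request for test.crt (good).
${openssl} ocsp \
    -issuer ca.crt \
    -cert test.crt \
    -reqout ocsp-req1.der

# Responses are produced from index.txt.  -noverify skips verification of
# the request signature (the requests above are unsigned).  Variants:
# signed by the delegated responder, signed by the CA itself, responder
# cert omitted from the response, and responder identified by key hash.
${openssl} ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -reqin ocsp-req1.der \
    -noverify \
    -respout ocsp-resp1-ocsp.der

${openssl} ocsp \
    -index index.txt \
    -rsigner ca.crt \
    -rkey ca.key \
    -CA ca.crt \
    -reqin ocsp-req1.der \
    -noverify \
    -respout ocsp-resp1-ca.der

${openssl} ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -resp_no_certs \
    -reqin ocsp-req1.der \
    -noverify \
    -respout ocsp-resp1-ocsp-no-cert.der

${openssl} ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -reqin ocsp-req1.der \
    -resp_key_id \
    -noverify \
    -respout ocsp-resp1-keyhash.der

# Request/response for the revoked certificate.
${openssl} ocsp \
    -issuer ca.crt \
    -cert revoke.crt \
    -reqout ocsp-req2.der

${openssl} ocsp \
    -index index.txt \
    -rsigner ocsp-responder.crt \
    -rkey ocsp-responder.key \
    -CA ca.crt \
    -reqin ocsp-req2.der \
    -noverify \
    -respout ocsp-resp2.der

# CRL listing revoke.crt, valid for 3600 days, in PEM and DER.
${openssl} ca \
    -gencrl \
    -name usr \
    -crldays 3600 \
    -keyfile ca.key \
    -cert ca.crt \
    -crl_reason superseded \
    -out crl1.crl \
    -config "${config}"

${openssl} crl -in crl1.crl -outform der -out crl1.der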