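#!/bin/sh
#
# mkcerts.sh - build the demo PKI used by the OpenSSL demos: a root CA, an
# intermediate CA, server / client / revoked / OCSP-responder end-entity
# certificates, two DH certificates and two CRLs.
#
# Every key is written unencrypted (-nodes) and the root key is stored in
# the same file as the root certificate (root.pem), so the output is demo
# material only.  The freshly built binary and config from ../../apps are
# used; the extension sections named below (v3_ca, usr_cert, ocsp_cert,
# dh_cert) and the CN taken from the environment are expected to come
# from ca.cnf in the current directory.
#
# Optional environment overrides.  The defaults are the historical demo
# values and are below current guidance for anything but a demo:
#   EE_KEYBITS  RSA size for end-entity keys         (default 1024)
#   DH_BITS     DH parameter prime length            (default 1024)
#   CRL_MD      digest used by the 'openssl ca' steps (default sha1)

# Stop at the first failing openssl step rather than continuing and
# producing a half-built, inconsistent set of files.
set -e

OPENSSL=../../apps/openssl
OPENSSL_CONF=../../apps/openssl.cnf
export OPENSSL_CONF

EE_KEYBITS=${EE_KEYBITS:-1024}
DH_BITS=${DH_BITS:-1024}
CRL_MD=${CRL_MD:-sha1}

# Root CA: self-signed certificate created directly.  Key and certificate
# both go to root.pem; the 'ca' steps below rely on that layout.
CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes \
  -keyout root.pem -out root.pem -newkey rsa:2048 -days 3650

# Intermediate CA: request first ...
CN="Test Intermediate CA" $OPENSSL req -config ca.cnf -nodes \
  -keyout intkey.pem -out intreq.pem -newkey rsa:2048
# ... then sign it with the root using the CA extension section.
$OPENSSL x509 -req -in intreq.pem -CA root.pem -days 3600 \
  -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem

# Server certificate: request, then sign with the intermediate CA using
# the end-entity extension section.
CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \
  -keyout skey.pem -out req.pem -newkey "rsa:$EE_KEYBITS"
$OPENSSL x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
  -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem

# Client certificate: same procedure, intermediate CA.
CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \
  -keyout ckey.pem -out creq.pem -newkey "rsa:$EE_KEYBITS"
$OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
  -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem

# Certificate that is revoked in the CRL section below.
CN="Test Revoked Cert" $OPENSSL req -config ca.cnf -nodes \
  -keyout revkey.pem -out rreq.pem -newkey "rsa:$EE_KEYBITS"
$OPENSSL x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
  -extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem

# OCSP responder certificate: signed by the intermediate CA with the
# responder extension section.
CN="Test OCSP Responder Cert" $OPENSSL req -config ca.cnf -nodes \
  -keyout respkey.pem -out respreq.pem -newkey "rsa:$EE_KEYBITS"
$OPENSSL x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
  -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem

# Example creating a PKCS#3 DH certificate.

# DH parameters are expensive to generate, so reuse an existing dhp.pem.
[ -f dhp.pem ] || $OPENSSL genpkey -genparam -algorithm DH \
  -pkeyopt "dh_paramgen_prime_len:$DH_BITS" -out dhp.pem

# DH private key and the matching public key file.
$OPENSSL genpkey -paramfile dhp.pem -out dhskey.pem
$OPENSSL pkey -in dhskey.pem -pubout -out dhspub.pem
# The request just reuses the server RSA key: a DH key cannot sign a
# request, and the request's key is replaced by -force_pubkey when the
# certificate is issued.
CN="Test Server DH Cert" $OPENSSL req -config ca.cnf -new \
  -key skey.pem -out dhsreq.pem
# Sign with the root, substituting the DH public key and the DH end-entity
# extension section.
$OPENSSL x509 -req -in dhsreq.pem -CA root.pem -days 3600 \
  -force_pubkey dhspub.pem \
  -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem

# DH client certificate: same procedure.
$OPENSSL genpkey -paramfile dhp.pem -out dhckey.pem
$OPENSSL pkey -in dhckey.pem -pubout -out dhcpub.pem
CN="Test Client DH Cert" $OPENSSL req -config ca.cnf -new \
  -key skey.pem -out dhcreq.pem
$OPENSSL x509 -req -in dhcreq.pem -CA root.pem -days 3600 \
  -force_pubkey dhcpub.pem \
  -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem

# Examples of CRL generation without the need to use 'ca' to issue
# certificates: the already-issued certs are registered in a fresh
# database with 'ca -valid', then revoked / listed from there.

# Empty index (database) file and initial CRL number.
: >index.txt
echo 01 >crlnum.txt

# Add entries for the server, client and to-be-revoked certs.
for cert in server.pem client.pem rev.pem; do
  $OPENSSL ca -valid "$cert" -keyfile root.pem -cert root.pem \
    -config ca.cnf -md "$CRL_MD"
done

# First CRL: nothing revoked yet.
$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
  -md "$CRL_MD" -crldays 1 -out crl1.pem

# Revoke one certificate.  This must run the same freshly built binary as
# every other step ($OPENSSL), not whatever 'openssl' is on $PATH.
$OPENSSL ca -revoke rev.pem -crl_reason superseded \
  -keyfile root.pem -cert root.pem -config ca.cnf -md "$CRL_MD"

# Second CRL now lists the revoked certificate.
$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
  -md "$CRL_MD" -crldays 1 -out crl2.pem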