#!/usr/bin/env bash
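#######################################
# Create a self-signed RSA test CA plus the `openssl ca` config used
# later to issue leaf certificates from it.
# Arguments: $1 - directory to create for the CA state
# Outputs:   $1/ca.key (unencrypted), $1/ca.crt, $1/ca.crt.der,
#            $1/rsaca.conf and the empty `openssl ca` database files
# Returns:   non-zero if any directory, key or certificate step fails
#######################################
create_rsa_ca() {
  local dir="$1"
  echo "Creating RSA CA"
  # mkdir -p creates ${dir} as well, so no separate mkdir is needed.
  mkdir -p "${dir}/ca.db.certs" || return 1
  touch "${dir}/ca.db.index" || return 1
  echo "01" > "${dir}/ca.db.serial" || return 1
  # -nodes stores the CA private key unencrypted. Acceptable only because
  # this is a throwaway test CA; do not copy this pattern for a real one.
  # No -config is passed here and rsaca.conf is written afterwards, so the
  # [v3_ca] section below plays no part in this self-signed certificate;
  # its CA extensions come from the default openssl.cnf.
  openssl req -x509 \
    -newkey rsa:2048 -keyout "${dir}/ca.key" -nodes \
    -days 3650 -out "${dir}/ca.crt" \
    -subj '/CN=Testing-RSA-CA' || return 1
  openssl x509 -in "${dir}/ca.crt" \
    -outform der -out "${dir}/ca.crt.der" || return 1
  # Config for `openssl ca`. `dir` is relative, so signing must be run from
  # the directory that contains ${dir}. \$dir is left for openssl to expand;
  # ${dir} is expanded by the shell now.
  cat <<_EOF_ > "${dir}/rsaca.conf"
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = ./${dir}
certs = \$dir
new_certs_dir = \$dir/ca.db.certs
database = \$dir/ca.db.index
serial = \$dir/ca.db.serial
RANDFILE = \$dir/ca.db.rand
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_days = 365
default_crl_days = 30
default_md = sha384
preserve = no
policy = generic_policy
x509_extensions = usr_cert
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[req]
x509_extensions = v3_req
distinguished_name = dn
[dn]
[v3_req]
#subjectKeyIdentifier = hash
#authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:false
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
_EOF_
}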
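#######################################
# Create a self-signed ECDSA (P-256) test CA plus the `openssl ca` config
# used later to issue leaf certificates from it.
# Arguments: $1 - directory to create for the CA state
# Outputs:   $1/ca.key (unencrypted), $1/ca.crt, $1/ca.crt.der,
#            $1/ecdsaca.conf and the empty `openssl ca` database files
# Returns:   non-zero if any directory, key or certificate step fails
#######################################
create_ecdsa_ca() {
  local dir="$1"
  echo "Creating ECDSA CA"
  mkdir -p "${dir}/ca.db.certs" || return 1
  touch "${dir}/ca.db.index" || return 1
  echo "01" > "${dir}/ca.db.serial" || return 1
  # -nodes stores the CA private key unencrypted. Acceptable only because
  # this is a throwaway test CA; do not copy this pattern for a real one.
  # No -config is passed here and ecdsaca.conf is written afterwards, so the
  # [v3_ca] section below plays no part in this self-signed certificate;
  # its CA extensions come from the default openssl.cnf.
  openssl req -x509 \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -keyout "${dir}/ca.key" -nodes \
    -days 3650 -out "${dir}/ca.crt" \
    -subj '/CN=Testing-ECDSA-CA' || return 1
  openssl x509 -in "${dir}/ca.crt" \
    -outform der -out "${dir}/ca.crt.der" || return 1
  # Config for `openssl ca`. `dir` is relative, so signing must be run from
  # the directory that contains ${dir}. \$dir is left for openssl to expand;
  # ${dir} is expanded by the shell now.
  # default_md was sha1: SHA-1 certificate signatures are refused by many
  # current verifiers (OpenSSL 3 at security level 1, Go, Java), so leaf
  # certificates issued by this CA would fail to validate. sha256 matches
  # the P-256 curve; the RSA CA uses sha384.
  cat <<_EOF_ > "${dir}/ecdsaca.conf"
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = ./${dir}
certs = \$dir
new_certs_dir = \$dir/ca.db.certs
database = \$dir/ca.db.index
serial = \$dir/ca.db.serial
RANDFILE = \$dir/ca.db.rand
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_days = 365
default_crl_days = 30
default_md = sha256
preserve = no
policy = generic_policy
x509_extensions = usr_cert
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[req]
x509_extensions = v3_req
distinguished_name = dn
[dn]
[v3_req]
#subjectKeyIdentifier = hash
#authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:false
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
_EOF_
}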
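# Fail fast from here on. Every artifact below is guarded by "regenerate only
# if the file is missing", so a half-written key or certificate left behind by
# a failed step would otherwise be silently reused on the next run.
set -euo pipefail

#######################################
# Request and issue one leaf certificate from a test CA created above.
# Arguments: $1 - CA directory (must contain ca.crt)
#            $2 - `openssl ca` config written by create_*_ca
#            $3 - PEM private key to certify
#            $4 - CSR file to write (overwritten if it already exists)
#            $5 - subject common name
#            $6 - output basename: writes $6.pem and $6.crt.der
# Outputs:   the CSR, the PEM certificate and its DER copy in the cwd
# Returns:   non-zero (aborting the script) if any step, including the
#            final chain verification, fails
#######################################
issue_cert() {
  local ca_dir="$1" ca_conf="$2" key="$3" csr="$4" cn="$5" out="$6"
  openssl req -new -config "${ca_conf}" \
    -key "${key}" -out "${csr}" \
    -subj "/CN=${cn}" \
    -reqexts v3_req
  # No -batch, so `openssl ca` prompts for confirmation exactly as before.
  # The issued extensions come from the CA config's usr_cert section
  # (CA:FALSE, clientAuth), not from the CSR's v3_req.
  openssl ca -config "${ca_conf}" \
    -out "${out}.pem" -infiles "${csr}"
  openssl x509 -in "${out}.pem" -outform der -out "${out}.crt.der"
  # Previously the verify result was printed and ignored; under set -e a
  # certificate that does not chain to its CA now stops the script.
  openssl verify -verbose -CAfile "${ca_dir}/ca.crt" "${out}.pem"
}

dir=rsa-ca
if [[ ! -d "${dir}" ]]; then
  create_rsa_ca "${dir}"
fi
dir=ecdsa-ca
if [[ ! -d "${dir}" ]]; then
  create_ecdsa_ca "${dir}"
fi

# NOTE: keys and certificates are regenerated independently. Deleting
# eckey.pem or rsakey.pem without the matching *-ecdsa/*-rsa certificates
# leaves certificates that no longer match the key; remove them together.
if [[ ! -f eckey.pem ]]; then
  echo "Creating EC key"
  openssl ecparam -name prime256v1 -genkey -noout -out eckey.pem
  openssl ec -in eckey.pem -pubout -out eckeypub.pem
fi

# CSR file names follow the issuing CA (myreq-eckey.pem for the ECDSA CA,
# myreq-rsakey.pem for the RSA CA), not the key being certified, and are
# overwritten by each request; kept as-is so existing artifacts do not move.
if [[ ! -f eckey-ecdsa.crt.der ]]; then
  echo "Using ECDSA CA to sign EC key"
  issue_cert ecdsa-ca ecdsa-ca/ecdsaca.conf eckey.pem myreq-eckey.pem \
    ecdsa-ca-signed-ec-key eckey-ecdsa
fi
if [[ ! -f eckey-rsa.crt.der ]]; then
  echo "Using RSA CA to sign EC key"
  issue_cert rsa-ca rsa-ca/rsaca.conf eckey.pem myreq-rsakey.pem \
    rsa-ca-signed-ec-key eckey-rsa
fi

if [[ ! -f rsakey.pem ]]; then
  echo "Creating RSA key"
  # Explicit key size: OpenSSL before 1.1.0 defaulted genrsa to 1024 bits,
  # which current verifiers reject. 2048 is the modern default, so this is
  # a no-op on recent versions.
  openssl genrsa -out rsakey.pem 2048
  openssl rsa -in rsakey.pem -pubout -out rsakeypub.pem
fi
if [[ ! -f rsakey-ecdsa.crt.der ]]; then
  echo "Using ECDSA CA to sign RSA key"
  issue_cert ecdsa-ca ecdsa-ca/ecdsaca.conf rsakey.pem myreq-eckey.pem \
    ecdsa-ca-signed-rsa-key rsakey-ecdsa
fi
if [[ ! -f rsakey-rsa.crt.der ]]; then
  echo "Using RSA CA to sign RSA key"
  issue_cert rsa-ca rsa-ca/rsaca.conf rsakey.pem myreq-rsakey.pem \
    rsa-ca-signed-rsa-key rsakey-rsa
fi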