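#!/bin/sh
#
# Build the throwaway test PKI used by the demos: a root CA, an
# intermediate CA, server / client / to-be-revoked / OCSP responder
# end-entity certificates, two DH certificates and two CRLs (one before
# and one after a revocation).  Everything is written into the current
# directory; the 'ca.cnf' found there supplies the request fields and
# the extension sections referenced below (v3_ca, usr_cert, ocsp_cert,
# dh_cert) as well as the 'ca' database settings.
#
# All private keys are written unencrypted (-nodes / no passphrase) so
# the script can run unattended.  They are test material only.

# Every later step signs with a key or certificate produced by an
# earlier one, so stop at the first failure instead of cascading into
# misleading errors or half-built output.
set -e

OPENSSL=../../apps/openssl
OPENSSL_CONF=../../apps/openssl.cnf
export OPENSSL_CONF

# Digest used when signing the CRLs.  SHA-1 is deprecated for signatures
# (OpenSSL 3.x already refuses SHA-1 signed certificates at its default
# security level), so use SHA-256.
DIGEST=sha256
# Size of the end-entity RSA keys.  1024-bit RSA is below the strength
# required at security level 2, which several distributions ship as the
# default, and such certificates are rejected there.
EE_KEYBITS=2048

# Root CA: self-signed certificate created directly (key and cert in
# the same file, root.pem).
CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes \
    -keyout root.pem -out root.pem -newkey rsa:2048 -days 3650
# Intermediate CA: request first
CN="Test Intermediate CA" $OPENSSL req -config ca.cnf -nodes \
    -keyout intkey.pem -out intreq.pem -newkey rsa:2048
# Sign request: CA extensions.  No -CAkey: root.pem holds key and cert.
$OPENSSL x509 -req -in intreq.pem -CA root.pem -days 3600 \
    -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem

# Server certificate: create request first
CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \
    -keyout skey.pem -out req.pem -newkey rsa:$EE_KEYBITS
# Sign request: end entity extensions
$OPENSSL x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
    -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem

# Client certificate: request first
CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \
    -keyout ckey.pem -out creq.pem -newkey rsa:$EE_KEYBITS
# Sign using intermediate CA
$OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
    -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem

# Revoked certificate: request first (it is revoked in the CRL section
# below)
CN="Test Revoked Cert" $OPENSSL req -config ca.cnf -nodes \
    -keyout revkey.pem -out rreq.pem -newkey rsa:$EE_KEYBITS
# Sign using intermediate CA
$OPENSSL x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
    -extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem

# OCSP responder certificate: request first
CN="Test OCSP Responder Cert" $OPENSSL req -config ca.cnf -nodes \
    -keyout respkey.pem -out respreq.pem -newkey rsa:$EE_KEYBITS
# Sign using intermediate CA and responder extensions
$OPENSSL x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
    -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem

# Example creating a PKCS#3 DH certificate.

# First DH parameters.  Generating 2048-bit parameters is slow, so an
# existing dhp.pem is reused rather than regenerated on every run.
[ -f dhp.pem ] || $OPENSSL genpkey -genparam -algorithm DH \
    -pkeyopt dh_paramgen_prime_len:2048 -out dhp.pem

# Now a DH private key
$OPENSSL genpkey -paramfile dhp.pem -out dhskey.pem
# Create DH public key file
$OPENSSL pkey -in dhskey.pem -pubout -out dhspub.pem
# Certificate request.  A DH key cannot sign a CSR, so the server RSA
# key is reused only to self-sign the request; the key inside the CSR
# is ignored because -force_pubkey below puts the DH public key into
# the certificate instead.
CN="Test Server DH Cert" $OPENSSL req -config ca.cnf -new \
    -key skey.pem -out dhsreq.pem
# Sign request: end entity DH extensions
$OPENSSL x509 -req -in dhsreq.pem -CA root.pem -days 3600 \
    -force_pubkey dhspub.pem \
    -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem

# DH client certificate, built the same way as the DH server certificate

$OPENSSL genpkey -paramfile dhp.pem -out dhckey.pem
$OPENSSL pkey -in dhckey.pem -pubout -out dhcpub.pem
CN="Test Client DH Cert" $OPENSSL req -config ca.cnf -new \
    -key skey.pem -out dhcreq.pem
$OPENSSL x509 -req -in dhcreq.pem -CA root.pem -days 3600 \
    -force_pubkey dhcpub.pem \
    -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem

# Examples of CRL generation without the need to use 'ca' to issue
# certificates.
# Create zero length index file (the 'ca' database; reset on every run)
>index.txt
# Create initial crl number file
echo 01 >crlnum.txt
# Add entries for server and client certs: -valid records an existing
# certificate in the database as valid without issuing it.
$OPENSSL ca -valid server.pem -keyfile root.pem -cert root.pem \
    -config ca.cnf -md $DIGEST
$OPENSSL ca -valid client.pem -keyfile root.pem -cert root.pem \
    -config ca.cnf -md $DIGEST
$OPENSSL ca -valid rev.pem -keyfile root.pem -cert root.pem \
    -config ca.cnf -md $DIGEST
# Generate a CRL (no revocations yet).
$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
    -md $DIGEST -crldays 1 -out crl1.pem
# Revoke a certificate.  Use $OPENSSL, not a bare 'openssl', so the
# same build as every other step is used rather than whatever happens
# to be first on PATH.
$OPENSSL ca -revoke rev.pem -crl_reason superseded \
    -keyfile root.pem -cert root.pem -config ca.cnf -md $DIGEST
# Generate another CRL, this one listing rev.pem
$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
    -md $DIGEST -crldays 1 -out crl2.pem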