xref: /freebsd/crypto/openssl/demos/certs/mkcerts.sh (revision 6580f5c38dd5b01aeeaed16b370f1a12423437f0)
1#!/bin/sh
2
3OPENSSL=../../apps/openssl
4OPENSSL_CONF=../../apps/openssl.cnf
5export OPENSSL_CONF
6
7# Root CA: create certificate directly
8CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes \
9	-keyout root.pem -out root.pem -newkey rsa:2048 -days 3650
10# Intermediate CA: request first
11CN="Test Intermediate CA" $OPENSSL req -config ca.cnf -nodes \
12	-keyout intkey.pem -out intreq.pem -newkey rsa:2048
13# Sign request: CA extensions
14$OPENSSL x509 -req -in intreq.pem -CA root.pem -days 3600 \
15	-extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem
16
17# Server certificate: create request first
18CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \
19	-keyout skey.pem -out req.pem -newkey rsa:1024
20# Sign request: end entity extensions
21$OPENSSL x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
22	-extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem
23
24# Client certificate: request first
25CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \
26	-keyout ckey.pem -out creq.pem -newkey rsa:1024
27# Sign using intermediate CA
28$OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
29	-extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem
30
31# Revoked certificate: request first
32CN="Test Revoked Cert" $OPENSSL req -config ca.cnf -nodes \
33	-keyout revkey.pem -out rreq.pem -newkey rsa:1024
34# Sign using intermediate CA
35$OPENSSL x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
36	-extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem
37
38# OCSP responder certificate: request first
39CN="Test OCSP Responder Cert" $OPENSSL req -config ca.cnf -nodes \
40	-keyout respkey.pem -out respreq.pem -newkey rsa:1024
41# Sign using intermediate CA and responder extensions
42$OPENSSL x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
43	-extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem
44
45# Example creating a PKCS#3 DH certificate.
46
47# First DH parameters
48
49[ -f dhp.pem ] || $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem
50
51# Now a DH private key
52$OPENSSL genpkey -paramfile dhp.pem -out dhskey.pem
53# Create DH public key file
54$OPENSSL pkey -in dhskey.pem -pubout -out dhspub.pem
55# Certificate request, key just reuses old one as it is ignored when the
56# request is signed.
57CN="Test Server DH Cert" $OPENSSL req -config ca.cnf -new \
58	-key skey.pem -out dhsreq.pem
59# Sign request: end entity DH extensions
60$OPENSSL x509 -req -in dhsreq.pem -CA root.pem -days 3600 \
61	-force_pubkey dhspub.pem \
62	-extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem
63
64# DH client certificate
65
66$OPENSSL genpkey -paramfile dhp.pem -out dhckey.pem
67$OPENSSL pkey -in dhckey.pem -pubout -out dhcpub.pem
68CN="Test Client DH Cert" $OPENSSL req -config ca.cnf -new \
69	-key skey.pem -out dhcreq.pem
70$OPENSSL x509 -req -in dhcreq.pem -CA root.pem -days 3600 \
71	-force_pubkey dhcpub.pem \
72	-extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem
73
74# Examples of CRL generation without the need to use 'ca' to issue
75# certificates.
76# Create zero length index file
77>index.txt
78# Create initial crl number file
79echo 01 >crlnum.txt
80# Add entries for server and client certs
81$OPENSSL ca -valid server.pem -keyfile root.pem -cert root.pem \
82		-config ca.cnf -md sha1
83$OPENSSL ca -valid client.pem -keyfile root.pem -cert root.pem \
84		-config ca.cnf -md sha1
85$OPENSSL ca -valid rev.pem -keyfile root.pem -cert root.pem \
86		-config ca.cnf -md sha1
87# Generate a CRL.
88$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
89		-md sha1 -crldays 1 -out crl1.pem
90# Revoke a certificate
91openssl ca -revoke rev.pem -crl_reason superseded \
92		-keyfile root.pem -cert root.pem -config ca.cnf -md sha1
93# Generate another CRL
94$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
95		-md sha1 -crldays 1 -out crl2.pem
96
97