xref: /freebsd/crypto/openssl/test/ocsp-tests/mk-ocsp-cert-chain.sh (revision e7be843b4a162e68651d3911f0357ed464915629)
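#!/bin/sh

# Run the openssl binary of the surrounding build tree.
#
# Both the binary (../../apps/openssl) and its libraries (LD_LIBRARY_PATH=../..)
# are addressed relative to the current directory, so the script has to be
# started from a directory two levels below the build root. From any other
# directory the call either fails or executes whatever sits at that relative
# location.
#
# Arguments: passed through to openssl one-for-one. "$@" is quoted so an
#            argument containing whitespace or glob characters is not split
#            or expanded on its way to the tool.
# Returns:   the exit status of openssl.
opensslcmd() {
    LD_LIBRARY_PATH=../.. ../../apps/openssl "$@"
}
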
# Print the version of the openssl build that generates the fixtures, so the
# output records which binary produced them.
opensslcmd version

printf '%s\n' "Creating private keys and certs..."

#####

# Root CA private key: EC on secp521r1, stored with named-curve encoding.
# No cipher option is passed, so the PEM is written without passphrase
# protection; the key is a test fixture and nothing else should trust it.
opensslcmd genpkey -algorithm EC \
    -pkeyopt ec_paramgen_curve:secp521r1 -pkeyopt ec_param_enc:named_curve \
    -out root-key.pem

# Root CA certificate: self-signed with root-key.pem, valid for 3650 days.
# Which extensions it carries is decided by ca.cnf (not part of this script).
opensslcmd req -config ca.cnf -x509 -days 3650 \
    -key root-key.pem -subj /CN=TestRootCA \
    -out root-cert.pem
#####

# Intermediate CA private key: EC on secp384r1, named-curve encoding,
# written without passphrase protection (test fixture).
opensslcmd genpkey -algorithm EC \
    -pkeyopt ec_paramgen_curve:secp384r1 -pkeyopt ec_param_enc:named_curve \
    -out intermediate-key.pem

# Certificate-signing request for the intermediate CA.
opensslcmd req -config ca.cnf -new \
    -key intermediate-key.pem -subj /CN=TestIntermediateCA \
    -out intermediate-csr.pem

# Intermediate CA certificate: issued from the CSR by the root CA, valid for
# 1825 days.
# -copy_extensions copyall carries every extension found in the CSR into the
# certificate. That is fine here because this script authors the CSR itself;
# a CA signing requests from other parties would normally filter what it
# copies, since the requester otherwise chooses the certificate's extensions.
# NOTE(review): whether the result is marked as a CA depends on ca.cnf, which
# is not visible from this script.
opensslcmd req -config ca.cnf -x509 -days 1825 \
    -CA root-cert.pem -CAkey root-key.pem \
    -in intermediate-csr.pem -copy_extensions copyall \
    -out intermediate-cert.pem
#####

# Server private key: EC on prime256v1, named-curve encoding, written without
# passphrase protection (test fixture).
opensslcmd genpkey -algorithm EC \
    -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt ec_param_enc:named_curve \
    -out server-key.pem

# Certificate-signing request for the server, using the usr_cert extension
# section of ca.cnf. The subject is /CN=TestServerCA even though this is the
# end-entity certificate of the chain.
opensslcmd req -config ca.cnf -extensions usr_cert -new \
    -key server-key.pem -subj /CN=TestServerCA \
    -out server-csr.pem

# Server certificate: issued from the CSR by the intermediate CA, valid for
# 365 days. As with the intermediate, copyall takes over every extension the
# CSR contains, which is only appropriate because the CSR is generated above.
opensslcmd req -config ca.cnf -extensions usr_cert -x509 -days 365 \
    -CA intermediate-cert.pem -CAkey intermediate-key.pem \
    -in server-csr.pem -copy_extensions copyall \
    -out server-cert.pem
#####

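# Rebuild the CA database from scratch: drop any previous index and its
# attribute file, then create an empty index.txt.
# ':' with a redirection truncates the file in every POSIX shell. 'echo -n'
# is not portable under /bin/sh: a shell whose echo does not treat -n as an
# option would write the text "-n" into the database file.
rm -f index.txt index.txt.attr
: > index.txt

# Record the server certificate in the database as valid (not revoked),
# using the intermediate CA's key and certificate.
# NOTE(review): presumably this index is what the OCSP tests answer status
# queries from; confirm against the test that consumes it.
opensslcmd ca -config ca.cnf -valid server-cert.pem \
    -keyfile intermediate-key.pem -cert intermediate-cert.pem

# Remove the index.txt.old left next to the updated index.
rm -f index.txt.old
#####
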
# Bundle the generated material:
#   server.pem = server certificate + server private key + intermediate cert
#   ocsp.pem   = intermediate certificate + intermediate private key
# Both bundles contain an unencrypted private key, and because they are
# created through shell redirection their permissions come from the current
# umask. Keep them confined to the test tree.
cat server-cert.pem server-key.pem intermediate-cert.pem >server.pem
cat intermediate-cert.pem intermediate-key.pem >ocsp.pem

printf '%s\n' "Done."