FCL/sf/mw/securitysrv: pkiutilities/ocsp/test/server/OpenSSL/generateCerts.sh@164170e6151a (annotated)

0 164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	1	#!/bin/sh
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	2
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	3	# Generate certs for testing OCSP against OpenSSL implementation
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	4	#
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	5	# There are two CAs:
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	6	# ca1 signs a responder cert which signs responses
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	7	# ca2 signs responses with its ca cert
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	8
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	9	# Trash existing data
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	10	rm -rf ca1 ca2 certs tmp
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	11	mkdir ca1 ca2 certs tmp
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	12
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	13	# ca1 ##########################################################################
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	14
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	15	# RSA keys, CA signed responder cert signed responses
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	16
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	17	# Create ca files
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	18	touch ca1/index.txt
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	19	echo "01" > ca1/serial
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	20	mkdir ca1/private
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	21	mkdir ca1/certs
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	22
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	23	# Generate root cert
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	24	openssl req -x509 -newkey rsa:1024 -keyout ca1/private/cakey.pem -out ca1/cacert.pem -subj "/O=Symbian/CN=CA Root Cert" -days 3650 -nodes
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	25	openssl x509 -in ca1/cacert.pem -outform DER -out certs/ca1-root.der
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	26
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	27	# Generate ocsp responder cert
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	28	openssl req -newkey rsa:1024 -keyout ca1/private/reskey.pem -out tmp/req.pem -subj "/O=Symbian/CN=CA OCSP Responder" -days 3650 -nodes
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	29	openssl ca -config openssl.config -name ca1 -in tmp/req.pem -batch -days 3650
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	30	openssl x509 -in ca1/certs/01.pem -outform DER -out certs/ca1-responder.der
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	31
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	32	# Generate entity cert 1
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	33	openssl req -newkey rsa:1024 -keyout tmp/key.pem -out tmp/req.pem -subj "/O=Symbian/CN=Entity Cert 1 (Good)" -days 3650 -nodes
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	34	openssl ca -config openssl.config -name ca1 -in tmp/req.pem -batch -days 3650
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	35	openssl x509 -in ca1/certs/02.pem -outform DER -out certs/ca1-entity1.der
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	36
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	37	# Generate entity cert 2 and revoke it
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	38	openssl req -newkey rsa:1024 -keyout tmp/key.pem -out tmp/req.pem -subj "/O=Symbian/CN=Entity Cert 2 (Revoked)" -days 3650 -nodes
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	39	openssl ca -config openssl.config -name ca1 -in tmp/req.pem -batch -days 3650
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	40	openssl x509 -in ca1/certs/03.pem -outform DER -out certs/ca1-entity2.der
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	41	openssl ca -config openssl.config -name ca1 -revoke ca1/certs/03.pem -crl_reason keyCompromise
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	42
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	43	# Generate entity cert 3 and then remove it from the ca
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	44	openssl req -newkey rsa:1024 -keyout tmp/key.pem -out tmp/req.pem -subj "/O=Symbian/CN=Entity Cert 3 (Unknown)" -days 3650 -nodes
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	45	openssl ca -config openssl.config -name ca1 -in tmp/req.pem -batch -days 3650
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	46	openssl x509 -in ca1/certs/04.pem -outform DER -out certs/ca1-entity3.der
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	47	mv ca1/index.txt tmp
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	48	head -3 tmp/index.txt > ca1/index.txt
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	49	rm ca1/certs/04.pem
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	50
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	51	# ca2 ##########################################################################
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	52
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	53	# DSA keys, CA cert signs responses
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	54
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	55	# Create ca files
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	56	touch ca2/index.txt
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	57	echo "01" > ca2/serial
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	58	mkdir ca2/private
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	59	mkdir ca2/certs
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	60
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	61	# Generate root cert
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	62	openssl req -x509 -newkey rsa:1024 -keyout ca2/private/cakey.pem -out ca2/cacert.pem -subj "/O=Symbian/CN=CA Root Cert" -days 3650 -nodes
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	63	openssl x509 -in ca2/cacert.pem -outform DER -out certs/ca2-root.der
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	64
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	65	# Generate entity cert 1
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	66	openssl req -newkey rsa:1024 -keyout tmp/key.pem -out tmp/req.pem -subj "/O=Symbian/CN=Entity Cert 1 (Good)" -days 3650 -nodes
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	67	openssl ca -config openssl.config -name ca2 -in tmp/req.pem -batch -days 3650
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	68	openssl x509 -in ca2/certs/01.pem -outform DER -out certs/ca2-entity1.der
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	69
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	70	# Generate entity cert 2 and revoke it
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	71	openssl req -newkey rsa:1024 -keyout tmp/key.pem -out tmp/req.pem -subj "/O=Symbian/CN=Entity Cert 2 (Revoked)" -days 3650 -nodes
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	72	openssl ca -config openssl.config -name ca2 -in tmp/req.pem -batch -days 3650
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	73	openssl x509 -in ca2/certs/02.pem -outform DER -out certs/ca2-entity2.der
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	74	openssl ca -config openssl.config -name ca2 -revoke ca2/certs/02.pem -crl_reason keyCompromise
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	75
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	76	# Generate entity cert 3 and then remove it from the ca
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	77	openssl req -newkey rsa:1024 -keyout tmp/key.pem -out tmp/req.pem -subj "/O=Symbian/CN=Entity Cert 3 (Unknown)" -days 3650 -nodes
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	78	openssl ca -config openssl.config -name ca2 -in tmp/req.pem -batch -days 3650
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	79	openssl x509 -in ca2/certs/03.pem -outform DER -out certs/ca2-entity3.der
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	80	mv ca2/index.txt tmp
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	81	head -2 tmp/index.txt > ca2/index.txt
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	82	rm ca2/certs/03.pem
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	83
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	84	# To use DSA instead of RSA, first generate DSA parameters:
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	85	# openssl dsaparam -out tmp/dsaparam.pem 1024
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	86	# And use this in the newkey options
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	87	# openssl req -x509 -newkey dsa:tmp/dsaparam.pem ...
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	88
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	89	# Tidy
164170e6151a Revision: 201004 Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com> parents: diff changeset	90	rm -rf tmp

author	Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
	Tue, 26 Jan 2010 15:20:08 +0200
changeset 0	164170e6151a
permissions	-rw-r--r--