|
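#!/bin/sh

# Generate certs for testing OCSP against OpenSSL implementation
#
# There are two CAs:
# ca1 signs a responder cert which signs responses
# ca2 signs responses with its ca cert
#
# Run from the directory containing openssl.config, which must provide the
# [ca1] and [ca2] sections selected via `openssl ca -name`. Output layout:
#   ca1/, ca2/   CA state (index.txt, serial, private/, certs/)
#   certs/       DER copies of every cert the tests consume
#   tmp/         scratch space, removed at the end
#
# TEST FIXTURES ONLY: private keys are written unencrypted (-nodes) and the
# default key size is 1024-bit RSA, well below current minimums. Nothing
# generated here is suitable for use outside the test suite.
#
# NOTE(review): both roots use the identical subject "/O=Symbian/CN=CA Root
# Cert". That is preserved here because the existing tests may rely on it, but
# two distinct trust anchors with the same DN can confuse issuer lookups;
# confirm the tests really want this before relying on it.

# Stop at the first failed command or unset variable. Without this a failed
# `openssl ca` run goes unnoticed and the following x509/revoke/index-trim
# steps operate on certs that were never issued, producing a silently broken
# fixture set. -eu is the portable subset; pipefail is not in every /bin/sh.
set -eu

# Key size for every key generated below. The default keeps the historical
# 1024-bit fixtures; override (e.g. KEYBITS=2048) to regenerate with a
# modern size without editing the script.
KEYBITS="${KEYBITS:-1024}"

# Sanity-check the environment BEFORE the destructive rm -rf below: openssl
# must be on PATH and we must be in the directory holding the CA config,
# otherwise we would wipe ca1/ca2/certs/tmp in the wrong place and then fail.
command -v openssl >/dev/null 2>&1 || { echo "error: openssl not found in PATH" >&2; exit 1; }
[ -f openssl.config ] || { echo "error: openssl.config not found in $(pwd); run from the directory that contains it" >&2; exit 1; }

# Trash existing data
rm -rf ca1 ca2 certs tmp
mkdir ca1 ca2 certs tmp

# init_ca CA
# Create the empty database, serial counter and directories that `openssl ca`
# expects for CA.
init_ca() {
  touch "$1/index.txt"
  echo "01" > "$1/serial"
  mkdir "$1/private" "$1/certs"
}

# make_root CA OUTNAME
# Generate a self-signed 10-year root for CA (key in CA/private/cakey.pem,
# PEM cert in CA/cacert.pem) and export the cert as certs/OUTNAME.der.
make_root() {
  openssl req -x509 -newkey "rsa:$KEYBITS" -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" -subj "/O=Symbian/CN=CA Root Cert" -days 3650 -nodes
  openssl x509 -in "$1/cacert.pem" -outform DER -out "certs/$2.der"
}

# issue_cert CA SERIAL SUBJECT OUTNAME [KEYFILE]
# Create an RSA key + CSR for SUBJECT, have CA sign it using openssl.config,
# and export the issued cert CA/certs/SERIAL.pem to certs/OUTNAME.der.
# The key goes to KEYFILE (default tmp/key.pem, i.e. discarded at the end --
# the OCSP tests need only the entity certs, not their keys).
# SERIAL must be the next value in CA/serial; the config is assumed to place
# newly issued certs in CA/certs (not visible here -- check openssl.config if
# the x509 step cannot find the file).
issue_cert() {
  ic_ca=$1
  ic_serial=$2
  ic_subject=$3
  ic_out=$4
  ic_key=${5:-tmp/key.pem}
  # No -days on the CSR: it only applies with -x509. The validity period is
  # set by the `openssl ca` step below.
  openssl req -newkey "rsa:$KEYBITS" -keyout "$ic_key" -out tmp/req.pem -subj "$ic_subject" -nodes
  openssl ca -config openssl.config -name "$ic_ca" -in tmp/req.pem -batch -days 3650
  openssl x509 -in "$ic_ca/certs/$ic_serial.pem" -outform DER -out "certs/$ic_out.der"
}

# ca1 ##########################################################################

# RSA keys, CA signed responder cert signed responses

init_ca ca1

# Generate root cert
make_root ca1 ca1-root

# Generate ocsp responder cert. Its key is kept under ca1/private so the
# responder can sign; any OCSP-signing EKU/extensions come from openssl.config.
issue_cert ca1 01 "/O=Symbian/CN=CA OCSP Responder" ca1-responder ca1/private/reskey.pem

# Generate entity cert 1
issue_cert ca1 02 "/O=Symbian/CN=Entity Cert 1 (Good)" ca1-entity1

# Generate entity cert 2 and revoke it
issue_cert ca1 03 "/O=Symbian/CN=Entity Cert 2 (Revoked)" ca1-entity2
openssl ca -config openssl.config -name ca1 -revoke ca1/certs/03.pem -crl_reason keyCompromise

# Generate entity cert 3 and then remove it from the ca
# Dropping its index.txt row (keep the first 3: responder, entity1, entity2)
# and the issued PEM makes the CA report this serial as "unknown" rather than
# good or revoked. The DER copy in certs/ is kept so the tests can query it.
issue_cert ca1 04 "/O=Symbian/CN=Entity Cert 3 (Unknown)" ca1-entity3
mv ca1/index.txt tmp
head -n 3 tmp/index.txt > ca1/index.txt
rm ca1/certs/04.pem

# ca2 ##########################################################################

# RSA keys (as written; see the end of this file for switching to DSA),
# CA cert signs responses directly -- no separate responder cert.

init_ca ca2

# Generate root cert
make_root ca2 ca2-root

# Generate entity cert 1
issue_cert ca2 01 "/O=Symbian/CN=Entity Cert 1 (Good)" ca2-entity1

# Generate entity cert 2 and revoke it
issue_cert ca2 02 "/O=Symbian/CN=Entity Cert 2 (Revoked)" ca2-entity2
openssl ca -config openssl.config -name ca2 -revoke ca2/certs/02.pem -crl_reason keyCompromise

# Generate entity cert 3 and then remove it from the ca
# Keep the first 2 index rows (entity1, entity2) and delete the issued PEM so
# serial 03 is "unknown" to the CA; its DER copy remains in certs/.
issue_cert ca2 03 "/O=Symbian/CN=Entity Cert 3 (Unknown)" ca2-entity3
mv ca2/index.txt tmp
head -n 2 tmp/index.txt > ca2/index.txt
rm ca2/certs/03.pem

# To use DSA instead of RSA, first generate DSA parameters:
# openssl dsaparam -out tmp/dsaparam.pem 1024
# And use this in the newkey options (in make_root / issue_cert above):
# openssl req -x509 -newkey dsa:tmp/dsaparam.pem ...

# Tidy
rm -rf tmp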