MCL/sf/mw/securitysrv: comparison pkiutilities/ocsp/test/server/OpenSSL/generateCerts.sh

equal deleted inserted replaced

--1:000000000000
+:164170e6151a
+#!/bin/sh
+# Generate certs for testing OCSP against OpenSSL implementation
+#
+# There are two CAs:
+#   ca1 signs a responder cert which signs responses
+#   ca2 signs responses with its ca cert
+# Trash existing data
+rm -rf ca1 ca2 certs tmp
+mkdir ca1 ca2 certs tmp
+# ca1 ##########################################################################
+# RSA keys, CA signed responder cert signed responses
+# Create ca files
+touch ca1/index.txt
+echo "01" > ca1/serial
+mkdir ca1/private
+mkdir ca1/certs
+# Generate root cert
+openssl req -x509 -newkey rsa:1024 -keyout ca1/private/cakey.pem -out ca1/cacert.pem -subj "/O=Symbian/CN=CA Root Cert" -days 3650 -nodes
+openssl x509 -in ca1/cacert.pem -outform DER -out certs/ca1-root.der
+# Generate ocsp responder cert
+openssl req -newkey rsa:1024 -keyout ca1/private/reskey.pem -out tmp/req.pem -subj "/O=Symbian/CN=CA OCSP Responder" -days 3650 -nodes
+openssl ca -config openssl.config -name ca1 -in tmp/req.pem -batch -days 3650
+openssl x509 -in ca1/certs/01.pem -outform DER -out certs/ca1-responder.der
+# Generate entity cert 1
+openssl req -newkey rsa:1024 -keyout tmp/key.pem -out tmp/req.pem -subj "/O=Symbian/CN=Entity Cert 1 (Good)" -days 3650 -nodes
+openssl ca -config openssl.config -name ca1 -in tmp/req.pem -batch -days 3650
+openssl x509 -in ca1/certs/02.pem -outform DER -out certs/ca1-entity1.der
+# Generate entity cert 2 and revoke it
+openssl req -newkey rsa:1024 -keyout tmp/key.pem -out tmp/req.pem -subj "/O=Symbian/CN=Entity Cert 2 (Revoked)" -days 3650 -nodes
+openssl ca -config openssl.config -name ca1 -in tmp/req.pem -batch -days 3650
+openssl x509 -in ca1/certs/03.pem -outform DER -out certs/ca1-entity2.der
+openssl ca -config openssl.config -name ca1 -revoke ca1/certs/03.pem -crl_reason keyCompromise
+# Generate entity cert 3 and then remove it from the ca
+openssl req -newkey rsa:1024 -keyout tmp/key.pem -out tmp/req.pem -subj "/O=Symbian/CN=Entity Cert 3 (Unknown)" -days 3650 -nodes
+openssl ca -config openssl.config -name ca1 -in tmp/req.pem -batch -days 3650
+openssl x509 -in ca1/certs/04.pem -outform DER -out certs/ca1-entity3.der
+mv ca1/index.txt tmp
+head -3 tmp/index.txt > ca1/index.txt
+rm ca1/certs/04.pem
+# ca2 ##########################################################################
+# DSA keys, CA cert signs responses
+# Create ca files
+touch ca2/index.txt
+echo "01" > ca2/serial
+mkdir ca2/private
+mkdir ca2/certs
+# Generate root cert
+openssl req -x509 -newkey rsa:1024 -keyout ca2/private/cakey.pem -out ca2/cacert.pem -subj "/O=Symbian/CN=CA Root Cert" -days 3650 -nodes
+openssl x509 -in ca2/cacert.pem -outform DER -out certs/ca2-root.der
+# Generate entity cert 1
+openssl req -newkey rsa:1024 -keyout tmp/key.pem -out tmp/req.pem -subj "/O=Symbian/CN=Entity Cert 1 (Good)" -days 3650 -nodes
+openssl ca -config openssl.config -name ca2 -in tmp/req.pem -batch -days 3650
+openssl x509 -in ca2/certs/01.pem -outform DER -out certs/ca2-entity1.der
+# Generate entity cert 2 and revoke it
+openssl req -newkey rsa:1024 -keyout tmp/key.pem -out tmp/req.pem -subj "/O=Symbian/CN=Entity Cert 2 (Revoked)" -days 3650 -nodes
+openssl ca -config openssl.config -name ca2 -in tmp/req.pem -batch -days 3650
+openssl x509 -in ca2/certs/02.pem -outform DER -out certs/ca2-entity2.der
+openssl ca -config openssl.config -name ca2 -revoke ca2/certs/02.pem -crl_reason keyCompromise
+# Generate entity cert 3 and then remove it from the ca
+openssl req -newkey rsa:1024 -keyout tmp/key.pem -out tmp/req.pem -subj "/O=Symbian/CN=Entity Cert 3 (Unknown)" -days 3650 -nodes
+openssl ca -config openssl.config -name ca2 -in tmp/req.pem -batch -days 3650
+openssl x509 -in ca2/certs/03.pem -outform DER -out certs/ca2-entity3.der
+mv ca2/index.txt tmp
+head -2 tmp/index.txt > ca2/index.txt
+rm ca2/certs/03.pem
+# To use DSA instead of RSA, first generate DSA parameters:
+#   openssl dsaparam -out tmp/dsaparam.pem 1024
+# And use this in the newkey options
+#   openssl req -x509 -newkey dsa:tmp/dsaparam.pem ...
+# Tidy
+rm -rf tmp