2011-06-02 02:36:49 +08:00
|
|
|
#!/bin/sh
|
|
|
|
|
2012-01-26 00:33:39 +08:00
|
|
|
OPENSSL=../../apps/openssl
|
|
|
|
OPENSSL_CONF=../../apps/openssl.cnf
|
|
|
|
export OPENSSL_CONF
|
2011-06-02 02:36:49 +08:00
|
|
|
|
|
|
|
# Root CA: create certificate directly
|
|
|
|
CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes \
|
|
|
|
-keyout root.pem -out root.pem -newkey rsa:2048 -days 3650
|
|
|
|
# Intermediate CA: request first
|
|
|
|
CN="Test Intermediate CA" $OPENSSL req -config ca.cnf -nodes \
|
|
|
|
-keyout intkey.pem -out intreq.pem -newkey rsa:2048
|
|
|
|
# Sign request: CA extensions
|
|
|
|
$OPENSSL x509 -req -in intreq.pem -CA root.pem -days 3600 \
|
|
|
|
-extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem
|
2012-09-10 04:43:49 +08:00
|
|
|
|
|
|
|
# Server certificate: create request first
|
2012-12-15 07:28:19 +08:00
|
|
|
CN="crl.host.com" $OPENSSL req -config ca.cnf -nodes \
|
2012-09-10 04:43:49 +08:00
|
|
|
-keyout skey.pem -out req.pem -newkey rsa:1024
|
|
|
|
# Sign request: end entity extensions
|
|
|
|
$OPENSSL x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
|
|
|
|
-extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem
|
|
|
|
|
2011-06-02 02:36:49 +08:00
|
|
|
# Client certificate: request first
|
|
|
|
CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \
|
|
|
|
-keyout ckey.pem -out creq.pem -newkey rsa:1024
|
|
|
|
# Sign using intermediate CA
|
|
|
|
$OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
|
|
|
|
-extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem
|
2012-01-26 00:33:39 +08:00
|
|
|
|
2012-10-28 02:05:56 +08:00
|
|
|
# Revoked certificate: request first
|
2012-09-10 04:43:49 +08:00
|
|
|
CN="Test Revoked Cert" $OPENSSL req -config ca.cnf -nodes \
|
|
|
|
-keyout revkey.pem -out rreq.pem -newkey rsa:1024
|
|
|
|
# Sign using intermediate CA
|
|
|
|
$OPENSSL x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
|
|
|
|
-extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem
|
|
|
|
|
|
|
|
# OCSP responder certificate: request first
|
|
|
|
CN="Test OCSP Responder Cert" $OPENSSL req -config ca.cnf -nodes \
|
|
|
|
-keyout respkey.pem -out respreq.pem -newkey rsa:1024
|
|
|
|
# Sign using intermediate CA and responder extensions
|
|
|
|
$OPENSSL x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
|
|
|
|
-extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem
|
|
|
|
|
2012-01-26 00:33:39 +08:00
|
|
|
# Example creating a PKCS#3 DH certificate.
|
|
|
|
|
|
|
|
# First DH parameters
|
|
|
|
|
2012-02-09 23:43:58 +08:00
|
|
|
[ -f dhp.pem ] || $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem
|
2012-01-26 00:33:39 +08:00
|
|
|
|
|
|
|
# Now a DH private key
|
|
|
|
$OPENSSL genpkey -paramfile dhp.pem -out dhskey.pem
|
|
|
|
# Create DH public key file
|
|
|
|
$OPENSSL pkey -in dhskey.pem -pubout -out dhspub.pem
|
|
|
|
# Certificate request, key just reuses old one as it is ignored when the
|
|
|
|
# request is signed.
|
|
|
|
CN="Test Server DH Cert" $OPENSSL req -config ca.cnf -new \
|
|
|
|
-key skey.pem -out dhsreq.pem
|
|
|
|
# Sign request: end entity DH extensions
|
|
|
|
$OPENSSL x509 -req -in dhsreq.pem -CA root.pem -days 3600 \
|
|
|
|
-force_pubkey dhspub.pem \
|
|
|
|
-extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem
|
|
|
|
|
|
|
|
# DH client certificate
|
|
|
|
|
|
|
|
$OPENSSL genpkey -paramfile dhp.pem -out dhckey.pem
|
|
|
|
$OPENSSL pkey -in dhckey.pem -pubout -out dhcpub.pem
|
|
|
|
CN="Test Client DH Cert" $OPENSSL req -config ca.cnf -new \
|
|
|
|
-key skey.pem -out dhcreq.pem
|
|
|
|
$OPENSSL x509 -req -in dhcreq.pem -CA root.pem -days 3600 \
|
|
|
|
-force_pubkey dhcpub.pem \
|
|
|
|
-extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem
|
2012-09-10 04:43:49 +08:00
|
|
|
|
|
|
|
# Examples of CRL generation without the need to use 'ca' to issue
|
|
|
|
# certificates.
|
|
|
|
# Create zero length index file
|
|
|
|
>index.txt
|
|
|
|
# Create initial crl number file
|
|
|
|
echo 01 >crlnum.txt
|
|
|
|
# Add entries for server and client certs
|
|
|
|
$OPENSSL ca -valid server.pem -keyfile root.pem -cert root.pem \
|
|
|
|
-config ca.cnf -md sha1
|
|
|
|
$OPENSSL ca -valid client.pem -keyfile root.pem -cert root.pem \
|
|
|
|
-config ca.cnf -md sha1
|
|
|
|
$OPENSSL ca -valid rev.pem -keyfile root.pem -cert root.pem \
|
|
|
|
-config ca.cnf -md sha1
|
|
|
|
# Generate a CRL.
|
|
|
|
$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
|
|
|
|
-md sha1 -crldays 1 -out crl1.pem
|
|
|
|
# Revoke a certificate
|
|
|
|
openssl ca -revoke rev.pem -crl_reason superseded \
|
|
|
|
-keyfile root.pem -cert root.pem -config ca.cnf -md sha1
|
|
|
|
# Generate another CRL
|
|
|
|
$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
|
|
|
|
-md sha1 -crldays 1 -out crl2.pem
|
|
|
|
|