1#!/bin/sh 2 3set -xe 4 5# simply run me from mysql-test/ 6cd std_data/ 7 8# boilerplace for "openssl ca" and /etc/ssl/openssl.cnf 9rm -rf demoCA 10mkdir demoCA demoCA/newcerts 11touch demoCA/index.txt 12echo 01 > demoCA/serial 13echo 01 > demoCA/crlnumber 14 15# CA certificate, self-signed 16openssl req -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem -days 7300 -nodes -subj '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' -text 17 18# server certificate signing request and private key. Note the very long subject (for MDEV-7859) 19openssl req -newkey rsa:2048 -keyout server-key.pem -out demoCA/server-req.pem -days 7300 -nodes -subj '/CN=localhost/C=FI/ST=state or province within country, in other certificates in this file it is the same as L/L=location, usually an address but often ambiguously used/OU=organizational unit name, a division name within an organization/O=organization name, typically a company name' 20# convert the key to yassl compatible format 21openssl rsa -in server-key.pem -out server-key.pem 22# sign the server certificate with CA certificate 23openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server-cert.pem -in demoCA/server-req.pem 24 25# server certificate with different validity period (MDEV-7598) 26openssl req -newkey rsa:2048 -keyout server-new-key.pem -out demoCA/server-new-req.pem -days 7301 -nodes -subj '/CN=server-new/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' 27openssl rsa -in server-new-key.pem -out server-new-key.pem 28openssl ca -keyfile cakey.pem -days 7301 -batch -cert cacert.pem -policy policy_anything -out server-new-cert.pem -in demoCA/server-new-req.pem 29 30# 8K cert 31openssl req -newkey rsa:8192 -keyout server8k-key.pem -out demoCA/server8k-req.pem -days 7300 -nodes -subj '/CN=server8k/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' 32openssl rsa -in server8k-key.pem -out server8k-key.pem 33openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server8k-cert.pem -in demoCA/server8k-req.pem 34 35# with SubjectAltName, only for OpenSSL 1.0.2+ 36cat > demoCA/sanext.conf <<EOF 37subjectAltName=IP:127.0.0.1, DNS:localhost 38EOF 39openssl req -newkey rsa:2048 -keyout serversan-key.pem -out demoCA/serversan-req.pem -days 7300 -nodes -subj '/CN=server/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' 40openssl ca -keyfile cakey.pem -extfile demoCA/sanext.conf -days 7300 -batch -cert cacert.pem -policy policy_anything -out serversan-cert.pem -in demoCA/serversan-req.pem 41 42# client cert 43openssl req -newkey rsa:2048 -keyout client-key.pem -out demoCA/client-req.pem -days 7300 -nodes -subj '/CN=client/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' 44openssl rsa -in client-key.pem -out client-key.pem 45openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out client-cert.pem -in demoCA/client-req.pem 46 47# generate combined client cert and key file 48cat client-cert.pem client-key.pem > client-certkey.pem 49 50# generate crls 51openssl ca -revoke server-cert.pem -keyfile cakey.pem -batch -cert cacert.pem 52openssl ca -gencrl -keyfile cakey.pem -crldays 7300 -batch -cert cacert.pem -out server-cert.crl 53# we only want to have one certificate per CRL. Un-revoke server-cert.crl 54cp demoCA/index.txt.old demoCA/index.txt 55openssl ca -revoke client-cert.pem -keyfile cakey.pem -batch -cert cacert.pem 56openssl ca -gencrl -keyfile cakey.pem -crldays 7300 -batch -cert cacert.pem -out client-cert.crl 57 58rm -fv crldir/* 59cp -v client-cert.crl crldir/`openssl x509 -in client-cert.pem -noout -issuer_hash`.r0 60 61rm -rf demoCA 62