1#!/bin/sh 2 3OPENSSL=../../apps/openssl 4OPENSSL_CONF=../../apps/openssl.cnf 5export OPENSSL_CONF 6 7# Root CA: create certificate directly 8CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes \ 9 -keyout root.pem -out root.pem -newkey rsa:2048 -days 3650 10# Intermediate CA: request first 11CN="Test Intermediate CA" $OPENSSL req -config ca.cnf -nodes \ 12 -keyout intkey.pem -out intreq.pem -newkey rsa:2048 13# Sign request: CA extensions 14$OPENSSL x509 -req -in intreq.pem -CA root.pem -days 3600 \ 15 -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem 16 17# Server certificate: create request first 18CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \ 19 -keyout skey.pem -out req.pem -newkey rsa:1024 20# Sign request: end entity extensions 21$OPENSSL x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ 22 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem 23 24# Client certificate: request first 25CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \ 26 -keyout ckey.pem -out creq.pem -newkey rsa:1024 27# Sign using intermediate CA 28$OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ 29 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem 30 31# Revoked certificate: request first 32CN="Test Revoked Cert" $OPENSSL req -config ca.cnf -nodes \ 33 -keyout revkey.pem -out rreq.pem -newkey rsa:1024 34# Sign using intermediate CA 35$OPENSSL x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ 36 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem 37 38# OCSP responder certificate: request first 39CN="Test OCSP Responder Cert" $OPENSSL req -config ca.cnf -nodes \ 40 -keyout respkey.pem -out respreq.pem -newkey rsa:1024 41# Sign using intermediate CA and responder extensions 42$OPENSSL x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ 43 -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem 44 45# Example creating a PKCS#3 DH certificate. 46 47# First DH parameters 48 49[ -f dhp.pem ] || $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem 50 51# Now a DH private key 52$OPENSSL genpkey -paramfile dhp.pem -out dhskey.pem 53# Create DH public key file 54$OPENSSL pkey -in dhskey.pem -pubout -out dhspub.pem 55# Certificate request, key just reuses old one as it is ignored when the 56# request is signed. 57CN="Test Server DH Cert" $OPENSSL req -config ca.cnf -new \ 58 -key skey.pem -out dhsreq.pem 59# Sign request: end entity DH extensions 60$OPENSSL x509 -req -in dhsreq.pem -CA root.pem -days 3600 \ 61 -force_pubkey dhspub.pem \ 62 -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem 63 64# DH client certificate 65 66$OPENSSL genpkey -paramfile dhp.pem -out dhckey.pem 67$OPENSSL pkey -in dhckey.pem -pubout -out dhcpub.pem 68CN="Test Client DH Cert" $OPENSSL req -config ca.cnf -new \ 69 -key skey.pem -out dhcreq.pem 70$OPENSSL x509 -req -in dhcreq.pem -CA root.pem -days 3600 \ 71 -force_pubkey dhcpub.pem \ 72 -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem 73 74# Examples of CRL generation without the need to use 'ca' to issue 75# certificates. 76# Create zero length index file 77>index.txt 78# Create initial crl number file 79echo 01 >crlnum.txt 80# Add entries for server and client certs 81$OPENSSL ca -valid server.pem -keyfile root.pem -cert root.pem \ 82 -config ca.cnf -md sha1 83$OPENSSL ca -valid client.pem -keyfile root.pem -cert root.pem \ 84 -config ca.cnf -md sha1 85$OPENSSL ca -valid rev.pem -keyfile root.pem -cert root.pem \ 86 -config ca.cnf -md sha1 87# Generate a CRL. 88$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \ 89 -md sha1 -crldays 1 -out crl1.pem 90# Revoke a certificate 91openssl ca -revoke rev.pem -crl_reason superseded \ 92 -keyfile root.pem -cert root.pem -config ca.cnf -md sha1 93# Generate another CRL 94$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \ 95 -md sha1 -crldays 1 -out crl2.pem 96 97