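#
# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation. Oracle designates this
# particular file as subject to the "Classpath" exception as provided
# by Oracle in the LICENSE file that accompanied this code.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#

#!/bin/ksh
#
# needs ksh to run the script.
#
# The "#!" line above is not the first line of the file, so it does not act
# as an interpreter directive; run the script explicitly ("ksh <script>")
# from the directory that contains openssl.cnf, because every path below is
# relative to the current directory.
#
# Builds a small three-level test PKI plus CRLs under ./root, ./subca and
# ./subca/alice:
#
#   root/         self-signed roots (SHA1withRSA 1024, SHA1withRSA 512,
#                 MD2withRSA 2048) and a root-level CRL issuer certificate
#   subca/        intermediate CA certificates chained to the roots in every
#                 combination of digest and key size, plus a subca-level CRL
#                 issuer certificate
#   subca/alice/  end-entity certificates for "Alice" chained to the subca
#                 certificates
#   root/top_crl.pem, subca/subca_crl.pem
#                 CRLs; the subca CRL revokes Alice's SHA1withRSA-1024 /
#                 RSA-1024 certificate
#
# Each stage leaves a marker file ("finished" or "revoked") and is skipped on
# later runs while the marker exists; delete the marker to regenerate that
# stage. Under "set -e" a failing openssl call aborts before the marker is
# written, so a partial stage is redone on the next run.
#
# NOTE(review): the MD2 digests and 512-bit RSA keys are presumably
# deliberate — the output looks like fixture material for exercising
# weak/disabled-algorithm handling — so do not "upgrade" them. Producing them
# needs an OpenSSL build that still enables MD2 and small RSA keys; point
# OPENSSL at such a build if the default one refuses.
set -e

# OpenSSL binary to use. Overridable from the environment; defaults to the
# one found on PATH, as before.
OPENSSL=${OPENSSL:-openssl}

# Passphrase protecting every generated private key. It is a published test
# fixture, not a secret, which is the only reason passing it on the command
# line (visible to other users via "ps") is acceptable here; do not copy this
# pattern for real key material.
PASSPHRASE=passphrase

# generate a self-signed root certificate
if [ ! -f root/finished ]; then
    mkdir -p root

    # SHA1withRSA 1024
    # Self-signed (-x509) with the cert_issuer request extensions from
    # openssl.cnf; the key is written encrypted under PASSPHRASE.
    "${OPENSSL}" req -x509 -newkey rsa:1024 -keyout root/root_key_1024.pem \
        -out root/root_cert_sha1_1024.pem -subj "/C=US/O=Example" \
        -config openssl.cnf -reqexts cert_issuer -days 7650 -sha1 \
        -passin "pass:${PASSPHRASE}" -passout "pass:${PASSPHRASE}"

    # SHA1withRSA 512
    "${OPENSSL}" req -x509 -newkey rsa:512 -keyout root/root_key_512.pem \
        -out root/root_cert_sha1_512.pem -subj "/C=US/O=Example" \
        -config openssl.cnf -reqexts cert_issuer -days 7650 -sha1 \
        -passin "pass:${PASSPHRASE}" -passout "pass:${PASSPHRASE}"

    # MD2withRSA 2048
    "${OPENSSL}" req -x509 -newkey rsa:2048 -keyout root/root_key_2048.pem \
        -out root/root_cert_md2_2048.pem -subj "/C=US/O=Example" \
        -config openssl.cnf -reqexts cert_issuer -days 7650 -md2 \
        -passin "pass:${PASSPHRASE}" -passout "pass:${PASSPHRASE}"

    # Root-level CRL issuer: a plain request, then signed by the
    # SHA1withRSA-1024 root with the crl_issuer extensions.
    "${OPENSSL}" req -newkey rsa:1024 -keyout root/root_crlissuer_key.pem \
        -out root/root_crlissuer_req.pem -subj "/C=US/O=Example" -days 7650 \
        -passin "pass:${PASSPHRASE}" -passout "pass:${PASSPHRASE}"

    # -CAcreateserial creates root/root_cert.srl on first use; every later
    # root-signed certificate reuses and increments the same file, whichever
    # root key does the signing.
    "${OPENSSL}" x509 -req -in root/root_crlissuer_req.pem -extfile openssl.cnf \
        -extensions crl_issuer -CA root/root_cert_sha1_1024.pem \
        -CAkey root/root_key_1024.pem -out root/root_crlissuer_cert.pem \
        -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
        -passin "pass:${PASSPHRASE}"

    touch root/finished
fi


# generate subca cert issuer
if [ ! -f subca/finished ]; then
    mkdir -p subca

    # RSA 1024
    "${OPENSSL}" req -newkey rsa:1024 -keyout subca/subca_key_1024.pem \
        -out subca/subca_req_1024.pem -subj "/C=US/O=Example/OU=Class-1" \
        -days 7650 -passin "pass:${PASSPHRASE}" -passout "pass:${PASSPHRASE}"

    # RSA 512
    "${OPENSSL}" req -newkey rsa:512 -keyout subca/subca_key_512.pem \
        -out subca/subca_req_512.pem -subj "/C=US/O=Example/OU=Class-1" \
        -days 7650 -passin "pass:${PASSPHRASE}" -passout "pass:${PASSPHRASE}"

    # Output names are subca_cert_<digest>_<subject key bits>_<issuer key bits>.

    # SHA1withRSA 1024 signed with RSA 1024
    "${OPENSSL}" x509 -req -in subca/subca_req_1024.pem -extfile openssl.cnf \
        -extensions cert_issuer -CA root/root_cert_sha1_1024.pem \
        -CAkey root/root_key_1024.pem -out subca/subca_cert_sha1_1024_1024.pem \
        -CAcreateserial -sha1 \
        -CAserial root/root_cert.srl -days 7200 -passin "pass:${PASSPHRASE}"

    # SHA1withRSA 1024 signed with RSA 512
    "${OPENSSL}" x509 -req -in subca/subca_req_1024.pem -extfile openssl.cnf \
        -extensions cert_issuer -CA root/root_cert_sha1_512.pem \
        -CAkey root/root_key_512.pem -out subca/subca_cert_sha1_1024_512.pem \
        -CAcreateserial -sha1 \
        -CAserial root/root_cert.srl -days 7200 -passin "pass:${PASSPHRASE}"

    # SHA1withRSA 512 signed with RSA 1024
    "${OPENSSL}" x509 -req -in subca/subca_req_512.pem -extfile openssl.cnf \
        -extensions cert_issuer -CA root/root_cert_sha1_1024.pem \
        -CAkey root/root_key_1024.pem -out subca/subca_cert_sha1_512_1024.pem \
        -CAcreateserial -sha1 \
        -CAserial root/root_cert.srl -days 7200 -passin "pass:${PASSPHRASE}"

    # SHA1withRSA 512 signed with RSA 512
    "${OPENSSL}" x509 -req -in subca/subca_req_512.pem -extfile openssl.cnf \
        -extensions cert_issuer -CA root/root_cert_sha1_512.pem \
        -CAkey root/root_key_512.pem -out subca/subca_cert_sha1_512_512.pem \
        -CAcreateserial -sha1 \
        -CAserial root/root_cert.srl -days 7200 -passin "pass:${PASSPHRASE}"

    # MD2withRSA 1024 signed with RSA 1024
    "${OPENSSL}" x509 -req -in subca/subca_req_1024.pem -extfile openssl.cnf \
        -extensions cert_issuer -CA root/root_cert_sha1_1024.pem \
        -CAkey root/root_key_1024.pem -out subca/subca_cert_md2_1024_1024.pem \
        -CAcreateserial -md2 \
        -CAserial root/root_cert.srl -days 7200 -passin "pass:${PASSPHRASE}"

    # MD2withRSA 1024 signed with RSA 512
    "${OPENSSL}" x509 -req -in subca/subca_req_1024.pem -extfile openssl.cnf \
        -extensions cert_issuer -CA root/root_cert_sha1_512.pem \
        -CAkey root/root_key_512.pem -out subca/subca_cert_md2_1024_512.pem \
        -CAcreateserial -md2 \
        -CAserial root/root_cert.srl -days 7200 -passin "pass:${PASSPHRASE}"

    # Subca-level CRL issuer, signed by the SHA1withRSA-1024 root (not by a
    # subca certificate) with the crl_issuer extensions.
    "${OPENSSL}" req -newkey rsa:1024 -keyout subca/subca_crlissuer_key.pem \
        -out subca/subca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-1" \
        -days 7650 -passin "pass:${PASSPHRASE}" -passout "pass:${PASSPHRASE}"

    "${OPENSSL}" x509 -req -in subca/subca_crlissuer_req.pem -extfile openssl.cnf \
        -extensions crl_issuer -CA root/root_cert_sha1_1024.pem \
        -CAkey root/root_key_1024.pem -out subca/subca_crlissuer_cert.pem \
        -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
        -passin "pass:${PASSPHRASE}"

    touch subca/finished
fi


# generate certificate for Alice
if [ ! -f subca/alice/finished ]; then
    mkdir -p subca/alice

    # RSA 1024
    "${OPENSSL}" req -newkey rsa:1024 -keyout subca/alice/alice_key_1024.pem \
        -out subca/alice/alice_req_1024.pem \
        -subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \
        -passin "pass:${PASSPHRASE}" -passout "pass:${PASSPHRASE}"

    # RSA 512
    "${OPENSSL}" req -newkey rsa:512 -keyout subca/alice/alice_key_512.pem \
        -out subca/alice/alice_req_512.pem \
        -subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \
        -passin "pass:${PASSPHRASE}" -passout "pass:${PASSPHRASE}"

    # End-entity certificates use the ee_of_subca extensions and their own
    # serial file, subca/subca_cert.srl. "Signed with RSA 512" means the
    # 512-bit subca key, whose certificate is subca_cert_sha1_512_1024.pem.

    # SHA1withRSA 1024 signed with RSA 1024
    "${OPENSSL}" x509 -req -in subca/alice/alice_req_1024.pem \
        -extfile openssl.cnf -extensions ee_of_subca \
        -CA subca/subca_cert_sha1_1024_1024.pem \
        -CAkey subca/subca_key_1024.pem \
        -out subca/alice/alice_cert_sha1_1024_1024.pem -CAcreateserial -sha1 \
        -CAserial subca/subca_cert.srl -days 7200 -passin "pass:${PASSPHRASE}"

    # SHA1withRSA 1024 signed with RSA 512
    "${OPENSSL}" x509 -req -in subca/alice/alice_req_1024.pem \
        -extfile openssl.cnf -extensions ee_of_subca \
        -CA subca/subca_cert_sha1_512_1024.pem \
        -CAkey subca/subca_key_512.pem \
        -out subca/alice/alice_cert_sha1_1024_512.pem -CAcreateserial -sha1 \
        -CAserial subca/subca_cert.srl -days 7200 -passin "pass:${PASSPHRASE}"

    # SHA1withRSA 512 signed with RSA 1024
    "${OPENSSL}" x509 -req -in subca/alice/alice_req_512.pem \
        -extfile openssl.cnf -extensions ee_of_subca \
        -CA subca/subca_cert_sha1_1024_1024.pem \
        -CAkey subca/subca_key_1024.pem \
        -out subca/alice/alice_cert_sha1_512_1024.pem -CAcreateserial -sha1 \
        -CAserial subca/subca_cert.srl -days 7200 -passin "pass:${PASSPHRASE}"

    # SHA1withRSA 512 signed with RSA 512
    "${OPENSSL}" x509 -req -in subca/alice/alice_req_512.pem \
        -extfile openssl.cnf -extensions ee_of_subca \
        -CA subca/subca_cert_sha1_512_1024.pem \
        -CAkey subca/subca_key_512.pem \
        -out subca/alice/alice_cert_sha1_512_512.pem -CAcreateserial -sha1 \
        -CAserial subca/subca_cert.srl -days 7200 -passin "pass:${PASSPHRASE}"

    # MD2withRSA 1024 signed with RSA 1024
    "${OPENSSL}" x509 -req -in subca/alice/alice_req_1024.pem \
        -extfile openssl.cnf -extensions ee_of_subca \
        -CA subca/subca_cert_sha1_1024_1024.pem \
        -CAkey subca/subca_key_1024.pem \
        -out subca/alice/alice_cert_md2_1024_1024.pem -CAcreateserial -md2 \
        -CAserial subca/subca_cert.srl -days 7200 -passin "pass:${PASSPHRASE}"

    # MD2withRSA 1024 signed with RSA 512
    "${OPENSSL}" x509 -req -in subca/alice/alice_req_1024.pem \
        -extfile openssl.cnf -extensions ee_of_subca \
        -CA subca/subca_cert_sha1_512_1024.pem \
        -CAkey subca/subca_key_512.pem \
        -out subca/alice/alice_cert_md2_1024_512.pem -CAcreateserial -md2 \
        -CAserial subca/subca_cert.srl -days 7200 -passin "pass:${PASSPHRASE}"

    touch subca/alice/finished
fi

# generate the root-level CRL. Nothing is revoked at this level by the
# script, so the CRL has no entries unless root/index.txt already had some.
if [ ! -f root/revoked ]; then
    mkdir -p root

    # "openssl ca" needs its certificate database and a CRL number file;
    # presumably the ca_top section of openssl.cnf points at these paths.
    if [ ! -f root/index.txt ]; then
        touch root/index.txt
        echo 00 > root/crlnumber
    fi

    "${OPENSSL}" ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 -md sha1 \
        -crl_reason superseded -keyfile root/root_crlissuer_key.pem \
        -cert root/root_crlissuer_cert.pem -out root/top_crl.pem \
        -passin "pass:${PASSPHRASE}"

    touch root/revoked
fi

# revoke one of Alice's certificates and generate the subca-level CRL
if [ ! -f subca/revoked ]; then
    mkdir -p subca

    # Same database bootstrap as for the root level, for the ca_subca section.
    if [ ! -f subca/index.txt ]; then
        touch subca/index.txt
        echo 00 > subca/crlnumber
    fi

    # revoke alice's SHA1withRSA 1024 signed with RSA 1024
    "${OPENSSL}" ca -revoke subca/alice/alice_cert_sha1_1024_1024.pem \
        -config openssl.cnf \
        -name ca_subca -crl_reason superseded \
        -keyfile subca/subca_crlissuer_key.pem \
        -cert subca/subca_crlissuer_cert.pem -passin "pass:${PASSPHRASE}"

    # The subca CRL is deliberately MD2-signed (see the note at the top).
    "${OPENSSL}" ca -gencrl -config openssl.cnf \
        -name ca_subca -crldays 7000 -md md2 \
        -crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
        -cert subca/subca_crlissuer_cert.pem \
        -out subca/subca_crl.pem \
        -passin "pass:${PASSPHRASE}"

    touch subca/revoked
fi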