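#!/bin/sh
#
# testss: end-to-end exercise of the 'req', 'x509' and 'verify' commands.
#
# Steps, in order:
#   1. generate a CA request, self-sign it (v3_ca extensions) and verify it;
#   2. round-trip the CA certificate back into a request with -x509toreq
#      and check that both requests carry a valid self-signature;
#   3. generate a user request and sign it with the CA (v3_ee extensions);
#   4. generate two proxy requests, sign the first with the user key and
#      the second with the first proxy key (v3_proxy extensions), and run
#      'verify' on each through its -untrusted intermediate bundle.
#
# Everything written here (the *.ss files and .rnd) is a throwaway test
# artifact: the RNG is seeded with a constant string, certificates live
# 30 days, and the keys are whatever 'req' defaults to (or the DSA
# parameters in ../apps/dsa512.pem when RSA is compiled out).  None of it
# is suitable for anything but this test.
#
# Expects to run from the test directory with ../util/shlib_wrap.sh,
# ../apps/openssl and the CAss.cnf, Uss.cnf, P1ss.cnf and P2ss.cnf
# configuration files present.  Exits 1 at the first failing step,
# 0 otherwise.

# Digest used for every 'x509' signature below.  SHA-1 is the test's
# historical fixture choice, not a recommendation for real certificates.
digest='-sha1'
# The command variables are expanded unquoted on purpose: the wrapper, the
# binary, the subcommand and $digest must split into separate words.
reqcmd="../util/shlib_wrap.sh ../apps/openssl req"
x509cmd="../util/shlib_wrap.sh ../apps/openssl x509 $digest"
verifycmd="../util/shlib_wrap.sh ../apps/openssl verify"
# Only used by the 'req -verify' steps below.
dummycnf="../apps/openssl.cnf"

# CA material
CAkey="keyCA.ss"
CAcert="certCA.ss"
CAreq="reqCA.ss"
CAconf="CAss.cnf"
CAreq2="req2CA.ss" # temp: request regenerated from the CA certificate

# user (end-entity) material
Uconf="Uss.cnf"
Ukey="keyU.ss"
Ureq="reqU.ss"
Ucert="certU.ss"

# first proxy certificate, issued by the user certificate
P1conf="P1ss.cnf"
P1key="keyP1.ss"
P1req="reqP1.ss"
P1cert="certP1.ss"
P1intermediate="tmp_intP1.ss" # untrusted chain bundle handed to 'verify'

# second proxy certificate, issued by the first proxy
P2conf="P2ss.cnf"
P2key="keyP2.ss"
P2req="reqP2.ss"
P2cert="certP2.ss"
P2intermediate="tmp_intP2.ss" # untrusted chain bundle handed to 'verify'

# Print a message on stdout (where the rest of the progress output goes)
# and abort the test with status 1.
fail() {
  echo "$1"
  exit 1
}

echo
echo "make a certificate request using 'req'"

# Test-only RNG seed: a fixed string appended to .rnd is enough to stop
# 'req' refusing to run on hosts without a usable entropy source.  It adds
# no real randomness, which is acceptable only because every key made
# here is a throwaway.
echo "string to make the random number generator think it has entropy" >> ./.rnd

# Fall back to DSA parameters when the build has no RSA support.
# $req_new is expanded unquoted below because it may carry two words.
if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
  req_new='-newkey dsa:../apps/dsa512.pem'
else
  req_new='-new'
fi

# stderr is not redirected to err.ss for this first step (the original
# left that redirect commented out), so key-generation diagnostics stay
# visible.
$reqcmd -config "$CAconf" -out "$CAreq" -keyout "$CAkey" $req_new \
  || fail "error using 'req' to generate a certificate request"

echo
echo "convert the certificate request into a self signed certificate using 'x509'"
$x509cmd -CAcreateserial -in "$CAreq" -days 30 -req -out "$CAcert" \
  -signkey "$CAkey" -extfile "$CAconf" -extensions v3_ca >err.ss \
  || fail "error using 'x509' to self sign a certificate request"

echo
echo "convert a certificate into a certificate request using 'x509'"
$x509cmd -in "$CAcert" -x509toreq -signkey "$CAkey" -out "$CAreq2" >err.ss \
  || fail "error using 'x509' convert a certificate to a certificate request"

# Both the original and the round-tripped request must carry a valid
# self-signature.
$reqcmd -config "$dummycnf" -verify -in "$CAreq" -noout \
  || fail "first generated request is invalid"
$reqcmd -config "$dummycnf" -verify -in "$CAreq2" -noout \
  || fail "second generated request is invalid"

# The CA certificate must verify with itself as the trust anchor.
$verifycmd -CAfile "$CAcert" "$CAcert" \
  || fail "first generated cert is invalid"

echo
echo "make a user certificate request using 'req'"
$reqcmd -config "$Uconf" -out "$Ureq" -keyout "$Ukey" $req_new >err.ss \
  || fail "error using 'req' to generate a user certificate request"

echo
echo "sign user certificate request with the just created CA via 'x509'"
$x509cmd -CAcreateserial -in "$Ureq" -days 30 -req -out "$Ucert" \
  -CA "$CAcert" -CAkey "$CAkey" -extfile "$Uconf" -extensions v3_ee >err.ss \
  || fail "error using 'x509' to sign a user certificate request"

# A user certificate that does not chain to the CA is a test failure, not
# just something to print; enforce it like the CA self-check above.
$verifycmd -CAfile "$CAcert" "$Ucert" \
  || fail "user certificate does not verify against the CA"
echo
echo "Certificate details"
$x509cmd -subject -issuer -startdate -enddate -noout -in "$Ucert"

echo
echo "make a proxy certificate request using 'req'"
$reqcmd -config "$P1conf" -out "$P1req" -keyout "$P1key" $req_new >err.ss \
  || fail "error using 'req' to generate a proxy certificate request"

echo
echo "sign proxy certificate request with the just created user certificate via 'x509'"
$x509cmd -CAcreateserial -in "$P1req" -days 30 -req -out "$P1cert" \
  -CA "$Ucert" -CAkey "$Ukey" -extfile "$P1conf" -extensions v3_proxy >err.ss \
  || fail "error using 'x509' to sign a proxy certificate request"

# Chain: CA (trusted) -> user cert (untrusted intermediate) -> proxy.
# NOTE(review): the verify result is printed but not enforced, so a proxy
# that fails to verify does not fail the test.  Depending on the OpenSSL
# version, verifying proxy certificates requires the allow-proxy-certs
# verify flag or the OPENSSL_ALLOW_PROXY_CERTS environment variable;
# confirm the chain verifies in this build before turning this into a
# hard check.
cat "$Ucert" > "$P1intermediate"
$verifycmd -CAfile "$CAcert" -untrusted "$P1intermediate" "$P1cert"
echo
echo "Certificate details"
$x509cmd -subject -issuer -startdate -enddate -noout -in "$P1cert"

echo
echo "make another proxy certificate request using 'req'"
$reqcmd -config "$P2conf" -out "$P2req" -keyout "$P2key" $req_new >err.ss \
  || fail "error using 'req' to generate another proxy certificate request"

echo
echo "sign second proxy certificate request with the first proxy certificate via 'x509'"
$x509cmd -CAcreateserial -in "$P2req" -days 30 -req -out "$P2cert" \
  -CA "$P1cert" -CAkey "$P1key" -extfile "$P2conf" -extensions v3_proxy >err.ss \
  || fail "error using 'x509' to sign a second proxy certificate request"

# Chain: CA -> user cert -> first proxy (both untrusted) -> second proxy.
# Same caveat as for the first proxy: the result is not enforced.
cat "$Ucert" "$P1cert" > "$P2intermediate"
$verifycmd -CAfile "$CAcert" -untrusted "$P2intermediate" "$P2cert"
echo
echo "Certificate details"
$x509cmd -subject -issuer -startdate -enddate -noout -in "$P2cert"

echo
echo "The generated CA certificate is $CAcert"
echo "The generated CA private key is $CAkey"

echo "The generated user certificate is $Ucert"
echo "The generated user private key is $Ukey"

echo "The first generated proxy certificate is $P1cert"
echo "The first generated proxy private key is $P1key"

echo "The second generated proxy certificate is $P2cert"
echo "The second generated proxy private key is $P2key"

# err.ss exists by now: every step after the first redirected into it.
/bin/rm err.ss
# The intermediate bundles are left in place for inspection; uncomment to
# remove them.
#/bin/rm $P1intermediate
#/bin/rm $P2intermediate
exit 0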