eec147dccb
In addition, update the generation script to allow convenient update of the server and user certificates without having to generate new keys. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
83 lines
3.4 KiB
Bash
Executable file
83 lines
3.4 KiB
Bash
Executable file
#!/bin/sh
|
|
|
|
OPENSSL=openssl
|
|
|
|
echo
|
|
echo "---[ DH parameters ]----------------------------------------------------"
|
|
echo
|
|
|
|
if [ -r dh_param_3072.pem ]; then
|
|
echo "Use already generated dh_param_3072.pem"
|
|
else
|
|
openssl dhparam -out dh_param_3072.pem 3072
|
|
fi
|
|
|
|
echo
|
|
echo "---[ Root CA ]----------------------------------------------------------"
|
|
echo
|
|
|
|
if [ -r rsa3072-ca.key ]; then
|
|
echo "Use already generated Root CA"
|
|
else
|
|
cat ec-ca-openssl.cnf |
|
|
sed "s/#@CN@/commonName_default = Suite B RSA 3k Root CA/" |
|
|
sed s%\./ec-ca$%./rsa3072-ca% \
|
|
> rsa3072-ca-openssl.cnf.tmp
|
|
$OPENSSL req -config rsa3072-ca-openssl.cnf.tmp -batch -x509 -new -newkey rsa:3072 -nodes -keyout rsa3072-ca.key -out rsa3072-ca.pem -outform PEM -days 3650 -sha384
|
|
mkdir -p rsa3072-ca/certs rsa3072-ca/crl rsa3072-ca/newcerts rsa3072-ca/private
|
|
touch rsa3072-ca/index.txt
|
|
rm rsa3072-ca-openssl.cnf.tmp
|
|
fi
|
|
|
|
echo
|
|
echo "---[ Server ]-----------------------------------------------------------"
|
|
echo
|
|
|
|
cat ec-ca-openssl.cnf |
|
|
sed "s/#@CN@/commonName_default = rsa3072.server.w1.fi/" |
|
|
sed "s/#@ALTNAME@/subjectAltName=critical,DNS:rsa3072.server.w1.fi/" |
|
|
sed s%\./ec-ca$%./rsa3072-ca% \
|
|
> rsa3072-ca-openssl.cnf.tmp
|
|
if [ ! -r rsa3072-server.req ]; then
|
|
$OPENSSL req -config rsa3072-ca-openssl.cnf.tmp -batch -new -newkey rsa:3072 -nodes -keyout rsa3072-server.key -out rsa3072-server.req -outform PEM -sha384
|
|
fi
|
|
$OPENSSL ca -config rsa3072-ca-openssl.cnf.tmp -batch -keyfile rsa3072-ca.key -cert rsa3072-ca.pem -create_serial -in rsa3072-server.req -out rsa3072-server.pem -extensions ext_server -days 730 -md sha384
|
|
rm rsa3072-ca-openssl.cnf.tmp
|
|
|
|
echo
|
|
echo "---[ User SHA-384 ]-----------------------------------------------------"
|
|
echo
|
|
|
|
cat ec-ca-openssl.cnf |
|
|
sed "s/#@CN@/commonName_default = user-rsa3072/" |
|
|
sed "s/#@ALTNAME@/subjectAltName=email:user-rsa3072@w1.fi/" |
|
|
sed s%\./ec-ca$%./rsa3072-ca% \
|
|
> rsa3072-ca-openssl.cnf.tmp
|
|
if [ ! -r rsa3072-user.req ]; then
|
|
$OPENSSL req -config rsa3072-ca-openssl.cnf.tmp -batch -new -newkey rsa:3072 -nodes -keyout rsa3072-user.key -out rsa3072-user.req -outform PEM -extensions ext_client -sha384
|
|
fi
|
|
$OPENSSL ca -config rsa3072-ca-openssl.cnf.tmp -batch -keyfile rsa3072-ca.key -cert rsa3072-ca.pem -create_serial -in rsa3072-user.req -out rsa3072-user.pem -extensions ext_client -days 730 -md sha384
|
|
rm rsa3072-ca-openssl.cnf.tmp
|
|
|
|
echo
|
|
echo "---[ User RSA2048 ]-----------------------------------------------------"
|
|
echo
|
|
|
|
cat ec-ca-openssl.cnf |
|
|
sed "s/#@CN@/commonName_default = user-rsa3072-rsa2048/" |
|
|
sed "s/#@ALTNAME@/subjectAltName=email:user-rsa3072-rsa2048@w1.fi/" |
|
|
sed s%\./ec-ca$%./rsa3072-ca% \
|
|
> rsa3072-ca-openssl.cnf.tmp
|
|
if [ ! -r rsa3072-user-rsa2048.req ]; then
|
|
$OPENSSL req -config rsa3072-ca-openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout rsa3072-user-rsa2048.key -out rsa3072-user-rsa2048.req -outform PEM -extensions ext_client -sha384
|
|
fi
|
|
$OPENSSL ca -config rsa3072-ca-openssl.cnf.tmp -batch -keyfile rsa3072-ca.key -cert rsa3072-ca.pem -create_serial -in rsa3072-user-rsa2048.req -out rsa3072-user-rsa2048.pem -extensions ext_client -days 730 -md sha384
|
|
rm rsa3072-ca-openssl.cnf.tmp
|
|
|
|
echo
|
|
echo "---[ Verify ]-----------------------------------------------------------"
|
|
echo
|
|
|
|
$OPENSSL verify -CAfile rsa3072-ca.pem rsa3072-server.pem
|
|
$OPENSSL verify -CAfile rsa3072-ca.pem rsa3072-user.pem
|
|
$OPENSSL verify -CAfile rsa3072-ca.pem rsa3072-user-rsa2048.pem
|