c2bbf275b2
2. automatically create required sub-directories Submitted by: Vipul Gupta <Vipul.Gupta@sun.com>
165 lines
7.0 KiB
Bash
Executable File
165 lines
7.0 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
# For a list of supported curves, use "apps/openssl ecparam -list_curves".
|
|
|
|
# Path to the openssl distribution
|
|
OPENSSL_DIR=../..
|
|
# Path to the openssl program
|
|
OPENSSL_CMD=$OPENSSL_DIR/apps/openssl
|
|
# Option to find configuration file
|
|
OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf"
|
|
# Directory where certificates are stored
|
|
CERTS_DIR=./Certs
|
|
# Directory where private key files are stored
|
|
KEYS_DIR=$CERTS_DIR
|
|
# Directory where combo files (containing a certificate and corresponding
|
|
# private key together) are stored
|
|
COMBO_DIR=$CERTS_DIR
|
|
# cat command
|
|
CAT=/bin/cat
|
|
# rm command
|
|
RM=/bin/rm
|
|
# mkdir command
|
|
MKDIR=/bin/mkdir
|
|
# The certificate will expire these many days after the issue date.
|
|
DAYS=1500
|
|
TEST_CA_CURVE=secp160r1
|
|
TEST_CA_FILE=secp160r1TestCA
|
|
TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (Elliptic curve secp160r1)"
|
|
|
|
TEST_SERVER_CURVE=secp160r2
|
|
TEST_SERVER_FILE=secp160r2TestServer
|
|
TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (Elliptic curve secp160r2)"
|
|
|
|
TEST_CLIENT_CURVE=secp160r2
|
|
TEST_CLIENT_FILE=secp160r2TestClient
|
|
TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (Elliptic curve secp160r2)"
|
|
|
|
# Generating an EC certificate involves the following main steps
|
|
# 1. Generating curve parameters (if needed)
|
|
# 2. Generating a certificate request
|
|
# 3. Signing the certificate request
|
|
# 4. [Optional] One can combine the cert and private key into a single
|
|
# file and also delete the certificate request
|
|
|
|
$MKDIR -p $CERTS_DIR
|
|
$MKDIR -p $KEYS_DIR
|
|
$MKDIR -p $COMBO_DIR
|
|
|
|
echo "Generating self-signed CA certificate (on curve $TEST_CA_CURVE)"
|
|
echo "==============================================================="
|
|
$OPENSSL_CMD ecparam -name $TEST_CA_CURVE -out $TEST_CA_CURVE.pem
|
|
|
|
# Generate a new certificate request in $TEST_CA_FILE.req.pem. A
|
|
# new ecdsa (actually ECC) key pair is generated on the parameters in
|
|
# $TEST_CA_CURVE.pem and the private key is saved in $TEST_CA_FILE.key.pem
|
|
# WARNING: By using the -nodes option, we force the private key to be
|
|
# stored in the clear (rather than encrypted with a password).
|
|
$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \
|
|
-keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \
|
|
-newkey ec:$TEST_CA_CURVE.pem -new \
|
|
-out $CERTS_DIR/$TEST_CA_FILE.req.pem
|
|
|
|
# Sign the certificate request in $TEST_CA_FILE.req.pem using the
|
|
# private key in $TEST_CA_FILE.key.pem and include the CA extension.
|
|
# Make the certificate valid for 1500 days from the time of signing.
|
|
# The certificate is written into $TEST_CA_FILE.cert.pem
|
|
$OPENSSL_CMD x509 -req -days $DAYS \
|
|
-in $CERTS_DIR/$TEST_CA_FILE.req.pem \
|
|
-extfile $OPENSSL_DIR/apps/openssl.cnf \
|
|
-extensions v3_ca \
|
|
-signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
|
|
-out $CERTS_DIR/$TEST_CA_FILE.cert.pem
|
|
|
|
# Display the certificate
|
|
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text
|
|
|
|
# Place the certificate and key in a common file
|
|
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \
|
|
> $COMBO_DIR/$TEST_CA_FILE.pem
|
|
$CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem
|
|
|
|
# Remove the cert request file (no longer needed)
|
|
$RM $CERTS_DIR/$TEST_CA_FILE.req.pem
|
|
|
|
echo "GENERATING A TEST SERVER CERTIFICATE (on elliptic curve $TEST_SERVER_CURVE)"
|
|
echo "=========================================================================="
|
|
# Generate parameters for curve $TEST_SERVER_CURVE, if needed
|
|
$OPENSSL_CMD ecparam -name $TEST_SERVER_CURVE -out $TEST_SERVER_CURVE.pem
|
|
|
|
# Generate a new certificate request in $TEST_SERVER_FILE.req.pem. A
|
|
# new ecdsa (actually ECC) key pair is generated on the parameters in
|
|
# $TEST_SERVER_CURVE.pem and the private key is saved in
|
|
# $TEST_SERVER_FILE.key.pem
|
|
# WARNING: By using the -nodes option, we force the private key to be
|
|
# stored in the clear (rather than encrypted with a password).
|
|
$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \
|
|
-keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \
|
|
-newkey ec:$TEST_SERVER_CURVE.pem -new \
|
|
-out $CERTS_DIR/$TEST_SERVER_FILE.req.pem
|
|
|
|
# Sign the certificate request in $TEST_SERVER_FILE.req.pem using the
|
|
# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in
|
|
# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number
|
|
# file for this CA, create one. Make the certificate valid for $DAYS days
|
|
# from the time of signing. The certificate is written into
|
|
# $TEST_SERVER_FILE.cert.pem
|
|
$OPENSSL_CMD x509 -req -days $DAYS \
|
|
-in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \
|
|
-CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
|
|
-CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
|
|
-out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial
|
|
|
|
# Display the certificate
|
|
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text
|
|
|
|
# Place the certificate and key in a common file
|
|
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \
|
|
> $COMBO_DIR/$TEST_SERVER_FILE.pem
|
|
$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem
|
|
|
|
# Remove the cert request file (no longer needed)
|
|
$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem
|
|
|
|
echo "GENERATING A TEST CLIENT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)"
|
|
echo "=========================================================================="
|
|
# Generate parameters for curve $TEST_CLIENT_CURVE, if needed
|
|
$OPENSSL_CMD ecparam -name $TEST_CLIENT_CURVE -out $TEST_CLIENT_CURVE.pem
|
|
|
|
# Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. A
|
|
# new ecdsa (actually ECC) key pair is generated on the parameters in
|
|
# $TEST_CLIENT_CURVE.pem and the private key is saved in
|
|
# $TEST_CLIENT_FILE.key.pem
|
|
# WARNING: By using the -nodes option, we force the private key to be
|
|
# stored in the clear (rather than encrypted with a password).
|
|
$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \
|
|
-keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \
|
|
-newkey ec:$TEST_CLIENT_CURVE.pem -new \
|
|
-out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
|
|
|
|
# Sign the certificate request in $TEST_CLIENT_FILE.req.pem using the
|
|
# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in
|
|
# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number
|
|
# file for this CA, create one. Make the certificate valid for $DAYS days
|
|
# from the time of signing. The certificate is written into
|
|
# $TEST_CLIENT_FILE.cert.pem
|
|
$OPENSSL_CMD x509 -req -days $DAYS \
|
|
-in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \
|
|
-CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
|
|
-CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
|
|
-out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial
|
|
|
|
# Display the certificate
|
|
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text
|
|
|
|
# Place the certificate and key in a common file
|
|
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \
|
|
> $COMBO_DIR/$TEST_CLIENT_FILE.pem
|
|
$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem
|
|
|
|
# Remove the cert request file (no longer needed)
|
|
$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
|
|
|
|
|
|
|