openssl/demos/certs/mkcerts.sh
Sam Roberts 3b09585bd6 Remove unnecessary trailing whitespace
Trim trailing whitespace. It doesn't match OpenSSL coding standards,
AFAICT, and it can cause problems with git tooling.

Trailing whitespace remains in test data and external source.

Backport-of: https://github.com/openssl/openssl/pull/8092

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8134)
2019-02-05 16:29:17 +01:00

96 lines
3.8 KiB
Bash

#!/bin/sh
OPENSSL=../../apps/openssl
OPENSSL_CONF=../../apps/openssl.cnf
export OPENSSL_CONF
# Root CA: create certificate directly
CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes \
-keyout root.pem -out root.pem -newkey rsa:2048 -days 3650
# Intermediate CA: request first
CN="Test Intermediate CA" $OPENSSL req -config ca.cnf -nodes \
-keyout intkey.pem -out intreq.pem -newkey rsa:2048
# Sign request: CA extensions
$OPENSSL x509 -req -in intreq.pem -CA root.pem -days 3600 \
-extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem
# Server certificate: create request first
CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \
-keyout skey.pem -out req.pem -newkey rsa:1024
# Sign request: end entity extensions
$OPENSSL x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
-extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem
# Client certificate: request first
CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \
-keyout ckey.pem -out creq.pem -newkey rsa:1024
# Sign using intermediate CA
$OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
-extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem
# Revoked certificate: request first
CN="Test Revoked Cert" $OPENSSL req -config ca.cnf -nodes \
-keyout revkey.pem -out rreq.pem -newkey rsa:1024
# Sign using intermediate CA
$OPENSSL x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
-extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem
# OCSP responder certificate: request first
CN="Test OCSP Responder Cert" $OPENSSL req -config ca.cnf -nodes \
-keyout respkey.pem -out respreq.pem -newkey rsa:1024
# Sign using intermediate CA and responder extensions
$OPENSSL x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
-extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem
# Example creating a PKCS#3 DH certificate.
# First DH parameters
[ -f dhp.pem ] || $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem
# Now a DH private key
$OPENSSL genpkey -paramfile dhp.pem -out dhskey.pem
# Create DH public key file
$OPENSSL pkey -in dhskey.pem -pubout -out dhspub.pem
# Certificate request, key just reuses old one as it is ignored when the
# request is signed.
CN="Test Server DH Cert" $OPENSSL req -config ca.cnf -new \
-key skey.pem -out dhsreq.pem
# Sign request: end entity DH extensions
$OPENSSL x509 -req -in dhsreq.pem -CA root.pem -days 3600 \
-force_pubkey dhspub.pem \
-extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem
# DH client certificate
$OPENSSL genpkey -paramfile dhp.pem -out dhckey.pem
$OPENSSL pkey -in dhckey.pem -pubout -out dhcpub.pem
CN="Test Client DH Cert" $OPENSSL req -config ca.cnf -new \
-key skey.pem -out dhcreq.pem
$OPENSSL x509 -req -in dhcreq.pem -CA root.pem -days 3600 \
-force_pubkey dhcpub.pem \
-extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem
# Examples of CRL generation without the need to use 'ca' to issue
# certificates.
# Create zero length index file
>index.txt
# Create initial crl number file
echo 01 >crlnum.txt
# Add entries for server and client certs
$OPENSSL ca -valid server.pem -keyfile root.pem -cert root.pem \
-config ca.cnf -md sha1
$OPENSSL ca -valid client.pem -keyfile root.pem -cert root.pem \
-config ca.cnf -md sha1
$OPENSSL ca -valid rev.pem -keyfile root.pem -cert root.pem \
-config ca.cnf -md sha1
# Generate a CRL.
$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
-md sha1 -crldays 1 -out crl1.pem
# Revoke a certificate
openssl ca -revoke rev.pem -crl_reason superseded \
-keyfile root.pem -cert root.pem -config ca.cnf -md sha1
# Generate another CRL
$OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
-md sha1 -crldays 1 -out crl2.pem