
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21786 ec53bebd-3082-4978-b11e-865c3cabbd6b
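#!/bin/sh
# $Id$
#
# Generate the hx509 test fixtures: CA, end-entity and proxy
# certificates with their keys, PKCS#12 bundles, CMS signed and
# enveloped blobs, OCSP requests/responses and a CRL.
#
# This script needs openssl 0.9.8a or newer, so it can parse the
# otherName section for pkinit certificates.
#
# Everything produced here is test material only: the 1024-bit RSA
# keys, SHA-1 signatures and the passphrases hard-coded below are not
# suitable for anything outside the test suite.
#

# openssl binary to use. Override with the OPENSSL environment variable;
# the fallback is the author's private 0.9.8e source build, which is
# unlikely to exist on any other machine.
openssl=${OPENSSL:-$HOME/src/openssl/openssl-0.9.8e/apps/openssl}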
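#######################################
# Report a failed step of gen_cert and abort fixture generation.
# A fixture set that is missing or mislabels one file is worse than
# no fixture set, so there is no point in continuing.
# Arguments:
#   $1 - description of the step that failed
#   $2 - subject DN of the certificate being generated
# Outputs: one diagnostic line on stderr
# Returns: does not return; exits the script with status 1
#######################################
gen_cert_fail()
{
    printf 'gen_cert: %s failed for "%s"\n' "$1" "$2" >&2
    exit 1
}

#######################################
# Issue one test certificate and leave it as <name>.crt / <name>.key.
#
# Arguments:
#   $1 - subject DN, passed to "openssl req -subj"
#   $2 - basename of the issuer's <basename>.crt / <basename>.key
#        (not used when $3 is "ca": the root signs itself)
#   $3 - mode, and for every mode except "proxy" the output basename:
#        "ca"    self-signed root, "openssl x509 -signkey"
#        "proxy" signed directly with the issuer's key via
#                "openssl x509 -req -CA", bypassing the CA database
#        other   issued through "openssl ca" (updates serial/index.txt)
#   $4 - openssl.cnf section: -extensions for "ca"/"proxy", -name of
#        the CA section for the "openssl ca" case
#   $5 - output basename, "proxy" mode only
# Globals:
#   openssl   - path of the openssl binary (read)
#   name      - set to the output basename (written, as before)
#   subj_hash - subject hash of the root cert, "ca" mode (written)
# Outputs:
#   <name>.crt and <name>.key in the current directory. In "ca" mode
#   also a <subject-hash>.0 symlink to the root cert, the file name
#   OpenSSL looks up in a -CApath directory.
# Returns:
#   0 on success. Any failing step exits the script with status 1
#   (previously failures were ignored and the trailing mv renamed a
#   missing or stale cert.crt).
#######################################
gen_cert()
{
    # Key and CSR. rsa:1024 / sha1 are kept because that is what the
    # existing fixtures are; the req output is noise, only the exit
    # status is of interest.
    "${openssl}" req \
        -new \
        -subj "$1" \
        -config openssl.cnf \
        -newkey rsa:1024 \
        -sha1 \
        -nodes \
        -keyout out.key \
        -out cert.req >/dev/null 2>&1 || gen_cert_fail "openssl req" "$1"

    case "$3" in
    ca)
        "${openssl}" x509 \
            -req \
            -days 3650 \
            -in cert.req \
            -extfile openssl.cnf \
            -extensions "$4" \
            -signkey out.key \
            -out cert.crt || gen_cert_fail "openssl x509 -signkey" "$1"

        # $3 is "ca" in this branch, so "$3.crt" is the ca.crt the
        # original linked to by name.
        subj_hash=$("${openssl}" x509 -hash -noout -in cert.crt) ||
            gen_cert_fail "openssl x509 -hash" "$1"
        ln -s "$3.crt" "$subj_hash.0" || gen_cert_fail "ln -s $subj_hash.0" "$1"

        name=$3
        ;;
    proxy)
        "${openssl}" x509 \
            -req \
            -in cert.req \
            -days 3650 \
            -out cert.crt \
            -CA "$2.crt" \
            -CAkey "$2.key" \
            -CAcreateserial \
            -extfile openssl.cnf \
            -extensions "$4" || gen_cert_fail "openssl x509 -CA $2" "$1"

        name=$5
        ;;
    *)
        "${openssl}" ca \
            -name "$4" \
            -days 3650 \
            -cert "$2.crt" \
            -keyfile "$2.key" \
            -in cert.req \
            -out cert.crt \
            -outdir . \
            -batch \
            -config openssl.cnf || gen_cert_fail "openssl ca -name $4" "$1"

        name=$3
        ;;
    esac

    # An empty basename would otherwise produce the hidden files
    # ".crt" / ".key" (a "proxy" call that forgot $5).
    [ -n "$name" ] || gen_cert_fail "output naming (empty basename)" "$1"
    mv cert.crt "$name.crt" || gen_cert_fail "mv cert.crt" "$1"
    mv out.key "$name.key" || gen_cert_fail "mv out.key" "$1"
}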
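# Stop at the first failed command. Fixtures generated past a failure
# are not merely missing but wrong (e.g. an OCSP response or CRL that
# does not know revoke.crt was revoked).
set -e

# Fresh "openssl ca" database and no stale <hash>.0 links from an
# earlier run.
printf '01\n' > serial
> index.txt
rm -f *.0

gen_cert "/CN=hx509 Test Root CA/C=SE" "root" "ca" "v3_ca"
gen_cert "/CN=OCSP responder/C=SE" "ca" "ocsp-responder" "ocsp"
gen_cert "/CN=Test cert/C=SE" "ca" "test" "usr"
gen_cert "/CN=Revoke cert/C=SE" "ca" "revoke" "usr"
gen_cert "/CN=Test cert KeyEncipherment/C=SE" "ca" "test-ke-only" "usr_ke"
gen_cert "/CN=Test cert DigitalSignature/C=SE" "ca" "test-ds-only" "usr_ds"
gen_cert "/CN=pkinit/C=SE" "ca" "pkinit" "pkinit_client"
gen_cert "/C=SE/CN=pkinit/CN=pkinit-proxy" "pkinit" "proxy" "proxy_cert" pkinit-proxy
gen_cert "/CN=kdc/C=SE" "ca" "kdc" "pkinit_kdc"
gen_cert "/CN=www.test.h5l.se/C=SE" "ca" "https" "https"
gen_cert "/CN=Sub CA/C=SE" "ca" "sub-ca" "subca"
gen_cert "/CN=Test sub cert/C=SE" "sub-ca" "sub-cert" "usr"
gen_cert "/C=SE/CN=Test cert/CN=proxy" "test" "proxy" "proxy_cert" proxy-test
gen_cert "/C=SE/CN=Test cert/CN=proxy/CN=child" "proxy-test" "proxy" "proxy_cert" proxy-level-test
gen_cert "/C=SE/CN=Test cert/CN=no-proxy" "test" "proxy" "usr_cert" no-proxy-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10" "test" "proxy" "proxy10_cert" proxy10-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child" "proxy10-test" "proxy" "proxy10_cert" proxy10-child-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child/CN=child" "proxy10-child-test" "proxy" "proxy10_cert" proxy10-child-child-test

# combine: sub-CA chain, cert+key in one PEM file, and the proxy cert
# followed by the end-entity cert it was issued under.
cat sub-ca.crt ca.crt > sub-ca-combined.crt
cat test.crt test.key > test.combined.crt
cat pkinit-proxy.crt pkinit.crt > pkinit-proxy-chain.crt

# password protected key. The passphrases are fixed test values and are
# passed on the command line; acceptable only because nothing generated
# here is secret.
"${openssl}" rsa -in test.key -aes256 -passout pass:foobar -out test-pw.key
"${openssl}" rsa -in pkinit.key -aes256 -passout pass:foo -out pkinit-pw.key

# Revoke revoke.crt in index.txt; the OCSP responses and the CRL at
# the end rely on this entry.
"${openssl}" ca \
    -name usr \
    -cert ca.crt \
    -keyfile ca.key \
    -revoke revoke.crt \
    -config openssl.cnf

# PKCS#12 bundles: test cert with its CA, sub-cert with the two-level
# chain, and an unencrypted variant (-keypbe/-certpbe NONE).
"${openssl}" pkcs12 \
    -export \
    -in test.crt \
    -inkey test.key \
    -passout pass:foobar \
    -out test.p12 \
    -name "friendlyname-test" \
    -certfile ca.crt \
    -caname ca

"${openssl}" pkcs12 \
    -export \
    -in sub-cert.crt \
    -inkey sub-cert.key \
    -passout pass:foobar \
    -out sub-cert.p12 \
    -name "friendlyname-sub-cert" \
    -certfile sub-ca-combined.crt \
    -caname sub-ca \
    -caname ca

"${openssl}" pkcs12 \
    -keypbe NONE \
    -certpbe NONE \
    -export \
    -in test.crt \
    -inkey test.key \
    -passout pass:foobar \
    -out test-nopw.p12 \
    -name "friendlyname-cert" \
    -certfile ca.crt \
    -caname ca

#######################################
# CMS SignedData over static-file, signed by test.crt, as DER.
# Arguments:
#   $1   - output file
#   $2.. - extra "openssl smime" flags (e.g. -noattr, -nocerts)
#######################################
sign_static_file()
{
    sign_out=$1
    shift
    "${openssl}" smime \
        -sign \
        -nodetach \
        -binary \
        -in static-file \
        -signer test.crt \
        -inkey test.key \
        -outform DER \
        -out "$sign_out" \
        "$@"
}

sign_static_file test-signed-data
sign_static_file test-signed-data-noattr -noattr
sign_static_file test-signed-data-noattr-nocerts -noattr -nocerts

#######################################
# CMS EnvelopedData over static-file for recipient test.crt, as DER.
# Arguments:
#   $1 - output file suffix, written as test-enveloped-$1
#   $2 - "openssl smime" cipher flag without the leading dash
#######################################
envelope()
{
    "${openssl}" smime \
        -encrypt \
        -nodetach \
        -binary \
        -in static-file \
        -outform DER \
        -out "test-enveloped-$1" \
        "-$2" \
        test.crt
}

# The RC2 and single-DES outputs are legacy-algorithm test vectors for
# the decoder, not a statement that those ciphers are acceptable.
envelope rc2-40 rc2-40
envelope rc2-64 rc2-64
envelope rc2-128 rc2-128
envelope des des
envelope des-ede3 des3
envelope aes-128 aes128
envelope aes-256 aes256

echo ocsp requests

#######################################
# OCSP request for a certificate issued by ca.crt.
# Arguments:
#   $1 - certificate to ask about
#   $2 - output file (DER)
#######################################
ocsp_request()
{
    "${openssl}" ocsp \
        -issuer ca.crt \
        -cert "$1" \
        -reqout "$2"
}

#######################################
# Answer an OCSP request from index.txt.
# -noverify keeps the app from trying to verify the response it just
# produced; no trust store is configured for that here.
# Arguments:
#   $1   - basename of the responder's <basename>.crt / <basename>.key
#   $2   - request file (DER)
#   $3   - output file (DER)
#   $4.. - extra "openssl ocsp" flags (e.g. -resp_no_certs)
#######################################
ocsp_response()
{
    ocsp_signer=$1
    ocsp_req=$2
    ocsp_resp=$3
    shift 3
    "${openssl}" ocsp \
        -index index.txt \
        -rsigner "$ocsp_signer.crt" \
        -rkey "$ocsp_signer.key" \
        -CA ca.crt \
        -reqin "$ocsp_req" \
        -noverify \
        -respout "$ocsp_resp" \
        "$@"
}

ocsp_request test.crt ocsp-req1.der
ocsp_response ocsp-responder ocsp-req1.der ocsp-resp1-ocsp.der
ocsp_response ca ocsp-req1.der ocsp-resp1-ca.der
ocsp_response ocsp-responder ocsp-req1.der ocsp-resp1-ocsp-no-cert.der -resp_no_certs
ocsp_response ocsp-responder ocsp-req1.der ocsp-resp1-keyhash.der -resp_key_id

ocsp_request revoke.crt ocsp-req2.der
ocsp_response ocsp-responder ocsp-req2.der ocsp-resp2.der

# CRL from index.txt (contains the revoke.crt entry), PEM then DER.
"${openssl}" ca \
    -gencrl \
    -name usr \
    -crldays 3600 \
    -keyfile ca.key \
    -cert ca.crt \
    -crl_reason superseded \
    -out crl1.crl \
    -config openssl.cnf

"${openssl}" crl -in crl1.crl -outform der -out crl1.der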