|
| 1 | +#!/bin/sh |
| 2 | + |
| 3 | +set -xe |
| 4 | + |
| 5 | +rm -rf rsa/ ecdsa/ eddsa/ |
| 6 | +mkdir -p rsa/ ecdsa/ eddsa/ |
| 7 | + |
| 8 | +openssl req -nodes \ |
| 9 | + -x509 \ |
| 10 | + -days 3650 \ |
| 11 | + -newkey rsa:4096 \ |
| 12 | + -keyout rsa/ca.key \ |
| 13 | + -out rsa/ca.cert \ |
| 14 | + -sha256 \ |
| 15 | + -batch \ |
| 16 | + -subj "/CN=ponytown RSA CA" |
| 17 | + |
| 18 | +openssl req -nodes \ |
| 19 | + -newkey rsa:3072 \ |
| 20 | + -keyout rsa/inter.key \ |
| 21 | + -out rsa/inter.req \ |
| 22 | + -sha256 \ |
| 23 | + -batch \ |
| 24 | + -subj "/CN=ponytown RSA level 2 intermediate" |
| 25 | + |
| 26 | +openssl req -nodes \ |
| 27 | + -newkey rsa:2048 \ |
| 28 | + -keyout rsa/end.key \ |
| 29 | + -out rsa/end.req \ |
| 30 | + -sha256 \ |
| 31 | + -batch \ |
| 32 | + -subj "/CN=testserver.com" |
| 33 | + |
| 34 | +openssl rsa \ |
| 35 | + -in rsa/end.key \ |
| 36 | + -out rsa/end.rsa |
| 37 | + |
| 38 | +openssl req -nodes \ |
| 39 | + -newkey rsa:2048 \ |
| 40 | + -keyout rsa/client.key \ |
| 41 | + -out rsa/client.req \ |
| 42 | + -sha256 \ |
| 43 | + -batch \ |
| 44 | + -subj "/CN=ponytown client" |
| 45 | + |
| 46 | +openssl rsa \ |
| 47 | + -in rsa/client.key \ |
| 48 | + -out rsa/client.rsa |
| 49 | + |
| 50 | +# ecdsa |
| 51 | +openssl ecparam -name prime256v1 -out ecdsa/nistp256.pem |
| 52 | +openssl ecparam -name secp384r1 -out ecdsa/nistp384.pem |
| 53 | + |
| 54 | +openssl req -nodes \ |
| 55 | + -x509 \ |
| 56 | + -newkey ec:ecdsa/nistp384.pem \ |
| 57 | + -keyout ecdsa/ca.key \ |
| 58 | + -out ecdsa/ca.cert \ |
| 59 | + -sha256 \ |
| 60 | + -batch \ |
| 61 | + -days 3650 \ |
| 62 | + -subj "/CN=ponytown ECDSA CA" |
| 63 | + |
| 64 | +openssl req -nodes \ |
| 65 | + -newkey ec:ecdsa/nistp256.pem \ |
| 66 | + -keyout ecdsa/inter.key \ |
| 67 | + -out ecdsa/inter.req \ |
| 68 | + -sha256 \ |
| 69 | + -batch \ |
| 70 | + -days 3000 \ |
| 71 | + -subj "/CN=ponytown ECDSA level 2 intermediate" |
| 72 | + |
| 73 | +openssl req -nodes \ |
| 74 | + -newkey ec:ecdsa/nistp256.pem \ |
| 75 | + -keyout ecdsa/end.key \ |
| 76 | + -out ecdsa/end.req \ |
| 77 | + -sha256 \ |
| 78 | + -batch \ |
| 79 | + -days 2000 \ |
| 80 | + -subj "/CN=testserver.com" |
| 81 | + |
| 82 | +openssl req -nodes \ |
| 83 | + -newkey ec:ecdsa/nistp384.pem \ |
| 84 | + -keyout ecdsa/client.key \ |
| 85 | + -out ecdsa/client.req \ |
| 86 | + -sha256 \ |
| 87 | + -batch \ |
| 88 | + -days 2000 \ |
| 89 | + -subj "/CN=ponytown client" |
| 90 | + |
| 91 | +# eddsa |
| 92 | + |
| 93 | +# TODO: add support for Ed448 |
| 94 | +# openssl genpkey -algorithm Ed448 -out eddsa/ca.key |
| 95 | +openssl genpkey -algorithm Ed25519 -out eddsa/ca.key |
| 96 | + |
| 97 | +openssl req -nodes \ |
| 98 | + -x509 \ |
| 99 | + -key eddsa/ca.key \ |
| 100 | + -out eddsa/ca.cert \ |
| 101 | + -sha256 \ |
| 102 | + -batch \ |
| 103 | + -days 3650 \ |
| 104 | + -subj "/CN=ponytown EdDSA CA" |
| 105 | + |
| 106 | +openssl genpkey -algorithm Ed25519 -out eddsa/inter.key |
| 107 | + |
| 108 | +openssl req -nodes \ |
| 109 | + -new \ |
| 110 | + -key eddsa/inter.key \ |
| 111 | + -out eddsa/inter.req \ |
| 112 | + -sha256 \ |
| 113 | + -batch \ |
| 114 | + -subj "/CN=ponytown EdDSA level 2 intermediate" |
| 115 | + |
| 116 | +openssl genpkey -algorithm Ed25519 -out eddsa/end.key |
| 117 | + |
| 118 | +openssl req -nodes \ |
| 119 | + -new \ |
| 120 | + -key eddsa/end.key \ |
| 121 | + -out eddsa/end.req \ |
| 122 | + -sha256 \ |
| 123 | + -batch \ |
| 124 | + -subj "/CN=testserver.com" |
| 125 | + |
| 126 | +# TODO: add support for Ed448 |
| 127 | +# openssl genpkey -algorithm Ed448 -out eddsa/client.key |
| 128 | +openssl genpkey -algorithm Ed25519 -out eddsa/client.key |
| 129 | + |
| 130 | +openssl req -nodes \ |
| 131 | + -new \ |
| 132 | + -key eddsa/client.key \ |
| 133 | + -out eddsa/client.req \ |
| 134 | + -sha256 \ |
| 135 | + -batch \ |
| 136 | + -subj "/CN=ponytown client" |
| 137 | + |
| 138 | +for kt in rsa ecdsa eddsa ; do |
| 139 | + openssl x509 -req \ |
| 140 | + -in $kt/inter.req \ |
| 141 | + -out $kt/inter.cert \ |
| 142 | + -CA $kt/ca.cert \ |
| 143 | + -CAkey $kt/ca.key \ |
| 144 | + -sha256 \ |
| 145 | + -days 3650 \ |
| 146 | + -set_serial 123 \ |
| 147 | + -extensions v3_inter -extfile openssl.cnf |
| 148 | + |
| 149 | + openssl x509 -req \ |
| 150 | + -in $kt/end.req \ |
| 151 | + -out $kt/end.cert \ |
| 152 | + -CA $kt/inter.cert \ |
| 153 | + -CAkey $kt/inter.key \ |
| 154 | + -sha256 \ |
| 155 | + -days 2000 \ |
| 156 | + -set_serial 456 \ |
| 157 | + -extensions v3_end -extfile openssl.cnf |
| 158 | + |
| 159 | + openssl x509 -req \ |
| 160 | + -in $kt/client.req \ |
| 161 | + -out $kt/client.cert \ |
| 162 | + -CA $kt/inter.cert \ |
| 163 | + -CAkey $kt/inter.key \ |
| 164 | + -sha256 \ |
| 165 | + -days 2000 \ |
| 166 | + -set_serial 789 \ |
| 167 | + -extensions v3_client -extfile openssl.cnf |
| 168 | + |
| 169 | + cat $kt/inter.cert $kt/ca.cert > $kt/end.chain |
| 170 | + cat $kt/end.cert $kt/inter.cert $kt/ca.cert > $kt/end.fullchain |
| 171 | + |
| 172 | + cat $kt/inter.cert $kt/ca.cert > $kt/client.chain |
| 173 | + cat $kt/client.cert $kt/inter.cert $kt/ca.cert > $kt/client.fullchain |
| 174 | + |
| 175 | + openssl asn1parse -in $kt/ca.cert -out $kt/ca.der > /dev/null |
| 176 | +done |
0 commit comments