Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/crypto/openssl/demos/certs/mkcerts.sh
34869 views
1
#!/bin/sh

2


3
opensslcmd() {

4
    LD_LIBRARY_PATH=../.. ../../apps/openssl $@

5
}

6


7
OPENSSL_CONF=../../apps/openssl.cnf

8
export OPENSSL_CONF

9


10
opensslcmd version

11


12
# Root CA: create certificate directly

13
CN="Test Root CA" opensslcmd req -config ca.cnf -x509 -nodes \

14
	-keyout root.pem -out root.pem -newkey rsa:2048 -days 3650

15
# Intermediate CA: request first

16
CN="Test Intermediate CA" opensslcmd req -config ca.cnf -nodes \

17
	-keyout intkey.pem -out intreq.pem -newkey rsa:2048

18
# Sign request: CA extensions

19
opensslcmd x509 -req -in intreq.pem -CA root.pem -days 3600 \

20
	-extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem

21


22
# Server certificate: create request first

23
CN="Test Server Cert" opensslcmd req -config ca.cnf -nodes \

24
	-keyout skey.pem -out req.pem -newkey rsa:1024

25
# Sign request: end entity extensions

26
opensslcmd x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \

27
	-extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem

28


29
# Client certificate: request first

30
CN="Test Client Cert" opensslcmd req -config ca.cnf -nodes \

31
	-keyout ckey.pem -out creq.pem -newkey rsa:1024

32
# Sign using intermediate CA

33
opensslcmd x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \

34
	-extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem

35


36
# Revoked certificate: request first

37
CN="Test Revoked Cert" opensslcmd req -config ca.cnf -nodes \

38
	-keyout revkey.pem -out rreq.pem -newkey rsa:1024

39
# Sign using intermediate CA

40
opensslcmd x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \

41
	-extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem

42


43
# OCSP responder certificate: request first

44
CN="Test OCSP Responder Cert" opensslcmd req -config ca.cnf -nodes \

45
	-keyout respkey.pem -out respreq.pem -newkey rsa:1024

46
# Sign using intermediate CA and responder extensions

47
opensslcmd x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \

48
	-extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem

49


50
# Example creating a PKCS#3 DH certificate.

51


52
# First DH parameters

53


54
[ -f dhp.pem ] || opensslcmd genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem

55


56
# Now a DH private key

57
opensslcmd genpkey -paramfile dhp.pem -out dhskey.pem

58
# Create DH public key file

59
opensslcmd pkey -in dhskey.pem -pubout -out dhspub.pem

60
# Certificate request, key just reuses old one as it is ignored when the

61
# request is signed.

62
CN="Test Server DH Cert" opensslcmd req -config ca.cnf -new \

63
	-key skey.pem -out dhsreq.pem

64
# Sign request: end entity DH extensions

65
opensslcmd x509 -req -in dhsreq.pem -CA root.pem -days 3600 \

66
	-force_pubkey dhspub.pem \

67
	-extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem

68


69
# DH client certificate

70


71
opensslcmd genpkey -paramfile dhp.pem -out dhckey.pem

72
opensslcmd pkey -in dhckey.pem -pubout -out dhcpub.pem

73
CN="Test Client DH Cert" opensslcmd req -config ca.cnf -new \

74
	-key skey.pem -out dhcreq.pem

75
opensslcmd x509 -req -in dhcreq.pem -CA root.pem -days 3600 \

76
	-force_pubkey dhcpub.pem \

77
	-extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem

78


79
# Examples of CRL generation without the need to use 'ca' to issue

80
# certificates.

81
# Create zero length index file

82
>index.txt

83
# Create initial crl number file

84
echo 01 >crlnum.txt

85
# Add entries for server and client certs

86
opensslcmd ca -valid server.pem -keyfile root.pem -cert root.pem \

87
		-config ca.cnf -md sha1

88
opensslcmd ca -valid client.pem -keyfile root.pem -cert root.pem \

89
		-config ca.cnf -md sha1

90
opensslcmd ca -valid rev.pem -keyfile root.pem -cert root.pem \

91
		-config ca.cnf -md sha1

92
# Generate a CRL.

93
opensslcmd ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \

94
		-md sha1 -crldays 1 -out crl1.pem

95
# Revoke a certificate

96
openssl ca -revoke rev.pem -crl_reason superseded \

97
		-keyfile root.pem -cert root.pem -config ca.cnf -md sha1

98
# Generate another CRL

99
opensslcmd ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \

100
		-md sha1 -crldays 1 -out crl2.pem

101


102


103