#!/bin/sh -
# $Id$
# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# Quick hack to generate a set of business keys and certs for use with
# early prototype code. Not for production use.
#
# All we're trying to do here is generate a three-level-deep set of
# certs for each of several independent entities. Could easily be
# deeper in practice but this should be enough for simple tests: a
# self-signed root cert to use as a trust anchor, a working CA, and an
# EE cert used for CMS or TLS.
#
# Among other things missing here: the only extension that restricts how a
# cert may be used is basicConstraints (no keyUsage, extendedKeyUsage or
# pathlen), there is no name or policy constraint, and no CRLs are issued,
# so nothing generated here can ever be revoked.
#
# One can extract the public key from a .key file by doing:
#
# $ openssl rsa -in foo.key -pubout
#
# I ended up needing this to build simulated packets for the
# left-right protocol.
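# Build one three-level chain (Root -> CA -> EE) per principal.  Every
# artifact is skipped when a readable file of that name already exists,
# so a partial or stale file from an earlier run is NOT regenerated:
# remove it (and the matching .srl) by hand to force a fresh one.
for principal in Alice Bob Carol Dave Elena Frank Ginny Harry
do
  for role in Root CA EE
  do
    # Only the leaf is a non-CA; both Root and CA get CA:true.
    case "$role" in
      EE) is_ca=false ;;
      *)  is_ca=true ;;
    esac
    stem="$principal-$role"
    # Minimal request + extension config.  basicConstraints is the only
    # restricting extension; keyUsage/EKU/pathlen are deliberately absent.
    # The here-doc body is flush-left on purpose (<<- strips tabs only).
    test -r "$stem.cnf" || cat >"$stem.cnf" <<-EOF
[ req ]
distinguished_name = req_dn
x509_extensions = req_x509_ext
prompt = no
default_md = sha256
[ req_dn ]
CN = Test Certificate $principal $role
[ req_x509_ext ]
basicConstraints = CA:$is_ca
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
    # Private keys are generated under a tight umask in a subshell so the
    # .key files are not readable by other users -- openssl genrsa does not
    # tighten the file mode itself.  Configs, requests and certs keep the
    # caller's umask, since other tooling may need to read them.
    test -r "$stem.key" || (umask 077 && openssl genrsa -out "$stem.key" 2048)
    test -r "$stem.req" || openssl req -new -sha256 -key "$stem.key" -out "$stem.req" -config "$stem.cnf"
  done
  root_stem="$principal-Root"
  ca_stem="$principal-CA"
  ee_stem="$principal-EE"
  # Self-signed trust anchor; the only cert given an explicit validity.
  test -r "$root_stem.cer" || openssl x509 -sha256 -req -in "$root_stem.req" -out "$root_stem.cer" -extfile "$root_stem.cnf" -extensions req_x509_ext -signkey "$root_stem.key" -days 60
  # CA and EE use openssl x509's default validity (30 days per its man
  # page), so they expire before the root they chain to.  Harmless for
  # short-lived test fixtures; kept as-is.  -CAcreateserial writes the
  # issuer's serial counter to <issuer>.srl next to the cert.
  test -r "$ca_stem.cer" || openssl x509 -sha256 -req -in "$ca_stem.req" -out "$ca_stem.cer" -extfile "$ca_stem.cnf" -extensions req_x509_ext -CA "$root_stem.cer" -CAkey "$root_stem.key" -CAcreateserial
  test -r "$ee_stem.cer" || openssl x509 -sha256 -req -in "$ee_stem.req" -out "$ee_stem.cer" -extfile "$ee_stem.cnf" -extensions req_x509_ext -CA "$ca_stem.cer" -CAkey "$ca_stem.key" -CAcreateserial
done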
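# Create c_rehash-style <subject-hash>.0 symlinks so the certs can be
# used as a -CApath directory.  With no *.cer present the unexpanded
# glob is skipped instead of being handed to openssl (which previously
# produced a dangling ".0" link).  If a link of that name already
# exists but points elsewhere -- a subject-hash collision, which would
# need a .1 suffix -- warn rather than silently skip it.
for cert in *.cer
do
  [ -e "$cert" ] || continue
  link="$(openssl x509 -noout -hash -in "$cert").0"
  if [ -e "$link" ] || [ -L "$link" ]
  then
    [ "$link" -ef "$cert" ] ||
      printf 'warning: %s already exists and does not point at %s (subject hash collision?)\n' "$link" "$cert" >&2
  else
    ln -s "$cert" "$link"
  fi
done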