#
# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation. Oracle designates this
# particular file as subject to the "Classpath" exception as provided
# by Oracle in the LICENSE file that accompanied this code.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#
#!/bin/ksh
#
# needs ksh to run the script.
# generate a self-signed root certificate
if [ ! -f root/root_cert.pem ]; then
if [ ! -d root ]; then
mkdir root
fi
openssl req -x509 -newkey rsa:1024 -keyout root/root_key.pem \
-out root/root_cert.pem -subj "/C=US/O=Example" \
-config openssl.cnf -reqexts cert_issuer -days 7650 \
-passin pass:passphrase -passout pass:passphrase
fi
# generate a sele-issued root crl issuer certificate
if [ ! -f root/top_crlissuer_cert.pem ]; then
if [ ! -d root ]; then
mkdir root
fi
openssl req -newkey rsa:1024 -keyout root/top_crlissuer_key.pem \
-out root/top_crlissuer_req.pem -subj "/C=US/O=Example" -days 7650 \
-passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in root/top_crlissuer_req.pem -extfile openssl.cnf \
-extensions crl_issuer -CA root/root_cert.pem \
-CAkey root/root_key.pem -out root/top_crlissuer_cert.pem \
-CAcreateserial -CAserial root/root_cert.srl -days 7200 \
-passin pass:passphrase
fi
# generate subca cert issuer and crl iuuser certificates
if [ ! -f subca/subca_cert.pem ]; then
if [ ! -d subca ]; then
mkdir subca
fi
openssl req -newkey rsa:1024 -keyout subca/subca_key.pem \
-out subca/subca_req.pem -subj "/C=US/O=Example/OU=Class-1" \
-days 7650 -passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in subca/subca_req.pem -extfile openssl.cnf \
-extensions cert_issuer -CA root/root_cert.pem \
-CAkey root/root_key.pem -out subca/subca_cert.pem -CAcreateserial \
-CAserial root/root_cert.srl -days 7200 -passin pass:passphrase
openssl req -newkey rsa:1024 -keyout subca/subca_crlissuer_key.pem \
-out subca/subca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-1" \
-days 7650 -passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in subca/subca_crlissuer_req.pem -extfile openssl.cnf \
-extensions crl_issuer -CA root/root_cert.pem \
-CAkey root/root_key.pem -out subca/subca_crlissuer_cert.pem \
-CAcreateserial -CAserial root/root_cert.srl -days 7200 \
-passin pass:passphrase
fi
# generate dumca cert issuer and crl iuuser certificates
if [ ! -f dumca/dumca_cert.pem ]; then
if [ ! -d sumca ]; then
mkdir dumca
fi
openssl req -newkey rsa:1024 -keyout dumca/dumca_key.pem \
-out dumca/dumca_req.pem -subj "/C=US/O=Example/OU=Class-D" \
-days 7650 -passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in dumca/dumca_req.pem -extfile openssl.cnf \
-extensions cert_issuer -CA root/root_cert.pem \
-CAkey root/root_key.pem -out dumca/dumca_cert.pem \
-CAcreateserial -CAserial root/root_cert.srl -days 7200 \
-passin pass:passphrase
openssl req -newkey rsa:1024 -keyout dumca/dumca_crlissuer_key.pem \
-out dumca/dumca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-D" \
-days 7650 -passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in dumca/dumca_crlissuer_req.pem \
-extfile openssl.cnf -extensions crl_issuer -CA root/root_cert.pem \
-CAkey root/root_key.pem -out dumca/dumca_crlissuer_cert.pem \
-CAcreateserial -CAserial root/root_cert.srl -days 7200 \
-passin pass:passphrase
fi
# generate certifiacte for Alice
if [ ! -f subca/alice/alice_cert.pem ]; then
if [ ! -d subca/alice ]; then
mkdir -p subca/alice
fi
openssl req -newkey rsa:1024 -keyout subca/alice/alice_key.pem \
-out subca/alice/alice_req.pem \
-subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \
-passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in subca/alice/alice_req.pem \
-extfile openssl.cnf -extensions ee_of_subca \
-CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
-out subca/alice/alice_cert.pem -CAcreateserial \
-CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
fi
# generate certifiacte for Bob
if [ ! -f subca/bob/bob_cert.pem ]; then
if [ ! -d subca/bob ]; then
mkdir -p subca/bob
fi
openssl req -newkey rsa:1024 -keyout subca/bob/bob_key.pem \
-out subca/bob/bob_req.pem \
-subj "/C=US/O=Example/OU=Class-1/CN=Bob" -days 7650 \
-passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in subca/bob/bob_req.pem \
-extfile openssl.cnf -extensions ee_of_subca \
-CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
-out subca/bob/bob_cert.pem -CAcreateserial \
-CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
fi
# generate certifiacte for Susan
if [ ! -f subca/susan/susan_cert.pem ]; then
if [ ! -d subca/susan ]; then
mkdir -p subca/susan
fi
openssl req -newkey rsa:1024 -keyout subca/susan/susan_key.pem \
-out subca/susan/susan_req.pem \
-subj "/C=US/O=Example/OU=Class-1/CN=Susan" -days 7650 \
-passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in subca/susan/susan_req.pem -extfile openssl.cnf \
-extensions ee_of_subca -CA subca/subca_cert.pem \
-CAkey subca/subca_key.pem -out subca/susan/susan_cert.pem \
-CAcreateserial -CAserial subca/subca_cert.srl -days 7200 \
-passin pass:passphrase
fi
# generate the top CRL
if [ ! -f root/top_crl.pem ]; then
if [ ! -d root ]; then
mkdir root
fi
if [ ! -f root/index.txt ]; then
touch root/index.txt
echo 00 > root/crlnumber
fi
openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \
-crl_reason superseded -keyfile root/top_crlissuer_key.pem \
-cert root/top_crlissuer_cert.pem -out root/top_crl.pem \
-passin pass:passphrase
fi
# revoke dumca
openssl ca -revoke dumca/dumca_cert.pem -config openssl.cnf \
-name ca_top -crl_reason superseded \
-keyfile root/top_crlissuer_key.pem -cert root/top_crlissuer_cert.pem \
-passin pass:passphrase
openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \
-crl_reason superseded -keyfile root/top_crlissuer_key.pem \
-cert root/top_crlissuer_cert.pem -out root/top_crl.pem \
-passin pass:passphrase
# revoke for subca
if [ ! -f subca/subca_crl.pem ]; then
if [ ! -d subca ]; then
mkdir subca
fi
if [ ! -f subca/index.txt ]; then
touch subca/index.txt
echo 00 > subca/crlnumber
fi
openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \
-crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
-cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \
-passin pass:passphrase
fi
# revoke susan
openssl ca -revoke subca/susan/susan_cert.pem -config openssl.cnf \
-name ca_subca -crl_reason superseded \
-keyfile subca/subca_crlissuer_key.pem \
-cert subca/subca_crlissuer_cert.pem -passin pass:passphrase
openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \
-crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
-cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \
-passin pass:passphrase