#
# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation. Oracle designates this
# particular file as subject to the "Classpath" exception as provided
# by Oracle in the LICENSE file that accompanied this code.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#

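#!/bin/ksh
#
# Generates a test certificate hierarchy with OpenSSL: a root CA, a sub-CA,
# an end-entity certificate for "Alice", and CRLs for root and sub-CA. The
# extension/CA sections used below (cert_issuer, crl_issuer, ee_of_subca,
# ca_top, ca_subca) are expected in ./openssl.cnf. Each stage writes a marker
# file (root/finished, subca/finished, ...) and is skipped on re-runs once
# that marker exists.
#
# NOTE: this shebang is not on the first line of the file (the license
# header precedes it), so it has no effect; invoke the script explicitly
# under ksh, as the original comment requires.
#
# Abort on the first failing command so that a partially built stage is
# never marked as finished.
set -e

# OpenSSL binary to use. Defaults to "openssl" from PATH; can be overridden
# by exporting OPENSSL=/path/to/openssl before running the script.
OPENSSL=${OPENSSL:-openssl}
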
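# Generate a self-signed root CA.
#
# Three self-signed root certificates share the subject /C=US/O=Example and
# differ only in key size and signature digest:
#   root_cert_sha1_1024.pem  SHA1withRSA, 1024-bit key (root_key_1024.pem)
#   root_cert_sha1_512.pem   SHA1withRSA,  512-bit key (root_key_512.pem)
#   root_cert_md2_2048.pem   MD2withRSA,  2048-bit key (root_key_2048.pem)
# 512-bit RSA and MD2 are far below current minimums; presumably the tests
# that consume this tree exercise handling of such weak algorithms (confirm
# against those tests). A separate CRL-issuer certificate, signed by the
# SHA1/RSA-1024 root, is produced last.
#
# Every private key is encrypted under the fixed passphrase "passphrase",
# passed via -passin/-passout on the command line (visible in the process
# list while openssl runs). The stage is skipped once root/finished exists.
if [ ! -f root/finished ]; then
  mkdir -p root

  # SHA1withRSA 1024 (cert_issuer extensions from openssl.cnf, 7650 days)
  "${OPENSSL}" req -x509 -newkey rsa:1024 -keyout root/root_key_1024.pem \
    -out root/root_cert_sha1_1024.pem -subj "/C=US/O=Example" \
    -config openssl.cnf -reqexts cert_issuer -days 7650 -sha1 \
    -passin pass:passphrase -passout pass:passphrase

  # SHA1withRSA 512
  "${OPENSSL}" req -x509 -newkey rsa:512 -keyout root/root_key_512.pem \
    -out root/root_cert_sha1_512.pem -subj "/C=US/O=Example" \
    -config openssl.cnf -reqexts cert_issuer -days 7650 -sha1 \
    -passin pass:passphrase -passout pass:passphrase

  # MD2withRSA 2048
  "${OPENSSL}" req -x509 -newkey rsa:2048 -keyout root/root_key_2048.pem \
    -out root/root_cert_md2_2048.pem -subj "/C=US/O=Example" \
    -config openssl.cnf -reqexts cert_issuer -days 7650 -md2 \
    -passin pass:passphrase -passout pass:passphrase

  # CRL issuer: key + CSR, then a certificate carrying the crl_issuer
  # extensions from openssl.cnf, signed by the SHA1/RSA-1024 root.
  # (-days on a plain CSR is only honoured by req in -x509 mode; harmless.)
  "${OPENSSL}" req -newkey rsa:1024 -keyout root/root_crlissuer_key.pem \
    -out root/root_crlissuer_req.pem -subj "/C=US/O=Example" -days 7650 \
    -passin pass:passphrase -passout pass:passphrase

  # -CAcreateserial creates root/root_cert.srl on first use; the subca
  # stage keeps drawing serial numbers from the same file.
  "${OPENSSL}" x509 -req -in root/root_crlissuer_req.pem -extfile openssl.cnf \
    -extensions crl_issuer -CA root/root_cert_sha1_1024.pem \
    -CAkey root/root_key_1024.pem -out root/root_crlissuer_cert.pem \
    -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
    -passin pass:passphrase

  # Marker file; with set -e this line is only reached if every command
  # above succeeded.
  touch root/finished
fi

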
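# Generate the sub-CA (certificate issuer) under the root.
#
# Two sub-CA keys/CSRs (1024-bit and 512-bit RSA, subject
# /C=US/O=Example/OU=Class-1) are each signed by different roots, giving
# certificates named subca_cert_<digest>_<subca key bits>_<root key bits>.pem:
#   sha1_1024_1024  1024-bit CSR signed by root_cert_sha1_1024 (SHA1)
#   sha1_1024_512   1024-bit CSR signed by root_cert_sha1_512  (SHA1)
#   sha1_512_1024    512-bit CSR signed by root_cert_sha1_1024 (SHA1)
#   sha1_512_512     512-bit CSR signed by root_cert_sha1_512  (SHA1)
#   md2_1024_1024   1024-bit CSR signed by root_cert_sha1_1024 (MD2)
#   md2_1024_512    1024-bit CSR signed by root_cert_sha1_512  (MD2)
# All carry the cert_issuer extensions from openssl.cnf and draw serials
# from root/root_cert.srl. A sub-CA CRL issuer certificate (crl_issuer
# extensions, signed by the SHA1/RSA-1024 root) is produced last.
# Requires the root stage to have completed. Skipped once subca/finished
# exists.
if [ ! -f subca/finished ]; then
  mkdir -p subca

  # RSA 1024 key + CSR
  "${OPENSSL}" req -newkey rsa:1024 -keyout subca/subca_key_1024.pem \
    -out subca/subca_req_1024.pem -subj "/C=US/O=Example/OU=Class-1" \
    -days 7650 -passin pass:passphrase -passout pass:passphrase

  # RSA 512 key + CSR
  "${OPENSSL}" req -newkey rsa:512 -keyout subca/subca_key_512.pem \
    -out subca/subca_req_512.pem -subj "/C=US/O=Example/OU=Class-1" \
    -days 7650 -passin pass:passphrase -passout pass:passphrase

  # SHA1withRSA 1024 signed with RSA 1024
  "${OPENSSL}" x509 -req -in subca/subca_req_1024.pem -extfile openssl.cnf \
    -extensions cert_issuer -CA root/root_cert_sha1_1024.pem \
    -CAkey root/root_key_1024.pem -out subca/subca_cert_sha1_1024_1024.pem \
    -CAcreateserial -sha1 \
    -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase

  # SHA1withRSA 1024 signed with RSA 512
  "${OPENSSL}" x509 -req -in subca/subca_req_1024.pem -extfile openssl.cnf \
    -extensions cert_issuer -CA root/root_cert_sha1_512.pem \
    -CAkey root/root_key_512.pem -out subca/subca_cert_sha1_1024_512.pem \
    -CAcreateserial -sha1 \
    -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase

  # SHA1withRSA 512 signed with RSA 1024
  "${OPENSSL}" x509 -req -in subca/subca_req_512.pem -extfile openssl.cnf \
    -extensions cert_issuer -CA root/root_cert_sha1_1024.pem \
    -CAkey root/root_key_1024.pem -out subca/subca_cert_sha1_512_1024.pem \
    -CAcreateserial -sha1 \
    -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase

  # SHA1withRSA 512 signed with RSA 512
  "${OPENSSL}" x509 -req -in subca/subca_req_512.pem -extfile openssl.cnf \
    -extensions cert_issuer -CA root/root_cert_sha1_512.pem \
    -CAkey root/root_key_512.pem -out subca/subca_cert_sha1_512_512.pem \
    -CAcreateserial -sha1 \
    -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase

  # MD2withRSA 1024 signed with RSA 1024
  "${OPENSSL}" x509 -req -in subca/subca_req_1024.pem -extfile openssl.cnf \
    -extensions cert_issuer -CA root/root_cert_sha1_1024.pem \
    -CAkey root/root_key_1024.pem -out subca/subca_cert_md2_1024_1024.pem \
    -CAcreateserial -md2 \
    -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase

  # MD2withRSA 1024 signed with RSA 512
  "${OPENSSL}" x509 -req -in subca/subca_req_1024.pem -extfile openssl.cnf \
    -extensions cert_issuer -CA root/root_cert_sha1_512.pem \
    -CAkey root/root_key_512.pem -out subca/subca_cert_md2_1024_512.pem \
    -CAcreateserial -md2 \
    -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase

  # Sub-CA CRL issuer: key + CSR, then a crl_issuer certificate signed by
  # the SHA1/RSA-1024 root (not by the sub-CA itself).
  "${OPENSSL}" req -newkey rsa:1024 -keyout subca/subca_crlissuer_key.pem \
    -out subca/subca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-1" \
    -days 7650 -passin pass:passphrase -passout pass:passphrase

  "${OPENSSL}" x509 -req -in subca/subca_crlissuer_req.pem -extfile openssl.cnf \
    -extensions crl_issuer -CA root/root_cert_sha1_1024.pem \
    -CAkey root/root_key_1024.pem -out subca/subca_crlissuer_cert.pem \
    -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
    -passin pass:passphrase

  # Marker file; only reached if every command above succeeded (set -e).
  touch subca/finished
fi

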
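# Generate end-entity certificates for Alice under the sub-CA.
#
# Two keys/CSRs (1024-bit and 512-bit RSA, subject
# /C=US/O=Example/OU=Class-1/CN=Alice) are signed by the sub-CA, producing
# alice_cert_<digest>_<alice key bits>_<subca key bits>.pem:
#   sha1_1024_1024  1024-bit CSR, issuer subca_cert_sha1_1024_1024 (SHA1)
#   sha1_1024_512   1024-bit CSR, issuer subca_cert_sha1_512_1024  (SHA1)
#   sha1_512_1024    512-bit CSR, issuer subca_cert_sha1_1024_1024 (SHA1)
#   sha1_512_512     512-bit CSR, issuer subca_cert_sha1_512_1024  (SHA1)
#   md2_1024_1024   1024-bit CSR, issuer subca_cert_sha1_1024_1024 (MD2)
#   md2_1024_512    1024-bit CSR, issuer subca_cert_sha1_512_1024  (MD2)
# Note that the 512-bit sub-CA key is always used with the sub-CA cert that
# the 1024-bit root issued (subca_cert_sha1_512_1024). All certificates
# carry the ee_of_subca extensions from openssl.cnf and draw serials from
# subca/subca_cert.srl (created on first use by -CAcreateserial).
# Requires the subca stage to have completed. Skipped once
# subca/alice/finished exists.
if [ ! -f subca/alice/finished ]; then
  mkdir -p subca/alice

  # RSA 1024 key + CSR
  "${OPENSSL}" req -newkey rsa:1024 -keyout subca/alice/alice_key_1024.pem \
    -out subca/alice/alice_req_1024.pem \
    -subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \
    -passin pass:passphrase -passout pass:passphrase

  # RSA 512 key + CSR
  "${OPENSSL}" req -newkey rsa:512 -keyout subca/alice/alice_key_512.pem \
    -out subca/alice/alice_req_512.pem \
    -subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \
    -passin pass:passphrase -passout pass:passphrase

  # SHA1withRSA 1024 signed with RSA 1024
  "${OPENSSL}" x509 -req -in subca/alice/alice_req_1024.pem \
    -extfile openssl.cnf -extensions ee_of_subca \
    -CA subca/subca_cert_sha1_1024_1024.pem \
    -CAkey subca/subca_key_1024.pem \
    -out subca/alice/alice_cert_sha1_1024_1024.pem -CAcreateserial -sha1 \
    -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase

  # SHA1withRSA 1024 signed with RSA 512
  "${OPENSSL}" x509 -req -in subca/alice/alice_req_1024.pem \
    -extfile openssl.cnf -extensions ee_of_subca \
    -CA subca/subca_cert_sha1_512_1024.pem \
    -CAkey subca/subca_key_512.pem \
    -out subca/alice/alice_cert_sha1_1024_512.pem -CAcreateserial -sha1 \
    -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase

  # SHA1withRSA 512 signed with RSA 1024
  "${OPENSSL}" x509 -req -in subca/alice/alice_req_512.pem \
    -extfile openssl.cnf -extensions ee_of_subca \
    -CA subca/subca_cert_sha1_1024_1024.pem \
    -CAkey subca/subca_key_1024.pem \
    -out subca/alice/alice_cert_sha1_512_1024.pem -CAcreateserial -sha1 \
    -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase

  # SHA1withRSA 512 signed with RSA 512
  "${OPENSSL}" x509 -req -in subca/alice/alice_req_512.pem \
    -extfile openssl.cnf -extensions ee_of_subca \
    -CA subca/subca_cert_sha1_512_1024.pem \
    -CAkey subca/subca_key_512.pem \
    -out subca/alice/alice_cert_sha1_512_512.pem -CAcreateserial -sha1 \
    -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase

  # MD2withRSA 1024 signed with RSA 1024
  "${OPENSSL}" x509 -req -in subca/alice/alice_req_1024.pem \
    -extfile openssl.cnf -extensions ee_of_subca \
    -CA subca/subca_cert_sha1_1024_1024.pem \
    -CAkey subca/subca_key_1024.pem \
    -out subca/alice/alice_cert_md2_1024_1024.pem -CAcreateserial -md2 \
    -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase

  # MD2withRSA 1024 signed with RSA 512
  "${OPENSSL}" x509 -req -in subca/alice/alice_req_1024.pem \
    -extfile openssl.cnf -extensions ee_of_subca \
    -CA subca/subca_cert_sha1_512_1024.pem \
    -CAkey subca/subca_key_512.pem \
    -out subca/alice/alice_cert_md2_1024_512.pem -CAcreateserial -md2 \
    -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase

  # Marker file; only reached if every command above succeeded (set -e).
  touch subca/alice/finished
fi
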
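# Generate the root CRL, signed by the root CRL-issuer certificate.
#
# `openssl ca` keeps its state in the files named by the ca_top section of
# openssl.cnf — presumably root/index.txt (database) and root/crlnumber,
# since those are seeded here; confirm against openssl.cnf. No certificate
# is revoked at this level, so the CRL carries no entries unless a
# pre-existing root/index.txt already lists some. Requires the root stage
# to have completed. Skipped once root/revoked exists.
if [ ! -f root/revoked ]; then
  mkdir -p root

  # Seed each CA state file independently, so a tree that already has an
  # index.txt but no crlnumber (e.g. an interrupted earlier run) does not
  # make -gencrl fail on the missing CRL number file.
  [ -f root/index.txt ] || touch root/index.txt
  [ -f root/crlnumber ] || printf '%s\n' 00 > root/crlnumber

  # -crl_reason only applies to -revoke and has no effect on -gencrl; it is
  # kept for parity with the subca section below.
  "${OPENSSL}" ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 -md sha1 \
    -crl_reason superseded -keyfile root/root_crlissuer_key.pem \
    -cert root/root_crlissuer_cert.pem -out root/top_crl.pem \
    -passin pass:passphrase

  # Marker file; only reached if the CRL was written (set -e).
  touch root/revoked
fi
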
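# Revoke one of Alice's certificates and generate the sub-CA CRL.
#
# Both commands run against the ca_subca section of openssl.cnf and sign
# with the sub-CA CRL-issuer key/certificate. The CRL is signed with MD2
# (deliberately weak; presumably exercised by the consuming tests). State
# files are presumably subca/index.txt and subca/crlnumber, which are
# seeded here — confirm against openssl.cnf. Requires the subca and alice
# stages to have completed. Skipped once subca/revoked exists.
if [ ! -f subca/revoked ]; then
  mkdir -p subca

  # Seed each CA state file independently (an index.txt without a
  # crlnumber would otherwise make -gencrl fail).
  [ -f subca/index.txt ] || touch subca/index.txt
  [ -f subca/crlnumber ] || printf '%s\n' 00 > subca/crlnumber

  # revoke alice's SHA1withRSA 1024 signed with RSA 1024, reason "superseded"
  "${OPENSSL}" ca -revoke subca/alice/alice_cert_sha1_1024_1024.pem \
    -config openssl.cnf \
    -name ca_subca -crl_reason superseded \
    -keyfile subca/subca_crlissuer_key.pem \
    -cert subca/subca_crlissuer_cert.pem -passin pass:passphrase

  # Emit the CRL containing the revocation above (-crl_reason is a no-op
  # for -gencrl; left in place for symmetry with the -revoke call).
  "${OPENSSL}" ca -gencrl -config openssl.cnf \
    -name ca_subca -crldays 7000 -md md2 \
    -crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
    -cert subca/subca_crlissuer_cert.pem \
    -out subca/subca_crl.pem \
    -passin pass:passphrase

  # Marker file; only reached if both commands above succeeded (set -e).
  touch subca/revoked
fi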