From f802c0d745ae0720802cb3f0b01086d7a434410f Mon Sep 17 00:00:00 2001
From: Philip O'Toole
Date: Sat, 17 Jun 2017 18:01:22 -0700
Subject: [PATCH] Add cert-generation helper script From https://jamielinux.com/docs/openssl-certificate-authority/introduction.html
---
 testdata/x509/scripts/prep-certs.sh | 108 ++++++++++++++++++++++++++++
 1 file changed, 108 insertions(+)
 create mode 100644 testdata/x509/scripts/prep-certs.sh
diff --git a/testdata/x509/scripts/prep-certs.sh b/testdata/x509/scripts/prep-certs.sh
new file mode 100644
index 00000000..92cb1157
--- /dev/null
+++ b/testdata/x509/scripts/prep-certs.sh
@@ -0,0 +1,108 @@
+#!/bin/bash
+
+# From https://jamielinux.com/docs/openssl-certificate-authority/introduction.html
+
+mkdir /root/ca
+
+cd /root/ca
+mkdir certs crl newcerts private
+chmod 700 private
+touch index.txt
+echo 1000 > serial
+
+wget https://jamielinux.com/docs/openssl-certificate-authority/_downloads/root-config.txt -O /root/ca/openssl.cnf
+
+cd /root/ca
+openssl genrsa -out private/ca.key.pem 4096
+
+chmod 400 private/ca.key.pem
+
+cd /root/ca
+echo "
+Enter pass phrase for ca.key.pem: secretpassword
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+-----
+Country Name (2 letter code) [XX]:GB
+State or Province Name []:England
+Locality Name []:
+Organization Name []:Alice Ltd
+Organizational Unit Name []:Alice Ltd Certificate Authority
+Common Name []:Alice Ltd Root CA
+Email Address []:
+"
+openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
+
+chmod 444 certs/ca.cert.pem
+
+openssl x509 -noout -text -in certs/ca.cert.pem
+
+mkdir /root/ca/intermediate
+
+cd /root/ca/intermediate
+mkdir certs crl csr newcerts private
+chmod 700 private
+touch index.txt
+echo 1000 > serial
+echo 1000 > /root/ca/intermediate/crlnumber
+
+wget https://jamielinux.com/docs/openssl-certificate-authority/_downloads/intermediate-config.txt -O /root/ca/intermediate/openssl.cnf
+
+cd /root/ca
+openssl genrsa -out intermediate/private/intermediate.key.pem 4096
+chmod 400 intermediate/private/intermediate.key.pem
+
+cd /root/ca
+echo "
+
+Enter pass phrase for intermediate.key.pem: secretpassword
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+-----
+Country Name (2 letter code) [XX]:GB
+State or Province Name []:England
+Locality Name []:
+Organization Name []:Alice Ltd
+Organizational Unit Name []:Alice Ltd Certificate Authority
+Common Name []:Alice Ltd Intermediate CA
+Email Address []:
+"
+openssl req -config intermediate/openssl.cnf -new -sha256 -key intermediate/private/intermediate.key.pem -out intermediate/csr/intermediate.csr.pem
+
+cd /root/ca
+openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem
+
+chmod 444 intermediate/certs/intermediate.cert.pem
+
+openssl x509 -noout -text -in intermediate/certs/intermediate.cert.pem
+
+cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
+chmod 444 intermediate/certs/ca-chain.cert.pem
+
+cd /root/ca
+openssl genrsa -out intermediate/private/www.example.com.key.pem 2048
+chmod 400 intermediate/private/www.example.com.key.pem
+
+cd /root/ca
+echo "
+Enter pass phrase for www.example.com.key.pem: secretpassword
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+-----
+Country Name (2 letter code) [XX]:US
+State or Province Name []:California
+Locality Name []:Mountain View
+Organization Name []:Alice Ltd
+Organizational Unit Name []:Alice Ltd Web Services
+Common Name []:www.example.com
+Email Address []:
+"
+openssl req -config intermediate/openssl.cnf -key intermediate/private/www.example.com.key.pem -new -sha256 -out intermediate/csr/www.example.com.csr.pem
+
+cd /root/ca
+openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/www.example.com.csr.pem -out intermediate/certs/www.example.com.cert.pem
+chmod 444 intermediate/certs/www.example.com.cert.pem
+
+openssl x509 -noout -text -in intermediate/certs/www.example.com.cert.pem
+
+openssl verify -CAfile intermediate/certs/ca-chain.cert.pem intermediate/certs/www.example.com.cert.pem
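Review bot: Both `wget … -O …/openssl.cnf` lines fetch the OpenSSL CA configuration from a third-party site at run time and pass it straight to `openssl req` and `openssl ca` with no integrity check, so whatever that URL serves on the day decides the extensions and policy of every certificate generated here. Committing the two config files next to this script and copying them into place, or pinning each download with something like `echo "<expected-sha256>  openssl.cnf" | sha256sum -c -`, would make the output reproducible and remove the network dependency. The script also lacks `set -euo pipefail` after the shebang, so a failed `mkdir`, `cd` or download does not stop the later `openssl` and `chmod` calls from running in whatever directory the shell is in. Separately, the echoed prompt text mentions a pass phrase, but `openssl genrsa` is called without a cipher option such as `-aes256`, so all three private keys are written unencrypted; a header comment such as `# Test fixtures only: keys are unencrypted and must never be trusted outside the test suite` would make that explicit.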