@ecki
Last active August 28, 2017 16:44
ECC Test CA
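@rem Creates a throw-away ECC test PKI: a P-384 root CA, a P-384 intermediate CA
@rem and P-256 "localhost" server certificates that differ only in keyUsage.
@rem Exports 3 PKCS#12 keystores (server-both, server-sign, server-exch), each
@rem carrying the intermediate + root in its chain. Needs server.cnf next to it.
@rem
@rem TEST USE ONLY: the private keys are written to disk unencrypted and the
@rem keystore password is fixed and passed on the command line.
@rem
@rem Run from a dedicated, otherwise empty directory: the wildcard deletes below
@rem remove every .pem/.csr/.crt/.p12 file in the current directory.
@del *.pem
@del *.csr
@del *.crt
@del *.p12
@rem -param_enc explicit not possible with Win 7
set NAME=ECC Test
@rem #
@rem # Root
@rem #
openssl ecparam -name secp384r1 -genkey -out root-priv-key.pem
@rem -days takes a whole number of days; "10y" is not a valid value and is read
@rem as 10 days or rejected depending on the OpenSSL version. 3650 = ~10 years.
@rem NOTE(review): the root's CA extensions come from the x509_extensions section
@rem of whichever openssl.cnf is active - confirm it sets basicConstraints CA:TRUE.
openssl req -new -x509 -sha384 -key root-priv-key.pem -out root.crt -days 3650 -subj "/CN=%NAME% RootCA/C=DE"
@rem #
@rem # Intermediate
@rem #
openssl ecparam -name secp384r1 -genkey -out inter-priv-key.pem
@rem -sha384 here sets the CSR signature digest only; certificates issued by
@rem "x509 -req" use OpenSSL's default digest unless a digest option is given there.
openssl req -new -sha384 -key inter-priv-key.pem -out inter.csr -subj "/CN=%NAME% ServerCA/C=DE"
@rem Without an -extfile the signing step has nothing to set basicConstraints
@rem CA:TRUE from, and path validation rejects an intermediate that is not marked
@rem as a CA. The two lines below write a minimal extension file for it.
@echo basicConstraints = critical, CA:TRUE> inter-ext.cnf
@echo keyUsage = critical, keyCertSign, cRLSign>> inter-ext.cnf
@rem 1825 days = ~5 years ("5y" is not a valid -days value)
openssl x509 -req -days 1825 -in inter.csr -CA root.crt -CAkey root-priv-key.pem -CAcreateserial -out inter.crt -extfile inter-ext.cnf
@rem #
@rem # Server All
@rem #
@rem One P-256 server key is shared by all four server certificates below.
@rem -days is not given on the CSR commands: it only has an effect together with
@rem -x509; the 10-day validity is set when the intermediate signs the CSR.
openssl ecparam -name secp256r1 -genkey -out server-priv-key.pem
openssl req -new -sha384 -key server-priv-key.pem -out server-all.csr -subj "/CN=localhost"
openssl x509 -req -days 10 -in server-all.csr -CA inter.crt -CAkey inter-priv-key.pem -CAcreateserial -out server-all.crt -extensions server-all -extfile server.cnf
@rem #
@rem # Server Both (reuses server-priv-key.pem)
@rem #
openssl req -new -sha384 -key server-priv-key.pem -out server-both.csr -subj "/CN=localhost"
openssl x509 -req -days 10 -in server-both.csr -CA inter.crt -CAkey inter-priv-key.pem -CAcreateserial -out server-both.crt -extensions server-both -extfile server.cnf
@rem #
@rem # Server Sign (reuses server-priv-key.pem)
@rem #
openssl req -new -sha384 -key server-priv-key.pem -out server-sign.csr -subj "/CN=localhost"
openssl x509 -req -days 10 -in server-sign.csr -CA inter.crt -CAkey inter-priv-key.pem -CAcreateserial -out server-sign.crt -extensions server-sign -extfile server.cnf
@rem #
@rem # Server Exch (reuses server-priv-key.pem)
@rem #
openssl req -new -sha384 -key server-priv-key.pem -out server-exch.csr -subj "/CN=localhost"
openssl x509 -req -days 10 -in server-exch.csr -CA inter.crt -CAkey inter-priv-key.pem -CAcreateserial -out server-exch.crt -extensions server-exch -extfile server.cnf
@rem #
@rem # Keystores
@rem #
@rem chain.crt is the CA bundle that "pkcs12 -chain" builds each chain from.
type root.crt inter.crt > chain.crt
@rem Fixed test password: it is stored in this file and visible on the command
@rem line of every pkcs12 call below. Never reuse it outside of local tests.
@set PASS=pass:testtest
@rem server-all.crt is issued above but is not exported to a keystore.
openssl pkcs12 -export -in server-both.crt -inkey server-priv-key.pem -out server-both.p12 -name server -CAfile chain.crt -caname root -chain -password %PASS%
openssl pkcs12 -export -in server-sign.crt -inkey server-priv-key.pem -out server-sign.p12 -name server -CAfile chain.crt -caname root -chain -password %PASS%
openssl pkcs12 -export -in server-exch.crt -inkey server-priv-key.pem -out server-exch.p12 -name server -CAfile chain.crt -caname root -chain -password %PASS%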
# Extension sections for the server certificates. The batch file selects one per
# certificate with "-extensions <section> -extfile server.cnf" when the
# intermediate CA signs the CSR. Every section describes a non-CA TLS server
# certificate (serverAuth, CA:FALSE) for 127.0.0.1 / localhost; the sections
# differ only in keyUsage.
#
# NOTE(review): the SAN DNS entry is written with a trailing dot ("localhost.").
# Clients that compare names literally may not match it against "localhost" -
# confirm the trailing dot is intended.

# All usage bits the test covers, including keyEncipherment and nonRepudiation.
[ server-all ]
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
subjectAltName=IP:127.0.0.1,DNS:localhost.
# Signing and key agreement.
[ server-both ]
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyAgreement
subjectAltName=IP:127.0.0.1,DNS:localhost.
# Signing only - presumably for handshakes where the server key signs (ECDSA).
[ server-sign ]
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
keyUsage = digitalSignature
subjectAltName=IP:127.0.0.1,DNS:localhost.
# Key agreement only - presumably for static ECDH key exchange; TODO confirm.
[ server-exch ]
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
keyUsage = keyAgreement
subjectAltName=IP:127.0.0.1,DNS:localhost.