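#!/bin/bash
# Builds a throw-away PKI under ./test-certs: four independent self-signed
# root CAs (listener server, listener client-auth, member server, member
# client-auth), leaf certificates, CRLs with one revoked certificate each,
# and PKCS#12 bundles. Everything is test material only: private keys are
# written unencrypted, PKCS#12 bundles carry an empty password and serial
# numbers are sequential starting at 01.
# Uncomment for a command trace while debugging.
# set -x
# Stop at the first failing command. Every later step chdirs into a
# sub-directory it has just created; continuing after a failed mkdir/cd/openssl
# would run the remaining commands in the wrong directory.
set -e
echo "Warning: This script is purely for testing purposes!"
echo " It may/will cut corners and create insecure content."
echo ""
# Refuse to touch an existing tree rather than mixing fresh and stale material.
if [ -d "test-certs" ]; then
    echo "ERROR: test-certs directory already exists. Exiting."
    exit 1
fi
mkdir test-certs
# Keys are stored unencrypted below; this directory mode is their only
# protection, so keep it owner-only.
chmod 700 test-certs
cd test-certs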
# Create the openssl configuration file
/bin/cat <<EOM > openssl.cnf
# OpenSSL root CA configuration file.
# NOTE: every "openssl ca" call in this script passes -keyfile, -cert, -outdir
# and -days on the command line, so private_key, certificate, new_certs_dir
# and default_days below are overridden; the certs/ and newcerts/ directories
# the script creates stay empty.
[ ca ]
# "man ca"
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = ./
certs = certs
crl_dir = crl
new_certs_dir = newcerts
database = index.txt
serial = serial
RANDFILE = private/.rand
# The root key and root certificate.
private_key = private/ca.key.pem
certificate = certs/ca.cert.pem
# For certificate revocation lists.
crlnumber = crlnumber
crl = crl/ca.crl.pem
crl_extensions = crl_ext
# nextUpdate of a generated CRL is this many days out unless
# "openssl ca -gencrl" is given -crldays. A CRL that expires before the
# certificates it covers makes CRL-checking verifiers reject every
# certificate from the CA, not just the revoked ones.
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
# 7300 days is ~20 years (not 10). Unused here: -days is always passed.
default_days = 7300
preserve = no
policy = policy_strict
# Not referenced by this script (nothing selects it with -name); kept as a
# template for an intermediate-CA layout.
[ CA_intermediate ]
# Directory and file locations.
dir = ./intermediate_ca
certs = certs
crl_dir = crl
new_certs_dir = newcerts
database = index.txt
serial = serial
RANDFILE = private/.rand
# The root key and root certificate.
private_key = ./private/ca.key.pem
certificate = ./certs/ca.cert.pem
# For certificate revocation lists.
crlnumber = crlnumber
crl = crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
# 3650 days is ~10 years (not 5).
default_days = 3650
preserve = no
policy = policy_strict
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of "man ca".
# All -subj values in this script share C/ST/O, so the "match" rules hold.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the "req" tool ("man req").
# default_bits only applies when req generates a key; this script always
# supplies a pre-generated key with -key.
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# Prompts and defaults are not exercised by this script: every req call
# passes the full subject with -subj.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = US
stateOrProvinceName_default = Oregon
localityName_default = Corvallis
0.organizationName_default = OpenStack
organizationalUnitName_default = Octavia
emailAddress_default =
commonName_default = example.org
[ v3_ca ]
# Extensions for a typical CA ("man x509v3_config").
# Selected with "-extensions v3_ca" for each self-signed root below.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA ("man x509v3_config").
# Not used by this script (no intermediate is issued).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates ("man x509v3_config").
# EKU is clientAuth/emailProtection only: a certificate issued with this
# section is not valid for the TLS-server purpose, so do not select it for
# anything that terminates TLS.
basicConstraints = CA:FALSE
# nsCertType/nsComment are legacy Netscape extensions, kept for compatibility.
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates ("man x509v3_config").
# No subjectAltName is set, so hostname matching relies on the CN alone.
# Clients that require a SAN (most current browsers and TLS libraries) will
# not match these certificates by name; add "subjectAltName = DNS:<host>"
# (or copy_extensions = copy together with "req -addext") when that matters.
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ crl_ext ]
# Extension for CRLs ("man x509v3_config").
authorityKeyIdentifier=keyid:always
EOM
# Create the listener CA, certs, and pkcs12 bundle
echo "#### Creating the listener CA."
echo ""
mkdir listener_ca
cd listener_ca
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo "unique_subject = yes" > index.txt.attr
echo 01 > serial
# Self-signed root for the listener (front-end TLS) certificates. The key is
# written unencrypted; the CA database paths in openssl.cnf are overridden
# below with -keyfile/-cert/-outdir, so nothing is placed under private/.
openssl genrsa -out listener_root_ca.key 2048
openssl req -config ../openssl.cnf -key listener_root_ca.key -new -x509 -sha256 -extensions v3_ca -days 1825 -out listener_root_ca.pem -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ListenerRootCA"
# Two server certificates (server1.example.com, server2.example.com), each
# issued with the server_cert extensions (serverAuth EKU, CN only, no
# subjectAltName) and bundled with its key and the root into a PKCS#12 file.
# The bundle is deliberately NOT password protected (-passout pass:); it is a
# test fixture and must not be reused outside a test environment.
for srv in 1 2; do
    leaf="listener_server${srv}"
    openssl genrsa -out "${leaf}.key" 2048
    openssl req -config ../openssl.cnf -key "${leaf}.key" -new -sha256 -out "csr/${leaf}.csr" -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=server${srv}.example.com"
    openssl ca -config ../openssl.cnf -extensions server_cert -days 1825 -notext -md sha256 -in "csr/${leaf}.csr" -out "${leaf}.pem" -batch -keyfile listener_root_ca.key -cert listener_root_ca.pem -outdir .
    openssl pkcs12 -export -inkey "${leaf}.key" -in "${leaf}.pem" -certfile listener_root_ca.pem -out "${leaf}.p12" -passout pass:
    cp "${leaf}.p12" ..
done
cd ..
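# Create the listener client authentication CA, crl, and certs
echo ""
echo "#### Creating the client CA."
echo ""
mkdir listener_client_ca
# Never fall through into the parent directory if the chdir fails.
cd listener_client_ca || exit 1
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo "unique_subject = yes" > index.txt.attr
echo 01 > serial
echo 01 > crlnumber
# Root CA the listener trusts for client-certificate (mTLS) authentication.
# The key is written unencrypted; the CA database paths in openssl.cnf are
# overridden below with -keyfile/-cert/-outdir.
openssl genrsa -out listener_client_root_ca.key 2048
openssl req -config ../openssl.cnf -key listener_client_root_ca.key -new -x509 -sha256 -extensions v3_ca -days 1825 -out listener_client_root_ca.pem -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ListenerClientRootCA"
cp listener_client_root_ca.pem ..
# Two client certificates with identical extensions (usr_cert: clientAuth
# EKU): CN=client stays valid, CN=client-revoked is revoked below so callers
# can exercise CRL enforcement. Keys and certs are copied up unencrypted.
for sfx in "" "-revoked"; do
    leaf="listener_client${sfx}"
    openssl genrsa -out "${leaf}.key" 2048
    cp "${leaf}.key" ..
    openssl req -config ../openssl.cnf -key "${leaf}.key" -new -sha256 -out "csr/${leaf}.csr" -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=client${sfx}"
    openssl ca -config ../openssl.cnf -extensions usr_cert -days 1825 -notext -md sha256 -in "csr/${leaf}.csr" -out "${leaf}.pem" -batch -keyfile listener_client_root_ca.key -cert listener_client_root_ca.pem -outdir .
    cp "${leaf}.pem" ..
done
# Revoke the second certificate and publish the CRL.
# -crldays matches the 1825-day certificate lifetime: without it the CRL
# inherits default_crl_days (30) from openssl.cnf and expires long before the
# certificates it covers, after which CRL-checking verifiers reject every
# certificate from this CA, including the valid one.
openssl ca -config ../openssl.cnf -keyfile listener_client_root_ca.key -cert listener_client_root_ca.pem -revoke listener_client-revoked.pem
openssl ca -config ../openssl.cnf -keyfile listener_client_root_ca.key -cert listener_client_root_ca.pem -gencrl -crldays 1825 -out listener_client.crl
cp listener_client.crl ..
cd ..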
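# Create the member server CA, crl, and certs
echo ""
echo "#### Creating the member server CA."
echo ""
mkdir member_server_ca
# Never fall through into the parent directory if the chdir fails.
cd member_server_ca || exit 1
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo "unique_subject = yes" > index.txt.attr
echo 01 > serial
echo 01 > crlnumber
# Root CA for backend (pool member) server certificates. The key is written
# unencrypted; the CA database paths in openssl.cnf are overridden below with
# -keyfile/-cert/-outdir.
openssl genrsa -out member_server_root_ca.key 2048
openssl req -config ../openssl.cnf -key member_server_root_ca.key -new -x509 -sha256 -extensions v3_ca -days 1825 -out member_server_root_ca.pem -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=MemberServerRootCA"
cp member_server_root_ca.pem ..
# Two server certificates: member-server.example.com stays valid,
# member-server-revoked.example.com is revoked below. They are issued with
# the server_cert extensions, NOT usr_cert: these certificates are presented
# by TLS servers and need the serverAuth EKU to pass a TLS-server purpose
# check (usr_cert carries only clientAuth/emailProtection and nsCertType
# client, which verifiers reject for a server). Keys and certs are copied up
# unencrypted.
for sfx in "" "-revoked"; do
    leaf="member_server${sfx}"
    openssl genrsa -out "${leaf}.key" 2048
    cp "${leaf}.key" ..
    openssl req -config ../openssl.cnf -key "${leaf}.key" -new -sha256 -out "csr/${leaf}.csr" -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=member-server${sfx}.example.com"
    openssl ca -config ../openssl.cnf -extensions server_cert -days 1825 -notext -md sha256 -in "csr/${leaf}.csr" -out "${leaf}.pem" -batch -keyfile member_server_root_ca.key -cert member_server_root_ca.pem -outdir .
    cp "${leaf}.pem" ..
done
# Revoke the second certificate and publish the CRL.
# -crldays matches the 1825-day certificate lifetime: without it the CRL
# inherits default_crl_days (30) from openssl.cnf and expires long before the
# certificates it covers, after which CRL-checking verifiers reject every
# certificate from this CA, including the valid one.
openssl ca -config ../openssl.cnf -keyfile member_server_root_ca.key -cert member_server_root_ca.pem -revoke member_server-revoked.pem
openssl ca -config ../openssl.cnf -keyfile member_server_root_ca.key -cert member_server_root_ca.pem -gencrl -crldays 1825 -out member_server.crl
cp member_server.crl ..
cd ..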
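# Create the member server client authentication CA and certs
echo ""
echo "#### Creating the member client CA."
echo ""
mkdir member_client_ca
# Never fall through into the parent directory if the chdir fails.
cd member_client_ca || exit 1
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo "unique_subject = yes" > index.txt.attr
echo 01 > serial
echo 01 > crlnumber
# Root CA that backend (pool member) servers trust for client-certificate
# authentication of the load balancer. The key is written unencrypted; the
# CA database paths in openssl.cnf are overridden below with
# -keyfile/-cert/-outdir. The root certificate is not copied up.
openssl genrsa -out member_client_root_ca.key 2048
openssl req -config ../openssl.cnf -key member_client_root_ca.key -new -x509 -sha256 -extensions v3_ca -days 1825 -out member_client_root_ca.pem -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=MemberClientRootCA"
# Two client certificates (usr_cert: clientAuth EKU): CN=member-client stays
# valid, CN=member-client-revoked is revoked below. Each key+cert+root is
# exported as a PKCS#12 bundle that is deliberately NOT password protected
# (-passout pass:); test fixture only.
for sfx in "" "-revoked"; do
    leaf="member_client${sfx}"
    openssl genrsa -out "${leaf}.key" 2048
    openssl req -config ../openssl.cnf -key "${leaf}.key" -new -sha256 -out "csr/${leaf}.csr" -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=member-client${sfx}"
    openssl ca -config ../openssl.cnf -extensions usr_cert -days 1825 -notext -md sha256 -in "csr/${leaf}.csr" -out "${leaf}.pem" -batch -keyfile member_client_root_ca.key -cert member_client_root_ca.pem -outdir .
    openssl pkcs12 -export -inkey "${leaf}.key" -in "${leaf}.pem" -certfile member_client_root_ca.pem -out "${leaf}.p12" -passout pass:
    cp "${leaf}.p12" ..
done
# Revoke the second certificate and publish the CRL.
# -crldays matches the 1825-day certificate lifetime: without it the CRL
# inherits default_crl_days (30) from openssl.cnf and expires long before the
# certificates it covers, after which CRL-checking verifiers reject every
# certificate from this CA, including the valid one.
openssl ca -config ../openssl.cnf -keyfile member_client_root_ca.key -cert member_client_root_ca.pem -revoke member_client-revoked.pem
openssl ca -config ../openssl.cnf -keyfile member_client_root_ca.key -cert member_client_root_ca.pem -gencrl -crldays 1825 -out member_client.crl
cp member_client.crl ..
cd ..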