openssl ca command test script
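#!/bin/sh
#
# sign.sh
#
# input : none
# output : all files generated by this script go under $ssldir
#
# Freshly built openssl binary; the script is meant to run from inside the
# build tree, where apps/, crypto/ and ssl/ are sibling directories.
openssl_bin=../apps/.libs/openssl
# Make the dynamic loader pick up the just-built libcrypto/libssl.  The
# original value ended in ':', i.e. an empty entry, which ld.so treats as
# the current working directory and searches for shared objects; that
# entry is dropped so only the build-tree libraries are used.
export LD_LIBRARY_PATH=../crypto/.libs/:../ssl/.libs/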
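# Print a section banner on stdout: a blank line, a ruler line, and the
# title given in $1 followed by the current local date/time.
# Written as a POSIX function: the script runs under #!/bin/sh, where the
# bash-only "function" keyword is a syntax error.
#   $1 - section title
section_message() {
  printf '\n'
  printf '%s\n' "#---------#---------#---------#---------#---------#---------#---------#--------"
  printf '===\n'
  printf '=== (Section) %s %s\n' "$1" "$(date +'%Y/%m/%d %H:%M:%S')"
  printf '===\n'
}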
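# Announce one test step on stdout: a blank line, then "[TEST] <title>".
# POSIX function syntax, since the script runs under #!/bin/sh.
#   $1 - test title
start_message() {
  printf '\n[TEST] %s\n' "$1"
}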
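# Report the exit status of the previous command and abort on failure.
#   $1 - exit status to check (callers pass "$?")
# Prints ":-) success. " and returns 0 when $1 is 0; otherwise prints the
# status and exits the whole script with that same status.
check_exit_status() {
  # ${1:?} turns a missing argument into a hard error.  The original
  # unquoted "[ $status -ne 0 ]" failed with a syntax error when $1 was
  # empty, and that failure silently fell through to the success branch.
  status=${1:?"check_exit_status: missing exit status"}
  if [ "$status" -ne 0 ]; then
    printf ':-< error occurs, exit status = [ %s ]\n' "$status"
    exit "$status"
  fi
  printf ':-) success. \n'
}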
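#---------#---------#---------#---------#---------#---------#---------#---------
#
# create ssldir, and all files generated by this script goes under this dir.
#
ssldir="test"
if [ -d "$ssldir" ]; then
  echo "directory [ $ssldir ] exists, this script deletes this directory ..."
  # ${ssldir:?} refuses the recursive delete outright if the variable is
  # ever empty; "--" stops rm from reading the path as an option.
  /bin/rm -rf -- "${ssldir:?}"
fi
mkdir -p "$ssldir"
# Every openssl invocation below reads this config file (its contents are
# written by the heredoc further down); create it now so the path exists.
export OPENSSL_CONF="$ssldir/openssl.cnf"
touch "$OPENSSL_CONF"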
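#---------#---------#---------#---------#---------#---------#---------#---------
section_message "setup local CA"
#
# prepare test openssl.cnf
#
ca_dir=$ssldir/testCA
server_dir=$ssldir/server
# The "\$dir" escapes are deliberate: they must reach openssl.cnf literally
# so that openssl expands $dir itself.
# NOTE(review): $tsa_dir is never assigned in this script, so the "dir ="
# line of [ tsa_config1 ] expands to "./".  Nothing here exercises the tsa
# section, so it is harmless, but confirm before reusing this config.
cat << __EOF__ > "$ssldir/openssl.cnf"
oid_section = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./$ca_dir
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_days = 1
default_md = default
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name
countryName_default = JP
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name
stateOrProvinceName_default = Tokyo
organizationName = Organization Name
organizationName_default = TEST_DUMMY_COMPANY
commonName = Common Name
[ tsa ]
default_tsa = tsa_config1
[ tsa_config1 ]
dir = ./$tsa_dir
serial = \$dir/serial
crypto_device = builtin
digests = sha1, sha256, sha384, sha512
default_policy = tsa_policy1
other_policies = tsa_policy2, tsa_policy3
[ tsa_ext ]
keyUsage = critical,nonRepudiation
extendedKeyUsage = critical,timeStamping
[ ocsp_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = OCSPSigning
__EOF__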
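#---------#---------#---------#---------#---------#---------#---------#---------
#
# setup test CA
#
# Directory layout referenced by the [ CA_default ] section of openssl.cnf
# plus the server working directory; mkdir -p creates the parents too.
mkdir -p "$ca_dir/certs" "$ca_dir/private" "$ca_dir/crl" "$ca_dir/newcerts" \
  "$server_dir"
# The CA private key is written under private/; keep it owner-only.
chmod 700 "$ca_dir/private"
# Serial and CRL number start at 01; the certificate database starts empty.
# (The original also touched crlnumber right before overwriting it, which
# was redundant.)
echo "01" > "$ca_dir/serial"
touch "$ca_dir/index.txt"
echo "01" > "$ca_dir/crlnumber"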
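#---------#---------#---------#---------#---------#---------#---------#---------
# --- CA initiate (generate CA key and cert) ---
start_message "req ... generate CA key and self signed cert"
ca_cert=$ca_dir/ca_cert.pem
ca_key=$ca_dir/private/ca_key.pem
# Throw-away passphrase for the test CA.  It is handed to openssl as
# "-passout pass:...", i.e. on the command line where it is visible to
# other processes; acceptable only because this CA is a scratch fixture.
ca_pass=test-ca-pass
subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test_dummy.com/'
# -x509 makes "req" emit a self-signed certificate instead of a CSR;
# -days 1 keeps the fixture short-lived; -batch suppresses prompts.
"$openssl_bin" req -new -x509 -newkey rsa:2048 -out "$ca_cert" -keyout "$ca_key" \
  -days 1 -passout "pass:$ca_pass" -batch -subj "$subj"
check_exit_status $?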
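#---------#---------#---------#---------#---------#---------#---------#---------
# --- server-admin operations (generate server key and csr) ---
section_message "server-admin operations (generate server key and csr)"
start_message "req ... generate server csr#1"
server_key=$server_dir/server_key.pem
server_csr=$server_dir/server_csr.pem
# Throw-away passphrase, passed on argv like the CA one; fine for a fixture.
server_pass=test-server-pass
subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=localhost.test_dummy.com/'
# No -newkey here and no default_bits in openssl.cnf, so the key type and
# size presumably fall back to openssl's built-in defaults — TODO confirm.
"$openssl_bin" req -new -keyout "$server_key" -out "$server_csr" \
  -passout "pass:$server_pass" -subj "$subj"
check_exit_status $?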
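#---------#---------#---------#---------#---------#---------#---------#---------
# --- CA operations (issue cert for server) ---
section_message "CA operations (issue cert for server)"
start_message "ca ... issue cert for server csr#1"
server_cert=$server_dir/server_cert.pem
# Kept only for the log line below.  Note that it includes the CA
# passphrase ("-key $ca_pass"), which is therefore echoed to stdout as
# well as passed on argv; acceptable for this dummy test CA only.
cmd="$openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass -in $server_csr -out $server_cert"
echo "cmd = [$cmd]"
# Run the command directly.  The original wrapped $cmd in backticks, which
# executed it inside a command substitution and then ran its stdout as a
# second command, so the $? handed to check_exit_status was that of the
# second step rather than of "openssl ca".
"$openssl_bin" ca -batch -cert "$ca_cert" -keyfile "$ca_key" -key "$ca_pass" \
  -in "$server_csr" -out "$server_cert"
check_exit_status $?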