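#
# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#

#!/bin/ksh
#
# needs ksh to run the script.
#
# Purpose: build a small test PKI (root CA, two intermediate CAs, three
# end-entity certificates) plus CRLs signed by separate CRL-issuer
# certificates, then revoke one intermediate and one end entity so the
# resulting CRLs are non-empty.
#
# Notes for whoever regenerates these fixtures:
#   - The shebang above is not on line 1, so the kernel will not honour it;
#     run the script explicitly (e.g. `ksh generate.sh`) from the directory
#     that contains openssl.cnf, since every path below is relative to the
#     current working directory (openssl.cnf, root/, subca/, dumca/).
#   - Every step is guarded by "if the output file does not exist yet", so a
#     partial run can be resumed; the two "revoke" steps near the end are NOT
#     guarded and will fail on a second run because the certificate is
#     already recorded as revoked in the CA's index.txt.
#   - Key material is deliberately weak and long-lived (rsa:1024, 7650-day
#     validity, fixed passphrase on the command line). That is acceptable
#     only because these are throwaway test fixtures; do not copy these
#     openssl invocations into anything that issues real certificates.

# generate a self-signed root certificate
if [ ! -f root/root_cert.pem ]; then
    if [ ! -d root ]; then
        mkdir root
    fi

    openssl req -x509 -newkey rsa:1024 -keyout root/root_key.pem \
        -out root/root_cert.pem -subj "/C=US/O=Example" \
        -config openssl.cnf -reqexts cert_issuer -days 7650 \
        -passin pass:passphrase -passout pass:passphrase
fi

# generate a self-issued root crl issuer certificate
if [ ! -f root/top_crlissuer_cert.pem ]; then
    if [ ! -d root ]; then
        mkdir root
    fi

    openssl req -newkey rsa:1024 -keyout root/top_crlissuer_key.pem \
        -out root/top_crlissuer_req.pem -subj "/C=US/O=Example" -days 7650 \
        -passin pass:passphrase -passout pass:passphrase

    openssl x509 -req -in root/top_crlissuer_req.pem -extfile openssl.cnf \
        -extensions crl_issuer -CA root/root_cert.pem \
        -CAkey root/root_key.pem -out root/top_crlissuer_cert.pem \
        -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
        -passin pass:passphrase
fi

# generate subca cert issuer and crl issuer certificates
if [ ! -f subca/subca_cert.pem ]; then
    if [ ! -d subca ]; then
        mkdir subca
    fi

    openssl req -newkey rsa:1024 -keyout subca/subca_key.pem \
        -out subca/subca_req.pem -subj "/C=US/O=Example/OU=Class-1" \
        -days 7650 -passin pass:passphrase -passout pass:passphrase

    openssl x509 -req -in subca/subca_req.pem -extfile openssl.cnf \
        -extensions cert_issuer -CA root/root_cert.pem \
        -CAkey root/root_key.pem -out subca/subca_cert.pem -CAcreateserial \
        -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase

    openssl req -newkey rsa:1024 -keyout subca/subca_crlissuer_key.pem \
        -out subca/subca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-1" \
        -days 7650 -passin pass:passphrase -passout pass:passphrase

    openssl x509 -req -in subca/subca_crlissuer_req.pem -extfile openssl.cnf \
        -extensions crl_issuer -CA root/root_cert.pem \
        -CAkey root/root_key.pem -out subca/subca_crlissuer_cert.pem \
        -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
        -passin pass:passphrase
fi

# generate dumca cert issuer and crl issuer certificates
if [ ! -f dumca/dumca_cert.pem ]; then
    # Fixed: the directory test used to check "sumca" while creating
    # "dumca", so the guard never matched the directory it was meant to
    # protect and mkdir failed on every rerun once dumca/ existed.
    if [ ! -d dumca ]; then
        mkdir dumca
    fi

    openssl req -newkey rsa:1024 -keyout dumca/dumca_key.pem \
        -out dumca/dumca_req.pem -subj "/C=US/O=Example/OU=Class-D" \
        -days 7650 -passin pass:passphrase -passout pass:passphrase

    openssl x509 -req -in dumca/dumca_req.pem -extfile openssl.cnf \
        -extensions cert_issuer -CA root/root_cert.pem \
        -CAkey root/root_key.pem -out dumca/dumca_cert.pem \
        -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
        -passin pass:passphrase

    openssl req -newkey rsa:1024 -keyout dumca/dumca_crlissuer_key.pem \
        -out dumca/dumca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-D" \
        -days 7650 -passin pass:passphrase -passout pass:passphrase

    openssl x509 -req -in dumca/dumca_crlissuer_req.pem \
        -extfile openssl.cnf -extensions crl_issuer -CA root/root_cert.pem \
        -CAkey root/root_key.pem -out dumca/dumca_crlissuer_cert.pem \
        -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
        -passin pass:passphrase
fi

# generate certificate for Alice
if [ ! -f subca/alice/alice_cert.pem ]; then
    if [ ! -d subca/alice ]; then
        mkdir -p subca/alice
    fi

    openssl req -newkey rsa:1024 -keyout subca/alice/alice_key.pem \
        -out subca/alice/alice_req.pem \
        -subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \
        -passin pass:passphrase -passout pass:passphrase

    openssl x509 -req -in subca/alice/alice_req.pem \
        -extfile openssl.cnf -extensions ee_of_subca \
        -CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
        -out subca/alice/alice_cert.pem -CAcreateserial \
        -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
fi

# generate certificate for Bob
if [ ! -f subca/bob/bob_cert.pem ]; then
    if [ ! -d subca/bob ]; then
        mkdir -p subca/bob
    fi

    openssl req -newkey rsa:1024 -keyout subca/bob/bob_key.pem \
        -out subca/bob/bob_req.pem \
        -subj "/C=US/O=Example/OU=Class-1/CN=Bob" -days 7650 \
        -passin pass:passphrase -passout pass:passphrase

    openssl x509 -req -in subca/bob/bob_req.pem \
        -extfile openssl.cnf -extensions ee_of_subca \
        -CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
        -out subca/bob/bob_cert.pem -CAcreateserial \
        -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
fi

# generate certificate for Susan
if [ ! -f subca/susan/susan_cert.pem ]; then
    if [ ! -d subca/susan ]; then
        mkdir -p subca/susan
    fi

    openssl req -newkey rsa:1024 -keyout subca/susan/susan_key.pem \
        -out subca/susan/susan_req.pem \
        -subj "/C=US/O=Example/OU=Class-1/CN=Susan" -days 7650 \
        -passin pass:passphrase -passout pass:passphrase

    openssl x509 -req -in subca/susan/susan_req.pem -extfile openssl.cnf \
        -extensions ee_of_subca -CA subca/subca_cert.pem \
        -CAkey subca/subca_key.pem -out subca/susan/susan_cert.pem \
        -CAcreateserial -CAserial subca/subca_cert.srl -days 7200 \
        -passin pass:passphrase
fi


# generate the top CRL
if [ ! -f root/top_crl.pem ]; then
    if [ ! -d root ]; then
        mkdir root
    fi

    # `openssl ca` refuses to run without its database (index.txt) and a
    # CRL number file; seed both so the first -gencrl succeeds.
    if [ ! -f root/index.txt ]; then
        touch root/index.txt
        echo 00 > root/crlnumber
    fi

    openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \
        -crl_reason superseded -keyfile root/top_crlissuer_key.pem \
        -cert root/top_crlissuer_cert.pem -out root/top_crl.pem \
        -passin pass:passphrase
fi

# revoke dumca
# Not guarded: re-running the script after a successful run fails here
# because dumca is already marked revoked in root/index.txt.
openssl ca -revoke dumca/dumca_cert.pem -config openssl.cnf \
    -name ca_top -crl_reason superseded \
    -keyfile root/top_crlissuer_key.pem -cert root/top_crlissuer_cert.pem \
    -passin pass:passphrase

# Regenerate the top CRL so it now lists dumca.
openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \
    -crl_reason superseded -keyfile root/top_crlissuer_key.pem \
    -cert root/top_crlissuer_cert.pem -out root/top_crl.pem \
    -passin pass:passphrase

# generate the subca CRL
if [ ! -f subca/subca_crl.pem ]; then
    if [ ! -d subca ]; then
        mkdir subca
    fi

    if [ ! -f subca/index.txt ]; then
        touch subca/index.txt
        echo 00 > subca/crlnumber
    fi

    openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \
        -crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
        -cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \
        -passin pass:passphrase
fi

# revoke susan
# Not guarded, same rerun caveat as the dumca revocation above.
openssl ca -revoke subca/susan/susan_cert.pem -config openssl.cnf \
    -name ca_subca -crl_reason superseded \
    -keyfile subca/subca_crlissuer_key.pem \
    -cert subca/subca_crlissuer_cert.pem -passin pass:passphrase

# Regenerate the subca CRL so it now lists Susan.
openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \
    -crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
    -cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \
    -passin pass:passphrase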