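#!/bin/sh
#
# Generate a Suite B 192-bit (P-384 / SHA-384) EC test PKI with OpenSSL:
#   - a self-signed root CA            -> ec2-ca.key / ec2-ca.pem
#   - a server certificate (server.w1.fi) -> ec2-server.{key,req,pem}
#   - a P-384 user certificate            -> ec2-user.{key,req,pem}
#   - a P-256 user certificate            -> ec2-user-p256.{key,req,pem}
# and finally verify every leaf against the root.
#
# Run from the directory holding ec-ca-openssl.cnf. The template is expected
# to contain the placeholders "#@CN@" and "#@ALTNAME@" (rewritten below) and
# the extension sections ext_server / ext_client referenced by the "ca" step.
# Leaf validity and the CA database layout (ec-ca/) come from that config.
#
# NOTE(security): all private keys are written unencrypted (no passphrase,
# "-nodes") and with the caller's default umask, i.e. typically world-
# readable. This is test material for a simulated deployment; do not reuse
# these keys outside a test environment, and run with "umask 077" if the
# output directory is shared.

# Abort on the first failing openssl step instead of silently producing a
# partial PKI, and refuse unset variables.
set -eu

OPENSSL=openssl

CURVE=secp384r1
DIGEST="-sha384"
CA_MD=sha384

CFG=ec-ca-openssl.cnf
CFG_TMP="$CFG.tmp"

# Print a message to stderr and exit non-zero.
die() {
	printf '%s\n' "$*" >&2
	exit 1
}

# Remove the patched config on every exit path. The original script only
# removed it after a successful step, so a failed "req"/"ca" left it behind.
cleanup() {
	rm -f -- "$CFG_TMP"
}
trap cleanup EXIT

[ -f "$CFG" ] || die "missing $CFG in $(pwd)"
command -v "$OPENSSL" >/dev/null 2>&1 || die "$OPENSSL not found in PATH"

# Section header, same layout as the original progress output.
banner() {
	echo
	echo "$1"
	echo
}

# Write $CFG_TMP from the template with the commonName default ($1) and,
# when $2 is given, the subjectAltName value filled in. Without $2 the
# "#@ALTNAME@" line stays a comment (this is what the root CA wants).
# The values are script constants; a '/' or '&' in them would break the
# sed substitution, so keep them plain if you edit the names.
make_config() {
	if [ $# -ge 2 ]; then
		sed -e "s/#@CN@/commonName_default = $1/" \
		    -e "s/#@ALTNAME@/subjectAltName=$2/" "$CFG" > "$CFG_TMP"
	else
		sed -e "s/#@CN@/commonName_default = $1/" "$CFG" > "$CFG_TMP"
	fi
}

# Generate an EC private key: $1 = output file, $2 = named curve.
gen_key() {
	$OPENSSL ecparam -out "$1" -name "$2" -genkey
}

# Issue one leaf certificate signed by the root CA.
#   $1 = basename (files are ec2-$1.key/.req/.pem)
#   $2 = named curve for the leaf key
#   $3 = extension section passed to "ca -extensions"
#   $4 = digest option passed to "req" (e.g. -sha384)
#   $5 = digest name passed to "ca -md" (e.g. sha384)
# Any further arguments are passed verbatim to "req" (the user CSRs add
# "-extensions ext_client", the server CSR adds nothing, as before).
# $CFG_TMP must already have been written by make_config.
issue_cert() {
	name=$1
	curve=$2
	ext=$3
	req_dgst=$4
	ca_md=$5
	shift 5
	gen_key "ec2-$name.key" "$curve"
	$OPENSSL req -config "$CFG_TMP" -batch -new -nodes \
		-key "ec2-$name.key" -out "ec2-$name.req" -outform PEM \
		"$@" "$req_dgst"
	$OPENSSL ca -config "$CFG_TMP" -batch \
		-keyfile ec2-ca.key -cert ec2-ca.pem -create_serial \
		-in "ec2-$name.req" -out "ec2-$name.pem" \
		-extensions "$ext" -md "$ca_md"
	rm -f -- "$CFG_TMP"
}

banner "---[ Root CA ]----------------------------------------------------------"

make_config "Suite B 192-bit Root CA"
gen_key ec2-ca.key "$CURVE"
# Self-signed root, 10 year validity.
$OPENSSL req -config "$CFG_TMP" -batch -x509 -new -key ec2-ca.key \
	-out ec2-ca.pem -outform PEM -days 3650 "$DIGEST"
# CA database expected by "openssl ca" (paths come from the config).
mkdir -p ec-ca/certs ec-ca/crl ec-ca/newcerts ec-ca/private
touch ec-ca/index.txt
rm -f -- "$CFG_TMP"

banner "---[ Server ]-----------------------------------------------------------"

make_config "server.w1.fi" "critical,DNS:server.w1.fi"
issue_cert server "$CURVE" ext_server "$DIGEST" "$CA_MD"

banner "---[ User ]-------------------------------------------------------------"

make_config "user" "email:user@w1.fi"
issue_cert user "$CURVE" ext_client "$DIGEST" "$CA_MD" -extensions ext_client

banner "---[ User p256 ]--------------------------------------------------------"

# Mixed-curve client: P-256 key signed by the P-384 CA, SHA-256 signatures.
make_config "user-p256" "email:user-p256@w1.fi"
issue_cert user-p256 prime256v1 ext_client -sha256 sha256 -extensions ext_client

banner "---[ Verify ]-----------------------------------------------------------"

# With "set -e" a chain that does not verify now fails the script.
$OPENSSL verify -CAfile ec2-ca.pem ec2-server.pem
$OPENSSL verify -CAfile ec2-ca.pem ec2-user.pem
$OPENSSL verify -CAfile ec2-ca.pem ec2-user-p256.pem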