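#!/bin/sh
# Build the test PKI below an existing root CA: two RSA intermediate CAs
# (server and user) signed by the root, a server certificate, a revoked server
# certificate and a user certificate, then verify every chain.
#
# Expects in the current directory:
#   ec-ca-openssl.cnf   config template carrying the placeholders "ec-ca",
#                       "#@CN@" and "#@ALTNAME@"
#   ca.pem, ca-key.pem  the root CA certificate and key
#   rootCA/newcerts     output directory used when the root signs the
#                       intermediate requests
#
# Every private key is written unencrypted (-nodes) under the caller's umask:
# this is test-fixture material, not production key handling.  All steps are
# fatal (set -eu), so a failed OpenSSL call stops the run instead of leaving a
# half-built hierarchy behind.

set -eu

OPENSSL=${OPENSSL:-openssl}
CNF_TMPL=ec-ca-openssl.cnf
CNF=openssl.cnf.tmp
DAYS=3652
KEY_SPEC=rsa:2048

# Drop the rendered config on any exit so an aborted run leaves none behind.
trap 'rm -f "$CNF"' EXIT

# Print a section banner, padded with dashes to 72 columns:
#   $1 - section title
banner() {
  head="---[ $1 ]"
  printf '\n%s' "$head"
  n=${#head}
  while [ "$n" -lt 72 ]; do
    printf '%s' -
    n=$((n + 1))
  done
  printf '\n\n'
}

# Render $CNF_TMPL into $CNF:
#   $1 - name substituted for "ec-ca" (presumably the CA directory the
#        template refers to; confirm against ec-ca-openssl.cnf)
#   $2 - value for commonName_default
#   $3 - subjectAltName value, or empty to leave the #@ALTNAME@ line alone
# Arguments must not contain "/" since they are spliced into sed s/// commands.
render_config() {
  ca_name=$1
  cn=$2
  altname=${3:-}
  if [ -n "$altname" ]; then
    sed -e "s/ec-ca/$ca_name/" \
        -e "s/#@CN@/commonName_default = $cn/" \
        -e "s/#@ALTNAME@/subjectAltName=$altname/" "$CNF_TMPL" > "$CNF"
  else
    sed -e "s/ec-ca/$ca_name/" \
        -e "s/#@CN@/commonName_default = $cn/" "$CNF_TMPL" > "$CNF"
  fi
}

# Create an intermediate CA signed by the root CA (ca.pem / ca-key.pem):
#   $1 - CA directory to create (e.g. iCA-server)
#   $2 - commonName of the intermediate CA
# Leaves $1/private/cakey.pem, $1/cacert.pem and $1/ca-and-root.pem
# (intermediate followed by root) and removes the rendered config.
make_intermediate_ca() {
  dir=$1
  render_config rootCA "$2" ""
  mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
  touch "$dir/index.txt"
  "$OPENSSL" req -config "$CNF" -batch -new -newkey "$KEY_SPEC" -nodes \
    -keyout "$dir/private/cakey.pem" -out "$dir/careq.pem" -outform PEM \
    -days "$DAYS" -sha256
  "$OPENSSL" ca -config "$CNF" -md sha256 -create_serial \
    -out "$dir/cacert.pem" -days "$DAYS" -batch \
    -keyfile ca-key.pem -cert ca.pem -extensions v3_ca \
    -outdir rootCA/newcerts -infiles "$dir/careq.pem"
  cat "$dir/cacert.pem" ca.pem > "$dir/ca-and-root.pem"
  rm "$CNF"
}

# Generate a key and issue an end-entity certificate from an intermediate CA:
#   $1 - intermediate CA directory (holds private/cakey.pem and cacert.pem)
#   $2 - output basename; writes $1/$2.key, $1/$2.req and $1/$2.pem
#   $3 - commonName
#   $4 - extensions section of the config to apply (ext_server / ext_client)
#   $5 - subjectAltName value
# The rendered config is left in place so the caller can run further
# "openssl ca" operations (e.g. -revoke) against it; the caller removes it.
issue_cert() {
  dir=$1
  name=$2
  render_config "$dir" "$3" "$5"
  "$OPENSSL" req -config "$CNF" -batch -new -newkey "$KEY_SPEC" -nodes \
    -keyout "$dir/$name.key" -out "$dir/$name.req" -outform PEM -sha256
  "$OPENSSL" ca -config "$CNF" -batch \
    -keyfile "$dir/private/cakey.pem" -cert "$dir/cacert.pem" \
    -create_serial -in "$dir/$name.req" -out "$dir/$name.pem" \
    -extensions "$4" -md sha256
}

main() {
  banner "Intermediate CA - Server"
  make_intermediate_ca iCA-server "Server Intermediate CA"

  banner "Intermediate CA - User"
  make_intermediate_ca iCA-user "User Intermediate CA"

  banner "Server"
  issue_cert iCA-server server server.w1.fi ext_server critical,DNS:server.w1.fi
  # Server bundles are written CA-first; the user bundle below is leaf-first.
  # Both orders are kept as in the original generator — presumably what the
  # consumers of these files expect; confirm before changing either.
  cat iCA-server/cacert.pem iCA-server/server.pem \
    > iCA-server/server_and_ica.pem
  rm "$CNF"

  banner "Server - revoked"
  issue_cert iCA-server server-revoked server-revoked.w1.fi ext_server \
    critical,DNS:server-revoked.w1.fi
  # Mark the certificate revoked in the CA database (index.txt).  No CRL is
  # produced here, so only consumers that check the database or a CRL built
  # from it will see the revocation.
  "$OPENSSL" ca -config "$CNF" -revoke iCA-server/server-revoked.pem \
    -keyfile iCA-server/private/cakey.pem -cert iCA-server/cacert.pem
  cat iCA-server/cacert.pem iCA-server/server-revoked.pem \
    > iCA-server/server-revoked_and_ica.pem
  rm "$CNF"

  banner "User"
  issue_cert iCA-user user user.w1.fi ext_client critical,DNS:user.w1.fi
  cat iCA-user/user.pem iCA-user/cacert.pem > iCA-user/user_and_ica.pem
  rm "$CNF"

  banner "Verify"
  # Under set -e a chain that fails to verify aborts the script.  The revoked
  # certificate still verifies here because no CRL is passed to "verify";
  # the revocation is only recorded in the CA's index.txt.
  "$OPENSSL" verify -CAfile ca.pem iCA-server/cacert.pem
  "$OPENSSL" verify -CAfile ca.pem iCA-user/cacert.pem
  "$OPENSSL" verify -CAfile ca.pem -untrusted iCA-server/cacert.pem \
    iCA-server/server.pem
  "$OPENSSL" verify -CAfile ca.pem -untrusted iCA-server/cacert.pem \
    iCA-server/server-revoked.pem
  "$OPENSSL" verify -CAfile ca.pem -untrusted iCA-user/cacert.pem \
    iCA-user/user.pem
}

main "$@"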