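#!/bin/sh
#
# Generate the RSA-3072 test PKI used by the test suite: DH parameters,
# a self-signed root CA, one server certificate and two user (client)
# certificates (the second with an RSA-2048 key), all signed with SHA-384.
#
# Requires ec-ca-openssl.cnf in the current directory as the config
# template. For each entity the #@CN@ and #@ALTNAME@ placeholders are
# filled in and the trailing "./ec-ca" reference is rewritten to
# "./rsa3072-ca" (presumably the CA 'dir' setting -- confirm in the
# template).
#
# Already generated keys/requests are reused, so re-running only re-issues
# certificates from the existing requests. Private keys are written
# unencrypted (-nodes) because these are test fixtures; they are chmod 600
# right after creation so the caller's umask does not leave them readable.

# Abort on the first failing step so later sections never run against a
# missing or stale key/request/certificate.
set -e

OPENSSL=openssl
CNF_TMP=rsa3072-ca-openssl.cnf.tmp

# The temporary config is rewritten per section; make sure it does not
# outlive the script even when an openssl step fails under set -e.
trap 'rm -f "$CNF_TMP"' EXIT

#######################################
# Derive the per-entity OpenSSL config from the EC CA template.
# Arguments: $1 - commonName_default value
#            $2 - subjectAltName value; empty leaves the #@ALTNAME@
#                 placeholder untouched (as for the root CA)
# Outputs:   writes the config to $CNF_TMP
#######################################
gen_cnf() {
  if [ -n "$2" ]; then
    altname_expr="s/#@ALTNAME@/subjectAltName=$2/"
  else
    altname_expr='s/#@ALTNAME@/#@ALTNAME@/'   # identity: keep placeholder
  fi
  # Single-quoted so that '\.' reaches sed as a literal dot (unquoted, the
  # shell would strip the backslash and '.' would match any character).
  sed -e "s/#@CN@/commonName_default = $1/" \
      -e "$altname_expr" \
      -e 's%\./ec-ca$%./rsa3072-ca%' ec-ca-openssl.cnf > "$CNF_TMP"
}

#######################################
# Sign a pending request with the root CA (2-year validity, SHA-384).
# Arguments: $1 - entity basename (reads $1.req, writes $1.pem)
#            $2 - extensions section from the config to apply
#######################################
issue_cert() {
  $OPENSSL ca -config "$CNF_TMP" -batch -keyfile rsa3072-ca.key \
    -cert rsa3072-ca.pem -create_serial -in "$1.req" -out "$1.pem" \
    -extensions "$2" -days 730 -md sha384
}

echo
echo "---[ DH parameters ]----------------------------------------------------"
echo

if [ -r dh_param_3072.pem ]; then
  echo "Use already generated dh_param_3072.pem"
else
  # Use $OPENSSL like every other step (the original called 'openssl'
  # directly here, bypassing any override of the binary).
  $OPENSSL dhparam -out dh_param_3072.pem 3072
fi

echo
echo "---[ Root CA ]----------------------------------------------------------"
echo

if [ -r rsa3072-ca.key ]; then
  echo "Use already generated Root CA"
else
  gen_cnf "Suite B RSA 3k Root CA" ""
  $OPENSSL req -config "$CNF_TMP" -batch -x509 -new -newkey rsa:3072 -nodes \
    -keyout rsa3072-ca.key -out rsa3072-ca.pem -outform PEM -days 3650 -sha384
  chmod 600 rsa3072-ca.key
  # CA database layout that 'openssl ca' expects under the rewritten dir.
  mkdir -p rsa3072-ca/certs rsa3072-ca/crl rsa3072-ca/newcerts rsa3072-ca/private
  touch rsa3072-ca/index.txt
fi

echo
echo "---[ Server ]-----------------------------------------------------------"
echo

gen_cnf "rsa3072.server.w1.fi" "critical,DNS:rsa3072.server.w1.fi"
if [ ! -r rsa3072-server.req ]; then
  $OPENSSL req -config "$CNF_TMP" -batch -new -newkey rsa:3072 -nodes \
    -keyout rsa3072-server.key -out rsa3072-server.req -outform PEM -sha384
  chmod 600 rsa3072-server.key
fi
issue_cert rsa3072-server ext_server

echo
echo "---[ User SHA-384 ]-----------------------------------------------------"
echo

gen_cnf "user-rsa3072" "email:user-rsa3072@w1.fi"
if [ ! -r rsa3072-user.req ]; then
  $OPENSSL req -config "$CNF_TMP" -batch -new -newkey rsa:3072 -nodes \
    -keyout rsa3072-user.key -out rsa3072-user.req -outform PEM \
    -extensions ext_client -sha384
  chmod 600 rsa3072-user.key
fi
issue_cert rsa3072-user ext_client

echo
echo "---[ User RSA2048 ]-----------------------------------------------------"
echo

gen_cnf "user-rsa3072-rsa2048" "email:user-rsa3072-rsa2048@w1.fi"
if [ ! -r rsa3072-user-rsa2048.req ]; then
  $OPENSSL req -config "$CNF_TMP" -batch -new -newkey rsa:2048 -nodes \
    -keyout rsa3072-user-rsa2048.key -out rsa3072-user-rsa2048.req \
    -outform PEM -extensions ext_client -sha384
  chmod 600 rsa3072-user-rsa2048.key
fi
issue_cert rsa3072-user-rsa2048 ext_client

echo
echo "---[ Verify ]-----------------------------------------------------------"
echo

# With set -e a certificate that does not chain to the CA now makes the
# script exit non-zero instead of only printing the failure.
for cert in rsa3072-server.pem rsa3072-user.pem rsa3072-user-rsa2048.pem; do
  $OPENSSL verify -CAfile rsa3072-ca.pem "$cert"
done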