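#!/bin/sh
#
# Generate a throw-away test PKI in the current directory: one RSA-4096
# root CA and four leaf certificates (two server, two client), two of
# them signed with SHA-512 and two with SHA-384, then verify every leaf
# against the root.  The CA database used by "openssl ca" lives in
# ec-ca/.  The config template ec-ca-openssl.cnf must contain the
# placeholder comments "#@CN@" and "#@ALTNAME@".
#
# Environment:
#   OPENSSL - openssl binary to use (default: "openssl").  It is expanded
#             unquoted on purpose so it may carry extra arguments.
#
# NOTE(review): the private keys are written with -nodes (unencrypted)
# and with the caller's umask.  That is acceptable for test fixtures but
# these files must never double as real credentials; run with `umask 077`
# first if the keys should not be world-readable.

# Abort on the first failing openssl invocation and on unset variables.
# "pipefail" is not available in every /bin/sh, which is why the template
# is rendered with a single sed process reading the file directly instead
# of a cat|sed|sed pipeline.
set -eu

OPENSSL="${OPENSSL:-openssl}"

DIGEST="-sha512"
# Kept unquoted at the call sites on purpose: "openssl ca" needs "-md"
# and the digest name as two separate arguments.
DIGEST_CA="-md sha512"

CNF_TEMPLATE=ec-ca-openssl.cnf
# Rendered config; recreated for every certificate and removed afterwards.
CNF=ec-ca-openssl.cnf.tmp

# Make sure the rendered config never outlives the script, even when an
# openssl step fails part-way through.
cleanup() { rm -f -- "$CNF"; }
trap cleanup EXIT

# render_cnf CN [ALTNAME]
#   Instantiate $CNF_TEMPLATE into $CNF: "#@CN@" becomes the default
#   commonName, and when ALTNAME is given "#@ALTNAME@" becomes that
#   subjectAltName line (the root CA gets none).  All values passed below
#   are fixed strings; '|' is used as the sed delimiter so DNS names and
#   e-mail addresses need no escaping.
render_cnf() {
  cn=$1
  altname=${2:-}
  if [ -n "$altname" ]; then
    sed -e "s|#@CN@|commonName_default = $cn|" \
        -e "s|#@ALTNAME@|$altname|" -- "$CNF_TEMPLATE" > "$CNF"
  else
    sed -e "s|#@CN@|commonName_default = $cn|" -- "$CNF_TEMPLATE" > "$CNF"
  fi
}

# sign REQ OUT EXT DIGEST_ARGS...
#   Have the root CA (sha512-ca.key / sha512-ca.pem) issue a certificate
#   for CSR REQ into OUT, applying extension section EXT from $CNF.  Any
#   further arguments are passed through to "openssl ca" (the -md digest).
#   -create_serial lets the first run start without a serial file.
sign() {
  req=$1
  out=$2
  ext=$3
  shift 3
  $OPENSSL ca -config "$CNF" -batch -keyfile sha512-ca.key -cert sha512-ca.pem \
    -create_serial -in "$req" -out "$out" -extensions "$ext" "$@"
}

echo
echo "---[ Root CA ]----------------------------------------------------------"
echo

render_cnf "SHA384 and SHA512 Root CA"
# Self-signed root, valid for ten years.
$OPENSSL req -config "$CNF" -batch -x509 -new -newkey rsa:4096 -nodes \
  -keyout sha512-ca.key -out sha512-ca.pem -outform PEM -days 3650 $DIGEST
# CA database directories and index; "openssl ca" refuses to run without them.
mkdir -p ec-ca/certs ec-ca/crl ec-ca/newcerts ec-ca/private
touch ec-ca/index.txt
rm -f -- "$CNF"

echo
echo "---[ Server SHA-512 ]---------------------------------------------------"
echo

render_cnf "sha512.server.w1.fi" "subjectAltName=critical,DNS:sha512.server.w1.fi"
$OPENSSL req -config "$CNF" -batch -new -newkey rsa:3500 -nodes \
  -keyout sha512-server.key -out sha512-server.req -outform PEM $DIGEST
sign sha512-server.req sha512-server.pem ext_server $DIGEST_CA
rm -f -- "$CNF"

echo
echo "---[ Server SHA-384 ]---------------------------------------------------"
echo

render_cnf "sha384.server.w1.fi" "subjectAltName=critical,DNS:sha384.server.w1.fi"
$OPENSSL req -config "$CNF" -batch -new -newkey rsa:3072 -nodes \
  -keyout sha384-server.key -out sha384-server.req -outform PEM $DIGEST
# The CSR itself is still SHA-512 signed ($DIGEST); only the issued
# certificate's signature uses SHA-384.
sign sha384-server.req sha384-server.pem ext_server -md sha384
rm -f -- "$CNF"

echo
echo "---[ User SHA-512 ]-----------------------------------------------------"
echo

render_cnf "user-sha512" "subjectAltName=email:user-sha512@w1.fi"
# NOTE(review): "-extensions" on a CSR is only honoured by newer OpenSSL
# releases (older ones want -reqexts); the CA re-applies ext_client when
# signing, so the issued certificate is the same either way.
$OPENSSL req -config "$CNF" -batch -new -newkey rsa:3400 -nodes \
  -keyout sha512-user.key -out sha512-user.req -outform PEM -extensions ext_client $DIGEST
sign sha512-user.req sha512-user.pem ext_client $DIGEST_CA
rm -f -- "$CNF"

echo
echo "---[ User SHA-384 ]-----------------------------------------------------"
echo

render_cnf "user-sha384" "subjectAltName=email:user-sha384@w1.fi"
$OPENSSL req -config "$CNF" -batch -new -newkey rsa:2900 -nodes \
  -keyout sha384-user.key -out sha384-user.req -outform PEM -extensions ext_client $DIGEST
sign sha384-user.req sha384-user.pem ext_client -md sha384
rm -f -- "$CNF"

echo
echo "---[ Verify ]-----------------------------------------------------------"
echo

# Each leaf must chain to the root.  With set -e a verification failure
# (non-zero exit from "openssl verify" on current OpenSSL releases) aborts
# the script instead of being lost in the output.
$OPENSSL verify -CAfile sha512-ca.pem sha512-server.pem
$OPENSSL verify -CAfile sha512-ca.pem sha384-server.pem
$OPENSSL verify -CAfile sha512-ca.pem sha512-user.pem
$OPENSSL verify -CAfile sha512-ca.pem sha384-user.pem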