# # Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # # This code is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License version 2 only, as # published by the Free Software Foundation. Oracle designates this # particular file as subject to the "Classpath" exception as provided # by Oracle in the LICENSE file that accompanied this code. # # This code is distributed in the hope that it will be useful, but WITHOUT # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # version 2 for more details (a copy is included in the LICENSE file that # accompanied this code). # # You should have received a copy of the GNU General Public License version # 2 along with this work; if not, write to the Free Software Foundation, # Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. # # Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA # or visit www.oracle.com if you need additional information or have any # questions. # #!/bin/ksh # # needs ksh to run the script. set -e OPENSSL=openssl # generate a self-signed root certificate if [ ! -f root/finished ]; then if [ ! -d root ]; then mkdir root fi # SHA1withRSA 1024 ${OPENSSL} req -x509 -newkey rsa:1024 -keyout root/root_key_1024.pem \ -out root/root_cert_sha1_1024.pem -subj "/C=US/O=Example" \ -config openssl.cnf -reqexts cert_issuer -days 7650 -sha1 \ -passin pass:passphrase -passout pass:passphrase # SHA1withRSA 512 ${OPENSSL} req -x509 -newkey rsa:512 -keyout root/root_key_512.pem \ -out root/root_cert_sha1_512.pem -subj "/C=US/O=Example" \ -config openssl.cnf -reqexts cert_issuer -days 7650 -sha1 \ -passin pass:passphrase -passout pass:passphrase # MD2withRSA 2048 ${OPENSSL} req -x509 -newkey rsa:2048 -keyout root/root_key_2048.pem \ -out root/root_cert_md2_2048.pem -subj "/C=US/O=Example" \ -config openssl.cnf -reqexts cert_issuer -days 7650 -md2 \ -passin pass:passphrase -passout pass:passphrase openssl req -newkey rsa:1024 -keyout root/root_crlissuer_key.pem \ -out root/root_crlissuer_req.pem -subj "/C=US/O=Example" -days 7650 \ -passin pass:passphrase -passout pass:passphrase openssl x509 -req -in root/root_crlissuer_req.pem -extfile openssl.cnf \ -extensions crl_issuer -CA root/root_cert_sha1_1024.pem \ -CAkey root/root_key_1024.pem -out root/root_crlissuer_cert.pem \ -CAcreateserial -CAserial root/root_cert.srl -days 7200 \ -passin pass:passphrase touch root/finished fi # generate subca cert issuer if [ ! -f subca/finished ]; then if [ ! -d subca ]; then mkdir subca fi # RSA 1024 ${OPENSSL} req -newkey rsa:1024 -keyout subca/subca_key_1024.pem \ -out subca/subca_req_1024.pem -subj "/C=US/O=Example/OU=Class-1" \ -days 7650 -passin pass:passphrase -passout pass:passphrase # RSA 512 ${OPENSSL} req -newkey rsa:512 -keyout subca/subca_key_512.pem \ -out subca/subca_req_512.pem -subj "/C=US/O=Example/OU=Class-1" \ -days 7650 -passin pass:passphrase -passout pass:passphrase # SHA1withRSA 1024 signed with RSA 1024 ${OPENSSL} x509 -req -in subca/subca_req_1024.pem -extfile openssl.cnf \ -extensions cert_issuer -CA root/root_cert_sha1_1024.pem \ -CAkey root/root_key_1024.pem -out subca/subca_cert_sha1_1024_1024.pem \ -CAcreateserial -sha1 \ -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase # SHA1withRSA 1024 signed with RSA 512 ${OPENSSL} x509 -req -in subca/subca_req_1024.pem -extfile openssl.cnf \ -extensions cert_issuer -CA root/root_cert_sha1_512.pem \ -CAkey root/root_key_512.pem -out subca/subca_cert_sha1_1024_512.pem \ -CAcreateserial -sha1 \ -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase # SHA1withRSA 512 signed with RSA 1024 ${OPENSSL} x509 -req -in subca/subca_req_512.pem -extfile openssl.cnf \ -extensions cert_issuer -CA root/root_cert_sha1_1024.pem \ -CAkey root/root_key_1024.pem -out subca/subca_cert_sha1_512_1024.pem \ -CAcreateserial -sha1 \ -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase # SHA1withRSA 512 signed with RSA 512 ${OPENSSL} x509 -req -in subca/subca_req_512.pem -extfile openssl.cnf \ -extensions cert_issuer -CA root/root_cert_sha1_512.pem \ -CAkey root/root_key_512.pem -out subca/subca_cert_sha1_512_512.pem \ -CAcreateserial -sha1 \ -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase # MD2withRSA 1024 signed with RSA 1024 ${OPENSSL} x509 -req -in subca/subca_req_1024.pem -extfile openssl.cnf \ -extensions cert_issuer -CA root/root_cert_sha1_1024.pem \ -CAkey root/root_key_1024.pem -out subca/subca_cert_md2_1024_1024.pem \ -CAcreateserial -md2 \ -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase # MD2withRSA 1024 signed with RSA 512 ${OPENSSL} x509 -req -in subca/subca_req_1024.pem -extfile openssl.cnf \ -extensions cert_issuer -CA root/root_cert_sha1_512.pem \ -CAkey root/root_key_512.pem -out subca/subca_cert_md2_1024_512.pem \ -CAcreateserial -md2 \ -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase openssl req -newkey rsa:1024 -keyout subca/subca_crlissuer_key.pem \ -out subca/subca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-1" \ -days 7650 -passin pass:passphrase -passout pass:passphrase openssl x509 -req -in subca/subca_crlissuer_req.pem -extfile openssl.cnf \ -extensions crl_issuer -CA root/root_cert_sha1_1024.pem \ -CAkey root/root_key_1024.pem -out subca/subca_crlissuer_cert.pem \ -CAcreateserial -CAserial root/root_cert.srl -days 7200 \ -passin pass:passphrase touch subca/finished fi # generate certifiacte for Alice if [ ! -f subca/alice/finished ]; then if [ ! -d subca/alice ]; then mkdir -p subca/alice fi # RSA 1024 ${OPENSSL} req -newkey rsa:1024 -keyout subca/alice/alice_key_1024.pem \ -out subca/alice/alice_req_1024.pem \ -subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \ -passin pass:passphrase -passout pass:passphrase # RSA 512 ${OPENSSL} req -newkey rsa:512 -keyout subca/alice/alice_key_512.pem \ -out subca/alice/alice_req_512.pem \ -subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \ -passin pass:passphrase -passout pass:passphrase # SHA1withRSA 1024 signed with RSA 1024 ${OPENSSL} x509 -req -in subca/alice/alice_req_1024.pem \ -extfile openssl.cnf -extensions ee_of_subca \ -CA subca/subca_cert_sha1_1024_1024.pem \ -CAkey subca/subca_key_1024.pem \ -out subca/alice/alice_cert_sha1_1024_1024.pem -CAcreateserial -sha1 \ -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase # SHA1withRSA 1024 signed with RSA 512 ${OPENSSL} x509 -req -in subca/alice/alice_req_1024.pem \ -extfile openssl.cnf -extensions ee_of_subca \ -CA subca/subca_cert_sha1_512_1024.pem \ -CAkey subca/subca_key_512.pem \ -out subca/alice/alice_cert_sha1_1024_512.pem -CAcreateserial -sha1 \ -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase # SHA1withRSA 512 signed with RSA 1024 ${OPENSSL} x509 -req -in subca/alice/alice_req_512.pem \ -extfile openssl.cnf -extensions ee_of_subca \ -CA subca/subca_cert_sha1_1024_1024.pem \ -CAkey subca/subca_key_1024.pem \ -out subca/alice/alice_cert_sha1_512_1024.pem -CAcreateserial -sha1 \ -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase # SHA1withRSA 512 signed with RSA 512 ${OPENSSL} x509 -req -in subca/alice/alice_req_512.pem \ -extfile openssl.cnf -extensions ee_of_subca \ -CA subca/subca_cert_sha1_512_1024.pem \ -CAkey subca/subca_key_512.pem \ -out subca/alice/alice_cert_sha1_512_512.pem -CAcreateserial -sha1 \ -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase # MD2withRSA 1024 signed with RSA 1024 ${OPENSSL} x509 -req -in subca/alice/alice_req_1024.pem \ -extfile openssl.cnf -extensions ee_of_subca \ -CA subca/subca_cert_sha1_1024_1024.pem \ -CAkey subca/subca_key_1024.pem \ -out subca/alice/alice_cert_md2_1024_1024.pem -CAcreateserial -md2 \ -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase # MD2withRSA 1024 signed with RSA 512 ${OPENSSL} x509 -req -in subca/alice/alice_req_1024.pem \ -extfile openssl.cnf -extensions ee_of_subca \ -CA subca/subca_cert_sha1_512_1024.pem \ -CAkey subca/subca_key_512.pem \ -out subca/alice/alice_cert_md2_1024_512.pem -CAcreateserial -md2 \ -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase touch subca/alice/finished fi if [ ! -f root/revoked ]; then if [ ! -d root ]; then mkdir root fi if [ ! -f root/index.txt ]; then touch root/index.txt echo 00 > root/crlnumber fi openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 -md sha1 \ -crl_reason superseded -keyfile root/root_crlissuer_key.pem \ -cert root/root_crlissuer_cert.pem -out root/top_crl.pem \ -passin pass:passphrase touch root/revoked fi if [ ! -f subca/revoked ]; then if [ ! -d subca ]; then mkdir subca fi if [ ! -f subca/index.txt ]; then touch subca/index.txt echo 00 > subca/crlnumber fi # revoke alice's SHA1withRSA 1024 signed with RSA 1024 openssl ca -revoke subca/alice/alice_cert_sha1_1024_1024.pem \ -config openssl.cnf \ -name ca_subca -crl_reason superseded \ -keyfile subca/subca_crlissuer_key.pem \ -cert subca/subca_crlissuer_cert.pem -passin pass:passphrase openssl ca -gencrl -config openssl.cnf \ -name ca_subca -crldays 7000 -md md2 \ -crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \ -cert subca/subca_crlissuer_cert.pem \ -out subca/subca_crl.pem \ -passin pass:passphrase touch subca/revoked fi