2 # this script generates a set of sample keys
7 [ -f config ] && . ./config
10 rm -Rf *.csr *.crt *.key *.pkcs12 *.ca *.crl
13 ####### create various extensions files for the various certificate types ######
14 cat <<TESTCA > test_ca.cnf
15 subjectKeyIdentifier = hash
16 #extendedKeyUsage = critical
17 basicConstraints = CA:true
18 keyUsage = digitalSignature, nonRepudiation, keyCertSign, cRLSign
21 cat <<TESTCA > test_subca.cnf
22 subjectKeyIdentifier = hash
23 #extendedKeyUsage = critical,
24 basicConstraints = CA:true
25 keyUsage = digitalSignature, nonRepudiation, keyCertSign, cRLSign
28 cat <<TESTCA > test_req.cnf
29 basicConstraints = critical,CA:false
30 keyUsage = keyEncipherment, digitalSignature
31 extendedKeyUsage=serverAuth
32 subjectKeyIdentifier = hash
33 authorityKeyIdentifier = keyid:always,issuer:always
34 #crlDistributionPoints=URI:http://www.my.host/ca.crl
35 #authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
38 cat <<TESTCA > test_reqMail.cnf
39 basicConstraints = critical,CA:false
40 keyUsage = keyEncipherment, digitalSignature
41 extendedKeyUsage=emailProtection
42 subjectKeyIdentifier = hash
43 authorityKeyIdentifier = keyid:always,issuer:always
44 #crlDistributionPoints=URI:http://www.my.host/ca.crl
45 #authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
49 genca(){ #subj, internalName
51 openssl genrsa -out $2.key ${KEYSIZE}
52 openssl req -new -key $2.key -out $2.csr -subj "$1/O=Test Environment CA Ltd./OU=Test Environment CAs"
56 echo 01 > $2.ca/serial
58 echo unique_subject = no >$2.ca/db.attr
62 caSign(){ # key,ca,config
64 openssl ca -cert ../$2.crt -keyfile ../$2.key -in ../$1.csr -out ../$1.crt -days 365 -batch -config ../selfsign.config -extfile ../$3
69 caSign $1 root test_subca.cnf
72 genserver(){ #key, subject, config
73 openssl genrsa -out $1.key ${KEYSIZE}
74 openssl req -new -key $1.key -out $1.csr -subj "$2" -config selfsign.config
77 openssl pkcs12 -inkey $1.key -in $1.crt -CAfile env.chain.crt -chain -name $1 -export -passout pass:changeit -out $1.pkcs12
79 keytool -importkeystore -noprompt -srckeystore $1.pkcs12 -destkeystore ../config/keystore.pkcs12 -srcstoretype pkcs12 -deststoretype pkcs12 -srcstorepass "changeit" -deststorepass "$PRIVATEPW"
83 # Generate the super Root CA
84 genca "/CN=Cacert-gigi testCA" root
85 openssl x509 -req -days 365 -in root.csr -signkey root.key -out root.crt -extfile test_ca.cnf
87 # generate the various sub-CAs
88 genca "/CN=Environment" env
90 genca "/CN=Unassured" unassured
92 genca "/CN=Assured" assured
94 genca "/CN=Codesigning" codesign
96 genca "/CN=Timestamping" timestamp
100 genca "/CN=Orga sign" orgaSign
104 cat env.crt root.crt > env.chain.crt
106 # generate orga-keys specific to gigi.
107 # first the server keys
108 genserver www "/CN=www.${DOMAIN}" test_req.cnf
109 genserver secure "/CN=secure.${DOMAIN}" test_req.cnf
110 genserver static "/CN=static.${DOMAIN}" test_req.cnf
111 genserver api "/CN=api.${DOMAIN}" test_req.cnf
113 # then the email signing key
114 genserver mail "/emailAddress=support@${DOMAIN}" test_reqMail.cnf
116 keytool -list -keystore ../config/keystore.pkcs12 -storetype pkcs12 -storepass "$PRIVATEPW"
118 rm test_ca.cnf test_subca.cnf test_req.cnf test_reqMail.cnf