2 # this script generates a set of sample keys
7 [ -f config ] && . ./config
10 rm -Rf *.csr *.crt *.key *.pkcs12 *.ca *.crl
13 ####### create various extensions files for the various certificate types ######
14 cat <<TESTCA > test_ca.cnf
15 subjectKeyIdentifier = hash
16 #extendedKeyUsage = critical
17 basicConstraints = CA:true
18 keyUsage = digitalSignature, nonRepudiation, keyCertSign, cRLSign
21 cat <<TESTCA > test_subca.cnf
22 subjectKeyIdentifier = hash
23 #extendedKeyUsage = critical,
24 basicConstraints = CA:true
25 keyUsage = digitalSignature, nonRepudiation, keyCertSign, cRLSign
28 cat <<TESTCA > test_req.cnf
29 basicConstraints = critical,CA:false
30 keyUsage = keyEncipherment, digitalSignature
31 extendedKeyUsage=serverAuth
32 subjectKeyIdentifier = hash
33 authorityKeyIdentifier = keyid:always,issuer:always
34 #crlDistributionPoints=URI:http://www.my.host/ca.crl
35 #authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
38 cat <<TESTCA > test_reqClient.cnf
39 basicConstraints = critical,CA:false
40 keyUsage = keyEncipherment, digitalSignature
41 extendedKeyUsage=clientAuth
42 subjectKeyIdentifier = hash
43 authorityKeyIdentifier = keyid:always,issuer:always
44 #crlDistributionPoints=URI:http://www.my.host/ca.crl
45 #authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
48 cat <<TESTCA > test_reqMail.cnf
49 basicConstraints = critical,CA:false
50 keyUsage = keyEncipherment, digitalSignature
51 extendedKeyUsage=emailProtection
52 subjectKeyIdentifier = hash
53 authorityKeyIdentifier = keyid:always,issuer:always
54 #crlDistributionPoints=URI:http://www.my.host/ca.crl
55 #authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
59 genca(){ #subj, internalName
61 openssl genrsa -out $2.key ${KEYSIZE}
62 openssl req -new -key $2.key -out $2.csr -subj "$1/O=Test Environment CA Ltd./OU=Test Environment CAs"
66 echo 01 > $2.ca/serial
68 echo unique_subject = no >$2.ca/db.attr
72 caSign(){ # key,ca,config
74 openssl ca -cert ../$2.crt -keyfile ../$2.key -in ../$1.csr -out ../$1.crt -days 365 -batch -config ../selfsign.config -extfile ../$3
79 caSign $1 root test_subca.cnf
82 genserver(){ #key, subject, config
83 openssl genrsa -out $1.key ${KEYSIZE}
84 openssl req -new -key $1.key -out $1.csr -subj "$2" -config selfsign.config
87 openssl pkcs12 -inkey $1.key -in $1.crt -CAfile env.chain.crt -chain -name $1 -export -passout pass:changeit -out $1.pkcs12
89 keytool -importkeystore -noprompt -srckeystore $1.pkcs12 -destkeystore ../config/keystore.pkcs12 -srcstoretype pkcs12 -deststoretype pkcs12 -srcstorepass "changeit" -deststorepass "$PRIVATEPW"
93 # Generate the super Root CA
94 genca "/CN=Cacert-gigi testCA" root
95 openssl x509 -req -days 365 -in root.csr -signkey root.key -out root.crt -extfile test_ca.cnf
97 # generate the various sub-CAs
98 genca "/CN=Environment" env
100 genca "/CN=Unassured" unassured
102 genca "/CN=Assured" assured
104 genca "/CN=Codesigning" codesign
106 genca "/CN=Timestamping" timestamp
108 genca "/CN=Orga" orga
110 genca "/CN=Orga sign" orgaSign
114 cat env.crt root.crt > env.chain.crt
116 # generate orga-keys specific to gigi.
117 # first the server keys
118 genserver www "/CN=www.${DOMAIN}" test_req.cnf
119 genserver secure "/CN=secure.${DOMAIN}" test_req.cnf
120 genserver static "/CN=static.${DOMAIN}" test_req.cnf
121 genserver api "/CN=api.${DOMAIN}" test_req.cnf
123 genserver signer_client "/CN=CAcert signer handler 1" test_reqClient.cnf
124 genserver signer_server "/CN=CAcert signer 1" test_req.cnf
126 # then the email signing key
127 genserver mail "/emailAddress=support@${DOMAIN}" test_reqMail.cnf
129 keytool -list -keystore ../config/keystore.pkcs12 -storetype pkcs12 -storepass "$PRIVATEPW"
131 rm test_ca.cnf test_subca.cnf test_req.cnf test_reqMail.cnf test_reqClient.cnf
134 cat root.crt env.crt > ca.crt
135 tar cf signer_bundle.tar root.crt env.crt signer_client.crt signer_client.key signer_server.crt signer_server.key ca.crt