3 OPENSSL=../../apps/openssl
4 OPENSSL_CONF=../../apps/openssl.cnf
7 # Root CA: create certificate directly
8 CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes \
9 -keyout root.pem -out root.pem -newkey rsa:2048 -days 3650
10 # Intermediate CA: request first
11 CN="Test Intermediate CA" $OPENSSL req -config ca.cnf -nodes \
12 -keyout intkey.pem -out intreq.pem -newkey rsa:2048
13 # Sign request: CA extensions
14 $OPENSSL x509 -req -in intreq.pem -CA root.pem -days 3600 \
15 -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem
17 # Server certificate: create request first
18 CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \
19 -keyout skey.pem -out req.pem -newkey rsa:1024
20 # Sign request: end entity extensions
21 $OPENSSL x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
22 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem
24 # Client certificate: request first
25 CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \
26 -keyout ckey.pem -out creq.pem -newkey rsa:1024
27 # Sign using intermediate CA
28 $OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
29 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem
31 # Revoked certificate: request first
32 CN="Test Revoked Cert" $OPENSSL req -config ca.cnf -nodes \
33 -keyout revkey.pem -out rreq.pem -newkey rsa:1024
34 # Sign using intermediate CA
35 $OPENSSL x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
36 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem
38 # OCSP responder certificate: request first
39 CN="Test OCSP Responder Cert" $OPENSSL req -config ca.cnf -nodes \
40 -keyout respkey.pem -out respreq.pem -newkey rsa:1024
41 # Sign using intermediate CA and responder extensions
42 $OPENSSL x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
43 -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem
45 # Example creating a PKCS#3 DH certificate.
49 [ -f dhp.pem ] || $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem
51 # Now a DH private key
52 $OPENSSL genpkey -paramfile dhp.pem -out dhskey.pem
53 # Create DH public key file
54 $OPENSSL pkey -in dhskey.pem -pubout -out dhspub.pem
55 # Certificate request, key just reuses old one as it is ignored when the
57 CN="Test Server DH Cert" $OPENSSL req -config ca.cnf -new \
58 -key skey.pem -out dhsreq.pem
59 # Sign request: end entity DH extensions
60 $OPENSSL x509 -req -in dhsreq.pem -CA root.pem -days 3600 \
61 -force_pubkey dhspub.pem \
62 -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem
64 # DH client certificate
66 $OPENSSL genpkey -paramfile dhp.pem -out dhckey.pem
67 $OPENSSL pkey -in dhckey.pem -pubout -out dhcpub.pem
68 CN="Test Client DH Cert" $OPENSSL req -config ca.cnf -new \
69 -key skey.pem -out dhcreq.pem
70 $OPENSSL x509 -req -in dhcreq.pem -CA root.pem -days 3600 \
71 -force_pubkey dhcpub.pem \
72 -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem
74 # Examples of CRL generation without the need to use 'ca' to issue
76 # Create zero length index file
78 # Create initial crl number file
80 # Add entries for server and client certs
81 $OPENSSL ca -valid server.pem -keyfile root.pem -cert root.pem \
82 -config ca.cnf -md sha1
83 $OPENSSL ca -valid client.pem -keyfile root.pem -cert root.pem \
84 -config ca.cnf -md sha1
85 $OPENSSL ca -valid rev.pem -keyfile root.pem -cert root.pem \
86 -config ca.cnf -md sha1
88 $OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
89 -md sha1 -crldays 1 -out crl1.pem
90 # Revoke a certificate
91 openssl ca -revoke rev.pem -crl_reason superseded \
92 -keyfile root.pem -cert root.pem -config ca.cnf -md sha1
93 # Generate another CRL
94 $OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
95 -md sha1 -crldays 1 -out crl2.pem