-#!/bin/bash
+#!/bin/sh
# this script generates a set of sample keys
DOMAIN="cacert.local"
KEYSIZE=4096
PRIVATEPW="changeit"
-[ -f config ] && . config
+[ -f config ] && . ./config
rm -Rf *.csr *.crt *.key *.pkcs12 *.ca *.crl
#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
TESTCA
+cat <<TESTCA > test_reqClient.cnf
+basicConstraints = critical,CA:false
+keyUsage = keyEncipherment, digitalSignature
+extendedKeyUsage=clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+#crlDistributionPoints=URI:http://www.my.host/ca.crl
+#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
+TESTCA
+
cat <<TESTCA > test_reqMail.cnf
basicConstraints = critical,CA:false
keyUsage = keyEncipherment, digitalSignature
TESTCA
-function genca(){ #subj, internalName
+genca(){ #subj, internalName
openssl genrsa -out $2.key ${KEYSIZE}
openssl req -new -key $2.key -out $2.csr -subj "$1/O=Test Environment CA Ltd./OU=Test Environment CAs"
}
-function caSign(){ # key,ca,config
- pushd $2.ca
+caSign(){ # key,ca,config
+ cd $2.ca
openssl ca -cert ../$2.crt -keyfile ../$2.key -in ../$1.csr -out ../$1.crt -days 365 -batch -config ../selfsign.config -extfile ../$3
- popd
+ cd ..
}
-function rootSign(){ # key
+rootSign(){ # key
caSign $1 root test_subca.cnf
}
-function genserver(){ #key, subject, config
+genserver(){ #key, subject, config
openssl genrsa -out $1.key ${KEYSIZE}
openssl req -new -key $1.key -out $1.csr -subj "$2" -config selfsign.config
caSign $1 env "$3"
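Review bot: The replacement of pushd/popd with `cd $2.ca` … `cd ..` in caSign is unchecked, so if the `$2.ca` directory is missing or `$2` contains whitespace, the `openssl ca` step runs in the current directory with its `../` paths pointing one level up and the following `cd ..` then leaves the rest of the script (including the later `rm` calls) executing in the parent directory. Under `#!/bin/sh` there is no pushd, but the guard is a one-liner: change line 34 to `cd "$2.ca" || exit 1`, or wrap the two commands in a subshell `( cd "$2.ca" && openssl ca … )` so the caller's working directory can never change. The other positionals in these functions (`$1.key`, `$2.key`, `$1.csr`) are likewise unquoted, which ShellCheck would flag. Where `$2.ca` is created is not visible in this hunk.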
genserver static "/CN=static.${DOMAIN}" test_req.cnf
genserver api "/CN=api.${DOMAIN}" test_req.cnf
+genserver signer_client "/CN=CAcert signer handler 1" test_reqClient.cnf
+genserver signer_server "/CN=CAcert signer 1" test_req.cnf
+
# then the email signing key
genserver mail "/emailAddress=support@${DOMAIN}" test_reqMail.cnf
keytool -list -keystore ../config/keystore.pkcs12 -storetype pkcs12 -storepass "$PRIVATEPW"
-rm test_ca.cnf test_subca.cnf test_req.cnf test_reqMail.cnf
+rm test_ca.cnf test_subca.cnf test_req.cnf test_reqMail.cnf test_reqClient.cnf
rm env.chain.crt
+
+cat root.crt env.crt > ca.crt
+tar cf signer_bundle.tar root.crt env.crt signer_client.crt signer_client.key signer_server.crt signer_server.key ca.crt
+rm ca.crt
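Review bot: The new `signer_bundle.tar` packs the private keys `signer_client.key` and `signer_server.key` together with the certificates, and `tar cf` creates the archive with the process umask, which is typically 022 — so the keys end up world-readable on disk even though the `openssl genrsa` outputs themselves may have been created restrictively. Add `umask 077` before the tar call (or `chmod 600 signer_bundle.tar` right after it) and comment that the archive contains private key material, e.g. `# bundle for the signer host; contains private keys — keep mode 0600`. The `cat root.crt env.crt > ca.crt` / `rm ca.crt` pair is fine, but note that `rm env.chain.crt` on line 58 runs before the bundle is built, so the chain file is not part of the archive; if that is intentional a short comment would help. Whether this hunk's tail is the end of the file cannot be confirmed from here.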