fix: simple signer correctly parse profile-EKUs
index e316cb6087f98a792a7d84417e96fa3c590da03c..e9f75a7340b7fa1b00147e837b6ab4d6eadd9503 100755 (executable)
@@ -1,10 +1,10 @@
-#!/bin/bash
+#!/bin/sh
 # this script generates a set of sample keys
 DOMAIN="cacert.local"
 KEYSIZE=4096
 PRIVATEPW="changeit"
 
-[ -f config ] && . config
+[ -f config ] && . ./config
 
 
 rm -Rf *.csr *.crt *.key *.pkcs12 *.ca *.crl
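Review bot: The new `. ./config` still only works when the script is invoked from the keys/ directory, and the very next line `rm -Rf *.csr *.crt *.key *.pkcs12 *.ca *.crl` deletes matching files from whatever the current directory happens to be. Since every later path in the script is also relative (`../config/keystore.pkcs12`, `selfsign.config`), anchoring the working directory once is safer than relying on the caller: `cd "$(dirname "$0")" || exit 1` placed right after the shebang and before the config sourcing. That also keeps the destructive glob cleanup confined to the sample-key directory regardless of where the script is run from; the POSIX `$(dirname "$0")` form works under the new `#!/bin/sh`.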
@@ -35,6 +35,16 @@ authorityKeyIdentifier = keyid:always,issuer:always
 #authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
 TESTCA
 
+cat <<TESTCA > test_reqClient.cnf
+basicConstraints = critical,CA:false
+keyUsage = keyEncipherment, digitalSignature
+extendedKeyUsage=clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+#crlDistributionPoints=URI:http://www.my.host/ca.crl
+#authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
+TESTCA
+
 cat <<TESTCA > test_reqMail.cnf
 basicConstraints = critical,CA:false
 keyUsage = keyEncipherment, digitalSignature
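Review bot: The new test_reqClient.cnf keeps `keyUsage = keyEncipherment, digitalSignature` although the certificate is restricted to `extendedKeyUsage=clientAuth`; a client-authentication certificate only needs `digitalSignature`, and keyEncipherment is for RSA key transport on the server side. Unless the signer handler also uses this key for something that needs encipherment (not visible here), `keyUsage = digitalSignature` states the intended use more precisely and is what a strict EKU/KU check on the signer side would expect. The two commented `crlDistributionPoints`/`authorityInfoAccess` lines appear to be carried over from the other templates; a short comment such as `# client-auth profile for the signer handler (EKU parsing test)` at the top of the heredoc would explain why this template exists next to test_req.cnf.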
@@ -46,7 +56,7 @@ authorityKeyIdentifier = keyid:always,issuer:always
 TESTCA
 
 
-function genca(){ #subj, internalName
+genca(){ #subj, internalName
 
     openssl genrsa -out $2.key ${KEYSIZE}
     openssl req -new -key $2.key -out $2.csr -subj "$1/O=Test Environment CA Ltd./OU=Test Environment CAs"
@@ -59,17 +69,17 @@ function genca(){ #subj, internalName
 
 }
 
-function caSign(){ # key,ca,config
-    pushd $2.ca
+caSign(){ # key,ca,config
+    cd $2.ca
     openssl ca -cert ../$2.crt -keyfile ../$2.key -in ../$1.csr -out ../$1.crt -days 365 -batch -config ../selfsign.config -extfile ../$3
-    popd
+    cd ..
 }
 
-function rootSign(){ # key
+rootSign(){ # key
     caSign $1 root test_subca.cnf
 }
 
-function genserver(){ #key, subject, config
+genserver(){ #key, subject, config
     openssl genrsa -out $1.key ${KEYSIZE}
     openssl req -new -key $1.key -out $1.csr -subj "$2" -config selfsign.config
     caSign $1 env "$3"
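Review bot: Replacing `pushd`/`popd` with `cd $2.ca` / `cd ..` in caSign introduces a regression on the failure path: if `cd $2.ca` fails (missing or mistyped CA directory), `openssl ca` runs in the wrong directory and the unconditional `cd ..` then moves the script one level above keys/, where every following `genserver` call and the final `rm` of the .cnf files operate. With `popd` a failed `pushd` left the directory stack empty so the cwd did not change. Running the body in a subshell keeps the caller's directory untouched either way: `( cd "$2.ca" && openssl ca -cert ../$2.crt -keyfile ../$2.key -in ../$1.csr -out ../$1.crt -days 365 -batch -config ../selfsign.config -extfile ../$3 )` as the single statement of caSign, which also propagates the openssl exit status to the caller. genserver's body continues past the end of this hunk.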
@@ -110,10 +120,17 @@ genserver secure "/CN=secure.${DOMAIN}" test_req.cnf
 genserver static "/CN=static.${DOMAIN}" test_req.cnf
 genserver api "/CN=api.${DOMAIN}" test_req.cnf
 
+genserver signer_client "/CN=CAcert signer handler 1" test_reqClient.cnf
+genserver signer_server "/CN=CAcert signer 1" test_req.cnf
+
 # then the email signing key
 genserver mail "/emailAddress=support@${DOMAIN}" test_reqMail.cnf
 
 keytool -list -keystore ../config/keystore.pkcs12 -storetype pkcs12 -storepass "$PRIVATEPW"
 
-rm test_ca.cnf test_subca.cnf test_req.cnf test_reqMail.cnf
+rm test_ca.cnf test_subca.cnf test_req.cnf test_reqMail.cnf test_reqClient.cnf
 rm env.chain.crt
+
+cat root.crt env.crt > ca.crt
+tar cf signer_bundle.tar root.crt env.crt signer_client.crt signer_client.key signer_server.crt signer_server.key ca.crt
+rm ca.crt
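Review bot: signer_bundle.tar packs two private keys (`signer_client.key`, `signer_server.key`) but is created with the default umask, so depending on the environment the archive can end up world-readable even if the .key files themselves are not. A `chmod 600 signer_bundle.tar` after the `tar cf` line, or an `umask 077` before it, keeps the bundle as restricted as the keys it contains; these are sample keys, but the bundle is what gets copied to the signer host. Note also that the cleanup `rm -Rf *.csr *.crt *.key *.pkcs12 *.ca *.crl` at the top of the script does not cover `*.tar`, so a bundle from a previous run survives until this line overwrites it; adding `signer_bundle.tar` to that cleanup makes a partial run easier to spot.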