gd-tools/cpr-1.10.5/test/data/generate-certificates.sh
2024-02-07 16:32:30 -04:00

77 lines
2.3 KiB
Bash
Executable file

#!/bin/sh
# Generate a CA with a self-signed root certificate that then signs the server certificate
# Based on the OpenSSL Cookbook by Ivan Ristic:
# https://www.feistyduck.com/library/openssl-cookbook/online/
#
# Especially, see chapter 1.5. Creating a private Certification Authority:
# https://www.feistyduck.com/library/openssl-cookbook/online/openssl-command-line/private-ca.html
export KEY_PATH=keys
export CRT_PATH=certificates
export CA_PATH=ca
# Create environment.
# $CA_PATH is deleted in the end.
# If new certificates need to be issued, this needs to be done before the cleanup in the end.
mkdir -p $KEY_PATH $CRT_PATH $CA_PATH/db $CA_PATH/private $CA_PATH/certificates
touch $CA_PATH/db/index
openssl rand -hex 16 > $CA_PATH/db/serial
# Generate all private keys
openssl genpkey -algorithm ed25519 -out $KEY_PATH/root-ca.key
openssl genpkey -algorithm ed25519 -out $KEY_PATH/server.key
openssl genpkey -algorithm ed25519 -out $KEY_PATH/client.key
# For the server, we also need the public key
openssl pkey -in $KEY_PATH/server.key -pubout -out $KEY_PATH/server.pub
# Generate a Certificate Signing Request for the Root CA based on a config file
openssl req -new \
-config root-ca.cnf -out root-ca.csr \
-key $KEY_PATH/root-ca.key
# Self-sign the root certificate
openssl ca -batch \
-selfsign -config root-ca.cnf \
-extensions ca_ext \
-in root-ca.csr -out $CRT_PATH/root-ca.crt -notext
# Create a Certificate Signing request for the server certificate
openssl req -new \
-config server.cnf -out server.csr \
-key $KEY_PATH/server.key
openssl req -text -in server.csr -noout
# Issue the server certificate
openssl ca -batch \
-config root-ca.cnf \
-extensions server_ext \
-extfile server.cnf -extensions ext \
-in server.csr -out $CRT_PATH/server.crt -notext \
-days 1825
# Create a Certificate Signing request for the client certificate
openssl req -new \
-config client.cnf -out client.csr \
-key $KEY_PATH/client.key
# Issue the client certificate
openssl ca -batch \
-config root-ca.cnf \
-extensions client_ext \
-in client.csr -out $CRT_PATH/client.crt -notext \
-days 1825
# Clean up
# IMPORTANT: If new certificates should be issued, $CA_PATH and its files MUST NOT be deleted!
# New certificates can be created in this script before cleaning up.
rm -rf *.csr $CA_PATH