1#!/bin/bash 2 3# Copyright (c) 2012 The Chromium Authors. All rights reserved. 4# Use of this source code is governed by a BSD-style license that can be 5# found in the LICENSE file. 6 7# This script generates certificates that can be used to test SSL client 8# authentication. Outputs for automated tests are stored in 9# net/data/ssl/certificates, but may be re-generated for manual testing. 10# 11# This script generates two chains of test client certificates: 12# 13# 1. A (end-entity) -> B -> C (self-signed root) 14# 2. D (end-entity) -> E -> C (self-signed root) 15# 16# In which A, B, C, D, and E all have distinct keypairs. Both client 17# certificates share the same root, but are issued by different 18# intermediates. The names of these intermediates are hardcoded within 19# unit tests, and thus should not be changed. 20 21try () { 22 echo "$@" 23 "$@" || exit 1 24} 25 26try rm -rf out 27try mkdir out 28 29echo Create the serial number files and indices. 30serial=1000 31for i in B C E 32do 33 try /bin/sh -c "echo $serial > out/$i-serial" 34 serial=$(expr $serial + 1) 35 touch out/$i-index.txt 36 touch out/$i-index.txt.attr 37done 38 39echo Generate the keys. 40for i in A B C D E 41do 42 try openssl genrsa -out out/$i.key 2048 43done 44 45echo Generate the C CSR 46COMMON_NAME="C Root CA" \ 47 CA_DIR=out \ 48 ID=C \ 49 try openssl req \ 50 -new \ 51 -key out/C.key \ 52 -out out/C.csr \ 53 -config client-certs.cnf 54 55echo C signs itself. 56COMMON_NAME="C Root CA" \ 57 CA_DIR=out \ 58 ID=C \ 59 try openssl x509 \ 60 -req -days 3650 \ 61 -in out/C.csr \ 62 -extensions ca_cert \ 63 -extfile client-certs.cnf \ 64 -signkey out/C.key \ 65 -out out/C.pem 66 67echo Generate the intermediates 68COMMON_NAME="B CA" \ 69 CA_DIR=out \ 70 ID=B \ 71 try openssl req \ 72 -new \ 73 -key out/B.key \ 74 -out out/B.csr \ 75 -config client-certs.cnf 76 77COMMON_NAME="C CA" \ 78 CA_DIR=out \ 79 ID=C \ 80 try openssl ca \ 81 -batch \ 82 -extensions ca_cert \ 83 -in out/B.csr \ 84 -out out/B.pem \ 85 -config client-certs.cnf 86 87COMMON_NAME="E CA" \ 88 CA_DIR=out \ 89 ID=E \ 90 try openssl req \ 91 -new \ 92 -key out/E.key \ 93 -out out/E.csr \ 94 -config client-certs.cnf 95 96COMMON_NAME="C CA" \ 97 CA_DIR=out \ 98 ID=C \ 99 try openssl ca \ 100 -batch \ 101 -extensions ca_cert \ 102 -in out/E.csr \ 103 -out out/E.pem \ 104 -config client-certs.cnf 105 106echo Generate the leaf certs 107for id in A D 108do 109 COMMON_NAME="Client Cert $id" \ 110 ID=$id \ 111 try openssl req \ 112 -new \ 113 -key out/$id.key \ 114 -out out/$id.csr \ 115 -config client-certs.cnf 116done 117 118echo B signs A 119COMMON_NAME="B CA" \ 120 CA_DIR=out \ 121 ID=B \ 122 try openssl ca \ 123 -batch \ 124 -extensions user_cert \ 125 -in out/A.csr \ 126 -out out/A.pem \ 127 -config client-certs.cnf 128 129echo E signs D 130COMMON_NAME="E CA" \ 131 CA_DIR=out \ 132 ID=E \ 133 try openssl ca \ 134 -batch \ 135 -extensions user_cert \ 136 -in out/D.csr \ 137 -out out/D.pem \ 138 -config client-certs.cnf 139 140echo Package the client certs and private keys into PKCS12 files 141# This is done for easily importing all of the certs needed for clients. 142try /bin/sh -c "cat out/A.pem out/A.key out/B.pem out/C.pem > out/A-chain.pem" 143try /bin/sh -c "cat out/D.pem out/D.key out/E.pem out/C.pem > out/D-chain.pem" 144 145try openssl pkcs12 \ 146 -in out/A-chain.pem \ 147 -out client_1.p12 \ 148 -export \ 149 -passout pass:chrome 150 151try openssl pkcs12 \ 152 -in out/D-chain.pem \ 153 -out client_2.p12 \ 154 -export \ 155 -passout pass:chrome 156 157echo Package the client certs for unit tests 158try cp out/A.pem ../certificates/client_1.pem 159try cp out/A.key ../certificates/client_1.key 160try cp out/B.pem ../certificates/client_1_ca.pem 161 162try cp out/D.pem ../certificates/client_2.pem 163try cp out/D.key ../certificates/client_2.key 164try cp out/E.pem ../certificates/client_2_ca.pem 165