#!/bin/sh
#
# Build the Hotspot 2.0 test PKI in the current directory: a Root CA
# (rootCA/), an Intermediate CA (demoCA/), an OCSP responder certificate,
# server and user certificates, a CRL and the CA bundle ca.pem. The
# templates openssl-root.cnf and openssl.cnf are read from the current
# directory.
#
# Environment:
#   OPENSSL - openssl binary to run (default: openssl). It is expanded
#             unquoted throughout, so it may carry options as well.
#
# PASS is the fixed, test-only password for the CA private keys.

# Use the openssl from PATH unless the caller supplied one.
OPENSSL=${OPENSSL:-openssl}
# Commands below that run without -config read this file through OPENSSL_CONF.
export OPENSSL_CONF="$PWD/openssl.cnf"
# Password for the encrypted CA keys; handed to openssl on its command lines.
PASS=whatever

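# Abort the script with a diagnostic.
# Arguments: $* - message, joined with spaces and printed as one line
# Outputs:   the message on stderr (not stdout, so it does not mix with
#            the progress output of the script)
# Returns:   does not return; exits with status 1
fail()
{
    printf '%s\n' "$*" >&2
    exit 1
}
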
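echo
echo "---[ Root CA ]----------------------------------------------------------"
echo

# Every section renders its config into openssl.cnf.tmp by filling the #@CN@
# placeholder of a template, so that 'req -batch' gets the commonName without
# prompting. The Root CA uses openssl-root.cnf; all later steps use openssl.cnf.
# The CA key password is passed as 'pass:' on the command line, where other
# local processes can read it; acceptable for this test-only PKI, whereas a
# real deployment would use the env: or file: source of -passin.
sed "s/#@CN@/commonName_default = Hotspot 2.0 Trust Root CA - 99/" openssl-root.cnf > openssl.cnf.tmp || fail "Failed to render Root CA config"
mkdir -p rootCA/certs rootCA/crl rootCA/newcerts rootCA/private || fail "Failed to create rootCA directories"
touch rootCA/index.txt || fail "Failed to create rootCA/index.txt"
# An existing key means an earlier run already set up the Root CA; keep it.
if [ -e rootCA/private/cakey.pem ]; then
    echo " * Use existing Root CA"
else
    echo " * Generate Root CA private key"
    $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:4096 -keyout rootCA/private/cakey.pem -out rootCA/careq.pem || fail "Failed to generate Root CA private key"
    echo " * Sign Root CA certificate"
    # Self-signed, v3_ca extensions, 10957 days (about 30 years).
    $OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out rootCA/cacert.pem -days 10957 -batch -keyfile rootCA/private/cakey.pem -passin "pass:$PASS" -selfsign -extensions v3_ca -outdir rootCA/newcerts -infiles rootCA/careq.pem || fail "Failed to sign Root CA certificate"
fi
# Seed the CRL number counter used by 'ca -gencrl'.
if [ ! -e rootCA/crlnumber ]; then
    echo 00 > rootCA/crlnumber
fi

echo
echo "---[ Intermediate CA ]--------------------------------------------------"
echo

sed "s/#@CN@/commonName_default = w1.fi Hotspot 2.0 Intermediate CA/" openssl.cnf > openssl.cnf.tmp || fail "Failed to render Intermediate CA config"
mkdir -p demoCA/certs demoCA/crl demoCA/newcerts demoCA/private || fail "Failed to create demoCA directories"
touch demoCA/index.txt || fail "Failed to create demoCA/index.txt"
if [ -e demoCA/private/cakey.pem ]; then
    echo " * Use existing Intermediate CA"
else
    echo " * Generate Intermediate CA private key"
    $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -keyout demoCA/private/cakey.pem -out demoCA/careq.pem || fail "Failed to generate Intermediate CA private key"
    echo " * Sign Intermediate CA certificate"
    # Signed by the Root CA key/cert, v3_ca extensions, 3652 days (about 10 years).
    $OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out demoCA/cacert.pem -days 3652 -batch -keyfile rootCA/private/cakey.pem -cert rootCA/cacert.pem -passin "pass:$PASS" -extensions v3_ca -infiles demoCA/careq.pem || fail "Failed to sign Intermediate CA certificate"
    # Plaintext copy of the Intermediate CA key. Bad from a security point of
    # view, but kept for this test setup because the OCSP responder does not
    # seem to support -passin.
    $OPENSSL rsa -in demoCA/private/cakey.pem -out demoCA/private/cakey-plain.pem -passin "pass:$PASS" || fail "Failed to write unencrypted Intermediate CA key"
fi
if [ ! -e demoCA/crlnumber ]; then
    echo 00 > demoCA/crlnumber
fi

echo
echo "OCSP responder"
echo

# From here on the end-entity keys are generated unencrypted (-nodes) and the
# certificates are issued by the Intermediate CA (demoCA) for 730 days.
sed "s/#@CN@/commonName_default = ocsp.w1.fi/" openssl.cnf > openssl.cnf.tmp || fail "Failed to render OCSP responder config"
$OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -new -newkey rsa:2048 -nodes -out ocsp.csr -keyout ocsp.key -extensions v3_OCSP || fail "Failed to generate OCSP responder request"
$OPENSSL ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 -keyfile demoCA/private/cakey.pem -passin "pass:$PASS" -in ocsp.csr -out ocsp.pem -days 730 -extensions v3_OCSP || fail "Failed to sign OCSP responder certificate"

echo
echo "---[ Server - to be revoked ] ------------------------------------------"
echo

sed "s/#@CN@/commonName_default = osu-revoked.w1.fi/" openssl.cnf > openssl.cnf.tmp || fail "Failed to render revoked server config"
$OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -new -newkey rsa:2048 -nodes -out server-revoked.csr -keyout server-revoked.key || fail "Failed to generate revoked server request"
# -passin replaces the legacy 'ca -key password' form; same password source as above.
$OPENSSL ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 -in server-revoked.csr -out server-revoked.pem -passin "pass:$PASS" -days 730 -extensions ext_server || fail "Failed to sign revoked server certificate"
# No -config here: the revocation uses the CA settings from OPENSSL_CONF.
$OPENSSL ca -revoke server-revoked.pem -passin "pass:$PASS" || fail "Failed to revoke server certificate"

echo
echo "---[ Server - with client ext key use ] ---------------------------------"
echo

sed "s/#@CN@/commonName_default = osu-client.w1.fi/" openssl.cnf > openssl.cnf.tmp || fail "Failed to render client-EKU server config"
$OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -new -newkey rsa:2048 -nodes -out server-client.csr -keyout server-client.key || fail "Failed to generate client-EKU server request"
$OPENSSL ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 -in server-client.csr -out server-client.pem -passin "pass:$PASS" -days 730 -extensions ext_client || fail "Failed to sign client-EKU server certificate"

echo
echo "---[ User ]-------------------------------------------------------------"
echo

sed "s/#@CN@/commonName_default = User/" openssl.cnf > openssl.cnf.tmp || fail "Failed to render user config"
$OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -new -newkey rsa:2048 -nodes -out user.csr -keyout user.key || fail "Failed to generate user request"
$OPENSSL ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 -in user.csr -out user.pem -passin "pass:$PASS" -days 730 -extensions ext_client || fail "Failed to sign user certificate"

echo
echo "---[ Server ]-----------------------------------------------------------"
echo

# subjectAltName for the OSU server: the DNS name plus two otherName entries
# (friendly names, English and Finnish). The value is spliced into a sed
# replacement, so it must not contain '/', '&' or '\'.
ALT="DNS:osu.w1.fi"
ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engw1.fi TESTING USE"
ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:finw1.fi TESTIKÄYTTÖ"

# The OSU server config also enables the OU field and sets the critical SAN.
sed -e "s/#@CN@/commonName_default = osu.w1.fi/" \
    -e "s/^##organizationalUnitName/organizationalUnitName/" \
    -e "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Sign Up Server/" \
    -e "s/#@ALTNAME@/subjectAltName=critical,$ALT/" \
    openssl.cnf > openssl.cnf.tmp || fail "Failed to render server config"
# Print the request command line, which helps when debugging the OSU request.
echo $OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -sha256 -new -newkey rsa:2048 -nodes -out server.csr -keyout server.key -reqexts v3_osu_server
$OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -sha256 -new -newkey rsa:2048 -nodes -out server.csr -keyout server.key -reqexts v3_osu_server || fail "Failed to generate server request"
$OPENSSL ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 -in server.csr -out server.pem -passin "pass:$PASS" -days 730 -extensions ext_server -policy policy_osu_server || fail "Failed to sign server certificate"

# Dump the logotype details for debugging. Best effort: these files are not
# needed by anything below, so failures here do not abort the script.
$OPENSSL x509 -in server.pem -out server.der -outform DER
$OPENSSL asn1parse -in server.der -inform DER | grep HEX | tail -1 | sed 's/.*://' | xxd -r -p > logo.der
$OPENSSL asn1parse -in logo.der -inform DER > logo.asn1


echo
echo "---[ CRL ]---------------------------------------------------------------"
echo

$OPENSSL ca -config "$PWD/openssl.cnf" -gencrl -md sha256 -out demoCA/crl/crl.pem -passin "pass:$PASS" || fail "Failed to generate CRL"

echo
echo "---[ Verify ]------------------------------------------------------------"
echo

# Chain check only (no CRL/OCSP), so server-revoked.pem is expected to pass.
$OPENSSL verify -CAfile rootCA/cacert.pem demoCA/cacert.pem || fail "Intermediate CA certificate does not verify against the Root CA"
$OPENSSL verify -CAfile rootCA/cacert.pem -untrusted demoCA/cacert.pem *.pem || fail "Certificate verification failed"

# CA bundle: Root CA followed by Intermediate CA.
cat rootCA/cacert.pem demoCA/cacert.pem > ca.pem || fail "Failed to write ca.pem"
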