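#!/bin/sh
#
# Generate the Hotspot 2.0 test PKI used by the OSU / OCSP test servers:
#
#   rootCA/            self-signed root CA (RSA 4096, 10957 days)
#   demoCA/            intermediate CA signed by the root (RSA 2048, 3652 days)
#   ocsp.*             OCSP responder certificate (v3_OCSP)
#   server-revoked.*   server certificate that is revoked right after issuance
#   server-client.*    "server" certificate carrying the client extensions
#   user.*             client certificate
#   server.*           OSU server certificate (critical SAN with friendly names)
#   demoCA/crl/crl.pem CRL containing the revoked server certificate
#   ca.pem             root + intermediate bundle
#
# Root and intermediate keys are reused if they already exist; all leaf
# certificates are re-issued on every run.
#
# This is TEST material only: the CA passphrase is a fixed constant, leaf keys
# are written unencrypted (-nodes) and the intermediate key is additionally
# dumped in plaintext for the OCSP responder.
#
# Environment:
#   OPENSSL  openssl binary to use (default: "openssl" from PATH)
#
# Requires openssl-root.cnf and openssl.cnf in the current directory. Both are
# templates with #@CN@ / #@OU@ / #@ALTNAME@ placeholders that are filled in
# per certificate into openssl.cnf.tmp.

if [ -z "$OPENSSL" ]; then
	OPENSSL=openssl
fi
export OPENSSL_CONF="$PWD/openssl.cnf"

# Fixed passphrase of the (encrypted) CA keys. It is passed to openssl via the
# environment (-passin env:PASS) instead of on the command line so that it is
# not visible in 'ps' output for every signing step. The 'req' calls below do
# not pass -passout, so the passphrase used when the CA keys are created
# presumably comes from the req section of openssl*.cnf and must match this
# value -- verify before changing either.
PASS=whatever
export PASS

# fail MESSAGE...
# Print MESSAGE to stderr and abort the setup with exit status 1.
fail()
{
	echo "$*" >&2
	exit 1
}

# render_cnf TEMPLATE CN
# Write TEMPLATE to openssl.cnf.tmp with the #@CN@ placeholder replaced by
# "commonName_default = CN". CN is used verbatim as a sed replacement, so it
# must not contain '/', '&' or '\'.
render_cnf()
{
	sed "s/#@CN@/commonName_default = $2/" "$1" > openssl.cnf.tmp ||
		fail "Failed to render $1"
}

echo
echo "---[ Root CA ]----------------------------------------------------------"
echo

render_cnf openssl-root.cnf "Hotspot 2.0 Trust Root CA - 99"
mkdir -p rootCA/certs rootCA/crl rootCA/newcerts rootCA/private
# mkdir -p leaves an existing directory's mode alone; keep the key directory
# private regardless of umask.
chmod 700 rootCA/private
touch rootCA/index.txt
if [ -e rootCA/private/cakey.pem ]; then
	echo " * Use existing Root CA"
else
	echo " * Generate Root CA private key"
	"$OPENSSL" req -config openssl.cnf.tmp -batch -new -newkey rsa:4096 \
		-keyout rootCA/private/cakey.pem -out rootCA/careq.pem ||
		fail "Failed to generate Root CA private key"
	echo " * Sign Root CA certificate"
	"$OPENSSL" ca -config openssl.cnf.tmp -md sha256 -create_serial \
		-out rootCA/cacert.pem -days 10957 -batch \
		-keyfile rootCA/private/cakey.pem -passin env:PASS -selfsign \
		-extensions v3_ca -outdir rootCA/newcerts \
		-infiles rootCA/careq.pem ||
		fail "Failed to sign Root CA certificate"
fi
if [ ! -e rootCA/crlnumber ]; then
	echo 00 > rootCA/crlnumber
fi

echo
echo "---[ Intermediate CA ]--------------------------------------------------"
echo

render_cnf openssl.cnf "w1.fi Hotspot 2.0 Intermediate CA"
mkdir -p demoCA/certs demoCA/crl demoCA/newcerts demoCA/private
chmod 700 demoCA/private
touch demoCA/index.txt
if [ -e demoCA/private/cakey.pem ]; then
	echo " * Use existing Intermediate CA"
else
	echo " * Generate Intermediate CA private key"
	"$OPENSSL" req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 \
		-keyout demoCA/private/cakey.pem -out demoCA/careq.pem ||
		fail "Failed to generate Intermediate CA private key"
	echo " * Sign Intermediate CA certificate"
	# Signed with the root key and certificate; the config (and therefore
	# the CA database/serial) is still the one rendered from openssl.cnf.
	"$OPENSSL" ca -config openssl.cnf.tmp -md sha256 -create_serial \
		-out demoCA/cacert.pem -days 3652 -batch \
		-keyfile rootCA/private/cakey.pem -cert rootCA/cacert.pem \
		-passin env:PASS -extensions v3_ca -infiles demoCA/careq.pem ||
		fail "Failed to sign Intermediate CA certificate"
	# Horrible from a security viewpoint, but needed for testing: the OCSP
	# responder does not seem to support -passin, so keep an unencrypted
	# copy of the intermediate key next to the encrypted one.
	"$OPENSSL" rsa -in demoCA/private/cakey.pem \
		-out demoCA/private/cakey-plain.pem -passin env:PASS ||
		fail "Failed to write plaintext Intermediate CA key"
fi
if [ ! -e demoCA/crlnumber ]; then
	echo 00 > demoCA/crlnumber
fi

echo
echo "OCSP responder"
echo

render_cnf openssl.cnf "ocsp.w1.fi"
# Whether 'req -extensions' applies to a CSR (as opposed to -reqexts) depends
# on the OpenSSL version; the extensions that end up in ocsp.pem are the ones
# selected by 'ca -extensions v3_OCSP' below.
"$OPENSSL" req -config "$PWD/openssl.cnf.tmp" -batch -new -newkey rsa:2048 \
	-nodes -out ocsp.csr -keyout ocsp.key -extensions v3_OCSP ||
	fail "Failed to generate OCSP responder request"
"$OPENSSL" ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 \
	-keyfile demoCA/private/cakey.pem -passin env:PASS -in ocsp.csr \
	-out ocsp.pem -days 730 -extensions v3_OCSP ||
	fail "Failed to sign OCSP responder certificate"

echo
echo "---[ Server - to be revoked ] ------------------------------------------"
echo

render_cnf openssl.cnf "osu-revoked.w1.fi"
"$OPENSSL" req -config "$PWD/openssl.cnf.tmp" -batch -new -newkey rsa:2048 \
	-nodes -out server-revoked.csr -keyout server-revoked.key ||
	fail "Failed to generate revoked-server request"
"$OPENSSL" ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 \
	-in server-revoked.csr -out server-revoked.pem -passin env:PASS \
	-days 730 -extensions ext_server ||
	fail "Failed to sign revoked-server certificate"
# Revoke it immediately so the CRL and the OCSP responder have a revoked
# entry to serve; the revocation is recorded in the CA database.
"$OPENSSL" ca -config "$PWD/openssl.cnf" -revoke server-revoked.pem \
	-passin env:PASS ||
	fail "Failed to revoke server-revoked.pem"

echo
echo "---[ Server - with client ext key use ] ---------------------------------"
echo

render_cnf openssl.cnf "osu-client.w1.fi"
"$OPENSSL" req -config "$PWD/openssl.cnf.tmp" -batch -new -newkey rsa:2048 \
	-nodes -out server-client.csr -keyout server-client.key ||
	fail "Failed to generate server-client request"
"$OPENSSL" ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 \
	-in server-client.csr -out server-client.pem -passin env:PASS \
	-days 730 -extensions ext_client ||
	fail "Failed to sign server-client certificate"

echo
echo "---[ User ]-------------------------------------------------------------"
echo

render_cnf openssl.cnf "User"
"$OPENSSL" req -config "$PWD/openssl.cnf.tmp" -batch -new -newkey rsa:2048 \
	-nodes -out user.csr -keyout user.key ||
	fail "Failed to generate user request"
"$OPENSSL" ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 \
	-in user.csr -out user.pem -passin env:PASS \
	-days 730 -extensions ext_client ||
	fail "Failed to sign user certificate"

echo
echo "---[ Server ]-----------------------------------------------------------"
echo

# OSU server SAN: the DNS name plus two language-tagged friendly names
# (otherName 1.3.6.1.4.1.40808.1.1.1 / UTF8String), marked critical.
ALT="DNS:osu.w1.fi"
ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engw1.fi TESTING USE"
ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:finw1.fi TESTIKÄYTTÖ"

# All four substitutions touch disjoint placeholders, so a single sed pass is
# equivalent to chaining them. ALT contains ';' and ':' but no '/', so it is
# safe inside the '/'-delimited replacement.
sed -e "s/#@CN@/commonName_default = osu.w1.fi/" \
	-e "s/^##organizationalUnitName/organizationalUnitName/" \
	-e "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Sign Up Server/" \
	-e "s/#@ALTNAME@/subjectAltName=critical,$ALT/" \
	openssl.cnf > openssl.cnf.tmp ||
	fail "Failed to render openssl.cnf"
echo "$OPENSSL" req -config "$PWD/openssl.cnf.tmp" -batch -sha256 -new -newkey rsa:2048 -nodes -out server.csr -keyout server.key -reqexts v3_osu_server
"$OPENSSL" req -config "$PWD/openssl.cnf.tmp" -batch -sha256 -new \
	-newkey rsa:2048 -nodes -out server.csr -keyout server.key \
	-reqexts v3_osu_server ||
	fail "Failed to generate server request"
"$OPENSSL" ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 -in server.csr \
	-out server.pem -passin env:PASS -days 730 -extensions ext_server \
	-policy policy_osu_server ||
	fail "Failed to sign server certificate"

# Dump the logotype extension for debugging. Best-effort only: it assumes the
# logotype payload is the last "HEX DUMP" line in the asn1parse output of the
# certificate and needs xxd; failures here do not abort the setup.
"$OPENSSL" x509 -in server.pem -out server.der -outform DER
"$OPENSSL" asn1parse -in server.der -inform DER | grep HEX | tail -1 |
	sed 's/.*://' | xxd -r -p > logo.der
"$OPENSSL" asn1parse -in logo.der -inform DER > logo.asn1

echo
echo "---[ CRL ]---------------------------------------------------------------"
echo

"$OPENSSL" ca -config "$PWD/openssl.cnf" -gencrl -md sha256 \
	-out demoCA/crl/crl.pem -passin env:PASS ||
	fail "Failed to generate CRL"

echo
echo "---[ Verify ]------------------------------------------------------------"
echo

"$OPENSSL" verify -CAfile rootCA/cacert.pem demoCA/cacert.pem ||
	fail "Intermediate CA certificate does not verify against the Root CA"
# Chain check only -- no CRL is given, so server-revoked.pem is still expected
# to verify here. On re-runs the glob also picks up ca.pem from the previous
# run.
"$OPENSSL" verify -CAfile rootCA/cacert.pem -untrusted demoCA/cacert.pem \
	*.pem ||
	fail "Certificate verification failed"

cat rootCA/cacert.pem demoCA/cacert.pem > ca.pem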