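#!/bin/sh
#
# Generate the test PKI used for Hotspot 2.0 OSU (Online Sign-Up) testing:
# a Root CA (rootCA/), an Intermediate CA (demoCA/), an OCSP responder
# certificate, OSU server certificates (one of them revoked and one carrying
# a client EKU for negative testing), a user certificate and a CRL.
# Everything is written below the current directory, which must contain the
# openssl.cnf and openssl-root.cnf templates.
#
# This is TEST material: the passphrase defaults to a fixed string, the
# instantiated configuration files contain it in clear text, and several
# private keys are written unencrypted (-nodes).  Do not reuse any of it
# outside a test environment.
#
# Environment: OPENSSL (openssl binary, default "openssl") and DOMAIN
# (default "w1.fi").  Both can also be changed with command-line flags.

# OPENSSL is deliberately used unquoted later on, as in the original script,
# so that it may hold a command together with arguments (e.g. a wrapper).
OPENSSL=${OPENSSL:-openssl}
export OPENSSL_CONF="$PWD/openssl.cnf"

# Passphrase for the CA private keys.  It is exported so that openssl can be
# given "-passin env:PASS" instead of the passphrase itself on the command
# line, where it would be visible in "ps" output and in "set -x" traces.
PASS=whatever
export PASS

DOMAIN=${DOMAIN:-w1.fi}
COMPANY=w1.fi
OPER_ENG="engw1.fi TESTING USE"
OPER_FI="finw1.fi TESTIKÄYTTÖ"
CNR="Hotspot 2.0 Trust Root CA - 99"
DEBUG=0
LOGO_URI="http://osu.w1.fi/w1fi_logo.png"
LOGO_HASH256="4532f7ec36424381617c03c6ce87b55a51d6e7177ffafda243cebf280a68954d"
LOGO_HASH1="5e1d5085676eede6b02da14d31c523ec20ffba0b"

# Names derived from DOMAIN (and OCSP_URI, derived from CNO).  They are
# resolved by derive_defaults() only after option parsing so that "-m" (and
# "-O" for the OCSP URI) actually take effect on them; previously they were
# computed from the built-in default before the flags were read, so "-m"
# changed nothing but the @DOMAIN@ substitution.  Each one can still be set
# explicitly with its own flag.
CNO=
CNV=
CNOC=
OSU_SERVER_HOSTNAME=
OCSP_URI=

# Fill in every derived name that has not been set explicitly.  Idempotent.
derive_defaults()
{
	[ -n "$CNO" ] || CNO="ocsp.$DOMAIN"
	[ -n "$CNV" ] || CNV="osu-revoked.$DOMAIN"
	[ -n "$CNOC" ] || CNOC="osu-client.$DOMAIN"
	[ -n "$OSU_SERVER_HOSTNAME" ] || OSU_SERVER_HOSTNAME="osu.$DOMAIN"
	[ -n "$OCSP_URI" ] || OCSP_URI="http://$CNO:8888/"
}

# Print the usage text, showing the values that would currently be used.
usage()
{
	derive_defaults
	cat <<EOF
Usage:
# -c: Company name, used to generate Subject name CN for Intermediate CA ($COMPANY)
# -C: Subject name CN of the Root CA ($CNR)
# -D: Enable debugging (set -x, etc)
# -g: Logo sha1 hash ($LOGO_HASH1)
# -G: Logo sha256 hash ($LOGO_HASH256)
# -h: Show this help message
# -l: Logo URI ($LOGO_URI)
# -m: Domain ($DOMAIN)
# -o: Subject name CN for OSU-Client Server ($CNOC)
# -O: Subject name CN for OCSP Server ($CNO)
# -p: passphrase for private keys ($PASS)
# -r: Operator-english ($OPER_ENG)
# -R: Operator-finnish ($OPER_FI)
# -S: OSU Server name ($OSU_SERVER_HOSTNAME)
# -u: OCSP-URI ($OCSP_URI)
# -V: Subject name CN for OSU-Revoked Server ($CNV)
EOF
}

# Command line overrides.  The leading ':' in the option string makes getopts
# report a missing argument (':') and an unknown flag ('?') through OPTARG
# instead of printing its own message.
while getopts ":c:C:Dg:G:l:m:o:O:p:r:R:S:u:V:h" flag; do
	case "$flag" in
	c) COMPANY=$OPTARG ;;
	C) CNR=$OPTARG ;;
	D) DEBUG=1 ;;
	g) LOGO_HASH1=$OPTARG ;;
	G) LOGO_HASH256=$OPTARG ;;
	h) usage; exit 0 ;;
	l) LOGO_URI=$OPTARG ;;
	m) DOMAIN=$OPTARG ;;
	o) CNOC=$OPTARG ;;
	O) CNO=$OPTARG ;;
	p) PASS=$OPTARG ;;
	r) OPER_ENG=$OPTARG ;;
	R) OPER_FI=$OPTARG ;;
	S) OSU_SERVER_HOSTNAME=$OPTARG ;;
	u) OCSP_URI=$OPTARG ;;
	V) CNV=$OPTARG ;;
	:) echo "Option -$OPTARG requires an argument" >&2; usage >&2; exit 1 ;;
	*) echo "Unknown flag: -$OPTARG" >&2; usage >&2; exit 1 ;;
	esac
done
shift $((OPTIND - 1))
derive_defaults

# Print a message to stderr and abort the script with exit status 1.
fail()
{
	printf '%s\n' "$*" >&2
	exit 1
}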
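# The passphrase is handed to openssl through the environment
# ("-passin env:PASS") so that it never appears in argv, where "ps" and
# "set -x" would show it.  Exported here as well so that this section does
# not depend on where PASS was defined.
export PASS

# Escape $1 for use as the replacement text of a sed "s|...|...|" command:
# backslash, "&" and the "|" delimiter are the only special characters
# there.  Without this a passphrase, name or URI containing "/", "&" or "\"
# would silently corrupt the generated configuration.
sedesc()
{
	printf '%s' "$1" | sed 's/[\\&|]/\\&/g'
}

# Filter: replace the first @$1@ on each line of stdin with $2.
subst()
{
	sed "s|@$1@|$(sedesc "$2")|"
}

# Write openssl.cnf.tmp from template $1 with the default commonName set to
# $2 (the template's "#@CN@" placeholder line).
with_cn()
{
	sed "s|#@CN@|commonName_default = $(sedesc "$2")|" "$1" > openssl.cnf.tmp ||
		fail "Failed to create openssl.cnf.tmp from $1"
}

echo
echo "---[ Root CA ]----------------------------------------------------------"
echo

# Note: with -D the passphrase still shows up in the trace of the template
# substitution below (it is an argument to subst), even though the openssl
# command lines themselves no longer carry it.
if [ "$DEBUG" = 1 ]; then
	set -x
fi

# Instantiate the configuration templates.  The results (and every
# openssl.cnf.tmp derived from them) contain the passphrase in clear text
# and are created with the default umask.
subst PASSWORD "$PASS" < openssl-root.cnf > my-openssl-root.cnf ||
	fail "Failed to create my-openssl-root.cnf"

subst PASSWORD "$PASS" < openssl.cnf |
	subst OCSP_URI "$OCSP_URI" |
	subst LOGO_URI "$LOGO_URI" |
	subst LOGO_HASH1 "$LOGO_HASH1" |
	subst LOGO_HASH256 "$LOGO_HASH256" |
	subst DOMAIN "$DOMAIN" > my-openssl.cnf ||
	fail "Failed to create my-openssl.cnf"

with_cn my-openssl-root.cnf "$CNR"
mkdir -p rootCA/certs rootCA/crl rootCA/newcerts rootCA/private ||
	fail "Failed to create rootCA directories"
touch rootCA/index.txt || fail "Failed to create rootCA/index.txt"
if [ -e rootCA/private/cakey.pem ]; then
	echo " * Use existing Root CA"
else
	echo " * Generate Root CA private key"
	$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:4096 \
		-keyout rootCA/private/cakey.pem -out rootCA/careq.pem ||
		fail "Failed to generate Root CA private key"
	echo " * Sign Root CA certificate"
	# 10957 days: a 30-year self-signed root.
	$OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial \
		-out rootCA/cacert.pem -days 10957 -batch \
		-keyfile rootCA/private/cakey.pem -passin env:PASS -selfsign \
		-extensions v3_ca -outdir rootCA/newcerts -infiles rootCA/careq.pem ||
		fail "Failed to sign Root CA certificate"
	$OPENSSL x509 -in rootCA/cacert.pem -out rootCA/cacert.der -outform DER ||
		fail "Failed to create rootCA DER"
	sha256sum rootCA/cacert.der > rootCA/cacert.fingerprint ||
		fail "Failed to create rootCA fingerprint"
fi
if [ ! -e rootCA/crlnumber ]; then
	echo 00 > rootCA/crlnumber
fi

echo
echo "---[ Intermediate CA ]--------------------------------------------------"
echo

with_cn my-openssl.cnf "$COMPANY Hotspot 2.0 Intermediate CA"
mkdir -p demoCA/certs demoCA/crl demoCA/newcerts demoCA/private ||
	fail "Failed to create demoCA directories"
touch demoCA/index.txt || fail "Failed to create demoCA/index.txt"
if [ -e demoCA/private/cakey.pem ]; then
	echo " * Use existing Intermediate CA"
else
	echo " * Generate Intermediate CA private key"
	$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 \
		-keyout demoCA/private/cakey.pem -out demoCA/careq.pem ||
		fail "Failed to generate Intermediate CA private key"
	echo " * Sign Intermediate CA certificate"
	# 3652 days: a 10-year intermediate, signed by the Root CA key.
	$OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial \
		-out demoCA/cacert.pem -days 3652 -batch \
		-keyfile rootCA/private/cakey.pem -cert rootCA/cacert.pem \
		-passin env:PASS -extensions v3_ca -infiles demoCA/careq.pem ||
		fail "Failed to sign Intermediate CA certificate"
	# Unencrypted copy of the Intermediate CA private key.  This is horrible
	# from a security point of view and exists only because, per the original
	# author, the OCSP responder used for testing does not seem to support
	# -passin.  Never do this outside a throw-away test setup.
	$OPENSSL rsa -in demoCA/private/cakey.pem \
		-out demoCA/private/cakey-plain.pem -passin env:PASS ||
		fail "Failed to write unencrypted Intermediate CA key"
	$OPENSSL x509 -in demoCA/cacert.pem -out demoCA/cacert.der -outform DER ||
		fail "Failed to create demoCA DER."
	sha256sum demoCA/cacert.der > demoCA/cacert.fingerprint ||
		fail "Failed to create demoCA fingerprint"
fi
if [ ! -e demoCA/crlnumber ]; then
	echo 00 > demoCA/crlnumber
fi

echo
echo "OCSP responder"
echo

# OCSP signing certificate, issued by the Intermediate CA.  The key is
# written unencrypted (-nodes).
with_cn my-openssl.cnf "$CNO"
$OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -new -newkey rsa:2048 -nodes \
	-out ocsp.csr -keyout ocsp.key -extensions v3_OCSP ||
	fail "Could not generate ocsp.csr"
$OPENSSL ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 \
	-keyfile demoCA/private/cakey.pem -passin env:PASS \
	-in ocsp.csr -out ocsp.pem -days 730 -extensions v3_OCSP ||
	fail "Could not generate ocsp.pem"

echo
echo "---[ Server - to be revoked ]------------------------------------------"
echo

# Server certificate that is revoked immediately after issuance, so that the
# CRL generated below and the OCSP responder have something to report.
with_cn my-openssl.cnf "$CNV"
$OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -new -newkey rsa:2048 -nodes \
	-out server-revoked.csr -keyout server-revoked.key ||
	fail "Could not create server-revoked.key"
$OPENSSL ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 \
	-in server-revoked.csr -out server-revoked.pem -passin env:PASS \
	-days 730 -extensions ext_server ||
	fail "Could not create server-revoked.pem"
# Revoke with the same instantiated config used to sign it, rather than
# relying on the OPENSSL_CONF template (which still holds placeholders).
$OPENSSL ca -config "$PWD/openssl.cnf.tmp" -revoke server-revoked.pem \
	-passin env:PASS ||
	fail "Could not revoke server-revoked.pem"

echo
echo "---[ Server - with client ext key use ] ---------------------------------"
echo "---[ Only used for negative-testing for OSU-client implementation ] -----"
echo

# Issued with the client extensions on purpose: an OSU client must reject
# a server presenting it.
with_cn my-openssl.cnf "$CNOC"
$OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -new -newkey rsa:2048 -nodes \
	-out server-client.csr -keyout server-client.key ||
	fail "Could not create server-client.key"
$OPENSSL ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 \
	-in server-client.csr -out server-client.pem -passin env:PASS \
	-days 730 -extensions ext_client ||
	fail "Could not create server-client.pem"

echo
echo "---[ User ]-------------------------------------------------------------"
echo

with_cn my-openssl.cnf User
$OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -new -newkey rsa:2048 -nodes \
	-out user.csr -keyout user.key ||
	fail "Could not create user.key"
$OPENSSL ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 \
	-in user.csr -out user.pem -passin env:PASS \
	-days 730 -extensions ext_client ||
	fail "Could not create user.pem"

echo
echo "---[ Server ]-----------------------------------------------------------"
echo

# subjectAltName for the OSU server: the DNS name plus one otherName per
# operator friendly name.  1.3.6.1.4.1.40808 is the Wi-Fi Alliance arc; the
# UTF8String values start with the ISO 639 language code ("eng", "fin") as
# the test defaults show.
ALT="DNS:$OSU_SERVER_HOSTNAME"
ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_ENG"
ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_FI"

# In addition to the CN, enable the OU prompt and give it a default, and
# fill in the SAN placeholder (marked critical).
sed "s|#@CN@|commonName_default = $(sedesc "$OSU_SERVER_HOSTNAME")|" my-openssl.cnf |
	sed "s|^##organizationalUnitName|organizationalUnitName|" |
	sed "s|#@OU@|organizationalUnitName_default = Hotspot 2.0 Online Sign Up Server|" |
	sed "s|#@ALTNAME@|subjectAltName=critical,$(sedesc "$ALT")|" \
	> openssl.cnf.tmp ||
	fail "Failed to create openssl.cnf.tmp for the OSU server"
# Echo the request command for the record, then run it.
printf '%s\n' "$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -sha256 -new -newkey rsa:2048 -nodes -out server.csr -keyout server.key -reqexts v3_osu_server"
$OPENSSL req -config "$PWD/openssl.cnf.tmp" -batch -sha256 -new -newkey rsa:2048 -nodes \
	-out server.csr -keyout server.key -reqexts v3_osu_server ||
	fail "Failed to generate server request"
$OPENSSL ca -config "$PWD/openssl.cnf.tmp" -batch -md sha256 \
	-in server.csr -out server.pem -passin env:PASS -days 730 \
	-extensions ext_server -policy policy_osu_server ||
	fail "Failed to sign server certificate"

# Dump logotype details for debugging.  Best effort only: the last HEX
# blob asn1parse prints for the certificate is taken to be the logotype
# payload (the original author's approach, which holds for these
# configurations), and xxd is not available on every system.
$OPENSSL x509 -in server.pem -out server.der -outform DER ||
	fail "Failed to create server.der"
$OPENSSL asn1parse -in server.der -inform DER | grep HEX | tail -1 |
	sed 's/.*://' | xxd -r -p > logo.der
$OPENSSL asn1parse -in logo.der -inform DER > logo.asn1

echo
echo "---[ CRL ]---------------------------------------------------------------"
echo

$OPENSSL ca -config "$PWD/my-openssl.cnf" -gencrl -md sha256 \
	-out demoCA/crl/crl.pem -passin env:PASS ||
	fail "Failed to generate CRL"

echo
echo "---[ Verify ]------------------------------------------------------------"
echo

# Chain checks.  A failure here used to be silently ignored; it now aborts,
# since a PKI whose certificates do not chain is useless for testing.
# Revocation is deliberately not checked (no -crl_check), so
# server-revoked.pem is expected to verify at this point.
$OPENSSL verify -CAfile rootCA/cacert.pem demoCA/cacert.pem ||
	fail "Intermediate CA certificate does not verify against the Root CA"
$OPENSSL verify -CAfile rootCA/cacert.pem -untrusted demoCA/cacert.pem *.pem ||
	fail "End-entity certificate verification failed"

# Root + Intermediate, for clients that need the whole trust chain.
cat rootCA/cacert.pem demoCA/cacert.pem > ca.pem || fail "Failed to write ca.pem"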