2 # $Id: gen-req.sh 21786 2007-08-01 19:37:45Z lha $
# This script needs openssl 0.9.8a or newer, so that it can parse the
# otherName section for pkinit certificates.
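# OpenSSL binary used by every ${openssl} invocation in this script.
# The default is the original author's private 0.9.8e build; set `openssl` in
# the environment to point at another build (the header comment asks for
# 0.9.8a or newer).
# NOTE(review): 0.9.8e is a long-unsupported release; use it, and the keys
# and certificates it produces here, only for regenerating test fixtures.
openssl=${openssl:-$HOME/src/openssl/openssl-0.9.8e/apps/openssl}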
20 -out cert.req > /dev/null 2>/dev/null
22 if [ "$3" = "ca" ] ; then
27 -extfile openssl.cnf \
32 ln -s ca.crt `${openssl} x509 -hash -noout -in cert.crt`.0
36 elif [ "$3" = "proxy" ] ; then
46 -extfile openssl.cnf \
# Generate the test PKI, one gen_cert call per certificate.
# gen_cert is defined earlier in this script (its full body is not part of
# this excerpt); the visible part branches on the third argument: "ca",
# "proxy", or anything else.
# Arguments, presumably (confirm against the definition): subject DN, issuer
# basename, kind or output name, openssl.cnf section, and, for "proxy" calls,
# the output basename.
# Keep the call order: later calls name earlier outputs in their second
# argument (sub-cert after sub-ca, proxy-level-test after proxy-test, ...).

# Root CA: third argument "ca".
gen_cert '/CN=hx509 Test Root CA/C=SE' root ca v3_ca

# Certificates that pass "ca" as second argument.
gen_cert '/CN=OCSP responder/C=SE' ca ocsp-responder ocsp
gen_cert '/CN=Test cert/C=SE' ca test usr
gen_cert '/CN=Revoke cert/C=SE' ca revoke usr
gen_cert '/CN=Test cert KeyEncipherment/C=SE' ca test-ke-only usr_ke
gen_cert '/CN=Test cert DigitalSignature/C=SE' ca test-ds-only usr_ds
gen_cert '/CN=pkinit/C=SE' ca pkinit pkinit_client
# Proxy call naming "pkinit" as second argument.
gen_cert '/C=SE/CN=pkinit/CN=pkinit-proxy' pkinit proxy proxy_cert pkinit-proxy
gen_cert '/CN=kdc/C=SE' ca kdc pkinit_kdc
gen_cert '/CN=www.test.h5l.se/C=SE' ca https https

# Subordinate CA, then a certificate that names it as second argument.
gen_cert '/CN=Sub CA/C=SE' ca sub-ca subca
gen_cert '/CN=Test sub cert/C=SE' sub-ca sub-cert usr

# Proxy calls chained from "test". no-proxy-test uses the "proxy" kind with
# the usr_cert section instead of a proxy section.
gen_cert '/C=SE/CN=Test cert/CN=proxy' test proxy proxy_cert proxy-test
gen_cert '/C=SE/CN=Test cert/CN=proxy/CN=child' proxy-test proxy proxy_cert proxy-level-test
gen_cert '/C=SE/CN=Test cert/CN=no-proxy' test proxy usr_cert no-proxy-test
gen_cert '/C=SE/CN=Test cert/CN=proxy10' test proxy proxy10_cert proxy10-test
gen_cert '/C=SE/CN=Test cert/CN=proxy10/CN=child' proxy10-test proxy proxy10_cert proxy10-child-test
gen_cert '/C=SE/CN=Test cert/CN=proxy10/CN=child/CN=child' proxy10-child-test proxy proxy10_cert proxy10-child-child-test
# Concatenated bundles built from the files generated above.
#   sub-ca-combined.crt    : sub-ca.crt followed by ca.crt
#   test.combined.crt      : test.crt followed by test.key (by its name the
#                            private key), so this file holds key material
#                            and should be handled like test.key itself
#   pkinit-proxy-chain.crt : pkinit-proxy.crt followed by pkinit.crt
cat sub-ca.crt ca.crt >sub-ca-combined.crt
cat test.crt test.key >test.combined.crt
cat pkinit-proxy.crt pkinit.crt >pkinit-proxy-chain.crt
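# Passphrase-protected copies of two test keys, encrypted with AES-256 by
# `openssl rsa`.
# The passphrases are fixed fixture values, and the `pass:` form places them
# on the command line, where they are visible in the process list. That is
# acceptable here only because these keys are test data; for a real key use
# a `file:` or `env:` passphrase source instead.
# "${openssl}" is quoted so that a binary path containing whitespace is still
# passed as a single word.
"${openssl}" rsa -in test.key -aes256 -passout pass:foobar -out test-pw.key
"${openssl}" rsa -in pkinit.key -aes256 -passout pass:foo -out pkinit-pw.key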
115 -passout pass:foobar \
117 -name "friendlyname-test" \
124 -inkey sub-cert.key \
125 -passout pass:foobar \
127 -name "friendlyname-sub-cert" \
128 -certfile sub-ca-combined.crt \
138 -passout pass:foobar \
140 -name "friendlyname-cert" \
152 -out test-signed-data
163 -out test-signed-data-noattr
175 -out test-signed-data-noattr-nocerts
183 -out test-enveloped-rc2-40 \
193 -out test-enveloped-rc2-64 \
203 -out test-enveloped-rc2-128 \
213 -out test-enveloped-des \
223 -out test-enveloped-des-ede3 \
233 -out test-enveloped-aes-128 \
243 -out test-enveloped-aes-256 \
252 -reqout ocsp-req1.der
256 -rsigner ocsp-responder.crt \
257 -rkey ocsp-responder.key \
259 -reqin ocsp-req1.der \
261 -respout ocsp-resp1-ocsp.der
268 -reqin ocsp-req1.der \
270 -respout ocsp-resp1-ca.der
274 -rsigner ocsp-responder.crt \
275 -rkey ocsp-responder.key \
278 -reqin ocsp-req1.der \
280 -respout ocsp-resp1-ocsp-no-cert.der
284 -rsigner ocsp-responder.crt \
285 -rkey ocsp-responder.key \
287 -reqin ocsp-req1.der \
290 -respout ocsp-resp1-keyhash.der
295 -reqout ocsp-req2.der
299 -rsigner ocsp-responder.crt \
300 -rkey ocsp-responder.key \
302 -reqin ocsp-req2.der \
304 -respout ocsp-resp2.der
312 -crl_reason superseded \
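# Write a DER-encoded copy of crl1.crl (openssl crl reads PEM unless -inform
# says otherwise). "${openssl}" is quoted so that a binary path containing
# whitespace is still passed as a single word.
"${openssl}" crl -in crl1.crl -outform der -out crl1.der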