forked from weibohe/fortio
-
Notifications
You must be signed in to change notification settings - Fork 0
/
cert-gen
executable file
·114 lines (98 loc) · 3.85 KB
/
cert-gen
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
#!/usr/bin/env bash
# note: Script uses -batch and -subj, instead of interactive prompts.
# default environment variable values
CERT_TEMP_DIR=./cert-tmp
CA_CERT=$CERT_TEMP_DIR/ca.crt
SVR_CERT=$CERT_TEMP_DIR/server.crt
SVR_KEY=$CERT_TEMP_DIR/server.key
SAN=DNS.1:localhost,IP.1:127.0.0.1
set -e
# Skip cert creation if the certs already exist
if [ -d $CERT_TEMP_DIR ]
then
echo "Certificate directory $CERT_TEMP_DIR exists. Skipping certificate creation."
exit
fi
echo "Creating test CA cert and server cert/key..."
# create cert directory and files
mkdir -p $CERT_TEMP_DIR
touch index.txt
touch index.txt.attr
echo 1000 > serial
cat <<EOF >$CERT_TEMP_DIR/openssl.conf
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
certs = $CERT_TEMP_DIR
crl_dir = $CERT_TEMP_DIR
new_certs_dir = $CERT_TEMP_DIR
database = ./index.txt
serial = ./serial
crlnumber = ./crlnumber
crl = ./crl/intermediate-ca.crl
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_loose
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ server_cert ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS.1:localhost,IP.1:127.0.0.1
EOF
# CA private key (unencrypted)
openssl genrsa -out $CERT_TEMP_DIR/ca.key 4096
# Certificate Authority (self-signed certificate)
openssl req -config $CERT_TEMP_DIR/openssl.conf -new -x509 -days 3650 -sha256 -key $CERT_TEMP_DIR/ca.key -extensions v3_ca -out $CERT_TEMP_DIR/ca.crt -subj "/CN=fake-ca"
# Server private key (unencrypted)
openssl genrsa -out $CERT_TEMP_DIR/server.key 2048
# Server certificate signing request (CSR)
openssl req -config $CERT_TEMP_DIR/openssl.conf -new -sha256 -key $CERT_TEMP_DIR/server.key -out $CERT_TEMP_DIR/server.csr -subj "/CN=fake-server"
# Certificate Authority signs CSR to grant a certificate
openssl ca -batch -config $CERT_TEMP_DIR/openssl.conf -extensions server_cert -days 365 -notext -md sha256 -in $CERT_TEMP_DIR/server.csr -out $CERT_TEMP_DIR/server.crt -cert $CERT_TEMP_DIR/ca.crt -keyfile $CERT_TEMP_DIR/ca.key
# Remove unneeded files
rm -f index.* serial* $CERT_TEMP_DIR/ca.key $CERT_TEMP_DIR/*.csr $CERT_TEMP_DIR/*.pem $CERT_TEMP_DIR/openssl.conf
echo "*******************************************************************"
echo "WARNING: Generated credentials are self-signed and should be used for testing purposes only."