CONFIGDIR=$PWD/$(dirname $0)/../config
BASEDIR=$PWD/$(dirname $0)/../test
-CONFIGFILES="index.txt serial.txt ca_conf.cnf ca_proxy_conf.cnf req_conf.cnf req_proxy_conf.cnf req_proxy_proxy_conf.cnf"
+CONFIGFILES="index.txt serial.txt req_conf.cnf"
export PASSWORD='changeit'
-CATYPES='trusted fake big expired bad'
+CATYPES='trusted fake big expired bad nokeyusage root subca subsubca'
BIG_BITS=8192
SMALL_BITS=1024
+## dummy values for unused env variables in conf file
+export PROXYNAME=dummyprox
+export CA_DIR=dummyCAdir
+export CATYPE_dummyCAtype
+
function create_ca {
+ export CATYPE=$1
catype=$1
- CADIR=${catype}-ca
- if [ ! -f ${CADIR}/serial.txt ]; then
- mkdir -p ${CADIR}
- cd ${CADIR}
+ echo "+-----------------------"
+ echo "| $catype"
+ echo "+-----------------------"
+ cadir=${catype}-ca
+ if [ ! -f ${cadir}/serial.txt ]; then
+ mkdir -p ${cadir}
+ cd ${cadir}
for config in ${CONFIGFILES}; do
cp $CONFIGDIR/$config .
done
fi
export CN="the $catype CA"
- openssl req -new -x509 -out ${catype}.cert $DAYS -nodes \
- -keyout ${catype}.priv -config req_conf.cnf -extensions CA_cert
- openssl pkcs12 -export -in ${catype}.cert -inkey ${catype}.priv \
- -out ${catype}.p12 -passin "pass:$PASSWORD" -passout "pass:$PASSWORD"
+ if [ "$catype" = "subca" ]; then
+ export CA_DIR=../root-ca
+ export CATYPE=root
+ openssl req -new -out ${catype}.req $DAYS -nodes \
+ -keyout ${catype}.priv -config req_conf.cnf
+ openssl ca -in ${catype}.req -out ${catype}.cert -outdir . \
+ -md md5 -config req_conf.cnf -batch -extensions ca_cert_req -days 10000
+ else
+ if [ "$catype" = "subsubca" ]; then
+ export CA_DIR=../subca-ca
+ export CATYPE=subca
+ openssl req -new -out ${catype}.req $DAYS -nodes \
+ -keyout ${catype}.priv -config req_conf.cnf
+ openssl ca -in ${catype}.req -out ${catype}.cert -outdir . \
+ -md md5 -config req_conf.cnf -batch -extensions ca_cert_req -days 10000
+
+ else
+ openssl req -new -x509 -out ${catype}.cert $DAYS -nodes \
+ -keyout ${catype}.priv -config req_conf.cnf -extensions ca_cert_req
+ openssl pkcs12 -export -in ${catype}.cert -inkey ${catype}.priv \
+ -out ${catype}.p12 -passin "pass:$PASSWORD" -passout "pass:$PASSWORD"
+ fi
+ fi
echo -n "Generated CA certificate with "
openssl x509 -noout -subject -in ${catype}.cert
else
- echo "${CADIR}/serial.txt exists!"
+ echo "${cadir}/serial.txt exists!"
fi
}
ABSBASEDIR=$(pwd)
for catype in $CATYPES; do
- echo "+-----------------------"
- echo "| $catype"
- echo "+-----------------------"
create_ca $catype
cd $ABSBASEDIR
done
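Review bot: Both new `openssl ca` invocations (the subca and subsubca branches of create_ca) sign the subordinate CA certificates with `-md md5`; MD5 is a collision-broken signature digest and is rejected at the default security level of current OpenSSL builds, so these fixtures may fail to generate or fail to verify in the code under test — use `-md sha256` on both lines (dropping the flag would fall back to the config's `default_md = sha1`, which is also weak). `export CATYPE_dummyCAtype` exports a variable literally named CATYPE_dummyCAtype instead of giving CATYPE the dummy value the comment above it promises; it is masked at runtime by `export CATYPE=$1` at the top of create_ca, but `export CATYPE=dummyCAtype` is presumably what was intended. The new `nokeyusage` entry in CATYPES has no branch in create_ca, so it takes the self-signed `else` path with `-extensions ca_cert_req`, whose section sets `keyUsage = cRLSign, keyCertSign`; unless that type is handled by another script, the generated CA does not match its name. The subca and subsubca branches are also the only ones that do not export a `.p12`; if that is deliberate, a one-line comment in each branch would save the next reader from treating it as an omission.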
-
+### req command\r
+\r
[ req ]\r
-default_bits = $ENV::BITS\r
-default_keyfile = keyfile.pem\r
-distinguished_name = req_distinguished_name\r
-attributes = req_attributes\r
-prompt = no\r
-output_password = $ENV::PASSWORD\r
-ca_cert = CA_cert\r
+default_bits = $ENV::BITS\r
+default_keyfile = keyfile.pem\r
+distinguished_name = req_distinguished_name\r
+prompt = no\r
+output_password = $ENV::PASSWORD\r
+ca_cert = ca_cert\r
\r
[ req_distinguished_name ]\r
-countryName = UG\r
+countryName = UG\r
+localityName = Tropic\r
+organizationName = Utopia\r
+organizationalUnitName = Relaxation\r
+0.commonName = $ENV::CN\r
+\r
+[ ca_cert_req ]\r
+basicConstraints = CA:true\r
+subjectKeyIdentifier = hash\r
+authorityKeyIdentifier = keyid:always,issuer:always\r
+keyUsage = cRLSign, keyCertSign\r
+\r
+[ serial_cert_req ]\r
+serialNumber = 12341324\r
+\r
+[ email_cert_req ]\r
+emailAddress = test@home.org\r
+\r
+[ uid_cert_req ]\r
+userId = testuserid\r
+\r
+[ proxy_cert_req ]\r
+1.commonName = $ENV::PROXYNAME\r
+\r
+[ proxy_proxy_cert_req ]\r
+1.commonName = $ENV::PROXYNAME\r
+2.commonName = $ENV::PROXYNAME\r
+\r
+#### ca command\r
+\r
+[ca]\r
+default_ca = CA_default\r
+\r
+[CA_default]\r
+dir = $ENV::CA_DIR\r
+database = $dir/index.txt\r
+serial = $dir/serial.txt\r
+default_md = sha1\r
+\r
+certificate = $dir/$ENV::CATYPE.cert\r
+private_key = $dir/$ENV::CATYPE.priv\r
+\r
+policy = policy_any\r
\r
-#stateOrProvinceName = South area\r
+[policy_any]\r
+countryName = supplied\r
+stateOrProvinceName = optional\r
+localityName = optional\r
+organizationName = optional\r
+organizationalUnitName = optional\r
+commonName = supplied\r
+emailAddress = optional\r
+userId = optional\r
\r
-localityName = Tropic\r
+[ ca_cert ]\r
+basicConstraints = CA:TRUE\r
\r
-organizationName = Utopia\r
\r
-organizationalUnitName = Relaxation\r
+[ ca_server ]\r
+# This is OK for an SSL server.\r
+nsCertType = server\r
+nsComment = "OpenSSL Generated Server Certificate"\r
+# For an object signing certificate this would be used.\r
+# nsCertType = objsign\r
\r
-commonName = $ENV::CN\r
+[ ca_client ]\r
+# For normal client use this is typical\r
+nsCertType = client, email\r
+nsComment = "OpenSSL Generated Client Certificate"\r
\r
-#emailAddress = Email Address\r
+[ ca_clientserver ]\r
+# For normal client use this is typical\r
+nsCertType = server, client, email\r
+nsComment = "OpenSSL Generated Client Server Certificate"\r
+# and for everything including object signing:\r
+# nsCertType = client, email, objsign\r
\r
-[ req_attributes ]\r
-#challengePassword = $ENV::PASSWORD\r
+[ ca_fclient ]\r
+# This is typical in keyUsage for a client certificate.\r
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment\r
+nsComment = "OpenSSL Generated Client Certificate with key usage"\r
\r
-[ CA_cert ]\r
-basicConstraints = CA:true\r
-subjectKeyIdentifier=hash\r
-authorityKeyIdentifier=keyid:always,issuer:always\r
-keyUsage = cRLSign, keyCertSign\r
+[ ca_none ]\r
+nsComment = "OpenSSL Generated Client Certificate without Flags"\r
\r
[ proxy_none ]\r
+keyUsage = critical,digitalSignature,keyEncipherment\r
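Review bot: `[ ca_cert_req ]` and `[ ca_cert ]` set `basicConstraints = CA:true` without marking it critical; RFC 5280 requires basicConstraints in CA certificates to be critical and some validators treat the non-critical form differently, so `basicConstraints = critical, CA:true` is the safer fixture unless a test specifically depends on the non-critical variant. `[ ca_cert ]` also carries none of the keyUsage or key-identifier lines that `[ ca_cert_req ]` has, and nothing in this hunk shows which command references it, so it is unclear whether the two sections are meant to diverge; a comment on `[ ca_cert ]` naming its consumer would settle that. `default_md = sha1` in `[CA_default]` is a weak digest for newly generated CA signatures and will trip verification at a modern security level; `default_md = sha256` avoids that. The `[ proxy_none ]` section appears to continue past the last visible line of the hunk.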