342 lines
20 KiB
Bash
342 lines
20 KiB
Bash
|
#!/bin/sh
|
||
|
|
||
|
# Script for generating RSA and ECC Intermediate CA and server/client certs based on it.
|
||
|
|
||
|
# Result is chains that looks like:
|
||
|
# RSA Server
|
||
|
# ROOT: ./certs/ca-cert.pem
|
||
|
# C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com)
|
||
|
# INTERMEDIATE: ./certs/intermediate/ca-int-cert.pem
|
||
|
# C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Intermediate CA/emailAddress=info@wolfssl.com
|
||
|
# INTERMEDIATE2: ./certs/intermediate/ca-int2-cert.pem
|
||
|
# C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Intermediate2 CA/emailAddress=info@wolfssl.com
|
||
|
# SERVER: ./certs/intermediate/server-int-cert.pem
|
||
|
# C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Server Chain/emailAddress=info@wolfssl.com
|
||
|
|
||
|
# RSA Client
|
||
|
# ROOT: ./certs/ca-cert.pem
|
||
|
# C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com)
|
||
|
# INTERMEDIATE: ./certs/intermediate/ca-int-cert.pem
|
||
|
# C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Intermediate CA/emailAddress=info@wolfssl.com
|
||
|
# INTERMEDIATE: ./certs/intermediate/ca-int2-cert.pem
|
||
|
# C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Intermediate2 CA/emailAddress=info@wolfssl.com
|
||
|
# CLIENT: ./certs/intermediate/client-int-cert.pem
|
||
|
# C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Client Chain/emailAddress=info@wolfssl.com
|
||
|
|
||
|
# ECC Server
|
||
|
# ROOT: ./certs/ca-ecc-cert.pem
|
||
|
# C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
|
||
|
# INTERMEDIATE: ./certs/intermediate/ca-int-ecc-cert.pem
|
||
|
# C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Intermediate CA ECC/emailAddress=info@wolfssl.com
|
||
|
# INTERMEDIATE2: ./certs/intermediate/ca-int-ecc-cert.pem
|
||
|
# C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Intermediate2 CA ECC/emailAddress=info@wolfssl.com
|
||
|
# SERVER: ./certs/intermediate/server-int-ecc-cert.pem
|
||
|
# C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Server Chain ECC/emailAddress=info@wolfssl.com
|
||
|
|
||
|
# ECC Client
|
||
|
# ROOT: ./certs/ca-ecc-cert.pem
|
||
|
# C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=www.wolfssl.com/emailAddress=info@wolfssl.com
|
||
|
# INTERMEDIATE: ./certs/intermediate/ca-int-ecc-cert.pem
|
||
|
# C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Intermediate CA ECC/emailAddress=info@wolfssl.com
|
||
|
# INTERMEDIATE2: ./certs/intermediate/ca-int2-ecc-cert.pem
|
||
|
# C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Intermediate2 CA ECC/emailAddress=info@wolfssl.com
|
||
|
# CLIENT: ./certs/intermediate/client-int-ecc-cert.pem
|
||
|
# C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Development, CN=wolfSSL Client Chain ECC/emailAddress=info@wolfssl.com
|
||
|
|
||
|
|
||
|
# Run from wolfssl-root as `./certs/intermediate/genintcerts.sh`
|
||
|
# To cleanup temp files use `./certs/intermediate/genintcerts.sh clean`
|
||
|
# To cleanup all files use `./certs/intermediate/genintcerts.sh cleanall`
|
||
|
|
||
|
dir="."
|
||
|
|
||
|
cleanup_files(){
|
||
|
rm -f ./certs/intermediate/index.*
|
||
|
rm -f ./certs/intermediate/*.old
|
||
|
rm -f ./certs/intermediate/serial
|
||
|
rm -f ./certs/intermediate/crlnumber
|
||
|
rm -f ./certs/intermediate/*.cnf
|
||
|
rm -rf ./certs/intermediate/new_certs
|
||
|
exit 0
|
||
|
}
|
||
|
|
||
|
check_result() {
|
||
|
if [ $1 -ne 0 ]; then
|
||
|
echo "Step Failed, Abort"
|
||
|
exit 1
|
||
|
else
|
||
|
echo "Step Succeeded!"
|
||
|
fi
|
||
|
}
|
||
|
|
||
|
# Args: 1=CnfFile, 2=Key, 3=Cert
|
||
|
create_ca_config() {
|
||
|
echo "# Generated openssl conf" > "$1"
|
||
|
echo "[ ca ]" >> "$1"
|
||
|
echo "default_ca = CA_default" >> "$1"
|
||
|
echo "" >> "$1"
|
||
|
echo "[ CA_default ]" >> "$1"
|
||
|
echo "certs = $dir/certs/intermediate" >> "$1"
|
||
|
echo "new_certs_dir = $dir/certs/intermediate/new_certs">> "$1"
|
||
|
echo "database = $dir/certs/intermediate/index.txt">> "$1"
|
||
|
echo "serial = $dir/certs/intermediate/serial" >> "$1"
|
||
|
echo "RANDFILE = $dir/private/.rand" >> "$1"
|
||
|
echo "" >> "$1"
|
||
|
echo "private_key = $dir/$2" >> "$1"
|
||
|
echo "certificate = $dir/$3" >> "$1"
|
||
|
echo "" >> "$1"
|
||
|
echo "crlnumber = $dir/certs/intermediate/crlnumber">> "$1"
|
||
|
echo "crl_extensions = crl_ext" >> "$1"
|
||
|
echo "default_crl_days = 1000" >> "$1"
|
||
|
echo "default_md = sha256" >> "$1"
|
||
|
echo "" >> "$1"
|
||
|
echo "name_opt = ca_default" >> "$1"
|
||
|
echo "cert_opt = ca_default" >> "$1"
|
||
|
echo "default_days = 3650" >> "$1"
|
||
|
echo "preserve = no" >> "$1"
|
||
|
echo "policy = policy_loose" >> "$1"
|
||
|
echo "" >> "$1"
|
||
|
echo "[ policy_strict ]" >> "$1"
|
||
|
echo "countryName = match" >> "$1"
|
||
|
echo "stateOrProvinceName = match" >> "$1"
|
||
|
echo "organizationName = match" >> "$1"
|
||
|
echo "organizationalUnitName = optional" >> "$1"
|
||
|
echo "commonName = supplied" >> "$1"
|
||
|
echo "emailAddress = optional" >> "$1"
|
||
|
echo "" >> "$1"
|
||
|
echo "[ policy_loose ]" >> "$1"
|
||
|
echo "countryName = optional" >> "$1"
|
||
|
echo "stateOrProvinceName = optional" >> "$1"
|
||
|
echo "localityName = optional" >> "$1"
|
||
|
echo "organizationName = optional" >> "$1"
|
||
|
echo "organizationalUnitName = optional" >> "$1"
|
||
|
echo "commonName = supplied" >> "$1"
|
||
|
echo "emailAddress = optional" >> "$1"
|
||
|
echo "" >> "$1"
|
||
|
echo "[ req ]" >> "$1"
|
||
|
echo "default_bits = 2048" >> "$1"
|
||
|
echo "distinguished_name = req_distinguished_name" >> "$1"
|
||
|
echo "string_mask = utf8only" >> "$1"
|
||
|
echo "default_md = sha256" >> "$1"
|
||
|
echo "x509_extensions = v3_ca" >> "$1"
|
||
|
echo "" >> "$1"
|
||
|
echo "[ req_distinguished_name ]" >> "$1"
|
||
|
echo "countryName = US" >> "$1"
|
||
|
echo "stateOrProvinceName = Washington" >> "$1"
|
||
|
echo "localityName = Seattle" >> "$1"
|
||
|
echo "organizationName = wolfSSL" >> "$1"
|
||
|
echo "organizationalUnitName = Development" >> "$1"
|
||
|
echo "commonName = www.wolfssl.com" >> "$1"
|
||
|
echo "emailAddress = info@wolfssl.com" >> "$1"
|
||
|
echo "" >> "$1"
|
||
|
echo "[ v3_ca ]" >> "$1"
|
||
|
echo "subjectKeyIdentifier = hash" >> "$1"
|
||
|
echo "authorityKeyIdentifier = keyid:always,issuer" >> "$1"
|
||
|
echo "basicConstraints = critical, CA:true" >> "$1"
|
||
|
echo "keyUsage = critical, digitalSignature, cRLSign, keyCertSign">> "$1"
|
||
|
echo "" >> "$1"
|
||
|
echo "[ v3_intermediate_ca ]" >> "$1"
|
||
|
echo "subjectKeyIdentifier = hash" >> "$1"
|
||
|
echo "authorityKeyIdentifier = keyid:always,issuer" >> "$1"
|
||
|
echo "basicConstraints = critical, CA:true, pathlen:1" >> "$1"
|
||
|
echo "keyUsage = critical, digitalSignature, cRLSign, keyCertSign">> "$1"
|
||
|
echo "" >> "$1"
|
||
|
echo "[ v3_intermediate2_ca ]" >> "$1"
|
||
|
echo "subjectKeyIdentifier = hash" >> "$1"
|
||
|
echo "authorityKeyIdentifier = keyid:always,issuer" >> "$1"
|
||
|
echo "basicConstraints = critical, CA:true, pathlen:1" >> "$1"
|
||
|
echo "keyUsage = critical, digitalSignature, cRLSign, keyCertSign">> "$1"
|
||
|
echo "" >> "$1"
|
||
|
echo "[ usr_cert ]" >> "$1"
|
||
|
echo "basicConstraints = CA:FALSE" >> "$1"
|
||
|
echo "nsCertType = client, email" >> "$1"
|
||
|
echo "subjectKeyIdentifier = hash" >> "$1"
|
||
|
echo "authorityKeyIdentifier = keyid,issuer" >> "$1"
|
||
|
echo "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment">> "$1"
|
||
|
echo "extendedKeyUsage = clientAuth, emailProtection" >> "$1"
|
||
|
echo "" >> "$1"
|
||
|
echo "[ server_cert ]" >> "$1"
|
||
|
echo "basicConstraints = CA:FALSE" >> "$1"
|
||
|
echo "nsCertType = server" >> "$1"
|
||
|
echo "subjectKeyIdentifier = hash" >> "$1"
|
||
|
echo "authorityKeyIdentifier = keyid,issuer:always" >> "$1"
|
||
|
echo "keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement">> "$1"
|
||
|
echo "extendedKeyUsage = serverAuth" >> "$1"
|
||
|
echo "" >> "$1"
|
||
|
echo "[ crl_ext ]" >> "$1"
|
||
|
echo "authorityKeyIdentifier=keyid:always" >> "$1"
|
||
|
}
|
||
|
|
||
|
# Args: 1=reqcnf, 2=signcnf, 3=keyfile, 4=certfile, 5=ext, 6=subj, 7=days
|
||
|
create_cert() {
|
||
|
openssl req -config ./certs/intermediate/$1.cnf -new -sha256 \
|
||
|
-key $3 \
|
||
|
-out ./certs/intermediate/tmp.csr \
|
||
|
-subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=$6/emailAddress=info@wolfssl.com"
|
||
|
check_result $?
|
||
|
openssl ca -config ./certs/intermediate/$2.cnf -extensions $5 -days $7 -notext -md sha256 \
|
||
|
-in ./certs/intermediate/tmp.csr -out ./certs/intermediate/$4.pem -batch
|
||
|
check_result $?
|
||
|
rm ./certs/intermediate/tmp.csr
|
||
|
|
||
|
# Convert Cert to DER
|
||
|
openssl x509 -in ./certs/intermediate/$4.pem -inform PEM -out ./certs/intermediate/$4.der -outform DER
|
||
|
check_result $?
|
||
|
|
||
|
# Add text to cert PEM file
|
||
|
openssl x509 -in ./certs/intermediate/$4.pem -text > ./certs/intermediate/tmp.pem
|
||
|
check_result $?
|
||
|
mv ./certs/intermediate/tmp.pem ./certs/intermediate/$4.pem
|
||
|
}
|
||
|
|
||
|
if [ "$1" = "clean" ]; then
|
||
|
echo "Cleaning temp files"
|
||
|
cleanup_files
|
||
|
fi
|
||
|
if [ "$1" = "cleanall" ]; then
|
||
|
echo "Cleaning all files"
|
||
|
rm -f ./certs/intermediate/*.pem
|
||
|
rm -f ./certs/intermediate/*.der
|
||
|
rm -f ./certs/intermediate/*.csr
|
||
|
cleanup_files
|
||
|
fi
|
||
|
|
||
|
# Make sure required CA files exist and are populated
|
||
|
rm -f ./certs/intermediate/index.*
|
||
|
touch ./certs/intermediate/index.txt
|
||
|
if [ ! -f ./certs/intermediate/serial ]; then
|
||
|
echo 1000 > ./certs/intermediate/serial
|
||
|
fi
|
||
|
if [ ! -f ./certs/intermediate/crlnumber ]; then
|
||
|
echo 2000 > ./certs/intermediate/crlnumber
|
||
|
fi
|
||
|
if [ ! -d ./certs/intermediate/new_certs ]; then
|
||
|
mkdir ./certs/intermediate/new_certs
|
||
|
fi
|
||
|
|
||
|
|
||
|
# RSA
|
||
|
echo "Creating RSA CA configuration cnf files"
|
||
|
create_ca_config ./certs/intermediate/wolfssl_root.cnf certs/ca-key.pem certs/ca-cert.pem
|
||
|
create_ca_config ./certs/intermediate/wolfssl_int.cnf certs/intermediate/ca-int-key.pem certs/intermediate/ca-int-cert.pem
|
||
|
create_ca_config ./certs/intermediate/wolfssl_int2.cnf certs/intermediate/ca-int2-key.pem certs/intermediate/ca-int2-cert.pem
|
||
|
|
||
|
if [ ! -f ./certs/intermediate/ca-int-key.pem ]; then
|
||
|
echo "Make Intermediate RSA CA Key"
|
||
|
openssl genrsa -out ./certs/intermediate/ca-int-key.pem 2048
|
||
|
check_result $?
|
||
|
openssl rsa -in ./certs/intermediate/ca-int-key.pem -inform PEM -out ./certs/intermediate/ca-int-key.der -outform DER
|
||
|
check_result $?
|
||
|
fi
|
||
|
if [ ! -f ./certs/intermediate/ca-int2-key.pem ]; then
|
||
|
echo "Make Intermediate2 RSA CA Key"
|
||
|
openssl genrsa -out ./certs/intermediate/ca-int2-key.pem 2048
|
||
|
check_result $?
|
||
|
openssl rsa -in ./certs/intermediate/ca-int2-key.pem -inform PEM -out ./certs/intermediate/ca-int2-key.der -outform DER
|
||
|
check_result $?
|
||
|
fi
|
||
|
|
||
|
echo "Create RSA Intermediate CA signed by root"
|
||
|
create_cert wolfssl_int wolfssl_root ./certs/intermediate/ca-int-key.pem ca-int-cert v3_intermediate_ca "wolfSSL Intermediate CA" 7300
|
||
|
|
||
|
echo "Create RSA Intermediate2 CA signed by RSA Intermediate"
|
||
|
create_cert wolfssl_int2 wolfssl_int ./certs/intermediate/ca-int2-key.pem ca-int2-cert v3_intermediate2_ca "wolfSSL Intermediate2 CA" 7300
|
||
|
|
||
|
echo "Create RSA Server Certificate signed by intermediate2"
|
||
|
create_cert wolfssl_int2 wolfssl_int2 ./certs/server-key.pem server-int-cert server_cert "wolfSSL Server Chain" 3650
|
||
|
|
||
|
echo "Create RSA Client Certificate signed by intermediate2"
|
||
|
create_cert wolfssl_int2 wolfssl_int2 ./certs/client-key.pem client-int-cert usr_cert "wolfSSL Client Chain" 3650
|
||
|
|
||
|
echo "Generate CRLs for new certificates"
|
||
|
openssl ca -config ./certs/intermediate/wolfssl_root.cnf -gencrl -crldays 1000 -out ./certs/crl/ca-int.pem -keyfile ./certs/intermediate/ca-int-key.pem -cert ./certs/intermediate/ca-int-cert.pem
|
||
|
check_result $?
|
||
|
openssl ca -config ./certs/intermediate/wolfssl_int.cnf -gencrl -crldays 1000 -out ./certs/crl/ca-int2.pem -keyfile ./certs/intermediate/ca-int2-key.pem -cert ./certs/intermediate/ca-int2-cert.pem
|
||
|
check_result $?
|
||
|
openssl ca -config ./certs/intermediate/wolfssl_int2.cnf -gencrl -crldays 1000 -out ./certs/crl/server-int.pem -keyfile ./certs/server-key.pem -cert ./certs/intermediate/server-int-cert.pem
|
||
|
check_result $?
|
||
|
openssl ca -config ./certs/intermediate/wolfssl_int2.cnf -gencrl -crldays 1000 -out ./certs/crl/client-int.pem -keyfile ./certs/client-key.pem -cert ./certs/intermediate/client-int-cert.pem
|
||
|
check_result $?
|
||
|
|
||
|
echo "Assemble test chains - peer first, then intermediate2, then intermediate"
|
||
|
openssl x509 -in ./certs/intermediate/server-int-cert.pem > ./certs/intermediate/server-chain.pem
|
||
|
openssl x509 -in ./certs/intermediate/ca-int2-cert.pem >> ./certs/intermediate/server-chain.pem
|
||
|
openssl x509 -in ./certs/intermediate/ca-int-cert.pem >> ./certs/intermediate/server-chain.pem
|
||
|
|
||
|
openssl x509 -in ./certs/intermediate/server-int-cert.pem > ./certs/intermediate/server-chain-short.pem
|
||
|
openssl x509 -in ./certs/intermediate/ca-int2-cert.pem >> ./certs/intermediate/server-chain-short.pem
|
||
|
|
||
|
cat ./certs/intermediate/server-int-cert.der ./certs/intermediate/ca-int2-cert.der ./certs/intermediate/ca-int-cert.der > ./certs/intermediate/server-chain.der
|
||
|
|
||
|
openssl x509 -in ./certs/intermediate/client-int-cert.pem > ./certs/intermediate/client-chain.pem
|
||
|
openssl x509 -in ./certs/intermediate/ca-int2-cert.pem >> ./certs/intermediate/client-chain.pem
|
||
|
openssl x509 -in ./certs/intermediate/ca-int-cert.pem >> ./certs/intermediate/client-chain.pem
|
||
|
cat ./certs/intermediate/client-int-cert.der ./certs/intermediate/ca-int2-cert.der ./certs/intermediate/ca-int-cert.der > ./certs/intermediate/client-chain.der
|
||
|
|
||
|
echo "Assemble cert chain with extra cert for testing alternate chains"
|
||
|
cp ./certs/intermediate/server-chain.pem ./certs/intermediate/server-chain-alt.pem
|
||
|
cp ./certs/intermediate/client-chain.pem ./certs/intermediate/client-chain-alt.pem
|
||
|
openssl x509 -in ./certs/external/ca-google-root.pem >> ./certs/intermediate/server-chain-alt.pem
|
||
|
openssl x509 -in ./certs/external/ca-google-root.pem >> ./certs/intermediate/client-chain-alt.pem
|
||
|
|
||
|
|
||
|
# ECC
|
||
|
echo "Creating ECC CA configuration cnf files"
|
||
|
create_ca_config ./certs/intermediate/wolfssl_root_ecc.cnf certs/ca-ecc-key.pem certs/ca-ecc-cert.pem
|
||
|
create_ca_config ./certs/intermediate/wolfssl_int_ecc.cnf certs/intermediate/ca-int-ecc-key.pem certs/intermediate/ca-int-ecc-cert.pem
|
||
|
create_ca_config ./certs/intermediate/wolfssl_int2_ecc.cnf certs/intermediate/ca-int2-ecc-key.pem certs/intermediate/ca-int2-ecc-cert.pem
|
||
|
|
||
|
if [ ! -f ./certs/intermediate/ca-int-ecc-key.pem ]; then
|
||
|
echo "Make Intermediate ECC CA Key"
|
||
|
openssl ecparam -name prime256v1 -genkey -noout -out ./certs/intermediate/ca-int-ecc-key.pem
|
||
|
check_result $?
|
||
|
openssl ec -in ./certs/intermediate/ca-int-ecc-key.pem -inform PEM -out ./certs/intermediate/ca-int-ecc-key.der -outform DER
|
||
|
check_result $?
|
||
|
fi
|
||
|
if [ ! -f ./certs/intermediate/ca-int2-ecc-key.pem ]; then
|
||
|
echo "Make Intermediate2 ECC CA Key"
|
||
|
openssl ecparam -name prime256v1 -genkey -noout -out ./certs/intermediate/ca-int2-ecc-key.pem
|
||
|
check_result $?
|
||
|
openssl ec -in ./certs/intermediate/ca-int2-ecc-key.pem -inform PEM -out ./certs/intermediate/ca-int2-ecc-key.der -outform DER
|
||
|
check_result $?
|
||
|
fi
|
||
|
|
||
|
echo "Create ECC Intermediate CA signed by root"
|
||
|
create_cert wolfssl_int_ecc wolfssl_root_ecc ./certs/intermediate/ca-int-ecc-key.pem ca-int-ecc-cert v3_intermediate_ca "wolfSSL Intermediate CA ECC" 7300
|
||
|
|
||
|
echo "Create ECC Intermediate2 CA signed by Intermediate"
|
||
|
create_cert wolfssl_int2_ecc wolfssl_int_ecc ./certs/intermediate/ca-int2-ecc-key.pem ca-int2-ecc-cert v3_intermediate2_ca "wolfSSL Intermediate2 CA ECC" 7300
|
||
|
|
||
|
echo "Create ECC Server Certificate signed by intermediate2"
|
||
|
create_cert wolfssl_int2_ecc wolfssl_int2_ecc ./certs/ecc-key.pem server-int-ecc-cert server_cert "wolfSSL Server Chain ECC" 3650
|
||
|
|
||
|
echo "Create ECC Client Certificate signed by intermediate2"
|
||
|
create_cert wolfssl_int2_ecc wolfssl_int2_ecc ./certs/ecc-client-key.pem client-int-ecc-cert usr_cert "wolfSSL Client Chain ECC" 3650
|
||
|
|
||
|
echo "Generate CRLs for new certificates"
|
||
|
openssl ca -config ./certs/intermediate/wolfssl_root_ecc.cnf -gencrl -crldays 1000 -out ./certs/crl/ca-int-ecc.pem -keyfile ./certs/intermediate/ca-int-ecc-key.pem -cert ./certs/intermediate/ca-int-ecc-cert.pem
|
||
|
check_result $?
|
||
|
openssl ca -config ./certs/intermediate/wolfssl_int_ecc.cnf -gencrl -crldays 1000 -out ./certs/crl/ca-int2-ecc.pem -keyfile ./certs/intermediate/ca-int2-ecc-key.pem -cert ./certs/intermediate/ca-int2-ecc-cert.pem
|
||
|
check_result $?
|
||
|
openssl ca -config ./certs/intermediate/wolfssl_int2_ecc.cnf -gencrl -crldays 1000 -out ./certs/crl/server-int-ecc.pem -keyfile ./certs/ecc-key.pem -cert ./certs/intermediate/server-int-ecc-cert.pem
|
||
|
check_result $?
|
||
|
openssl ca -config ./certs/intermediate/wolfssl_int2_ecc.cnf -gencrl -crldays 1000 -out ./certs/crl/client-int-ecc.pem -keyfile ./certs/ecc-client-key.pem -cert ./certs/intermediate/client-int-ecc-cert.pem
|
||
|
check_result $?
|
||
|
|
||
|
echo "Assemble test chains - peer first, then intermediate2, then intermediate"
|
||
|
openssl x509 -in ./certs/intermediate/server-int-ecc-cert.pem > ./certs/intermediate/server-chain-ecc.pem
|
||
|
openssl x509 -in ./certs/intermediate/ca-int2-ecc-cert.pem >> ./certs/intermediate/server-chain-ecc.pem
|
||
|
openssl x509 -in ./certs/intermediate/ca-int-ecc-cert.pem >> ./certs/intermediate/server-chain-ecc.pem
|
||
|
cat ./certs/intermediate/server-int-ecc-cert.der ./certs/intermediate/ca-int2-ecc-cert.der ./certs/intermediate/ca-int-ecc-cert.der > ./certs/intermediate/server-chain-ecc.der
|
||
|
|
||
|
openssl x509 -in ./certs/intermediate/client-int-ecc-cert.pem > ./certs/intermediate/client-chain-ecc.pem
|
||
|
openssl x509 -in ./certs/intermediate/ca-int2-ecc-cert.pem >> ./certs/intermediate/client-chain-ecc.pem
|
||
|
openssl x509 -in ./certs/intermediate/ca-int-ecc-cert.pem >> ./certs/intermediate/client-chain-ecc.pem
|
||
|
cat ./certs/intermediate/client-int-ecc-cert.der ./certs/intermediate/ca-int2-ecc-cert.der ./certs/intermediate/ca-int-ecc-cert.der > ./certs/intermediate/client-chain-ecc.der
|
||
|
|
||
|
echo "Assemble cert chain with extra untrusted cert for testing alternate chains"
|
||
|
cp ./certs/intermediate/server-chain-ecc.pem ./certs/intermediate/server-chain-alt-ecc.pem
|
||
|
cp ./certs/intermediate/client-chain-ecc.pem ./certs/intermediate/client-chain-alt-ecc.pem
|
||
|
openssl x509 -in ./certs/external/ca-google-root.pem >> ./certs/intermediate/server-chain-alt-ecc.pem
|
||
|
openssl x509 -in ./certs/external/ca-google-root.pem >> ./certs/intermediate/client-chain-alt-ecc.pem
|