path: root/tests/suite/certs/create-chain.sh
#!/bin/sh

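# Build a TEST certificate chain of NUM certificates under ./out:
#   CA-0          self-signed root CA (plus a CRL signed by it)
#   CA-1..CA-(N-2) intermediate CAs, each signed by the previous one
#   server-(N-1)   leaf (server) certificate, signed by the last CA
# and concatenate them, leaf first, into out/chain.  With NUM=2 there are
# no intermediates; with NUM=1 the single certificate is a self-signed
# "server-0" that is generated through the root-CA path.
#
# Everything produced here is fixture material for the test suite only:
# the private keys are written unencrypted into ./out and the certificates
# are issued with expiration_days = -1 (certtool's "no expiry" value).
# Never reuse these keys outside the tests.
#
# CERTTOOL may be set in the environment to point at a different certtool
# binary; the default is the in-tree build (EXEEXT is presumably supplied
# by the build system on platforms with executable suffixes).
CERTTOOL="${CERTTOOL:-../../../src/certtool${EXEEXT}}"
OUTPUT=out
TEMPLATE=tmpl

NUM="$1"

# Accept only a positive decimal integer.  Empty, non-numeric or negative
# input used to reach `expr`/`test` as garbage, and 0 silently produced an
# empty output directory; all of these are usage errors now.
case "${NUM}" in
	''|*[!0-9]*)
		echo "usage: $0 number" >&2
		exit 1
		;;
esac
if test "${NUM}" -lt 1; then
	echo "usage: $0 number" >&2
	exit 1
fi

# Index of the last (leaf) certificate.  $(( )) is POSIX and, unlike
# `expr`, does not report a non-zero status when the result happens to be 0.
LAST=$((NUM - 1))

# Start from a clean output directory.  ${OUTPUT:?} makes the shell abort
# instead of running `rm -rf ""` if the variable is ever emptied.
rm -rf "${OUTPUT:?}"
mkdir -p "${OUTPUT}"

# Key algorithm per tier of the chain.  The root and leaf are EC keys while
# the intermediates are RSA-PSS, presumably so that the resulting chain
# mixes signature algorithms.  These strings are deliberately expanded
# unquoted later so that they split into separate certtool arguments.
#KEY_TYPE_ROOT="--key-type rsa-pss --bits 2048 --hash sha384 --salt-size 64"
KEY_TYPE_ROOT="--key-type ecdsa --curve secp521r1"
KEY_TYPE_SUBCA="--key-type rsa-pss --bits 2048 --hash sha256 --salt-size 64"
KEY_TYPE="--key-type ecdsa --curve secp521r1"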

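# Where certtool's stderr is kept for the current step (see certtool_or_die).
ERRLOG="${OUTPUT}/certtool.err"

# Run certtool with the given arguments and abort the whole script if it
# fails.  Without this a missing or broken certtool leaves an empty or
# partial chain behind while the script still exits 0.  certtool also
# writes diagnostics to stderr on success, so stderr goes to ${ERRLOG} and
# is only shown when the step fails.  stdout is left alone so callers can
# redirect it (e.g. to capture a generated private key).
certtool_or_die() {
	if ! "${CERTTOOL}" "$@" 2>"${ERRLOG}"; then
		echo "$0: certtool $* failed:" >&2
		cat "${ERRLOG}" >&2
		exit 1
	fi
}

# Write the certtool template for the certificate named $1 to ${TEMPLATE}.
# The remaining arguments are the template lines that follow "cn = $1".
write_template() {
	tmpl_cn="$1"
	shift
	{
		printf 'cn = %s\n' "${tmpl_cn}"
		for tmpl_line in "$@"; do
			printf '%s\n' "${tmpl_line}"
		done
	} >"${TEMPLATE}"
}

# Generate key + certificate for index 0..LAST.  Each certificate is signed
# with the key of the previous iteration (prev_name), except the root.
counter=0
while test "${counter}" -lt "${NUM}"; do
	if test "${counter}" -eq "${LAST}"; then
		name="server-${counter}"
	else
		name="CA-${counter}"
	fi

	if test "${counter}" -eq 0; then
		# Root CA: self-signed.  It is the only certificate that gets
		# crl_signing_key and the only one for which a CRL is issued.
		# The root key uses KEY_TYPE_ROOT (it used to be generated with
		# KEY_TYPE, leaving KEY_TYPE_ROOT dead; both are the same curve).
		# shellcheck disable=SC2086 -- intentional word splitting
		certtool_or_die ${KEY_TYPE_ROOT} --generate-privkey >"${OUTPUT}/${name}.key"
		write_template "${name}" \
			"ca" \
			"expiration_days = -1" \
			"cert_signing_key" \
			"crl_signing_key"
		certtool_or_die --generate-self-signed \
			--load-privkey "${OUTPUT}/${name}.key" \
			--outfile "${OUTPUT}/${name}.crt" --template "${TEMPLATE}"

		# The CRL is issued from the same template (the former duplicate
		# "expiration_days = -1" line added nothing).  No certificate is
		# passed for revocation, so the CRL lists none.
		certtool_or_die --generate-crl \
			--load-ca-privkey "${OUTPUT}/${name}.key" \
			--load-ca-certificate "${OUTPUT}/${name}.crt" \
			--outfile "${OUTPUT}/${name}.crl" --template "${TEMPLATE}"
	elif test "${counter}" -eq "${LAST}"; then
		# Leaf (server) certificate for "localhost", signed by the previous CA.
		# shellcheck disable=SC2086 -- intentional word splitting
		certtool_or_die ${KEY_TYPE} --generate-privkey >"${OUTPUT}/${name}.key"
		write_template "${name}" \
			"dns_name = localhost" \
			"expiration_days = -1" \
			"signing_key" \
			"encryption_key"
		certtool_or_die --generate-certificate \
			--load-privkey "${OUTPUT}/${name}.key" \
			--load-ca-certificate "${OUTPUT}/${prev_name}.crt" \
			--load-ca-privkey "${OUTPUT}/${prev_name}.key" \
			--outfile "${OUTPUT}/${name}.crt" --template "${TEMPLATE}"
	else
		# Intermediate CA, signed by the previous CA.  Note it gets
		# cert_signing_key but not crl_signing_key.
		# shellcheck disable=SC2086 -- intentional word splitting
		certtool_or_die ${KEY_TYPE_SUBCA} --generate-privkey >"${OUTPUT}/${name}.key"
		write_template "${name}" \
			"ca" \
			"expiration_days = -1" \
			"cert_signing_key" \
			"signing_key"
		certtool_or_die --generate-certificate \
			--load-privkey "${OUTPUT}/${name}.key" \
			--load-ca-certificate "${OUTPUT}/${prev_name}.crt" \
			--load-ca-privkey "${OUTPUT}/${prev_name}.key" \
			--outfile "${OUTPUT}/${name}.crt" --template "${TEMPLATE}"
	fi

	prev_name="${name}"
	counter=$((counter + 1))
done

# Leftover debug flags (-d 4 with the quiet redirect commented out) were
# dropped above; every step now runs quietly and fails loudly instead.
rm -f "${ERRLOG}"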

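# Assemble ${OUTPUT}/chain: the leaf certificate first, then each issuing CA
# in turn, ending with the self-signed root (which is therefore part of the
# chain file -- consumers that expect the root omitted must strip the last
# certificate).  The file is written with a single redirection instead of
# per-certificate appends, so a stale chain can never be appended to, and a
# missing certificate aborts the script rather than yielding a short chain.
{
	counter="${LAST}"
	while test "${counter}" -ge 0; do
		if test "${counter}" -eq "${LAST}"; then
			cat "${OUTPUT}/server-${counter}.crt" || exit 1
		else
			cat "${OUTPUT}/CA-${counter}.crt" || exit 1
		fi
		counter=$((counter - 1))
	done
} >"${OUTPUT:?}/chain"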