3 # Script to create self-signed certificates in directory $1.
# Builds a throwaway test PKI: a self-signed root CA (cacert.pem / cakey.pem),
# then one server and one client certificate signed by it. Only part of the
# script is visible here (the line numbers in the listing have gaps); presumably
# a hidden line changes into $1, since every path below is relative to the cwd.
# The four .cnf files are written through unquoted heredocs, so a "$" meant for
# the OpenSSL config parser is escaped as "\$" and everything else is pasted in
# verbatim (comments included).
# Security notes for whoever reuses this: every private key is generated with
# -nodes, i.e. stored unencrypted (the CA key too), and the signing step
# auto-answers the sign/commit prompts, so no human reviews a CSR before it is
# certified. Fine for disposable test material; keep cakey.pem out of shared or
# committed locations.
8 cat > openssl-ca.cnf << EOF
# NOTE(review): RANDFILE is a legacy seeding hint; modern OpenSSL seeds from the
# OS and presumably does not need this file at all.
10 RANDFILE = \$ENV::HOME/.rnd
12 ####################################################################
# The ca / CA_default settings in this file are only read by "openssl ca";
# the "openssl req -x509" call that consumes this file ignores them, so the
# effective copy of these settings is the one in openssl-ca-sign.cnf.
14 default_ca = CA_default # The default ca section
# Inline "# ..." comments are stripped by the OpenSSL config parser; they would
# become part of the value in most generic INI readers.
19 default_days = 1000 # How long to certify for
20 default_crl_days = 30 # How long before next CRL
21 default_md = sha256 # Use public key default MD
# preserve = no: the issued subject DN follows the policy section's field order,
# not the order the CSR supplied.
22 preserve = no # Keep passed DN ordering
24 x509_extensions = ca_extensions # The extensions to add to the cert
26 email_in_dn = no # Don't concat the email in the DN
# "copy" adds CSR extensions that the signing extension section does not already
# set (that is how subjectAltName reaches the certificate); anything the config
# sets wins, so a CSR cannot override basicConstraints or keyUsage. "copyall"
# would let the CSR win and is unsafe with requests you did not generate yourself.
27 copy_extensions = copy # Required to copy SANs from CSR to cert
29 ####################################################################
# req settings used by "openssl req -x509" below.
# NOTE(review): "openssl req -x509" takes its validity from -days (default 30),
# not from default_days above, and no -days is passed, so the CA certificate is
# valid for 30 days while the leaf certificates it signs get 1000 days.
# The CA private key is written here, unencrypted because of -nodes.
33 default_keyfile = cakey.pem
34 distinguished_name = ca_distinguished_name
35 x509_extensions = ca_extensions
36 string_mask = utf8only
38 ####################################################################
39 [ ca_distinguished_name ]
41 organizationName = Nokia OY
43 # commonName_default = Test Server
44 # emailAddress = test@server.com
45 stateOrProvinceName = Uusimaa
48 ####################################################################
# Root CA extensions: CA:true is critical and keyUsage is limited to certificate
# and CRL signing, so the CA key cannot be presented as an end-entity key.
51 subjectKeyIdentifier = hash
52 authorityKeyIdentifier = keyid:always, issuer
53 basicConstraints = critical, CA:true
54 keyUsage = keyCertSign, cRLSign
# --- server CSR configuration ---
57 cat > openssl-server.cnf << EOF
59 RANDFILE = \$ENV::HOME/.rnd
61 ####################################################################
# Unencrypted server key (-nodes); serverkey.pem ends up next to the CA files.
65 default_keyfile = serverkey.pem
66 distinguished_name = server_distinguished_name
67 req_extensions = server_req_extensions
68 string_mask = utf8only
70 ####################################################################
71 [ server_distinguished_name ]
73 organizationName = Nokia NET
74 commonName = Test Server
75 # emailAddress = test@server.com
76 stateOrProvinceName = Uusimaa
79 ####################################################################
80 [ server_req_extensions ]
# These ride inside the CSR; with copy_extensions = copy in the signing config,
# those the signing section leaves unset (subjectAltName here) are copied into
# the certificate. No extendedKeyUsage is requested in the lines shown; unless a
# hidden line adds one, consider extendedKeyUsage = serverAuth so the server and
# client certificates are not interchangeable in TLS role.
82 subjectKeyIdentifier = hash
83 basicConstraints = CA:FALSE
84 keyUsage = digitalSignature, keyEncipherment
85 subjectAltName = @alternate_names
86 nsComment = "OpenSSL Generated Certificate"
88 ####################################################################
# --- client CSR configuration ---
94 cat > openssl-client.cnf << EOF
96 RANDFILE = \$ENV::HOME/.rnd
98 ####################################################################
# Unencrypted client key (-nodes).
102 default_keyfile = clientkey.pem
103 distinguished_name = client_distinguished_name
104 req_extensions = client_req_extensions
105 string_mask = utf8only
107 ####################################################################
108 [ client_distinguished_name ]
110 organizationName = Customer X
111 commonName = Customer
112 emailAddress = test@client.com
114 ####################################################################
115 [ client_req_extensions ]
# Same extension set as the server CSR. A client identity normally carries
# extendedKeyUsage = clientAuth; none is requested in the lines shown.
117 subjectKeyIdentifier = hash
118 basicConstraints = CA:FALSE
119 keyUsage = digitalSignature, keyEncipherment
120 subjectAltName = @alternate_names
121 nsComment = "OpenSSL Generated Certificate"
123 ####################################################################
# alternate_names referenced by the client CSR above (section header is on a
# hidden line). Because subjectAltName is copied from the CSR at signing time,
# these DNS names land in the client certificate; review whether a client
# identity should carry host names at all, since with no EKU restriction the
# certificate is acceptable as a server certificate for these names to any peer
# trusting this CA.
126 DNS.1 = ramuller.zoo.dynamic.nsn-net.net
127 DNS.2 = www.client.com
128 DNS.3 = mail.client.com
129 DNS.4 = ftp.client.com
# --- signing configuration used by "openssl ca" below ---
132 cat > openssl-ca-sign.cnf << EOF
134 RANDFILE = \$ENV::HOME/.rnd
136 ####################################################################
138 default_ca = CA_default # The default ca section
# Same settings as in openssl-ca.cnf; this is the copy that is actually read.
# 1000 days is long for a test leaf certificate and, see the note on the CA
# config, longer than the CA certificate itself unless -days was added.
142 default_days = 1000 # How long to certify for
143 default_crl_days = 30 # How long before next CRL
144 default_md = sha256 # Use public key default MD
145 preserve = no # Keep passed DN ordering
# Overridden on the command line by -extensions signing_req below.
147 x509_extensions = ca_extensions # The extensions to add to the cert
149 email_in_dn = no # Don't concat the email in the DN
150 copy_extensions = copy # Required to copy SANs from CSR to cert
# base_dir is expected to be defined earlier in this file (not shown); all CA
# state paths below are relative to it.
152 certificate = \$base_dir/cacert.pem # The CA certifcate
153 private_key = \$base_dir/cakey.pem # The CA private key
154 new_certs_dir = \$base_dir # Location for new certs after signing
155 database = \$base_dir/index.txt # Database index file
156 serial = \$base_dir/serial.txt # The current serial number
# Lets the same subject be certified repeatedly without revoking the previous
# certificate; convenient for re-running the script, but the CA database then no
# longer enforces one live certificate per subject.
158 unique_subject = no # Set to 'no' to allow creation of
159 # several certificates with same subject.
161 ####################################################################
# req section copied from openssl-ca.cnf; not used by "openssl ca".
165 default_keyfile = cakey.pem
166 distinguished_name = ca_distinguished_name
167 x509_extensions = ca_extensions
168 string_mask = utf8only
170 ####################################################################
171 [ ca_distinguished_name ]
173 organizationName = Nokia OY
175 # commonName_default = Test Server
176 # emailAddress = test@server.com
177 stateOrProvinceName = Uusimaa
180 ####################################################################
183 subjectKeyIdentifier = hash
184 authorityKeyIdentifier = keyid:always, issuer
185 basicConstraints = critical, CA:true
186 keyUsage = keyCertSign, cRLSign
188 ####################################################################
# Policy section (presumably [ signing_policy ], selected with -policy below):
# only commonName must be present; every other field is accepted as supplied.
# No "match" constraints tie issued subjects to the CA's own O or ST, so any
# organization name in a CSR is certified as-is.
190 countryName = optional
191 stateOrProvinceName = optional
192 localityName = optional
193 organizationName = optional
194 organizationalUnitName = optional
195 commonName = supplied
196 emailAddress = optional
198 ####################################################################
# Extension section (presumably [ signing_req ], selected with -extensions
# below), applied to both the server and the client certificate. Values here
# override same-named extensions from the CSR. No extendedKeyUsage is set in the
# lines shown, so unless the CSR supplies one (and it is copied via
# copy_extensions), neither certificate is limited to serverAuth or clientAuth.
200 subjectKeyIdentifier = hash
201 authorityKeyIdentifier = keyid,issuer
202 basicConstraints = CA:FALSE
203 keyUsage = digitalSignature, keyEncipherment
# Key and CSR generation. -nodes writes cakey.pem, serverkey.pem and
# clientkey.pem (each config's default_keyfile) with no passphrase.
# The first call self-signs the CA; note the missing -days (see config note).
206 openssl req -config openssl-ca.cnf -x509 -newkey rsa:2048 -sha256 -nodes -out cacert.pem -outform PEM
207 openssl req -config openssl-server.cnf -newkey rsa:2048 -sha256 -nodes -out servercert.csr -outform PEM
208 openssl req -config openssl-client.cnf -newkey rsa:2048 -sha256 -nodes -out clientcert.csr -outform PEM
# CA state files. The signing config reads index.txt and serial.txt; index.txt is
# not created in the lines shown (presumably on the hidden line between these),
# and the -ri files are not referenced by any config visible here.
210 echo '01' > serial.txt
211 echo -n > index-ri.txt
212 echo '01' > serial-ri.txt
# Piping "y" answers into openssl ca auto-confirms the "Sign the certificate?"
# and "commit?" prompts, i.e. the CSRs are certified without review; -batch is
# the documented flag for unattended operation. echo -e is a bash extension: under
# a POSIX sh that prints the -e literally, the first answer would not start with
# "y" and the request would be refused. Both certificates are signed with the
# same signing_req extensions, so they differ only in subject and CSR-supplied
# SANs.
213 echo -e "y\ny\n" | openssl ca -config openssl-ca-sign.cnf -policy signing_policy -extensions signing_req -out servercert.pem -infiles servercert.csr
214 echo -e "y\ny\n" | openssl ca -config openssl-ca-sign.cnf -policy signing_policy -extensions signing_req -out clientcert.pem -infiles clientcert.csr