#!/bin/sh

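# Run the openssl binary at ../../apps/openssl, with LD_LIBRARY_PATH set to
# ../.. for that one invocation.
# Arguments: passed through unchanged to openssl
# Returns:   exit status of the openssl command
# Both paths are relative to the current working directory, so the script
# has to be started from a directory two levels below the tree that holds
# apps/openssl; from anywhere else a different (or no) binary and library
# directory would be picked up.
opensslcmd() {
    # Quoted "$@" hands every argument to openssl as exactly one word, so a
    # value containing spaces or glob characters is not split or expanded.
    LD_LIBRARY_PATH=../.. ../../apps/openssl "$@"
}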

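# Report the openssl version. This is also the first point at which a
# missing or unloadable ../../apps/openssl shows up, so stop here instead of
# running every later step against a binary that cannot start.
opensslcmd version || {
    echo "cannot run ../../apps/openssl" >&2
    exit 1
}

echo "Creating private keys and certs..."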

#####

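# Root CA private key: EC on the named curve secp521r1.
# No cipher or passphrase option is given, so root-key.pem is written
# unencrypted. The Test* subject names used below mark this as fixture
# material.
# Abort on failure: otherwise a root-key.pem left over from an earlier run
# would silently be used for the certificate below.
opensslcmd genpkey \
           -algorithm EC \
           -pkeyopt ec_paramgen_curve:secp521r1 \
           -pkeyopt ec_param_enc:named_curve \
           -out root-key.pem || exit 1

# Root CA certificate: self-signed with root-key.pem, valid for 3650 days.
# Everything signed further down chains to this certificate.
opensslcmd req \
           -config ca.cnf \
           -x509 \
           -days 3650 \
           -key root-key.pem \
           -subj /CN=TestRootCA \
           -out root-cert.pem || exit 1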
#####

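# Intermediate CA private key: EC on the named curve secp384r1, written
# unencrypted to intermediate-key.pem (no cipher option is given).
opensslcmd genpkey \
           -algorithm EC \
           -pkeyopt ec_paramgen_curve:secp384r1 \
           -pkeyopt ec_param_enc:named_curve \
           -out intermediate-key.pem || exit 1

# Intermediate CA certificate-signing-request.
opensslcmd req \
           -config ca.cnf \
           -new \
           -key intermediate-key.pem \
           -subj /CN=TestIntermediateCA \
           -out intermediate-csr.pem || exit 1

# Intermediate CA certificate, signed by the root CA, valid for 1825 days.
# "-copy_extensions copyall" copies every extension the CSR carries into the
# certificate without filtering. That is only reasonable here because the
# CSR was produced by this same script a step earlier.
# Each step stops the script on failure so a later step never signs with, or
# chains to, a stale file from a previous run.
opensslcmd req \
           -config ca.cnf \
           -x509 \
           -days 1825 \
           -CA root-cert.pem \
           -CAkey root-key.pem \
           -in intermediate-csr.pem \
           -copy_extensions copyall \
           -out intermediate-cert.pem || exit 1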
#####

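# Server private key: EC on the named curve prime256v1, written unencrypted
# to server-key.pem (no cipher option is given).
opensslcmd genpkey \
           -algorithm EC \
           -pkeyopt ec_paramgen_curve:prime256v1 \
           -pkeyopt ec_param_enc:named_curve \
           -out server-key.pem || exit 1

# Server certificate-signing-request. Extensions are taken from the usr_cert
# section of ca.cnf (that file is not part of this script).
opensslcmd req \
           -config ca.cnf \
           -extensions usr_cert \
           -new \
           -key server-key.pem \
           -subj /CN=TestServerCA \
           -out server-csr.pem || exit 1

# Server certificate, signed by the intermediate CA, valid for 365 days.
# "-copy_extensions copyall" accepts every extension present in the CSR;
# acceptable only because the CSR above is generated locally by this script.
# A failure in any step ends the script, so the certificate is never issued
# from a leftover key or CSR.
opensslcmd req \
           -config ca.cnf \
           -extensions usr_cert \
           -x509 \
           -days 365 \
           -CA intermediate-cert.pem \
           -CAkey intermediate-key.pem \
           -in server-csr.pem \
           -copy_extensions copyall \
           -out server-cert.pem || exit 1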
#####

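# Rebuild the "openssl ca" database from scratch: drop the old index files
# and create an empty index.txt (presumably the database named in ca.cnf,
# which is not visible here).
rm -f index.txt index.txt.attr
# ": >" creates/truncates the file in every POSIX shell. "echo -n" is not
# portable under #!/bin/sh: a shell whose echo does not treat -n as an option
# would write a literal "-n" line into the database.
: > index.txt || exit 1

# Record server-cert.pem in the database as a valid (not revoked) entry,
# using the intermediate CA's key and certificate.
opensslcmd ca \
           -config ca.cnf \
           -valid server-cert.pem \
           -keyfile intermediate-key.pem \
           -cert intermediate-cert.pem || exit 1

# Remove the backup copy of the index once the update has gone through.
rm -f index.txt.old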
#####

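# Assemble the bundles.
#   server.pem: server certificate + server private key + intermediate cert
#   ocsp.pem:   intermediate certificate + intermediate private key
# Both bundles embed a private key in the clear, so they need the same
# handling as the key files themselves.
# Stop if an input is missing, so "Done." is never printed over a truncated
# or incomplete bundle.
cat server-cert.pem server-key.pem intermediate-cert.pem > server.pem || exit 1
cat intermediate-cert.pem intermediate-key.pem > ocsp.pem || exit 1

echo "Done."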
