| #!/bin/sh |
| # |
| # Licensed to the Apache Software Foundation (ASF) under one or more |
| # contributor license agreements. See the NOTICE file distributed with |
| # this work for additional information regarding copyright ownership. |
| # The ASF licenses this file to You under the Apache License, Version 2.0 |
| # (the "License"); you may not use this file except in compliance with |
| # the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # |
| # |
| # This is the configuration file to treate the CA certificate of the |
| # _DEMONSTRATION ONLY_ 'Coyote' Certificate Authority. |
| # This CA is used to sign the localhost.crt and user.crt |
| # because self-signed server certificates are not accepted by all browsers. |
| # NEVER USE THIS CA YOURSELF FOR REAL LIFE! INSTEAD EITHER USE A PUBLICALLY |
| # KNOWN CA OR CREATE YOUR OWN CA! |
| |
| if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi |
| |
| PASSPHRASE="pass:secret" |
| # Encrypt all keys |
| GENRSA="$OPENSSL genrsa -des3" |
| # Uncomment for no key encryption |
| # GENRSA="$OPENSSL genrsa" |
| REQ="$OPENSSL req -new" |
| CA="$OPENSSL ca" |
| X509="$OPENSSL x509" |
| |
| $OPENSSL rand -out .rnd 8192 |
| $GENRSA -passout $PASSPHRASE -out ca.key -rand .rnd 1024 |
| |
| cat >ca.cfg <<EOT |
| [ ca ] |
| default_ca = default_db |
| [ default_db ] |
| dir = . |
| certs = . |
| new_certs_dir = ca.certs |
| database = ca.index |
| serial = ca.serial |
| RANDFILE = .rnd |
| certificate = ca.crt |
| private_key = ca.key |
| default_days = 365 |
| default_crl_days = 30 |
| default_md = md5 |
| preserve = no |
| name_opt = ca_default |
| cert_opt = ca_default |
| unique_subject = no |
| [ server_policy ] |
| countryName = supplied |
| stateOrProvinceName = supplied |
| localityName = supplied |
| organizationName = supplied |
| organizationalUnitName = supplied |
| commonName = supplied |
| emailAddress = supplied |
| [ server_cert ] |
| subjectKeyIdentifier = hash |
| authorityKeyIdentifier = keyid:always |
| extendedKeyUsage = serverAuth,clientAuth,msSGC,nsSGC |
| basicConstraints = critical,CA:false |
| [ user_policy ] |
| commonName = supplied |
| emailAddress = supplied |
| [ user_cert ] |
| subjectAltName = email:copy |
| basicConstraints = critical,CA:false |
| authorityKeyIdentifier = keyid:always |
| extendedKeyUsage = clientAuth,emailProtection |
| |
| [ req ] |
| default_bits = 1024 |
| default_keyfile = ca.key |
| distinguished_name = default_ca |
| x509_extensions = extensions |
| string_mask = nombstr |
| req_extensions = req_extensions |
| input_password = secret |
| output_password = secret |
| [ default_ca ] |
| countryName = Country Code |
| countryName_value = US |
| countryName_min = 2 |
| countryName_max = 2 |
| stateOrProvinceName = State Name |
| stateOrProvinceName_value = Delaware |
| localityName = Locality Name |
| localityName_value = Wilmington |
| organizationName = Organization Name |
| organizationName_value = Apache Software Foundation |
| organizationalUnitName = Organizational Unit Name |
| organizationalUnitName_value = Apache Tomcat |
| commonName = Common Name |
| commonName_value = Apache Tomcat demo root CA |
| commonName_max = 64 |
| emailAddress = Email Address |
| emailAddress_value = coyote@tomcat.apache.org |
| emailAddress_max = 40 |
| [ extensions ] |
| subjectKeyIdentifier = hash |
| authorityKeyIdentifier = keyid:always |
| basicConstraints = critical,CA:true |
| [ req_extensions ] |
| nsCertType = objsign,email,server |
| EOT |
| |
| $REQ -x509 -days 3650 -batch -config ca.cfg -key ca.key -out ca.crt |
| |
| # Create cabundle.crt that can be used for CAfile |
| cat >cabundle.crt <<EOT |
| Tomcat Demo Root CA |
| ========================================= |
| `$X509 -noout -fingerprint -in ca.crt` |
| PEM Data: |
| `$X509 -in ca.crt` |
| `$X509 -noout -text -in ca.crt` |
| EOT |
| |
| $GENRSA -passout $PASSPHRASE -out localhost.key -rand .rnd 1024 |
| |
| cat >localhost.cfg <<EOT |
| [ req ] |
| default_bits = 1024 |
| distinguished_name = localhost |
| string_mask = nombstr |
| req_extensions = extensions |
| input_password = secret |
| output_password = secret |
| [ localhost ] |
| countryName = Country Code |
| countryName_value = US |
| countryName_min = 2 |
| countryName_max = 2 |
| stateOrProvinceName = State Name |
| stateOrProvinceName_value = Delaware |
| localityName = Locality Name |
| localityName_value = Wilmington |
| organizationName = Organization Name |
| organizationName_value = Apache Software Foundation |
| organizationalUnitName = Organizational Unit Name |
| organizationalUnitName_value = Apache Tomcat |
| commonName = Common Name |
| commonName_value = Apache Tomcat localhost secure demo server |
| commonName_max = 64 |
| emailAddress = Email Address |
| emailAddress_value = tomcat@localhost.edu |
| emailAddress_max = 40 |
| [ extensions ] |
| nsCertType = server |
| basicConstraints = critical,CA:false |
| EOT |
| |
| $REQ -passin $PASSPHRASE -batch -config localhost.cfg -key localhost.key -out localhost.csr |
| rm -f localhost.cfg |
| |
| # make sure environment exists |
| if [ ! -d ca.certs ]; then |
| mkdir ca.certs |
| echo '01' >ca.serial |
| cp /dev/null ca.index |
| fi |
| |
| $CA -passin $PASSPHRASE -batch -config ca.cfg -extensions server_cert -policy server_policy -out x.crt -infiles localhost.csr |
| $X509 -in x.crt -out localhost.crt |
| rm -f x.crt |
| # Create PKCS12 localhost certificate |
| $OPENSSL pkcs12 -export -passout $PASSPHRASE -passin $PASSPHRASE -in localhost.crt -inkey localhost.key -certfile ca.crt -out localhost.p12 |
| |
| $GENRSA -passout $PASSPHRASE -out user.key -rand .rnd 1024 |
| |
| cat >user.cfg <<EOT |
| [ req ] |
| default_bits = 1024 |
| distinguished_name = admin |
| string_mask = nombstr |
| req_extensions = extensions |
| input_password = secret |
| output_password = secret |
| [ admin ] |
| commonName = User Name |
| commonName_value = Localhost Administrator |
| commonName_max = 64 |
| emailAddress = Email Address |
| emailAddress_value = admin@localhost.edu |
| emailAddress_max = 40 |
| [ extensions ] |
| nsCertType = client,email |
| basicConstraints = critical,CA:false |
| EOT |
| |
| $REQ -passin $PASSPHRASE -batch -config user.cfg -key user.key -out user.csr |
| rm -f user.cfg |
| $CA -passin $PASSPHRASE -batch -config ca.cfg -extensions user_cert -policy user_policy -out x.crt -infiles user.csr |
| $X509 -in x.crt -out user.crt |
| rm -f x.crt |
| |
| # $OPENSSL verify -CAfile ca.crt localhost.crt |
| # $OPENSSL verify -CAfile ca.crt user.crt |
| |
| # Create PKCS12 user certificate |
| $OPENSSL pkcs12 -export -passout $PASSPHRASE -passin $PASSPHRASE -in user.crt -inkey user.key -certfile ca.crt -out user.p12 |
| |
| rm -f ca.cfg |
| rm -f *.old |
| rm -f ca.index.attr |
| rm -f .rnd |