# This script needs openssl 0.9.8a or newer so that it can parse the
# otherName section of pkinit certificates.
10 # workaround until openssl -objects lands
11 if ${openssl} version |
grep '^OpenSSL 1\.[1-9]' >/dev
/null
; then
12 config
=openssl
.1.1.cnf
14 config
=openssl
.1.0.cnf
19 keytype
=${6:-rsa:4096}
28 -out cert.req
> /dev
/null
2>/dev
/null
30 if [ "$3" = "ca" ] ; then
40 ln -s ca.crt
`${openssl} x509 -hash -noout -in cert.crt`.0
44 elif [ "$3" = "proxy" ] ; then
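# Certificate matrix for the hx509 test suite.  From what is visible of
# gen_cert, its positional arguments are:
#   $1  subject DN
#   $2  issuing certificate name ("root" presumably means self-signed
#       -- TODO confirm in gen_cert)
#   $3  certificate name; "ca" and "proxy" receive special handling
#   $4  extension section name, presumably taken from ${config}
#       -- TODO confirm
#   $5  extra name (output name for proxy certificates; "XXX" placeholder
#       otherwise -- TODO confirm)
#   $6  key type, defaults to rsa:4096
gen_cert "/CN=hx509 Test Root CA/C=SE" "root" "ca" "v3_ca"
gen_cert "/CN=OCSP responder/C=SE" "ca" "ocsp-responder" "ocsp"
gen_cert "/CN=Test cert/C=SE" "ca" "test" "usr"
gen_cert "/CN=Revoke cert/C=SE" "ca" "revoke" "usr"
gen_cert "/CN=Test cert KeyEncipherment/C=SE" "ca" "test-ke-only" "usr_ke"
gen_cert "/CN=Test cert DigitalSignature/C=SE" "ca" "test-ds-only" "usr_ds"
gen_cert "/CN=pkinit/C=SE" "ca" "pkinit" "pkinit_client"
# Curve parameters for the EC pkinit client cert generated right after.
# ${openssl} is braced here for consistency with every other invocation
# in the script.
${openssl} ecparam -name secp256r1 -out eccurve.pem
gen_cert "/CN=pkinit-ec/C=SE" "ca" "pkinit-ec" "pkinit_client" "XXX" ec:eccurve.pem
gen_cert "/C=SE/CN=pkinit/CN=pkinit-proxy" "pkinit" "proxy" "proxy_cert" pkinit-proxy
gen_cert "/CN=kdc/C=SE" "ca" "kdc" "pkinit_kdc"
gen_cert "/CN=www.test.h5l.se/C=SE" "ca" "https" "https"
gen_cert "/CN=Sub CA/C=SE" "ca" "sub-ca" "subca"
gen_cert "/CN=Test sub cert/C=SE" "sub-ca" "sub-cert" "usr"
# Proxy certificate chains of increasing depth, plus one issued with the
# non-proxy "usr_cert" section so the tests can check that it is rejected
# as a proxy (inferred from the name -- TODO confirm).
gen_cert "/C=SE/CN=Test cert/CN=proxy" "test" "proxy" "proxy_cert" proxy-test
gen_cert "/C=SE/CN=Test cert/CN=proxy/CN=child" "proxy-test" "proxy" "proxy_cert" proxy-level-test
gen_cert "/C=SE/CN=Test cert/CN=no-proxy" "test" "proxy" "usr_cert" no-proxy-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10" "test" "proxy" "proxy10_cert" proxy10-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child" "proxy10-test" "proxy" "proxy10_cert" proxy10-child-test
gen_cert "/C=SE/CN=Test cert/CN=proxy10/CN=child/CN=child" "proxy10-child-test" "proxy" "proxy10_cert" proxy10-child-child-test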
# Concatenated PEM bundles used by later steps; the file order within each
# bundle is kept exactly as before.  "--" keeps cat from treating a file
# name as an option.
# sub CA certificate followed by the root CA certificate
cat -- sub-ca.crt ca.crt >sub-ca-combined.crt
# proxy certificate followed by the pkinit certificate it chains to
cat -- pkinit-proxy.crt pkinit.crt >pkinit-proxy-chain.crt
# test certificate together with its private key in one file
cat -- test.crt test.key >test.combined.crt
# Passphrase-protected (AES-256) copies of two private keys.  The
# passphrases are fixed test-fixture values, presumably expected by the
# tests that read test-pw.key and pkinit-pw.key -- TODO confirm.  Passed as
# "pass:" arguments they appear in the process argument list, which is
# acceptable here only because these are throwaway test keys.
${openssl} rsa -aes256 -passout pass:foo -out pkinit-pw.key -in pkinit.key
${openssl} rsa -aes256 -passout pass:foobar -out test-pw.key -in test.key
125 -passout pass
:foobar \
127 -name "friendlyname-test" \
134 -inkey sub-cert.key \
135 -passout pass
:foobar \
137 -name "friendlyname-sub-cert" \
138 -certfile sub-ca-combined.crt \
148 -passout pass
:foobar \
150 -name "friendlyname-cert" \
162 -out test-signed-data
173 -out test-signed-data-noattr
185 -out test-signed-data-noattr-nocerts
196 -out test-signed-sha-1
207 -out test-signed-sha-256
218 -out test-signed-sha-512
227 -out test-enveloped-rc2-40 \
237 -out test-enveloped-rc2-64 \
247 -out test-enveloped-rc2-128 \
257 -out test-enveloped-des \
267 -out test-enveloped-des-ede3 \
277 -out test-enveloped-aes-128 \
287 -out test-enveloped-aes-256 \
296 -reqout ocsp-req1.der
300 -rsigner ocsp-responder.crt \
301 -rkey ocsp-responder.key \
303 -reqin ocsp-req1.der \
305 -respout ocsp-resp1-ocsp.der
312 -reqin ocsp-req1.der \
314 -respout ocsp-resp1-ca.der
318 -rsigner ocsp-responder.crt \
319 -rkey ocsp-responder.key \
322 -reqin ocsp-req1.der \
324 -respout ocsp-resp1-ocsp-no-cert.der
328 -rsigner ocsp-responder.crt \
329 -rkey ocsp-responder.key \
331 -reqin ocsp-req1.der \
334 -respout ocsp-resp1-keyhash.der
339 -reqout ocsp-req2.der
343 -rsigner ocsp-responder.crt \
344 -rkey ocsp-responder.key \
346 -reqin ocsp-req2.der \
348 -respout ocsp-resp2.der
356 -crl_reason superseded \
360 ${openssl} crl
-in crl1.crl
-outform der
-out crl1.der