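#!/bin/bash
####################################################################
# A script to create development certificates for Mutual TLS testing
#
# Steps, in order:
#   1. create three CAs via pki/create_ca.sh (server TLS, client
#      certificates, software statement assertions)
#   2. issue a server (TLS) key/cert from the first CA
#   3. issue a client key/cert from the second CA
#   4. move/copy the resulting artefacts into the certs folder
#
# Requires openssl on PATH plus pki/create_ca.sh, pki/openssl.cnf,
# pki/openssl-client.cnf and pki/openssl-intermediate.cnf next to it.
# All passwords below are development-only values.
####################################################################
set -euo pipefail
#
# Certificate parameters
#
readonly SSL_ROOT_CERT_NAME='Root CA for TLS Testing'
readonly SSL_INTERMEDIATE_CERT_NAME='Issuing CA for TLS Testing'
readonly TLS_CERT_FILE_PREFIX='example.tls'
readonly TLS_CERT_NAME='CN=*.example.com'
readonly ACCREDITED_ROOT_CERT_NAME='Root CA for Client Certificates'
readonly ACCREDITED_INTERMEDIATE_CERT_NAME='Issuing CA for Client Certificates'
readonly CLIENT_CERT_NAME="example.client"
readonly CLIENT_CERT_FILE_PREFIX='example.client'
readonly SSL_CA_NAME='trusted-ca'
readonly ACCREDITED_CA_NAME='accredited-ca'
readonly SSA_CA_NAME='ssa-ca'
# Passphrases are exported and handed to openssl as "env:NAME" so they never
# appear on a command line (visible via ps or set -x).
export TLS_CERT_PASSWORD='Password1'
export CLIENT_CERT_PASSWORD='Password1'
readonly TLS_CERT_PASSWORD CLIENT_CERT_PASSWORD
# Get local directory
D=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
readonly D

#######################################
# Create the root + issuing CA pairs that sign everything below.
# Globals: D, *_CA_NAME, *_CERT_NAME (read)
# Outputs: whatever pki/create_ca.sh produces under pki/<ca-name>
#######################################
create_cas() {
  "$D"/pki/create_ca.sh "$SSL_CA_NAME" "$SSL_ROOT_CERT_NAME" "$SSL_INTERMEDIATE_CERT_NAME"
  "$D"/pki/create_ca.sh "$ACCREDITED_CA_NAME" "$ACCREDITED_ROOT_CERT_NAME" "$ACCREDITED_INTERMEDIATE_CERT_NAME"
  "$D"/pki/create_ca.sh "$SSA_CA_NAME" "Root CA for Open Banking Brazil" "Software Statement Assertion Issuer"
}

#######################################
# Create the SSL certificate that back end components will use:
# encrypted RSA key -> CSR -> cert signed by the SSL issuing CA -> PKCS#12.
# Globals: D, SSL_CA_NAME, TLS_CERT_* (read); TLS_CERT_PASSWORD (env, read by openssl)
# Outputs: key/csr/cer/p12 under pki/<SSL_CA_NAME>/intermediate
#######################################
create_server_cert() {
  local ca_dir="$D"/pki/"$SSL_CA_NAME"
  local key="$ca_dir"/intermediate/private/"$TLS_CERT_FILE_PREFIX".key
  local csr="$ca_dir"/intermediate/csr/"$TLS_CERT_FILE_PREFIX".csr
  local cer="$ca_dir"/intermediate/certs/"$TLS_CERT_FILE_PREFIX".cer
  local p12="$ca_dir"/intermediate/private/"$TLS_CERT_FILE_PREFIX".p12

  # NOTE(review): the cd looks like it exists so that openssl-intermediate.cnf
  # can use paths relative to the CA directory — confirm against that config.
  cd "$ca_dir"
  openssl genrsa -aes256 -passout env:TLS_CERT_PASSWORD -out "$key" 2048
  chmod 400 "$key"
  echo '*** Successfully created TLS key.'
  openssl req \
    -new \
    -config "$D"/pki/openssl.cnf \
    -extensions server_cert \
    -passin env:TLS_CERT_PASSWORD \
    -key "$key" \
    -out "$csr" \
    -subj "/${TLS_CERT_NAME//,//}"   # "CN=a,O=b" -> "/CN=a/O=b" (openssl -subj syntax)
  echo '*** Successfully created TLS server certificate signing request.'
  openssl ca -config "$D"/pki/openssl-intermediate.cnf \
    -batch \
    -extensions server_cert \
    -days 365 \
    -notext \
    -md sha256 \
    -in "$csr" \
    -out "$cer"
  echo '*** Successfully created TLS server certificate.'
  # -name is quoted: the wildcard CN would otherwise be subject to globbing.
  openssl pkcs12 \
    -export -inkey "$key" \
    -in "$cer" \
    -passin env:TLS_CERT_PASSWORD \
    -name "$TLS_CERT_NAME" \
    -out "$p12" \
    -passout env:TLS_CERT_PASSWORD
  echo '*** Successfully exported TLS certificate to a PKCS#12 file.'
}

#######################################
# Create the client certificate that the example TPP will use:
# encrypted RSA key -> CSR (subject from openssl-client.cnf) -> cert signed
# by the accredited issuing CA with the obb_cert extensions -> PKCS#12.
# Globals: D, ACCREDITED_CA_NAME, CLIENT_CERT_* (read); CLIENT_CERT_PASSWORD (env)
# Outputs: key/csr/cer/p12 under pki/<ACCREDITED_CA_NAME>/intermediate
#######################################
create_client_cert() {
  local ca_dir="$D"/pki/"$ACCREDITED_CA_NAME"
  local key="$ca_dir"/intermediate/private/"$CLIENT_CERT_FILE_PREFIX".key
  local csr="$ca_dir"/intermediate/csr/"$CLIENT_CERT_FILE_PREFIX".csr
  local cer="$ca_dir"/intermediate/certs/"$CLIENT_CERT_FILE_PREFIX".cer
  local p12="$ca_dir"/intermediate/private/"$CLIENT_CERT_FILE_PREFIX".p12

  cd "$ca_dir"
  openssl genrsa -aes256 -passout env:CLIENT_CERT_PASSWORD -out "$key" 2048
  # Same owner-only permissions as the server key.
  chmod 400 "$key"
  echo '*** Successfully created client key'
  openssl req \
    -config "$D"/pki/openssl-client.cnf \
    -new \
    -passin env:CLIENT_CERT_PASSWORD \
    -key "$key" \
    -out "$csr"
  echo '*** Successfully created client certificate signing request'
  openssl ca -config "$D"/pki/openssl-intermediate.cnf \
    -batch \
    -extensions obb_cert \
    -days 365 \
    -notext \
    -md sha256 \
    -in "$csr" \
    -out "$cer"
  echo '*** Successfully created client certificate'
  openssl pkcs12 \
    -export \
    -inkey "$key" \
    -in "$cer" \
    -passin env:CLIENT_CERT_PASSWORD \
    -name "$CLIENT_CERT_NAME" \
    -out "$p12" \
    -passout env:CLIENT_CERT_PASSWORD
  echo '*** Successfully exported client certificate to a PKCS#12 file'
}

#######################################
# Move/copy the generated material into the certs folder.
# Globals: D, *_CA_NAME, *_FILE_PREFIX (read)
# Outputs: files under certs/, certs/ssl-client-truststore/, certs/signature-verification/
#######################################
publish_to_certs() {
  local certs_dir="$D"/certs
  # No-op when the folders already exist; avoids a cryptic mv failure otherwise.
  mkdir -p "$certs_dir"/ssl-client-truststore "$certs_dir"/signature-verification

  # Copy trustchains of all created CAs to certs folder
  mv "$D"/pki/*.trustchain.pem "$certs_dir"
  # Copy server certificate and keystore to certs
  mv "$D"/pki/"$SSL_CA_NAME"/intermediate/private/"$TLS_CERT_FILE_PREFIX".p12 "$certs_dir"
  cp "$D"/pki/"$SSL_CA_NAME"/intermediate/certs/"$TLS_CERT_FILE_PREFIX".cer "$certs_dir"
  # Copy client certificate and keystore to certs
  mv "$D"/pki/"$ACCREDITED_CA_NAME"/intermediate/private/"$CLIENT_CERT_FILE_PREFIX".p12 "$certs_dir"
  cp "$D"/pki/"$ACCREDITED_CA_NAME"/intermediate/certs/"$CLIENT_CERT_FILE_PREFIX".cer "$certs_dir"
  ## Copy trusted issuers and signature verification keys
  cp "$D"/pki/"$ACCREDITED_CA_NAME"/intermediate/certs/intermediate.ca.cer "$certs_dir"/ssl-client-truststore/"$ACCREDITED_CA_NAME".issuer.cer
  cp "$D"/pki/"$SSA_CA_NAME"/intermediate/certs/intermediate.ca.cer "$certs_dir"/signature-verification/"$SSA_CA_NAME".issuer.cer
  ## Required for signing the software statement
  # This is the SSA issuing CA's private key; it is placed in certs/ only
  # because the development signing step reads it from there.
  cp "$D"/pki/"$SSA_CA_NAME"/intermediate/private/intermediate.ca.key "$certs_dir"/"$SSA_CA_NAME".issuer.key
  openssl rsa -in "$certs_dir"/"$SSA_CA_NAME".issuer.key -pubout -out "$certs_dir"/"$SSA_CA_NAME".issuer.pub
  echo '*** Successfully moved generated certificates and keys to certs folder.'
}

main() {
  create_cas
  create_server_cert
  create_client_cert
  publish_to_certs
}
main "$@"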