-
Notifications
You must be signed in to change notification settings - Fork 0
/
createCerts.sh
executable file
·131 lines (115 loc) · 3.29 KB
/
createCerts.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
#!/bin/bash
##############################################################
# A script to create a token signing certificate and a Root CA
##############################################################
rm -rf certs
mkdir -p certs
cd certs
set -e
#
# Point to the OpenSSL configuration file for macOS or Windows
#
case "$(uname -s)" in
Darwin)
export OPENSSL_CONF='/System/Library/OpenSSL/openssl.cnf'
;;
MINGW64*)
export OPENSSL_CONF='C:/Program Files/Git/usr/ssl/openssl.cnf';
export MSYS_NO_PATHCONV=1;
;;
esac
ROOT_CERT_FILE_PREFIX='root'
ROOT_CERT_DESCRIPTION='Root CA for x5c Testing'
INTERMEDIATE_CERT_FILE_PREFIX='intermediate'
INTERMEDIATE_CERT_DESCRIPTION='Intermediate CA for x5c Testing'
SIGNING_CERT_FILE_PREFIX='signing'
SIGNING_PKCS12_PASSWORD='Password1'
#
# Create the root CA key
#
openssl genrsa -out $ROOT_CERT_FILE_PREFIX.key 2048
echo '*** Successfully created Root CA key'
#
# Create a root CA with a 10 year lifetime
#
openssl req \
-x509 \
-new \
-nodes \
-key $ROOT_CERT_FILE_PREFIX.key \
-out $ROOT_CERT_FILE_PREFIX.pem \
-subj "/CN=$ROOT_CERT_DESCRIPTION" \
-reqexts v3_req \
-extensions v3_ca \
-sha256 \
-days 3650
echo '*** Successfully created Root CA'
#
# Create the intermediate CA key
#
openssl genrsa -out $INTERMEDIATE_CERT_FILE_PREFIX.key 2048
echo '*** Successfully created intermediate key'
#
# Create the intermediate signing request file
#
openssl req \
-new \
-key $INTERMEDIATE_CERT_FILE_PREFIX.key \
-out $INTERMEDIATE_CERT_FILE_PREFIX.csr \
-subj "/CN=x5c-test-intermediate-cert"
echo '*** Successfully created intermediate certificate request'
#
# Create an intermediate CA with a 10 year lifetime
#
openssl x509 \
-req \
-in $INTERMEDIATE_CERT_FILE_PREFIX.csr \
-CA $ROOT_CERT_FILE_PREFIX.pem \
-CAkey $ROOT_CERT_FILE_PREFIX.key \
-CAcreateserial \
-out $INTERMEDIATE_CERT_FILE_PREFIX.pem \
-sha256 \
-days 3650
echo '*** Successfully created Intermediate CA'
#
# Create the signing key
#
openssl genrsa -out $SIGNING_CERT_FILE_PREFIX.key 2048
echo '*** Successfully created signing key'
#
# Create the certificate signing request file
#
openssl req \
-new \
-key $SIGNING_CERT_FILE_PREFIX.key \
-out $SIGNING_CERT_FILE_PREFIX.csr \
-subj "/CN=x5c-test-signing-cert"
echo '*** Successfully created token signing certificate request'
#
# Create the signing certificate and private key with a 6 month lifetime
#
openssl x509 \
-req \
-in $SIGNING_CERT_FILE_PREFIX.csr \
-CA $INTERMEDIATE_CERT_FILE_PREFIX.pem \
-CAkey $INTERMEDIATE_CERT_FILE_PREFIX.key \
-CAcreateserial \
-out $SIGNING_CERT_FILE_PREFIX.pem \
-sha256 \
-days 180
echo '*** Successfully created token signing certificate'
#
# Include the full chain in the certificate file
#
cat signing.pem intermediate.pem root.pem > tokenSigningCertChain.pem
#
# Create a password protected PKCS#12 file with the private key and trust chain, to be imported into the Curity Identity Server to
#
openssl pkcs12 \
-export \
-inkey $SIGNING_CERT_FILE_PREFIX.key \
-in tokenSigningCertChain.pem \
-name $SIGNING_CERT_FILE_PREFIX \
-out $SIGNING_CERT_FILE_PREFIX.p12 \
-passout pass:$SIGNING_PKCS12_PASSWORD
echo '*** Successfully exported token signing certificate to a PKCS#12 file'