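#!/bin/sh
#
# Build a throwaway "external" root CA in an NSS database under tmp/external
# and use it to sign the CA signing CSR, so the result can be imported as an
# externally-signed CA certificate.
#
# Inputs (paths relative to the working directory):
#   password.txt          NSS database password, read by certutil -f
#   tmp/ca_signing.csr    PEM CSR of the CA signing key to be certified
# Outputs:
#   tmp/external/         NSS database holding "External CA" and the issued cert
#   tmp/external.crt      PEM root certificate of "External CA"
#   tmp/ca_signing.crt    PEM certificate issued to the CSR by "External CA"
#
# This script is run under /bin/sh, so it must stay POSIX-clean. The previous
# revision relied on bash-only features that silently misbehave under dash:
#   - $RANDOM expands to nothing, so "-m $RANDOM" made -m swallow the next flag
#     (and even under bash a 15-bit serial number collides easily);
#   - "echo -e" prints a literal "-e" instead of interpreting the \n answers;
#   - $HOSTNAME is unset, so the OCSP URL became "http://:8080/ca/ocsp".
# Everything below uses printf, $(...) and explicit fallbacks instead.

set -eu

# Print a message to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print a fresh random certificate serial number in decimal.
# certutil -m takes a non-negative decimal integer. 56 random bits stay well
# inside a signed 64-bit long while making cross-run collisions negligible;
# a production CA should use >= 64 bits of CSPRNG output per RFC 5280 / CA-B.
# NOTE(review): confirm the -m width accepted by your NSS version.
new_serial() {
  printf '%d\n' "$(( 0x$(openssl rand -hex 7) ))"
}

# Fail fast on missing inputs instead of discovering them halfway through.
[ -r password.txt ] || die "password.txt (NSS database password) not found"
[ -r tmp/ca_signing.csr ] || die "tmp/ca_signing.csr not found; generate the CA signing CSR first"

# Fresh NSS database for the external root. Only ever a scratch directory.
rm -rf -- tmp/external
mkdir -p tmp/external
certutil -N -d tmp/external -f password.txt
# Seed material for key generation (certutil -z).
openssl rand -out tmp/external/noise.bin 2048

echo "## Generating external CA certificate..."
ROOTCA_SKID="0x$(openssl rand -hex 20)"
# Answers to certutil's interactive extension prompts, fed on stdin.
# Presumed order for -2 then --extSKID: CA? y, path length: (skip),
# critical? y, key identifier value, critical? (default) -- verify against
# your certutil version if the prompts change.
# Trust flags "CTu,Cu,Cu" make this root trusted inside the scratch DB only.
# Keep the space before the line continuation after the serial number: a
# missing one glued "-2" onto the serial and dropped the basicConstraints flag.
printf 'y\n\ny\n%s\n\n\n' "$ROOTCA_SKID" | \
certutil -S \
  -d tmp/external \
  -f password.txt \
  -z tmp/external/noise.bin \
  -n "External CA" \
  -s "CN=External CA,O=EXTERNAL" \
  -x \
  -t "CTu,Cu,Cu" \
  -m "$(new_serial)" \
  -2 \
  --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
  --extSKID
# --nsCertType sslCA,smimeCA,objectSigningCA

echo "## Exporting external CA certificate..."
certutil -L -d tmp/external -n "External CA" -a > tmp/external.crt

echo "## Signing the CA signing certificate..."
SUBCA_SKID="0x$(openssl rand -hex 20)"
# $HOSTNAME is a bash/ksh variable; fall back to hostname(1) under plain sh.
SUBCA_OCSP="http://${HOSTNAME:-$(hostname)}:8080/ca/ocsp"
# Prompt answers, in the order the original script fed them: basic
# constraints (-2), authority key id (-3) pointing at the root's SKID, the
# subordinate's own SKID, then an AIA entry of type 2 (OCSP) with a general
# name of type 7 (URI). The path-length prompt is left empty, so the issued
# CA carries no pathLenConstraint -- presumably intended; confirm.
printf 'y\n\ny\ny\n%s\n\n\n\n%s\n\n2\n7\n%s\n\n\n\n\n' \
  "$ROOTCA_SKID" "$SUBCA_SKID" "$SUBCA_OCSP" | \
certutil -C \
  -d tmp/external \
  -f password.txt \
  -m "$(new_serial)" \
  -a \
  -i tmp/ca_signing.csr \
  -o tmp/ca_signing.crt \
  -c "External CA" \
  -2 -3 \
  --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
  --extAIA \
  --extSKID

echo "## Generating certificate chain..."
# Import the issued certificate next to its issuer so the scratch DB holds the
# full chain.
certutil -A -d tmp/external -n "CA Signing Certificate" -t "CT,C,C" -a -i tmp/ca_signing.crt
# Alternatives kept from the original script, currently disabled:
#openssl crl2pkcs7 -nocrl -certfile tmp/external.crt -out tmp/cert_chain.p7b
#openssl crl2pkcs7 -nocrl -certfile tmp/external.crt -certfile tmp/ca_signing.crt -out tmp/cert_chain.p7b
#certutil -C \
# -d tmp/external \
# -f password.txt \
# -m "$(new_serial)" \
# -a \
# -i tmp/ca_signing.csr \
# -o tmp/ca_signing.crt \
# -c "External CA"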