summaryrefslogtreecommitdiffstats
path: root/scripts/ca-external-openssl-sign.sh
diff options
context:
space:
mode:
authorEndi S. Dewata <edewata@redhat.com>2017-09-14 16:15:33 +0200
committerEndi S. Dewata <edewata@redhat.com>2017-09-14 16:15:33 +0200
commit931c891fffd8811ac229728ae8132d72132f20f7 (patch)
treeb56e93242962e3f3f3a51e78563065c2f0dd131f /scripts/ca-external-openssl-sign.sh
parentf06c93dd855ca8ad38298a7bbb799f6192a0e239 (diff)
downloadpki-dev-931c891fffd8811ac229728ae8132d72132f20f7.tar.gz
pki-dev-931c891fffd8811ac229728ae8132d72132f20f7.tar.xz
pki-dev-931c891fffd8811ac229728ae8132d72132f20f7.zip
Updated CA scripts.
Diffstat (limited to 'scripts/ca-external-openssl-sign.sh')
-rwxr-xr-xscripts/ca-external-openssl-sign.sh106
1 files changed, 106 insertions, 0 deletions
diff --git a/scripts/ca-external-openssl-sign.sh b/scripts/ca-external-openssl-sign.sh
new file mode 100755
index 0000000..1d76d0d
--- /dev/null
+++ b/scripts/ca-external-openssl-sign.sh
@@ -0,0 +1,106 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/external.cfg << EOF
+HOME = tmp
+RANDFILE = tmp/random.bin
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+
+default_days = 1000 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+x509_extensions = ca_extensions # The extensions to add to the cert
+
+email_in_dn = no # Don't concat the email in the DN
+copy_extensions = copy # Required to copy SANs from CSR to cert
+
+####################################################################
+[ req ]
+default_bits = 4096
+default_keyfile = tmp/external.key
+distinguished_name = ca_distinguished_name
+x509_extensions = ca_extensions
+string_mask = utf8only
+
+####################################################################
+[ ca_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Maryland
+
+localityName = Locality Name (eg, city)
+localityName_default = Baltimore
+
+organizationName = Organization Name (eg, company)
+organizationName_default = Test CA, Limited
+
+organizationalUnitName = Organizational Unit (eg, division)
+organizationalUnitName_default = Server Research Department
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_default = Test CA
+
+emailAddress = Email Address
+emailAddress_default = test@example.com
+
+####################################################################
+[ ca_extensions ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always, issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
+EOF
+
+openssl req \
+ -config tmp/external.cfg \
+ -newkey rsa:2048 \
+ -keyout tmp/external.key \
+ -nodes \
+ -x509 \
+ -out tmp/external.crt \
+ -subj "/O=EXTERNAL/CN=External CA" \
+ -days 365
+
+openssl x509 -text -noout -in tmp/external.crt
+
+################################################################################
+# Issuing CA signing certificate
+
+cat > tmp/ca_signing-ext.cfg << EOF
+[ ca_extensions ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always, issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
+EOF
+
+openssl x509 -req \
+ -CA tmp/external.crt \
+ -CAkey tmp/external.key \
+ -CAcreateserial \
+ -in tmp/ca_signing.csr \
+ -out tmp/ca_signing.crt \
+ -extfile tmp/external.cfg \
+ -extensions ca_extensions \
+ -set_serial 1
+
+openssl x509 -text -noout -in tmp/ca_signing.crt
+
+################################################################################
+# Exporting certificate chain
+
+openssl crl2pkcs7 -nocrl \
+ -certfile tmp/external.crt \
+ -out tmp/cert_chain.p7b