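#!/bin/ksh

# $Header$
#
# gencert - generate new CA, server and user certificates for NSS testing.
#
# Usage: gencert <destdir>
#
# Creates an NSS certificate/key database in <destdir> (password "httptest")
# holding a self-signed CA ("cacert"), a client certificate ("alpha") and a
# server certificate ("Server-Cert"), the latter two signed by that CA.
#
# Note that this script requires the Korn shell.

NSSDIR=/path/to/NSS_3_9_RTM/
NSPRDIR=/path/to/nspr4.4.1/

export LD_LIBRARY_PATH=$NSPRDIR/lib:$NSSDIR/lib
CERTUTIL=$NSSDIR/bin/certutil

# Note: In order for the client tests that ship with this module to work
# properly with this test certificate you need to ensure that the domain of
# the server is the same as your domain. Otherwise you will get an error message
# like -12776 (requested domain name does not match the server's certificate).

CA_CERTDN="CN=Certificate Shack, O=TestCentral, C=US"
SERVER_CERTDN="CN=www.testcentral.com, O=TestCentral, C=US"
ALPHA_CERTDN="E=alpha@testcentral.com, CN=Frank Alpha, UID=alpha, OU=People, O=TestCentral, C=US"

# size of the keys - this needs to be 512 for export servers
KEYSIZE=1024

# validity of the certs in months
VALIDITY=48

# starting point of serial numbers. 1 is the CA, 2 is the client cert "alpha"
# 3 is the server cert "Server-Cert".
CERTSERIAL=0

# Password of the generated key database. It is written to a temporary file
# for certutil -f and removed again before the script exits.
DBPASSWORD=httptest

# Print an error message to stderr and abort the script.
die() {
    echo "ERROR: $*" 1>&2
    exit 1
}

# Print a section banner; each argument becomes one line of the banner.
banner() {
    echo ""
    echo "#####################################################################"
    for line in "$@"
    do
        echo "$line"
    done
    echo "#####################################################################"
}

# Collect some system state into $DEST/noise, used as the seed file for
# certutil's -z option. This is not a high-quality entropy source; it is
# only acceptable because the result is a test fixture.
gen_noise() {
    (ps -elf; date; netstat -a) > "$DEST/noise"
}

# Remove the clear-text password file, the seed file and any intermediate
# request/certificate files. Installed as an EXIT trap so that a failure
# part-way through does not leave the password file behind.
cleanup() {
    rm -f -- "$DEST/pw.txt" "$DEST/noise" "$DEST/tmpcertreq" "$DEST/tmpcert.der"
}

if [ $# -lt 1 ]
then
    echo "usage: $0 <destdir>" 1>&2
    exit 1
fi
if [ ! -d "$1" ] || [ ! -w "$1" ]
then
    echo "ERROR: $1 must be writable directory." 1>&2
    exit 1
fi

DEST=$1
trap cleanup EXIT

# The password file is owner-readable only: it holds the key database
# password in clear text, so restrict it regardless of the caller's umask.
(umask 077; echo "$DBPASSWORD" > "$DEST/pw.txt") || die "cannot write $DEST/pw.txt"

banner "Generating new server certificate and key database. The password" \
       "is httptest"
"$CERTUTIL" -N -d "$DEST" -f "$DEST/pw.txt" || die "certutil -N failed"

banner "Generating self-signed client CA certificate"
gen_noise
CERTSERIAL=$((CERTSERIAL + 1))
# The answers to certutil's extension prompts are fed on stdin. printf is
# used rather than echo so the "\n" escapes are interpreted the same way in
# every shell.
# 5 9 n  -> Cert signing key
# y 10 y  -> basic constraints: CA cert
# 5 6 7 9 n  -> SSL, S/MIME, Object signing CA
printf '5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n\n' | \
"$CERTUTIL" -S -d "$DEST" -n cacert \
            -s "$CA_CERTDN" \
            -x \
            -t CTu,CTu,CTu \
            -g "$KEYSIZE" \
            -m "$CERTSERIAL" \
            -v "$VALIDITY" \
            -f "$DEST/pw.txt" \
            -z "$DEST/noise" \
            -2 \
            -1 \
            -5 || die "certutil -S (CA certificate) failed"

banner "Generating user certificate for \"alpha\"."
gen_noise
CERTSERIAL=$((CERTSERIAL + 1))
# 0 2 9 n  -> Key usage: Key Encipherment, Digital Signature
# 0 9 n  -> SSL Client
printf '0\n2\n9\nn\n0\n9\nn\n\n' | \
"$CERTUTIL" -S -d "$DEST" -n alpha \
            -s "$ALPHA_CERTDN" \
            -c cacert \
            -t u,pu,u \
            -g "$KEYSIZE" \
            -m "$CERTSERIAL" \
            -v "$VALIDITY" \
            -f "$DEST/pw.txt" \
            -z "$DEST/noise" \
            -1 \
            -5 || die "certutil -S (user certificate) failed"

banner "Generating server certificate request"
gen_noise
"$CERTUTIL" -R -d "$DEST" \
            -s "$SERVER_CERTDN" \
            -o "$DEST/tmpcertreq" \
            -g "$KEYSIZE" \
            -z "$DEST/noise" \
            -f "$DEST/pw.txt" || die "certutil -R failed"

banner "Generating server certificate"
CERTSERIAL=$((CERTSERIAL + 1))
# 2 9 n  -> Key usage: Key Encipherment
# 1 9 n  -> SSL Server
printf '2\n9\nn\n1\n9\nn\n\n' | \
"$CERTUTIL" -C -d "$DEST" \
            -c cacert \
            -i "$DEST/tmpcertreq" \
            -o "$DEST/tmpcert.der" \
            -m "$CERTSERIAL" \
            -v "$VALIDITY" \
            -f "$DEST/pw.txt" \
            -1 \
            -5 || die "certutil -C failed"

rm -f -- "$DEST/tmpcertreq"

banner "Importing server certificate into server cert DB"
"$CERTUTIL" -A -d "$DEST" -n Server-Cert \
            -t u,u,u \
            -i "$DEST/tmpcert.der" \
            -f "$DEST/pw.txt" || die "certutil -A failed"

rm -f -- "$DEST/tmpcert.der"

banner "Cleaning up"
# The EXIT trap would remove these as well; doing it here keeps the
# explicit step visible in the output.
rm -f -- "$DEST/pw.txt"
rm -f -- "$DEST/noise"

echo ""
echo "The database password is httptest"
echo ""

exit 0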