
openssl/0.9.8g/demos/ssltest-ecc/ECCcertgen.sh

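    #!/bin/sh
    # Generate the ECC test certificates used by the ssltest-ecc demo: a
    # self-signed CA, plus a server and a client certificate issued by that CA.
    #
    # For a list of supported curves, use "apps/openssl ecparam -list_curves".
    #
    # Generating an EC certificate involves the following main steps
    # 1. Generating curve parameters (if needed)
    # 2. Generating a certificate request
    # 3. Signing the certificate request
    # 4. [Optional] One can combine the cert and private key into a single
    #    file and also delete the certificate request
    #
    # Every step below consumes a file written by an earlier one, so the script
    # aborts on the first failing command instead of carrying on and leaving
    # half-written, unusable output behind.
    set -e

    # Path to the openssl distribution
    OPENSSL_DIR=../..
    # Path to the openssl program
    OPENSSL_CMD=$OPENSSL_DIR/apps/openssl
    # Configuration file (used for the requests and for the v3_ca extensions)
    OPENSSL_CNF=$OPENSSL_DIR/apps/openssl.cnf
    # Directory where certificates are stored
    CERTS_DIR=./Certs
    # Directory where private key files are stored
    KEYS_DIR=$CERTS_DIR
    # Directory where combo files (containing a certificate and corresponding
    # private key together) are stored
    COMBO_DIR=$CERTS_DIR
    # cat command
    CAT=/bin/cat
    # rm command
    RM=/bin/rm
    # mkdir command
    MKDIR=/bin/mkdir
    # The certificate will expire these many days after the issue date.
    DAYS=1500

    # NOTE: the secp160* curves are used only to keep this demo fast. 160-bit
    # curves are well below current recommendations and are for testing only.
    TEST_CA_CURVE=secp160r1
    TEST_CA_FILE=secp160r1TestCA
    TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (Elliptic curve secp160r1)"

    TEST_SERVER_CURVE=secp160r2
    TEST_SERVER_FILE=secp160r2TestServer
    TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (Elliptic curve secp160r2)"

    TEST_CLIENT_CURVE=secp160r2
    TEST_CLIENT_FILE=secp160r2TestClient
    TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (Elliptic curve secp160r2)"

    # Fail early with a clear message rather than on the first openssl call.
    if [ ! -x "$OPENSSL_CMD" ]; then
        echo "$0: openssl program not found at $OPENSSL_CMD (build the distribution first)" >&2
        exit 1
    fi

    # WARNING: the -nodes option used below stores every private key in the
    # clear (rather than encrypted with a password). Create all files and
    # directories owner-only so the keys are never world-readable, not even
    # briefly; the demo harness runs as the same user.
    umask 077

    $MKDIR -p "$CERTS_DIR"
    $MKDIR -p "$KEYS_DIR"
    $MKDIR -p "$COMBO_DIR"

    # gen_request CURVE FILE DN
    # Steps 1 and 2: write the parameters of CURVE to ./CURVE.pem, then generate
    # a new ecdsa (actually ECC) key pair on those parameters together with a
    # certificate request for DN. The private key is saved in
    # $KEYS_DIR/FILE.key.pem and the request in $CERTS_DIR/FILE.req.pem.
    gen_request() {
        curve=$1
        file=$2
        dn=$3
        $OPENSSL_CMD ecparam -name "$curve" -out "$curve.pem"
        $OPENSSL_CMD req -config "$OPENSSL_CNF" -nodes -subj "$dn" \
            -keyout "$KEYS_DIR/$file.key.pem" \
            -newkey "ec:$curve.pem" -new \
            -out "$CERTS_DIR/$file.req.pem"
    }

    # sign_with_ca FILE
    # Step 3 for an end entity: sign $CERTS_DIR/FILE.req.pem using the CA
    # certificate in $TEST_CA_FILE.cert.pem and the CA private key in
    # $TEST_CA_FILE.key.pem, valid for $DAYS days from the time of signing.
    # Since we do not have an existing serial number file for this CA,
    # -CAcreateserial creates one on the first call; later calls reuse it, so
    # the server and client certificates get distinct serial numbers. The
    # certificate is written into $CERTS_DIR/FILE.cert.pem.
    sign_with_ca() {
        file=$1
        $OPENSSL_CMD x509 -req -days "$DAYS" \
            -in "$CERTS_DIR/$file.req.pem" \
            -CA "$CERTS_DIR/$TEST_CA_FILE.cert.pem" \
            -CAkey "$KEYS_DIR/$TEST_CA_FILE.key.pem" \
            -out "$CERTS_DIR/$file.cert.pem" -CAcreateserial
    }

    # finish_cert FILE
    # Step 4: display $CERTS_DIR/FILE.cert.pem, place the certificate (with its
    # issuer and subject lines) and the private key together in
    # $COMBO_DIR/FILE.pem, and remove the request file (no longer needed).
    finish_cert() {
        file=$1
        $OPENSSL_CMD x509 -in "$CERTS_DIR/$file.cert.pem" -text
        $OPENSSL_CMD x509 -in "$CERTS_DIR/$file.cert.pem" -issuer -subject \
            > "$COMBO_DIR/$file.pem"
        $CAT "$KEYS_DIR/$file.key.pem" >> "$COMBO_DIR/$file.pem"
        $RM "$CERTS_DIR/$file.req.pem"
    }

    echo "Generating self-signed CA certificate (on curve $TEST_CA_CURVE)"
    echo "==============================================================="
    gen_request "$TEST_CA_CURVE" "$TEST_CA_FILE" "$TEST_CA_DN"

    # Self-sign the CA request with its own private key and include the CA
    # extensions from the v3_ca section of the configuration file. The
    # certificate is valid for $DAYS days and is written into
    # $CERTS_DIR/$TEST_CA_FILE.cert.pem.
    $OPENSSL_CMD x509 -req -days "$DAYS" \
        -in "$CERTS_DIR/$TEST_CA_FILE.req.pem" \
        -extfile "$OPENSSL_CNF" \
        -extensions v3_ca \
        -signkey "$KEYS_DIR/$TEST_CA_FILE.key.pem" \
        -out "$CERTS_DIR/$TEST_CA_FILE.cert.pem"
    finish_cert "$TEST_CA_FILE"

    echo "GENERATING A TEST SERVER CERTIFICATE (on elliptic curve $TEST_SERVER_CURVE)"
    echo "=========================================================================="
    gen_request "$TEST_SERVER_CURVE" "$TEST_SERVER_FILE" "$TEST_SERVER_DN"
    sign_with_ca "$TEST_SERVER_FILE"
    finish_cert "$TEST_SERVER_FILE"

    echo "GENERATING A TEST CLIENT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)"
    echo "=========================================================================="
    gen_request "$TEST_CLIENT_CURVE" "$TEST_CLIENT_FILE" "$TEST_CLIENT_DN"
    sign_with_ca "$TEST_CLIENT_FILE"
    finish_cert "$TEST_CLIENT_FILE"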