1 #!/bin/bash 2 3 # Copyright (c) 2012 The Chromium Authors. All rights reserved. 4 # Use of this source code is governed by a BSD-style license that can be 5 # found in the LICENSE file. 6 7 # This script generates certificates that can be used to test SSL client 8 # authentication. Outputs for automated tests are stored in 9 # net/data/ssl/certificates, but may be re-generated for manual testing. 10 # 11 # This script generates two chains of test client certificates: 12 # 13 # 1. A (end-entity) -> B -> C (self-signed root) 14 # 2. D (end-entity) -> E -> C (self-signed root) 15 # 16 # In which A, B, C, D, and E all have distinct keypairs. Both client 17 # certificates share the same root, but are issued by different 18 # intermediates. The names of these intermediates are hardcoded within 19 # unit tests, and thus should not be changed. 20 21 try () { 22 echo "$@" 23 $@ || exit 1 24 } 25 26 try rm -rf out 27 try mkdir out 28 29 echo Create the serial number files and indices. 30 serial = 100 31 for i in B C E 32 do 33 try echo $serial > out/$i-serial 34 serial=$(expr $serial + 1) 35 touch out/$i-index.txt 36 touch out/$i-index.txt.attr 37 done 38 39 echo Generate the keys. 40 for i in A B C D E 41 do 42 try openssl genrsa -out out/$i.key 2048 43 done 44 45 echo Generate the C CSR 46 COMMON_NAME="C Root CA" \ 47 CA_DIR=out \ 48 ID=C \ 49 try openssl req \ 50 -new \ 51 -key out/C.key \ 52 -out out/C.csr \ 53 -config client-certs.cnf 54 55 echo C signs itself. 56 COMMON_NAME="C Root CA" \ 57 CA_DIR=out \ 58 ID=C \ 59 try openssl x509 \ 60 -req -days 3650 \ 61 -in out/C.csr \ 62 -extensions ca_cert \ 63 -signkey out/C.key \ 64 -out out/C.pem 65 66 echo Generate the intermediates 67 COMMON_NAME="B CA" \ 68 CA_DIR=out \ 69 ID=B \ 70 try openssl req \ 71 -new \ 72 -key out/B.key \ 73 -out out/B.csr \ 74 -config client-certs.cnf 75 76 COMMON_NAME="C CA" \ 77 CA_DIR=out \ 78 ID=C \ 79 try openssl ca \ 80 -batch \ 81 -extensions ca_cert \ 82 -in out/B.csr \ 83 -out out/B.pem \ 84 -config client-certs.cnf 85 86 COMMON_NAME="E CA" \ 87 CA_DIR=out \ 88 ID=E \ 89 try openssl req \ 90 -new \ 91 -key out/E.key \ 92 -out out/E.csr \ 93 -config client-certs.cnf 94 95 COMMON_NAME="C CA" \ 96 CA_DIR=out \ 97 ID=C \ 98 try openssl ca \ 99 -batch \ 100 -extensions ca_cert \ 101 -in out/E.csr \ 102 -out out/E.pem \ 103 -config client-certs.cnf 104 105 echo Generate the leaf certs 106 for id in A D 107 do 108 COMMON_NAME="Client Cert $id" \ 109 ID=$id \ 110 try openssl req \ 111 -new \ 112 -key out/$id.key \ 113 -out out/$id.csr \ 114 -config client-certs.cnf 115 done 116 117 echo B signs A 118 COMMON_NAME="B CA" \ 119 CA_DIR=out \ 120 ID=B \ 121 try openssl ca \ 122 -batch \ 123 -extensions user_cert \ 124 -in out/A.csr \ 125 -out out/A.pem \ 126 -config client-certs.cnf 127 128 echo E signs D 129 COMMON_NAME="E CA" \ 130 CA_DIR=out \ 131 ID=E \ 132 try openssl ca \ 133 -batch \ 134 -extensions user_cert \ 135 -in out/D.csr \ 136 -out out/D.pem \ 137 -config client-certs.cnf 138 139 echo Package the client certs and private keys into PKCS12 files 140 # This is done for easily importing all of the certs needed for clients. 141 cat out/A.pem out/A.key out/B.pem out/C.pem > out/A-chain.pem 142 cat out/D.pem out/D.key out/E.pem out/C.pem > out/D-chain.pem 143 144 try openssl pkcs12 \ 145 -in out/A-chain.pem \ 146 -out client_1.p12 \ 147 -export \ 148 -passout pass:chrome 149 150 try openssl pkcs12 \ 151 -in out/D-chain.pem \ 152 -out client_2.p12 \ 153 -export \ 154 -passout pass:chrome 155 156 echo Package the client certs for unit tests 157 cp out/A.pem client_1.pem 158 cp out/A.key client_1.key 159 cp out/B.pem client_1_ca.pem 160 161 cp out/D.pem client_2.pem 162 cp out/D.key client_2.key 163 cp out/E.pem client_2_ca.pem 164