ca

ca.git
git clone git://git.lenczewski.org/ca.git

commit 5a81f382b2a9d9076439c4e598a977c6daa9a546
parent 12df907bebff4029abf2bacd32ac0cb6924f44d1
Author: MikoĊ‚aj Lenczewski <mikolaj@lenczewski.org>
Date:   Tue,  5 May 2026 02:13:38 +0100

Add ECC support

Diffstat:
Minit-ca.sh | 39+++++++++++++++++++++++++--------------
Mmake-ca-crl.sh | 4+++-
Mmake-cert.sh | 80+++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------------
Mmake-intermediate-ca.sh | 89+++++++++++++++++++++++++++++++++++++++++++++++++++----------------------------
Mrevoke-cert.sh | 7++++++-
Mrevoke-intermediate-ca.sh | 3++-
6 files changed, 152 insertions(+), 70 deletions(-)

diff --git a/init-ca.sh b/init-ca.sh @@ -55,10 +55,6 @@ database = \$dir/index.txt serial = \$dir/serial RANDFILE = \$dir/priv/.rand -# root key and certificate -private_key = \$dir/priv/ca.key.pem -certificate = \$dir/cert/ca.crt.pem - # certificate revocation list config crlnumber = \$dir/crlnumber crl = \$dir/crl/ca.crl.pem 
@@ -94,22 +90,37 @@ cat >>ca/openssl.cnf < frag.cnf # create the root certificate -# generate the key -openssl genrsa -aes256 -out ca/priv/ca.key.pem 4096 -chmod 400 ca/priv/ca.key.pem +# generate keys +openssl genrsa -aes256 \ + -out ca/priv/ca.rsa.key.pem 4096 + +openssl genpkey -aes256 -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \ + -out ca/priv/ca.ecc.key.pem + +chmod 400 ca/priv/ca.rsa.key.pem ca/priv/ca.ecc.key.pem + +# generate certificates +openssl req -config ca/openssl.cnf \ + -new -x509 -days 36500 -extensions v3_ca \ + -subj "/C=$C/ST=$ST/O=$O/CN=$O Root CA (RSA)" \ + -key ca/priv/ca.rsa.key.pem \ + -out ca/cert/ca.rsa.crt.pem -# generate the certificate openssl req -config ca/openssl.cnf \ -new -x509 -days 36500 -extensions v3_ca \ - -subj "/C=$C/ST=$ST/O=$O/CN=$O Root CA" \ - -key ca/priv/ca.key.pem \ - -out ca/cert/ca.crt.pem + -subj "/C=$C/ST=$ST/O=$O/CN=$O Root CA (ECC)" \ + -key ca/priv/ca.ecc.key.pem \ + -out ca/cert/ca.ecc.crt.pem -chmod 444 ca/cert/ca.crt.pem +chmod 444 ca/cert/ca.rsa.crt.pem ca/cert/ca.ecc.crt.pem # verify the certificate -openssl x509 -noout -text -in ca/cert/ca.crt.pem +openssl x509 -noout -text -in ca/cert/ca.rsa.crt.pem +openssl x509 -noout -text -in ca/cert/ca.ecc.crt.pem echo "NOTE: Install the root certificate on all devices" -echo "NOTE: Root certificate is found in 'ca/cert/ca.crt.pem'" +echo "NOTE: Root RSA key is found in 'ca/priv/ca.rsa.key.pem'" +echo "NOTE: Root RSA certificate is found in 'ca/cert/ca.rsa.crt.pem'" +echo "NOTE: Root ECC key is found in 'ca/priv/ca.ecc.key.pem'" +echo "NOTE: Root ECC certificate is found in 'ca/cert/ca.ecc.crt.pem'" echo "NOTE: Please run 'make-intermediate-ca.sh' at least once" diff --git a/make-ca-crl.sh b/make-ca-crl.sh 
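Review bot: The new ECC root key is generated on P-256 but self-signed with the same `-days 36500` as the RSA-4096 root. For a trust anchor meant to live that long, a larger curve is the more common choice, e.g. `openssl genpkey -aes256 -algorithm EC -pkeyopt ec_paramgen_curve:P-384 \`. The unchanged message `Install the root certificate on all devices` is also ambiguous now that two roots exist; it should say that both `ca.rsa.crt.pem` and `ca.ecc.crt.pem` need installing if both chain types will be issued.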
@@ -5,4 +5,6 @@ set -ex # generate the crl openssl ca -config ca/openssl.cnf \ - -gencrl -out ca/intermediate/crl/intermediate.crl.pem + -cert ca/cert/ca.ecc.crt.pem -keyfile ca/priv/ca.ecc.key.pem \ + -gencrl \ + -out ca/intermediate/crl/intermediate-$(date '+%Y-%m-%d').crl.pem diff --git a/make-cert.sh b/make-cert.sh @@ -6,6 +6,7 @@ shift 2 EXTRA="$(echo $@ | xargs printf '%s\n' | paste -s -d '/' -)" +ECC="${ECC:-1}" PCKSPASS="${PCKSPASS:-password}" DAYS="${DAYS:-730}" @@ -28,14 +29,6 @@ set -ex mkdir -p certs certs/$TYPE "certs/$TYPE/$DOMAIN" -# generate the key -openssl genrsa \ - -out "certs/$TYPE/$DOMAIN/$DOMAIN.key.pem" 4096 - -chmod 600 "certs/$TYPE/$DOMAIN/$DOMAIN.key.pem" - -# generate the certificate - C=$(cat ca.country.txt) ST=$(cat ca.state.txt) O=$(cat ca.organization.txt) 
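Review bot: The CRL in make-ca-crl.sh is now signed only by the ECC root (`-cert ca/cert/ca.ecc.crt.pem -keyfile ca/priv/ca.ecc.key.pem`), so intermediates issued by the RSA root in make-intermediate-ca.sh have no CRL whose issuer and signature match their chain. A relying party validating the RSA chain will not find usable revocation data. The same ECC-only `-cert`/`-keyfile` pair is hard-coded in revoke-intermediate-ca.sh and, at the intermediate level, in revoke-cert.sh. Consider a second `-gencrl` run with `-cert ca/cert/ca.rsa.crt.pem -keyfile ca/priv/ca.rsa.key.pem` writing to its own file. The output name is now dated while the config shown in init-ca.sh still has `crl = \$dir/crl/ca.crl.pem`, so it is worth confirming that whatever publishes the CRL picks up the new filename.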
@@ -49,23 +42,66 @@ O=$(cat ca.organization.txt) [ "${O:-PLACEHOLDER}" = "PLACEHOLDER" ] && \ echo "Please fill in ca.organization.txt!" && exit 1 -openssl req -config ca/intermediate/current/openssl_usr.cnf \ - -key "certs/$TYPE/$DOMAIN/$DOMAIN.key.pem" \ - -new -subj "/C=$C/ST=$ST/O=$O/CN=${DOMAIN}/${EXTRA}" \ - -out "certs/$TYPE/$DOMAIN/$DOMAIN.csr.pem" +# generate keys + +openssl genrsa \ + -out "certs/$TYPE/$DOMAIN/$DOMAIN.rsa.key.pem" 4096 -openssl ca -config ca/intermediate/current/openssl_usr.cnf \ - -days $DAYS -notext -extensions ${TYPE}_cert \ - -in "certs/$TYPE/$DOMAIN/$DOMAIN.csr.pem" \ - -out "certs/$TYPE/$DOMAIN/$DOMAIN.crt.pem" +openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \ + -out "certs/$TYPE/$DOMAIN/$DOMAIN.ecc.key.pem" -chmod 644 "certs/$TYPE/$DOMAIN/$DOMAIN.crt.pem" +chmod 600 \ + "certs/$TYPE/$DOMAIN/$DOMAIN.rsa.key.pem" \ + "certs/$TYPE/$DOMAIN/$DOMAIN.ecc.key.pem" + +# generate the certificate + +if [ "${ECC}" = "1" ]; then + openssl req -config ca/intermediate/current/openssl_usr.cnf \ + -new -subj "/C=$C/ST=$ST/O=$O/CN=${DOMAIN}/${EXTRA}" \ + -key "certs/$TYPE/$DOMAIN/$DOMAIN.ecc.key.pem" \ + -out "certs/$TYPE/$DOMAIN/$DOMAIN.ecc.csr.pem" + + openssl ca -config ca/intermediate/current/openssl_usr.cnf \ + -cert ca/intermediate/current/cert/intermediate.ecc.crt.pem \ + -keyfile ca/intermediate/current/priv/intermediate.ecc.key.pem \ + -days $DAYS -notext -extensions ${TYPE}_cert \ + -in "certs/$TYPE/$DOMAIN/$DOMAIN.ecc.csr.pem" \ + -out "certs/$TYPE/$DOMAIN/$DOMAIN.ecc.crt.pem" + + chmod 644 "certs/$TYPE/$DOMAIN/$DOMAIN.ecc.crt.pem" +else + openssl req -config ca/intermediate/current/openssl_usr.cnf \ + -new -subj "/C=$C/ST=$ST/O=$O/CN=${DOMAIN}/${EXTRA}" \ + -key "certs/$TYPE/$DOMAIN/$DOMAIN.rsa.key.pem" \ + -out "certs/$TYPE/$DOMAIN/$DOMAIN.rsa.csr.pem" + + openssl ca -config ca/intermediate/current/openssl_usr.cnf \ + -cert ca/intermediate/current/cert/intermediate.rsa.crt.pem \ + -keyfile 
ca/intermediate/current/priv/intermediate.rsa.key.pem \ + -days $DAYS -notext -extensions ${TYPE}_cert \ + -in "certs/$TYPE/$DOMAIN/$DOMAIN.rsa.csr.pem" \ + -out "certs/$TYPE/$DOMAIN/$DOMAIN.rsa.crt.pem" + + chmod 644 "certs/$TYPE/$DOMAIN/$DOMAIN.rsa.crt.pem" +fi # verify the certificate -openssl x509 -noout -text -in "certs/$TYPE/$DOMAIN/$DOMAIN.crt.pem" -openssl verify -CAfile ca/intermediate/current/cert/ca-chain.pem \ - "certs/$TYPE/$DOMAIN/$DOMAIN.crt.pem" +if [ "${ECC}" = "1" ]; then + openssl x509 -noout -text -in "certs/$TYPE/$DOMAIN/$DOMAIN.ecc.crt.pem" + openssl verify -CAfile ca/intermediate/current/cert/ca-chain.pem \ + "certs/$TYPE/$DOMAIN/$DOMAIN.ecc.crt.pem" +else + openssl x509 -noout -text -in "certs/$TYPE/$DOMAIN/$DOMAIN.rsa.crt.pem" + openssl verify -CAfile ca/intermediate/current/cert/ca-chain.pem \ + "certs/$TYPE/$DOMAIN/$DOMAIN.rsa.crt.pem" +fi # publish certificate -echo "NOTE: Certificate key is found in 'certs/$TYPE/$DOMAIN/$DOMAIN.key.pem'" -echo "NOTE: Certificate is found in 'certs/$TYPE/$DOMAIN/$DOMAIN.crt.pem'" +if [ "${ECC}" = "1" ]; then + echo "NOTE: ECC key is found in 'certs/$TYPE/$DOMAIN/$DOMAIN.ecc.key.pem'" + echo "NOTE: ECC certificate is found in 'certs/$TYPE/$DOMAIN/$DOMAIN.ecc.crt.pem'" +else + echo "NOTE: RSA key is found in 'certs/$TYPE/$DOMAIN/$DOMAIN.rsa.key.pem'" + echo "NOTE: RSA certificate is found in 'certs/$TYPE/$DOMAIN/$DOMAIN.rsa.crt.pem'" +fi diff --git a/make-intermediate-ca.sh b/make-intermediate-ca.sh @@ -61,10 +61,6 @@ database = \$dir/index.txt serial = \$dir/serial RANDFILE = \$dir/priv/.rand -# root key and certificate -private_key = \$dir/priv/intermediate.key.pem -certificate = \$dir/cert/intermediate.crt.pem - # certificate revocation list config crlnumber = \$dir/crlnumber crl = \$dir/crl/intermediate.crl.pem 
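Review bot: Both `$DOMAIN.rsa.key.pem` and `$DOMAIN.ecc.key.pem` are regenerated on every run of make-cert.sh, although only the algorithm selected by `ECC` gets a certificate. A later run with the other setting therefore overwrites the private key of a certificate that was already issued, leaving that certificate without its key, and each run leaves an unused private key on disk. Generating only the selected key also removes the three duplicated `if [ "${ECC}" = "1" ]` branches; a sketch follows, with the parsing of `TYPE` and `DOMAIN` staying outside this hunk. `$DAYS` and `${TYPE}_cert` are quoted in the sketch because they come from the environment and the command line.

```sh
# pick one algorithm per run; only that key is generated
if [ "${ECC}" = "1" ]; then
	ALG=ecc
else
	ALG=rsa
fi
OUT="certs/$TYPE/$DOMAIN/$DOMAIN.$ALG"
CA_DIR=ca/intermediate/current

if [ "$ALG" = "ecc" ]; then
	openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
		-out "$OUT.key.pem"
else
	openssl genrsa -out "$OUT.key.pem" 4096
fi
chmod 600 "$OUT.key.pem"

openssl req -config "$CA_DIR/openssl_usr.cnf" \
	-new -subj "/C=$C/ST=$ST/O=$O/CN=${DOMAIN}/${EXTRA}" \
	-key "$OUT.key.pem" \
	-out "$OUT.csr.pem"

openssl ca -config "$CA_DIR/openssl_usr.cnf" \
	-cert "$CA_DIR/cert/intermediate.$ALG.crt.pem" \
	-keyfile "$CA_DIR/priv/intermediate.$ALG.key.pem" \
	-days "$DAYS" -notext -extensions "${TYPE}_cert" \
	-in "$OUT.csr.pem" \
	-out "$OUT.crt.pem"

chmod 644 "$OUT.crt.pem"

# … unchanged in substance: x509 -text, openssl verify and the NOTE echoes, now on "$OUT.crt.pem" …
```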
@@ -110,10 +106,6 @@ database = \$dir/index.txt serial = \$dir/serial RANDFILE = \$dir/priv/.rand -# root key and certificate -private_key = \$dir/priv/intermediate.key.pem -certificate = \$dir/cert/intermediate.crt.pem - # certificate revocation list config crlnumber = \$dir/crlnumber crl = \$dir/crl/intermediate.crl.pem 
@@ -152,43 +144,72 @@ cat >>$INTERMEDIATE_CA_ROOT/openssl_usr.cnf < frag.cnf # create the intermediate pair -# generate the key -openssl genrsa -aes256 -out $INTERMEDIATE_CA_ROOT/priv/intermediate.key.pem 4096 -chmod 400 $INTERMEDIATE_CA_ROOT/priv/intermediate.key.pem +# generate keys +openssl genrsa -aes256 \ + -out $INTERMEDIATE_CA_ROOT/priv/intermediate.rsa.key.pem 4096 + +openssl genpkey -aes256 -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \ + -out $INTERMEDIATE_CA_ROOT/priv/intermediate.ecc.key.pem -# generate the certificate +chmod 400 \ + $INTERMEDIATE_CA_ROOT/priv/intermediate.rsa.key.pem \ + $INTERMEDIATE_CA_ROOT/priv/intermediate.ecc.key.pem + +# generate certificates openssl req -config $INTERMEDIATE_CA_ROOT/openssl.cnf \ - -new -subj "/C=$C/ST=$ST/O=$O/CN=$O Intermediate CA" \ - -key $INTERMEDIATE_CA_ROOT/priv/intermediate.key.pem \ - -out $INTERMEDIATE_CA_ROOT/csr/intermediate.csr.pem + -new -subj "/C=$C/ST=$ST/O=$O/CN=$O Intermediate CA (RSA)" \ + -key $INTERMEDIATE_CA_ROOT/priv/intermediate.rsa.key.pem \ + -out $INTERMEDIATE_CA_ROOT/csr/intermediate.rsa.csr.pem openssl ca -config ca/openssl.cnf \ + -cert ca/cert/ca.rsa.crt.pem -keyfile ca/priv/ca.rsa.key.pem \ -days 3650 -notext -extensions v3_intermediate_ca \ - -in $INTERMEDIATE_CA_ROOT/csr/intermediate.csr.pem \ - -out $INTERMEDIATE_CA_ROOT/cert/intermediate.crt.pem + -in $INTERMEDIATE_CA_ROOT/csr/intermediate.rsa.csr.pem \ + -out $INTERMEDIATE_CA_ROOT/cert/intermediate.rsa.crt.pem -chmod 444 $INTERMEDIATE_CA_ROOT/cert/intermediate.crt.pem +openssl req -config $INTERMEDIATE_CA_ROOT/openssl.cnf \ + -new -subj "/C=$C/ST=$ST/O=$O/CN=$O Intermediate CA (ECC)" \ + -key $INTERMEDIATE_CA_ROOT/priv/intermediate.ecc.key.pem \ + -out $INTERMEDIATE_CA_ROOT/csr/intermediate.ecc.csr.pem + +openssl ca -config ca/openssl.cnf \ + -cert ca/cert/ca.ecc.crt.pem -keyfile ca/priv/ca.ecc.key.pem \ + -days 3650 -notext -extensions v3_intermediate_ca \ + -in $INTERMEDIATE_CA_ROOT/csr/intermediate.ecc.csr.pem \ + -out 
$INTERMEDIATE_CA_ROOT/cert/intermediate.ecc.crt.pem + +chmod 444 \ + $INTERMEDIATE_CA_ROOT/cert/intermediate.rsa.crt.pem \ + $INTERMEDIATE_CA_ROOT/cert/intermediate.ecc.crt.pem # verify the certificate -openssl x509 -noout -text -in $INTERMEDIATE_CA_ROOT/cert/intermediate.crt.pem -openssl verify -CAfile ca/cert/ca.crt.pem $INTERMEDIATE_CA_ROOT/cert/intermediate.crt.pem +openssl x509 -noout -text -in $INTERMEDIATE_CA_ROOT/cert/intermediate.rsa.crt.pem +openssl x509 -noout -text -in $INTERMEDIATE_CA_ROOT/cert/intermediate.ecc.crt.pem + +openssl verify -CAfile ca/cert/ca.rsa.crt.pem $INTERMEDIATE_CA_ROOT/cert/intermediate.rsa.crt.pem +openssl verify -CAfile ca/cert/ca.ecc.crt.pem $INTERMEDIATE_CA_ROOT/cert/intermediate.ecc.crt.pem # create the ocsp pair -openssl genrsa -out $INTERMEDIATE_CA_ROOT/priv/$OCSP_URI.ocsp.key.pem 4096 -chmod 400 $INTERMEDIATE_CA_ROOT/priv/$OCSP_URI.ocsp.key.pem +openssl genpkey -aes256 -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \ + -out $INTERMEDIATE_CA_ROOT/priv/$OCSP_URI.ocsp.ecc.key.pem + +chmod 400 $INTERMEDIATE_CA_ROOT/priv/$OCSP_URI.ocsp.ecc.key.pem openssl req -config $INTERMEDIATE_CA_ROOT/openssl.cnf \ -new -subj="/C=$C/ST=$ST/O=$O/CN=$OCSP_URI" \ - -key "$INTERMEDIATE_CA_ROOT/priv/$OCSP_URI.ocsp.key.pem" \ - -out "$INTERMEDIATE_CA_ROOT/csr/$OCSP_URI.ocsp.csr.pem" + -key "$INTERMEDIATE_CA_ROOT/priv/$OCSP_URI.ocsp.ecc.key.pem" \ + -out "$INTERMEDIATE_CA_ROOT/csr/$OCSP_URI.ocsp.ecc.csr.pem" openssl ca -config $INTERMEDIATE_CA_ROOT/openssl.cnf \ + -cert $INTERMEDIATE_CA_ROOT/cert/intermediate.ecc.crt.pem \ + -keyfile $INTERMEDIATE_CA_ROOT/priv/intermediate.ecc.key.pem \ -days 3650 -notext -extensions ocsp \ - -in "$INTERMEDIATE_CA_ROOT/csr/$OCSP_URI.ocsp.csr.pem" \ - -out "$INTERMEDIATE_CA_ROOT/cert/$OCSP_URI.ocsp.crt.pem" + -in "$INTERMEDIATE_CA_ROOT/csr/$OCSP_URI.ocsp.ecc.csr.pem" \ + -out "$INTERMEDIATE_CA_ROOT/cert/$OCSP_URI.ocsp.ecc.crt.pem" -openssl x509 -noout -text -in "$INTERMEDIATE_CA_ROOT/cert/$OCSP_URI.ocsp.crt.pem" +# 
cerify the ocsp pair +openssl x509 -noout -text -in "$INTERMEDIATE_CA_ROOT/cert/$OCSP_URI.ocsp.ecc.crt.pem" # create root ca crl @@ -196,13 +217,19 @@ $(dirname $0)/make-ca-crl.sh # create chain of trust -cat $INTERMEDIATE_CA_ROOT/cert/intermediate.crt.pem > $INTERMEDIATE_CA_ROOT/cert/ca-chain.pem +cat ca/cert/ca.rsa.crt.pem $INTERMEDIATE_CA_ROOT/cert/intermediate.rsa.crt.pem \ + ca/cert/ca.ecc.crt.pem $INTERMEDIATE_CA_ROOT/cert/intermediate.ecc.crt.pem \ + > $INTERMEDIATE_CA_ROOT/cert/ca-chain.pem # create symlink ln -sf $DATE ca/intermediate/current -echo "NOTE: Generated CRL is found in '$INTERMEDIATE_CA_ROOT/crl/intermediate.crl.pem'" +echo "NOTE: Generated CRL is found in '$INTERMEDIATE_CA_ROOT/crl/intermediate-$DATE.crl.pem'" echo "NOTE: Please run 'make-ca-crl.sh' on a regular basis (once every 30 days) to update it" -echo "NOTE: OCSP key is found in '$INTERMEDIATE_CA_ROOT/priv/*.ocsp.key.pem'" -echo "NOTE: OCSP cert is found in '$INTERMEDIATE_CA_ROOT/cert/*.ocsp.crt.pem'" +echo "NOTE: Intermediate RSA key is found in '$INTERMEDIATE_CA_ROOT/priv/intermediate.rsa.key.pem'" +echo "NOTE: Intermediate RSA certificate is found in '$INTERMEDIATE_CA_ROOT/cert/intermediate.rsa.crt.pem'" +echo "NOTE: Intermediate ECC key is found in '$INTERMEDIATE_CA_ROOT/priv/intermediate.ecc.key.pem'" +echo "NOTE: Intermediate ECC certificate is found in '$INTERMEDIATE_CA_ROOT/cert/intermediate.ecc.crt.pem'" +echo "NOTE: OCSP key is found in '$INTERMEDIATE_CA_ROOT/priv/*.ocsp.ecc.key.pem'" +echo "NOTE: OCSP cert is found in '$INTERMEDIATE_CA_ROOT/cert/*.ocsp.ecc.crt.pem'" echo "NOTE: Chain of Trust is found in '$INTERMEDIATE_CA_ROOT/cert/ca-chain.pem'" diff --git a/revoke-cert.sh b/revoke-cert.sh @@ -9,6 +9,7 @@ case "$TYPE" in *) echo "Usage: $0 <server|client> <fqdn>" + exit 1 ;; esac 
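Review bot: The OCSP responder pair in make-intermediate-ca.sh is created only as `$OCSP_URI.ocsp.ecc.*` and signed only by `intermediate.ecc`, so certificates issued by the RSA intermediate (make-cert.sh with `ECC=0`) have no delegated responder from their own issuer. Responses for those certificates would not validate against the RSA chain. Either issue a second responder certificate from `intermediate.rsa`, or state in the closing NOTE lines that OCSP covers ECC-issued certificates only. The responder key is also now written with `-aes256`, whereas the removed `genrsa` line wrote it unencrypted, so an unattended responder will need the passphrase; please confirm that is intended. The new comment has a typo and should read `# verify the ocsp pair`.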
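Review bot: `ca-chain.pem` now concatenates both self-signed roots and both intermediates, root first, where it previously held only the intermediate. That works as the `-CAfile` bundle make-cert.sh verifies against. If the same file is also deployed as a server's certificate chain (not visible here), the server would present the other algorithm's certificates and the roots as well. A per-algorithm file avoids this, e.g. `cat $INTERMEDIATE_CA_ROOT/cert/intermediate.ecc.crt.pem ca/cert/ca.ecc.crt.pem > $INTERMEDIATE_CA_ROOT/cert/ca-chain.ecc.pem`, with an RSA counterpart. Separately, the updated NOTE points at `$INTERMEDIATE_CA_ROOT/crl/intermediate-$DATE.crl.pem` while make-ca-crl.sh writes to `ca/intermediate/crl/intermediate-$(date '+%Y-%m-%d').crl.pem`; `INTERMEDIATE_CA_ROOT` and `DATE` are defined outside this hunk, so please check that the two paths actually agree.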
@@ -17,5 +18,9 @@ if [ -z "$DOMAIN" ]; then exit 1 fi +set -ex + openssl ca -config ca/intermediate/current/openssl_usr.cnf \ - -revoke "certs/$TYPE/$DOMAIN/$DOMAIN.crt.pem" + -cert ca/intermediate/current/cert/intermediate.ecc.crt.pem \ + -keyfile ca/intermediate/current/priv/intermediate.ecc.key.pem \ + -revoke "certs/$TYPE/$DOMAIN/$DOMAIN".*."crt.pem" diff --git a/revoke-intermediate-ca.sh b/revoke-intermediate-ca.sh @@ -1,8 +1,9 @@ #!/bin/sh -set -x +set -ex openssl ca -config ca/openssl.cnf \ + -cert ca/cert/ca.ecc.crt.pem -keyfile ca/priv/ca.ecc.key.pem \ -revoke $1 $(dirname $0)/make-ca-crl.sh
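Review bot: The `-revoke "certs/$TYPE/$DOMAIN/$DOMAIN".*."crt.pem"` argument in revoke-cert.sh relies on an unquoted `*`. Once a domain has both an `.rsa.` and an `.ecc.` certificate the glob expands to two words, while `-revoke` takes a single file; with no match the literal pattern is passed through. The intermediate's `-cert`/`-keyfile` are also fixed to the ECC pair even when the certificate was issued by the RSA intermediate. Consider deriving an `ALG` value (`ecc` or `rsa`) from the same `ECC` variable make-cert.sh reads and using it in all three arguments, e.g. `-revoke "certs/$TYPE/$DOMAIN/$DOMAIN.$ALG.crt.pem"`, after checking the file exists with `[ -f ... ] || exit 1`.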