
init-ca.sh (2859B)


      1 #!/bin/sh
      2 
      3 set -ex
      4 
      5 # initial directory structure
      6 
      7 mkdir -p ca \
      8 	ca/cert \
      9 	ca/crl \
     10 	ca/new \
     11 	ca/priv
     12 
     13 chmod 700 ca/priv
     14 
     15 touch ca/index.txt
     16 touch ca/serial
     17 
     18 SERIAL=$(date '+%Y%m%d')
     19 echo $SERIAL > ca/serial
     20 
     21 echo 1000 > ca/crlnumber
     22 
     23 # create openssl ca config
     24 
     25 C=$(cat ca.country.txt)
     26 ST=$(cat ca.state.txt)
     27 O=$(cat ca.organization.txt)
     28 
     29 [ "${C:-PLACEHOLDER}" = "PLACEHOLDER" ] && \
     30 	echo "Please fill in ca.country.txt!" && exit 1
     31 
     32 [ "${ST:-PLACEHOLDER}" = "PLACEHOLDER" ] && \
     33 	echo "Please fill in ca.state.txt!" && exit 1
     34 
     35 [ "${O:-PLACEHOLDER}" = "PLACEHOLDER" ] && \
     36 	echo "Please fill in ca.organization.txt!" && exit 1
     37 
     38 CRL_URI="$(cat crl.uri.txt)"
     39 
     40 [ "${CRL_URI:-PLACEHOLDER}" = "PLACEHOLDER" ] && \
     41 	echo "Please fill in crl.uri.txt!" && exit 1
     42 
     43 cat >ca/openssl.cnf <<EOF
     44 # root ca configuration
     45 
     46 [ ca ]
     47 default_ca = CA_default
     48 
     49 [ CA_default ]
     50 dir			= $(dirname $0)/ca
     51 certs			= \$dir/cert
     52 crl_dir			= \$dir/crl
     53 new_certs_dir		= \$dir/new
     54 database		= \$dir/index.txt
     55 serial			= \$dir/serial
     56 RANDFILE		= \$dir/priv/.rand
     57 
     58 # certificate revocation list config
     59 crlnumber		= \$dir/crlnumber
     60 crl			= \$dir/crl/ca.crl.pem
     61 crl_extensions		= crl_ext
     62 default_crl_days	= 31
     63 
     64 # use a strong digest
     65 default_md		= sha512
     66 
     67 # misc config
     68 name_opt		= ca_default
     69 cert_opt		= ca_default
     70 default_days		= 365
     71 preserve		= no
     72 policy			= CA_policy_strict
     73 
     74 # default fields when making certificate requests
     75 [ req ]
     76 default_bits		= 4096
     77 
     78 string_mask		= utf8only
     79 
     80 default_md		= sha512
     81 
     82 x509_extensions		= v3_ca
     83 
     84 [ v3_intermediate_ca ]
     85 crlDistributionPoints	= URI:http://${CRL_URI}
     86 
     87 EOF
     88 
     89 cat >>ca/openssl.cnf < frag.cnf
     90 
     91 # create the root certificate
     92 
     93 # generate keys
     94 openssl genrsa -aes256 \
     95 	-out ca/priv/ca.rsa.key.pem 4096
     96 
     97 openssl genpkey -aes256 -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
     98 	-out ca/priv/ca.ecc.key.pem
     99 
    100 chmod 400 ca/priv/ca.rsa.key.pem ca/priv/ca.ecc.key.pem
    101 
    102 # generate certificates
    103 openssl req -config ca/openssl.cnf \
    104 	-new -x509 -days 36500 -extensions v3_ca \
    105 	-subj "/C=$C/ST=$ST/O=$O/CN=$O Root CA (RSA)" \
    106 	-key ca/priv/ca.rsa.key.pem \
    107 	-out ca/cert/ca.rsa.crt.pem
    108 
    109 openssl req -config ca/openssl.cnf \
    110 	-new -x509 -days 36500 -extensions v3_ca \
    111 	-subj "/C=$C/ST=$ST/O=$O/CN=$O Root CA (ECC)" \
    112 	-key ca/priv/ca.ecc.key.pem \
    113 	-out ca/cert/ca.ecc.crt.pem
    114 
    115 chmod 444 ca/cert/ca.rsa.crt.pem ca/cert/ca.ecc.crt.pem
    116 
    117 # verify the certificate
    118 openssl x509 -noout -text -in ca/cert/ca.rsa.crt.pem
    119 openssl x509 -noout -text -in ca/cert/ca.ecc.crt.pem
    120 
    121 echo "NOTE: Install the root certificate on all devices"
    122 echo "NOTE: Root RSA key is found in 'ca/priv/ca.rsa.key.pem'"
    123 echo "NOTE: Root RSA certificate is found in 'ca/cert/ca.rsa.crt.pem'"
    124 echo "NOTE: Root ECC key is found in 'ca/priv/ca.ecc.key.pem'"
    125 echo "NOTE: Root ECC certificate is found in 'ca/cert/ca.ecc.crt.pem'"
    126 echo "NOTE: Please run 'make-intermediate-ca.sh' at least once"