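#!/bin/sh
#
# make-intermediate-ca.sh - create a dated intermediate CA (one RSA and one
# ECC pair) under ca/intermediate/<YYYY-MM-DD>, sign both with the root CA in
# ca/, issue an ECC OCSP signing pair for it, build ca-chain.pem and point
# ca/intermediate/current at the new directory.
#
# Run it from the directory that holds ca/, frag.cnf and the settings files
# ca.country.txt, ca.state.txt, ca.organization.txt and ocsp.uri.txt. The
# generated configs record dir= as $(dirname "$0")/ca/intermediate/<date>, so
# the script is expected to live in that same directory.
#
# All private keys are written AES-256 encrypted; openssl prompts for the
# passphrases, so no secret is ever placed on a command line (the set -x
# trace further down therefore leaks nothing sensitive).

set -eu

# Print a diagnostic to stderr and abort the script.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Read a one-line settings file ($1) to stdout. Abort with the same
# "Please fill in" message if the file is missing/unreadable, empty, or still
# holds the literal PLACEHOLDER text. Uses a global scratch variable because
# POSIX sh has no 'local'.
read_setting() {
  _value=$(cat "$1" 2>/dev/null) || die "Please fill in $1!"
  if [ "${_value:-PLACEHOLDER}" = "PLACEHOLDER" ]; then
    die "Please fill in $1!"
  fi
  printf '%s\n' "$_value"
}

# Emit the configuration shared by openssl.cnf and openssl_usr.cnf on stdout.
# $1 is the header comment, $2 the CA directory recorded as dir=. "\$dir" is
# kept literal so openssl expands it at load time; everything else is
# expanded now.
write_common_config() {
  cat <<EOF
# $1

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $2
certs = \$dir/cert
crl_dir = \$dir/crl
new_certs_dir = \$dir/new
database = \$dir/index.txt
serial = \$dir/serial
RANDFILE = \$dir/priv/.rand

# certificate revocation list config
crlnumber = \$dir/crlnumber
crl = \$dir/crl/intermediate.crl.pem
crl_extensions = crl_ext
default_crl_days = 30

# use a strong digest
default_md = sha512

# misc config
name_opt = ca_default
cert_opt = ca_default
default_days = 365
preserve = no
policy = CA_policy_loose

# default fields when making certificate requests
[ req ]
default_bits = 4096

string_mask = utf8only

default_md = sha512

x509_extensions = v3_ca

EOF
}

DATE=$(date '+%Y-%m-%d')
SERIAL=$(date '+%Y%m%d')
INTERMEDIATE_CA_ROOT=ca/intermediate/$DATE
SCRIPT_DIR=$(dirname "$0")

if [ -d "$INTERMEDIATE_CA_ROOT" ]; then
  die "Warning: Intermediate CA for serial $SERIAL already exists: $INTERMEDIATE_CA_ROOT"
fi

# Validate every input BEFORE creating anything on disk: a failed check after
# mkdir would leave a half-built directory that trips the "already exists"
# guard above on the next run of the same day.
C=$(read_setting ca.country.txt) || exit 1
ST=$(read_setting ca.state.txt) || exit 1
O=$(read_setting ca.organization.txt) || exit 1
OCSP_URI=$(read_setting ocsp.uri.txt) || exit 1

# The OCSP host is interpolated into the generated config (authorityInfoAccess)
# and into key/cert file names, so accept host[:port] characters only; a '/',
# whitespace or a second line would otherwise become a broken path or a stray
# config directive.
case "$OCSP_URI" in
  *[!A-Za-z0-9.:-]*)
    die "ocsp.uri.txt must contain a host[:port] only, got '$OCSP_URI'"
    ;;
esac

set -x

# initial directory structure
# $INTERMEDIATE_CA_ROOT/crl is what crl_dir in the generated config (and the
# final NOTE below) refer to; ca/intermediate/crl is kept for the external
# make-ca-crl.sh, whose expectations are not visible from here.
mkdir -p "$INTERMEDIATE_CA_ROOT/cert" \
  "$INTERMEDIATE_CA_ROOT/csr" \
  "$INTERMEDIATE_CA_ROOT/new" \
  "$INTERMEDIATE_CA_ROOT/priv" \
  "$INTERMEDIATE_CA_ROOT/crl" \
  ca/intermediate/crl

chmod 700 "$INTERMEDIATE_CA_ROOT/priv"

touch "$INTERMEDIATE_CA_ROOT/index.txt"

echo "$SERIAL" > "$INTERMEDIATE_CA_ROOT/serial"
echo 1000 > "$INTERMEDIATE_CA_ROOT/crlnumber"

# create openssl ca configs: the common part, then (for the user cert config)
# the OCSP pointers for issued certificates, then the shared frag.cnf
CA_DIR=$SCRIPT_DIR/ca/intermediate/$DATE

{
  write_common_config "intermediate ca configuration" "$CA_DIR"
  cat frag.cnf
} > "$INTERMEDIATE_CA_ROOT/openssl.cnf"

{
  write_common_config "server and client certificate configuration" "$CA_DIR"
  cat <<EOF
[ client_cert ]
authorityInfoAccess = OCSP;URI:http://${OCSP_URI}

[ server_cert ]
authorityInfoAccess = OCSP;URI:http://${OCSP_URI}

EOF
  cat frag.cnf
} > "$INTERMEDIATE_CA_ROOT/openssl_usr.cnf"

# create the intermediate pair

# generate keys (passphrases are prompted for by openssl)
openssl genrsa -aes256 \
  -out "$INTERMEDIATE_CA_ROOT/priv/intermediate.rsa.key.pem" 4096

openssl genpkey -aes256 -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
  -out "$INTERMEDIATE_CA_ROOT/priv/intermediate.ecc.key.pem"

chmod 400 \
  "$INTERMEDIATE_CA_ROOT/priv/intermediate.rsa.key.pem" \
  "$INTERMEDIATE_CA_ROOT/priv/intermediate.ecc.key.pem"

# generate certificates, signed by the root CA with its own config
openssl req -config "$INTERMEDIATE_CA_ROOT/openssl.cnf" \
  -new -subj "/C=$C/ST=$ST/O=$O/CN=$O Intermediate CA (RSA)" \
  -key "$INTERMEDIATE_CA_ROOT/priv/intermediate.rsa.key.pem" \
  -out "$INTERMEDIATE_CA_ROOT/csr/intermediate.rsa.csr.pem"

openssl ca -config ca/openssl.cnf \
  -cert ca/cert/ca.rsa.crt.pem -keyfile ca/priv/ca.rsa.key.pem \
  -days 3650 -notext -extensions v3_intermediate_ca \
  -in "$INTERMEDIATE_CA_ROOT/csr/intermediate.rsa.csr.pem" \
  -out "$INTERMEDIATE_CA_ROOT/cert/intermediate.rsa.crt.pem"

openssl req -config "$INTERMEDIATE_CA_ROOT/openssl.cnf" \
  -new -subj "/C=$C/ST=$ST/O=$O/CN=$O Intermediate CA (ECC)" \
  -key "$INTERMEDIATE_CA_ROOT/priv/intermediate.ecc.key.pem" \
  -out "$INTERMEDIATE_CA_ROOT/csr/intermediate.ecc.csr.pem"

openssl ca -config ca/openssl.cnf \
  -cert ca/cert/ca.ecc.crt.pem -keyfile ca/priv/ca.ecc.key.pem \
  -days 3650 -notext -extensions v3_intermediate_ca \
  -in "$INTERMEDIATE_CA_ROOT/csr/intermediate.ecc.csr.pem" \
  -out "$INTERMEDIATE_CA_ROOT/cert/intermediate.ecc.crt.pem"

chmod 444 \
  "$INTERMEDIATE_CA_ROOT/cert/intermediate.rsa.crt.pem" \
  "$INTERMEDIATE_CA_ROOT/cert/intermediate.ecc.crt.pem"

# show and verify the certificates against the root
openssl x509 -noout -text -in "$INTERMEDIATE_CA_ROOT/cert/intermediate.rsa.crt.pem"
openssl x509 -noout -text -in "$INTERMEDIATE_CA_ROOT/cert/intermediate.ecc.crt.pem"

openssl verify -CAfile ca/cert/ca.rsa.crt.pem "$INTERMEDIATE_CA_ROOT/cert/intermediate.rsa.crt.pem"
openssl verify -CAfile ca/cert/ca.ecc.crt.pem "$INTERMEDIATE_CA_ROOT/cert/intermediate.ecc.crt.pem"

# create the ocsp pair (ECC, signed by the ECC intermediate)
# NOTE(review): the responder certificate is issued for 3650 days like the
# intermediates; shorter-lived OCSP signer certificates are common practice —
# confirm this lifetime is intended.

openssl genpkey -aes256 -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
  -out "$INTERMEDIATE_CA_ROOT/priv/$OCSP_URI.ocsp.ecc.key.pem"

chmod 400 "$INTERMEDIATE_CA_ROOT/priv/$OCSP_URI.ocsp.ecc.key.pem"

openssl req -config "$INTERMEDIATE_CA_ROOT/openssl.cnf" \
  -new -subj "/C=$C/ST=$ST/O=$O/CN=$OCSP_URI" \
  -key "$INTERMEDIATE_CA_ROOT/priv/$OCSP_URI.ocsp.ecc.key.pem" \
  -out "$INTERMEDIATE_CA_ROOT/csr/$OCSP_URI.ocsp.ecc.csr.pem"

openssl ca -config "$INTERMEDIATE_CA_ROOT/openssl.cnf" \
  -cert "$INTERMEDIATE_CA_ROOT/cert/intermediate.ecc.crt.pem" \
  -keyfile "$INTERMEDIATE_CA_ROOT/priv/intermediate.ecc.key.pem" \
  -days 3650 -notext -extensions ocsp \
  -in "$INTERMEDIATE_CA_ROOT/csr/$OCSP_URI.ocsp.ecc.csr.pem" \
  -out "$INTERMEDIATE_CA_ROOT/cert/$OCSP_URI.ocsp.ecc.crt.pem"

# show the ocsp certificate
openssl x509 -noout -text -in "$INTERMEDIATE_CA_ROOT/cert/$OCSP_URI.ocsp.ecc.crt.pem"

# create root ca crl (external script living next to this one)

"$SCRIPT_DIR/make-ca-crl.sh"

# create chain of trust

cat ca/cert/ca.rsa.crt.pem "$INTERMEDIATE_CA_ROOT/cert/intermediate.rsa.crt.pem" \
  ca/cert/ca.ecc.crt.pem "$INTERMEDIATE_CA_ROOT/cert/intermediate.ecc.crt.pem" \
  > "$INTERMEDIATE_CA_ROOT/cert/ca-chain.pem"

# point ca/intermediate/current at the new CA. The old link is removed first:
# "ln -sf" onto an existing symlink-to-directory follows it and creates the new
# link *inside* the previous CA directory instead of replacing it.
rm -f ca/intermediate/current
ln -s "$DATE" ca/intermediate/current

echo "NOTE: Generated CRL is found in '$INTERMEDIATE_CA_ROOT/crl/intermediate-$DATE.crl.pem'"
echo "NOTE: Please run 'make-ca-crl.sh' on a regular basis (once every 30 days) to update it"
echo "NOTE: Intermediate RSA key is found in '$INTERMEDIATE_CA_ROOT/priv/intermediate.rsa.key.pem'"
echo "NOTE: Intermediate RSA certificate is found in '$INTERMEDIATE_CA_ROOT/cert/intermediate.rsa.crt.pem'"
echo "NOTE: Intermediate ECC key is found in '$INTERMEDIATE_CA_ROOT/priv/intermediate.ecc.key.pem'"
echo "NOTE: Intermediate ECC certificate is found in '$INTERMEDIATE_CA_ROOT/cert/intermediate.ecc.crt.pem'"
echo "NOTE: OCSP key is found in '$INTERMEDIATE_CA_ROOT/priv/*.ocsp.ecc.key.pem'"
echo "NOTE: OCSP cert is found in '$INTERMEDIATE_CA_ROOT/cert/*.ocsp.ecc.crt.pem'"
echo "NOTE: Chain of Trust is found in '$INTERMEDIATE_CA_ROOT/cert/ca-chain.pem'"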