makecerts

ICE-3.2 一个开源的中间件

#!/bin/sh
# **********************************************************************
#
# Copyright (c) 2003-2007 ZeroC, Inc. All rights reserved.
#
# This copy of Ice is licensed to you under the terms described in the
# ICE_LICENSE file included in this distribution.
#
# **********************************************************************

TMP=tmp

#
# Generate RSA certificates and keys.
#
if ! [ -f cakey1.pem ]; then

    if [ -d $TMP ]; then
	rm -rf $TMP
    fi
    mkdir $TMP
    echo '01' > $TMP/serial
    touch $TMP/index.txt

    #
    # Generate CA certificates. Also make copies of the certificates using their
    # hash values as filenames, which allows OpenSSL to find them at run time.
    #
    openssl req -config test_ca1.cnf -x509 -days 3650 -newkey rsa -keyout cakey1.pem -out cacert1.pem \
	-outform PEM -nodes
    openssl req -config test_ca2.cnf -x509 -days 3650 -newkey rsa -keyout cakey2.pem -out cacert2.pem \
	-outform PEM -nodes
    cp cacert1.pem `openssl x509 -hash -noout -in cacert1.pem`.0
    cp cacert2.pem `openssl x509 -hash -noout -in cacert2.pem`.1

    #
    # Create a server certificate and key (no password).
    #
    rm -rf $TMP
    mkdir $TMP
    echo '01' > $TMP/serial
    touch $TMP/index.txt
    openssl req -config server.cnf -newkey rsa -nodes -keyout s_rsa_nopass_ca1_priv.pem \
        -keyform PEM -out $TMP/req.pem
    openssl ca -config server.cnf -batch -in $TMP/req.pem -out s_rsa_nopass_ca1_pub.pem \
	-cert cacert1.pem -keyfile cakey1.pem

    #
    # Create a server certificate and key (with password).
    #
    rm -rf $TMP
    mkdir $TMP
    echo '01' > $TMP/serial
    touch $TMP/index.txt
    openssl req -config server.cnf -newkey rsa -passout pass:server -keyout s_rsa_pass_ca1_priv.pem \
        -keyform PEM -out $TMP/req.pem
    openssl ca -config server.cnf -batch -in $TMP/req.pem -out s_rsa_pass_ca1_pub.pem \
	-cert cacert1.pem -keyfile cakey1.pem -key server

    #
    # Create an expired server certificate and key (no password).
    #
    rm -rf $TMP
    mkdir $TMP
    echo '01' > $TMP/serial
    touch $TMP/index.txt
    openssl req -config server.cnf -newkey rsa -nodes -keyout s_rsa_nopass_ca1_exp_priv.pem \
        -keyform PEM -out $TMP/req.pem
    openssl ca -config server.cnf -batch -in $TMP/req.pem -out s_rsa_nopass_ca1_exp_pub.pem \
	-cert cacert1.pem -keyfile cakey1.pem -enddate 051231000000Z

    #
    # Create a client certificate and key (no password).
    #
    rm -rf $TMP
    mkdir $TMP
    echo '01' > $TMP/serial
    touch $TMP/index.txt
    openssl req -config client.cnf -newkey rsa -nodes -keyout c_rsa_nopass_ca1_priv.pem \
        -keyform PEM -out $TMP/req.pem
    openssl ca -config client.cnf -batch -in $TMP/req.pem -out c_rsa_nopass_ca1_pub.pem \
	-cert cacert1.pem -keyfile cakey1.pem

    #
    # Create a client certificate and key (with password).
    #
    rm -rf $TMP
    mkdir $TMP
    echo '01' > $TMP/serial
    touch $TMP/index.txt
    openssl req -config client.cnf -newkey rsa -passout pass:client -keyout c_rsa_pass_ca1_priv.pem \
        -keyform PEM -out $TMP/req.pem
    openssl ca -config client.cnf -batch -in $TMP/req.pem -out c_rsa_pass_ca1_pub.pem \
	-cert cacert1.pem -keyfile cakey1.pem -key server

    #
    # Create an expired client certificate and key (no password).
    #
    rm -rf $TMP
    mkdir $TMP
    echo '01' > $TMP/serial
    touch $TMP/index.txt
    openssl req -config client.cnf -newkey rsa -nodes -keyout c_rsa_nopass_ca1_exp_priv.pem \
        -keyform PEM -out $TMP/req.pem
    openssl ca -config client.cnf -batch -in $TMP/req.pem -out c_rsa_nopass_ca1_exp_pub.pem \
	-cert cacert1.pem -keyfile cakey1.pem -enddate 051231000000Z

    #
    # Create a server certificate and key (no password) using a different CA.
    #
    rm -rf $TMP
    mkdir $TMP
    echo '01' > $TMP/serial
    touch $TMP/index.txt
    openssl req -config server.cnf -newkey rsa -nodes -keyout s_rsa_nopass_ca2_priv.pem \
        -keyform PEM -out $TMP/req.pem
    openssl ca -config server.cnf -batch -in $TMP/req.pem -out s_rsa_nopass_ca2_pub.pem \
	-cert cacert2.pem -keyfile cakey2.pem

    #
    # Create a client certificate and key (no password) using a different CA.
    #
    rm -rf $TMP
    mkdir $TMP
    echo '01' > $TMP/serial
    touch $TMP/index.txt
    openssl req -config client.cnf -newkey rsa -nodes -keyout c_rsa_nopass_ca2_priv.pem \
	-keyform PEM -out $TMP/req.pem
    openssl ca -config client.cnf -batch -in $TMP/req.pem -out c_rsa_nopass_ca2_pub.pem \
	-cert cacert2.pem -keyfile cakey2.pem

    rm -f dsaparam1024.pem
fi

#
# Generate DSA parameters and keys.
#
if ! [ -f dsaparam1024.pem ]; then

    if [ -d $TMP ]; then
	rm -rf $TMP
    fi
    mkdir $TMP
    echo '01' > $TMP/serial
    touch $TMP/index.txt

    openssl dsaparam -out dsaparam1024.pem -outform PEM 1024

    #
    # Create a server certificate and key (no password).
    #
    rm -rf $TMP
    mkdir $TMP
    echo '01' > $TMP/serial
    touch $TMP/index.txt
    openssl req -config server.cnf -newkey dsa:dsaparam1024.pem -nodes -keyout s_dsa_nopass_ca1_priv.pem \
        -keyform PEM -out $TMP/req.pem
    openssl ca -config server.cnf -batch -in $TMP/req.pem -out s_dsa_nopass_ca1_pub.pem \
	-cert cacert1.pem -keyfile cakey1.pem

    #
    # Create a client certificate and key (no password).
    #
    rm -rf $TMP
    mkdir $TMP
    echo '01' > $TMP/serial
    touch $TMP/index.txt
    openssl req -config client.cnf -newkey dsa:dsaparam1024.pem -nodes -keyout c_dsa_nopass_ca1_priv.pem \
        -keyform PEM -out $TMP/req.pem
    openssl ca -config client.cnf -batch -in $TMP/req.pem -out c_dsa_nopass_ca1_pub.pem \
	-cert cacert1.pem -keyfile cakey1.pem
fi