4 LD_LIBRARY_PATH=../.. ../../apps/openssl $@
7 OPENSSL_CONF=../../apps/openssl.cnf
12 # Root CA: create certificate directly
13 CN="Test Root CA" opensslcmd req -config ca.cnf -x509 -nodes \
14 -keyout root.pem -out root.pem -newkey rsa:2048 -days 3650
15 # Intermediate CA: request first
16 CN="Test Intermediate CA" opensslcmd req -config ca.cnf -nodes \
17 -keyout intkey.pem -out intreq.pem -newkey rsa:2048
18 # Sign request: CA extensions
19 opensslcmd x509 -req -in intreq.pem -CA root.pem -days 3600 \
20 -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem
22 # Server certificate: create request first
23 CN="Test Server Cert" opensslcmd req -config ca.cnf -nodes \
24 -keyout skey.pem -out req.pem -newkey rsa:1024
25 # Sign request: end entity extensions
26 opensslcmd x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
27 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem
29 # Client certificate: request first
30 CN="Test Client Cert" opensslcmd req -config ca.cnf -nodes \
31 -keyout ckey.pem -out creq.pem -newkey rsa:1024
32 # Sign using intermediate CA
33 opensslcmd x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
34 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem
36 # Revoked certificate: request first
37 CN="Test Revoked Cert" opensslcmd req -config ca.cnf -nodes \
38 -keyout revkey.pem -out rreq.pem -newkey rsa:1024
39 # Sign using intermediate CA
40 opensslcmd x509 -req -in rreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
41 -extfile ca.cnf -extensions usr_cert -CAcreateserial -out rev.pem
43 # OCSP responder certificate: request first
44 CN="Test OCSP Responder Cert" opensslcmd req -config ca.cnf -nodes \
45 -keyout respkey.pem -out respreq.pem -newkey rsa:1024
46 # Sign using intermediate CA and responder extensions
47 opensslcmd x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
48 -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem
50 # Example creating a PKCS#3 DH certificate.
54 [ -f dhp.pem ] || opensslcmd genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem
56 # Now a DH private key
57 opensslcmd genpkey -paramfile dhp.pem -out dhskey.pem
58 # Create DH public key file
59 opensslcmd pkey -in dhskey.pem -pubout -out dhspub.pem
60 # Certificate request, key just reuses old one as it is ignored when the
62 CN="Test Server DH Cert" opensslcmd req -config ca.cnf -new \
63 -key skey.pem -out dhsreq.pem
64 # Sign request: end entity DH extensions
65 opensslcmd x509 -req -in dhsreq.pem -CA root.pem -days 3600 \
66 -force_pubkey dhspub.pem \
67 -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem
69 # DH client certificate
71 opensslcmd genpkey -paramfile dhp.pem -out dhckey.pem
72 opensslcmd pkey -in dhckey.pem -pubout -out dhcpub.pem
73 CN="Test Client DH Cert" opensslcmd req -config ca.cnf -new \
74 -key skey.pem -out dhcreq.pem
75 opensslcmd x509 -req -in dhcreq.pem -CA root.pem -days 3600 \
76 -force_pubkey dhcpub.pem \
77 -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem
79 # Examples of CRL generation without the need to use 'ca' to issue
81 # Create zero length index file
83 # Create initial crl number file
85 # Add entries for server and client certs
86 opensslcmd ca -valid server.pem -keyfile root.pem -cert root.pem \
87 -config ca.cnf -md sha1
88 opensslcmd ca -valid client.pem -keyfile root.pem -cert root.pem \
89 -config ca.cnf -md sha1
90 opensslcmd ca -valid rev.pem -keyfile root.pem -cert root.pem \
91 -config ca.cnf -md sha1
93 opensslcmd ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
94 -md sha1 -crldays 1 -out crl1.pem
95 # Revoke a certificate
96 openssl ca -revoke rev.pem -crl_reason superseded \
97 -keyfile root.pem -cert root.pem -config ca.cnf -md sha1
98 # Generate another CRL
99 opensslcmd ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \
100 -md sha1 -crldays 1 -out crl2.pem