Note that SHA1 and MD5 x509 signatures are also forbidden at security level 1
[openssl.git] / demos / certs / apps / mkacerts.sh
1 #!/bin/sh
2
3 # Recreate the demo certificates in the apps directory.
4
5 OPENSSL=openssl
6
7 # Root CA: create certificate directly
8 CN="OpenSSL Test Root CA" $OPENSSL req -config apps.cnf -x509 -nodes \
9         -keyout root.pem -out root.pem -key rootkey.pem -new -days 3650
10 # Intermediate CA: request first
11 CN="OpenSSL Test Intermediate CA" $OPENSSL req -config apps.cnf -nodes \
12         -key intkey.pem -out intreq.pem -new
13 # Sign request: CA extensions
14 $OPENSSL x509 -req -in intreq.pem -CA root.pem -CAkey rootkey.pem -days 3630 \
15         -extfile apps.cnf -extensions v3_ca -CAcreateserial -out intca.pem
16 # Client certificate: request first
17 CN="Test Client Cert" $OPENSSL req -config apps.cnf -nodes \
18         -key ckey.pem -out creq.pem -new
19 # Sign using intermediate CA
20 $OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
21         -extfile apps.cnf -extensions usr_cert -CAcreateserial | \
22         $OPENSSL x509 -nameopt oneline -subject -issuer >client.pem
23 # Server certificate: request first
24 CN="Test Server Cert" $OPENSSL req -config apps.cnf -nodes \
25         -key skey.pem -out sreq.pem -new
26 # Sign using intermediate CA
27 $OPENSSL x509 -req -in sreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
28         -extfile apps.cnf -extensions usr_cert -CAcreateserial | \
29         $OPENSSL x509 -nameopt oneline -subject -issuer >server.pem
30 # Server certificate #2: request first
31 CN="Test Server Cert #2" $OPENSSL req -config apps.cnf -nodes \
32         -key skey2.pem -out sreq2.pem -new
33 # Sign using intermediate CA
34 $OPENSSL x509 -req -in sreq2.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
35         -extfile apps.cnf -extensions usr_cert -CAcreateserial | \
36         $OPENSSL x509 -nameopt oneline -subject -issuer >server2.pem
37
38 # Append keys to file.
39
40 cat skey.pem >>server.pem
41 cat skey2.pem >>server2.pem
42 cat ckey.pem >>client.pem
43
44 $OPENSSL verify -CAfile root.pem -untrusted intca.pem \
45                                 server2.pem server.pem client.pem