3 # Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
4 # Copyright (c) 2016 Viktor Dukhovni <openssl-users@dukhovni.org>.
7 # Licensed under the Apache License 2.0 (the "License"). You may not use
8 # this file except in compliance with the License. You can obtain a copy
9 # in the file LICENSE in the source distribution or at
10 # https://www.openssl.org/source/license.html
12 # This file is dual-licensed and is also available under other terms.
13 # Please contact the author.
15 # 100 years should be enough for now
16 if [ -z "$DAYS" ]; then
20 if [ -z "$OPENSSL_SIGALG" ]; then
24 if [ -z "$REQMASK" ]; then
30 err=$("$@" >&3 2>&1) || {
31 printf "%s\n" "$err" >&2
41 if [ -n "$OPENSSL_KEYALG" ]; then
46 if [ -n "$OPENSSL_KEYBITS" ]; then
50 if [ ! -f "${key}.pem" ]; then
51 args=(-algorithm "$alg")
53 rsa) args=("${args[@]}" -pkeyopt rsa_keygen_bits:$bits );;
54 ec) args=("${args[@]}" -pkeyopt "ec_paramgen_curve:$bits")
55 args=("${args[@]}" -pkeyopt ec_param_enc:named_curve);;
56 dsa) args=(-paramfile "$bits");;
59 *) printf "Unsupported key algorithm: %s\n" "$alg" >&2; return 1;;
62 openssl genpkey "${args[@]}" -out "${key}.pem"
66 # Usage: $0 req keyname dn1 dn2 ...
74 openssl req -new -"${OPENSSL_SIGALG}" -key "${key}.pem" \
75 -config <(printf "string_mask=%s\n[req]\n%s\n%s\n[dn]\n" \
76 "$REQMASK" "prompt = no" "distinguished_name = dn"
77 for dn in "$@"; do echo "$dn"; done)
85 openssl req -new -"${OPENSSL_SIGALG}" -subj / -key "${key}.pem" \
86 -config <(printf "[req]\n%s\n[dn]\nCN_default =\n" \
87 "distinguished_name = dn")
95 openssl x509 -req -"${OPENSSL_SIGALG}" -out "${cert}.pem" \
96 -extfile <(printf "%s\n" "$exts") "$@"
103 local bcon="basicConstraints = critical,CA:true"
104 local ku="keyUsage = keyCertSign,cRLSign"
105 local skid="subjectKeyIdentifier = hash"
106 local akid="authorityKeyIdentifier = keyid"
108 exts=$(printf "%s\n%s\n%s\n" "$bcon" "$ku" "$skid" "$akid")
111 exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
113 csr=$(req "$key" "CN = $cn") || return 1
115 cert "$cert" "$exts" -signkey "${key}.pem" -set_serial 1 -days "${DAYS}"
125 p) purpose="$OPTARG";;
126 *) echo "Usage: $0 genca [-p EKU] cn keyname certname cakeyname cacertname" >&2
131 shift $((OPTIND - 1))
135 local cakey=$1; shift
136 local cacert=$1; shift
137 local bcon="basicConstraints = critical,CA:true"
138 local ku="keyUsage = keyCertSign,cRLSign"
139 local skid="subjectKeyIdentifier = hash"
140 local akid="authorityKeyIdentifier = keyid"
142 exts=$(printf "%s\n%s\n%s\n" "$bcon" "$ku" "$skid" "$akid")
143 if [ -n "$purpose" ]; then
144 exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$purpose")
146 if [ -n "$NC" ]; then
147 exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC")
149 csr=$(req "$key" "CN = $cn") || return 1
151 cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
152 -set_serial 2 -days "${DAYS}" "$@"
159 local cakey=$1; shift
160 local cacert=$1; shift
161 local skid="subjectKeyIdentifier = hash"
162 local akid="authorityKeyIdentifier = keyid"
164 exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid")
165 exts=$(printf "%s\nkeyUsage = %s\n" "$exts" "keyCertSign, cRLSign")
168 exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
170 csr=$(req "$key" "CN = $cn") || return 1
172 cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
173 -set_serial 2 -days "${DAYS}"
176 # Usage: $0 genpc keyname certname eekeyname eecertname pcext1 pcext2 ...
178 # Note: takes csr on stdin, so must be used with $0 req like this:
180 # $0 req keyname dn | $0 genpc keyname certname eekeyname eecertname pcext ...
184 local cakey=$1; shift
187 exts=$(printf "%s\n%s\n%s\n%s\n" \
188 "subjectKeyIdentifier = hash" \
189 "authorityKeyIdentifier = keyid, issuer:always" \
190 "basicConstraints = CA:false" \
191 "proxyCertInfo = critical, @pcexts";
193 for x in "$@"; do echo $x; done)
194 cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
195 -set_serial 2 -days "${DAYS}"
198 # Usage: $0 geneealt keyname certname eekeyname eecertname alt1 alt2 ...
200 # Note: takes csr on stdin, so must be used with $0 req like this:
202 # $0 req keyname dn | $0 geneealt keyname certname eekeyname eecertname alt ...
206 local cakey=$1; shift
209 exts=$(printf "%s\n%s\n%s\n%s\n" \
210 "subjectKeyIdentifier = hash" \
211 "authorityKeyIdentifier = keyid" \
212 "basicConstraints = CA:false" \
213 "subjectAltName = @alts";
215 for x in "$@"; do echo $x; done)
216 cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
217 -set_serial 2 -days "${DAYS}"
222 local purpose=serverAuth
227 p) purpose="$OPTARG";;
228 *) echo "Usage: $0 genee [-p EKU] cn keyname certname cakeyname cacertname" >&2
233 shift $((OPTIND - 1))
237 local cakey=$1; shift
240 exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
241 "subjectKeyIdentifier = hash" \
242 "authorityKeyIdentifier = keyid, issuer" \
243 "basicConstraints = CA:false" \
244 "extendedKeyUsage = $purpose" \
245 "subjectAltName = @alts" "DNS=${cn}")
246 csr=$(req "$key" "CN = $cn") || return 1
248 cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
249 -set_serial 2 -days "${DAYS}" "$@"
254 local purpose=serverAuth
259 p) purpose="$OPTARG";;
260 *) echo "Usage: $0 geneeextra [-p EKU] cn keyname certname cakeyname cacertname extraext" >&2
265 shift $((OPTIND - 1))
269 local cakey=$1; shift
271 local extraext=$1; shift
273 exts=$(printf "%s\n%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
274 "subjectKeyIdentifier = hash" \
275 "authorityKeyIdentifier = keyid, issuer" \
276 "basicConstraints = CA:false" \
277 "extendedKeyUsage = $purpose" \
278 "subjectAltName = @alts"\
279 "$extraext" "DNS=${cn}")
280 csr=$(req "$key" "CN = $cn") || return 1
282 cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
283 -set_serial 2 -days "${DAYS}" "$@"
288 local purpose=serverAuth
293 p) purpose="$OPTARG";;
294 *) echo "Usage: $0 geneenocsr [-p EKU] cn certname cakeyname cacertname" >&2
299 shift $((OPTIND - 1))
302 local cakey=$1; shift
305 exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
306 "subjectKeyIdentifier = hash" \
307 "authorityKeyIdentifier = keyid, issuer" \
308 "basicConstraints = CA:false" \
309 "extendedKeyUsage = $purpose" \
310 "subjectAltName = @alts" "DNS=${cn}")
311 cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
312 -set_serial 2 -days "${DAYS}" "$@"
320 exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
321 "subjectKeyIdentifier = hash" \
322 "authorityKeyIdentifier = keyid, issuer" \
323 "basicConstraints = CA:false" \
324 "extendedKeyUsage = serverAuth" \
325 "subjectAltName = @alts" "DNS=${cn}")
326 csr=$(req "$key" "CN = $cn") || return 1
328 cert "$cert" "$exts" -signkey "${key}.pem" \
329 -set_serial 1 -days "${DAYS}" "$@"
336 csr=$(req_nocn "$key") || return 1
338 cert "$cert" "" -signkey "${key}.pem" -set_serial 1 -days -1 "$@"
343 local purpose=serverAuth
348 p) purpose="$OPTARG";;
349 *) echo "Usage: $0 genct [-p EKU] cn keyname certname cakeyname cacertname ctlogkey" >&2
354 shift $((OPTIND - 1))
358 local cakey=$1; shift
360 local logkey=$1; shift
362 exts=$(printf "%s\n%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
363 "subjectKeyIdentifier = hash" \
364 "authorityKeyIdentifier = keyid, issuer" \
365 "basicConstraints = CA:false" \
366 "extendedKeyUsage = $purpose" \
367 "1.3.6.1.4.1.11129.2.4.3 = critical,ASN1:NULL"\
368 "subjectAltName = @alts" "DNS=${cn}")
369 csr=$(req "$key" "CN = $cn") || return 1
371 cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
372 -set_serial 2 -days "${DAYS}" "$@"
373 cat ${cert}.pem ${ca}.pem > ${cert}-chain.pem
374 go run github.com/google/certificate-transparency-go/ctutil/sctgen \
375 --log_private_key ${logkey}.pem \
376 --timestamp="2020-01-01T00:00:00Z" \
377 --cert_chain ${cert}-chain.pem \
378 --tls_out ${cert}.tlssct
380 filesize=$(wc -c <${cert}.tlssct)
381 exts=$(printf "%s\n%s\n%s\n%s\n%s%04X%04X%s\n%s\n[alts]\n%s\n" \
382 "subjectKeyIdentifier = hash" \
383 "authorityKeyIdentifier = keyid, issuer" \
384 "basicConstraints = CA:false" \
385 "extendedKeyUsage = $purpose" \
386 "1.3.6.1.4.1.11129.2.4.2 = ASN1:FORMAT:HEX,OCT:" $((filesize+2)) $filesize `xxd -p ${cert}.tlssct | tr -d '\n'` \
387 "subjectAltName = @alts" "DNS=${cn}")
389 cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
390 -set_serial 2 -days "${DAYS}" "$@"