3 # Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
4 # Copyright (c) 2016 Viktor Dukhovni <openssl-users@dukhovni.org>.
7 # Licensed under the OpenSSL license (the "License"). You may not use
8 # this file except in compliance with the License. You can obtain a copy
9 # in the file LICENSE in the source distribution or at
10 # https://www.openssl.org/source/license.html
12 # This file is dual-licensed and is also available under other terms.
13 # Please contact the author.
15 # 100 years should be enough for now
16 if [ -z "$DAYS" ]; then
20 if [ -z "$OPENSSL_SIGALG" ]; then
24 if [ -z "$REQMASK" ]; then
30 err=$("$@" >&3 2>&1) || {
31 printf "%s\n" "$err" >&2
41 if [ -n "$OPENSSL_KEYALG" ]; then
46 if [ -n "$OPENSSL_KEYBITS" ]; then
50 if [ ! -f "${key}.pem" ]; then
51 args=(-algorithm "$alg")
53 rsa) args=("${args[@]}" -pkeyopt rsa_keygen_bits:$bits );;
54 ec) args=("${args[@]}" -pkeyopt "ec_paramgen_curve:$bits")
55 args=("${args[@]}" -pkeyopt ec_param_enc:named_curve);;
56 dsa) args=(-paramfile "$bits");;
59 *) printf "Unsupported key algorithm: %s\n" "$alg" >&2; return 1;;
62 openssl genpkey "${args[@]}" -out "${key}.pem"
66 # Usage: $0 req keyname dn1 dn2 ...
74 openssl req -new -"${OPENSSL_SIGALG}" -key "${key}.pem" \
75 -config <(printf "string_mask=%s\n[req]\n%s\n%s\n[dn]\n" \
76 "$REQMASK" "prompt = no" "distinguished_name = dn"
77 for dn in "$@"; do echo "$dn"; done)
85 openssl req -new -"${OPENSSL_SIGALG}" -subj / -key "${key}.pem" \
86 -config <(printf "[req]\n%s\n[dn]\nCN_default =\n" \
87 "distinguished_name = dn")
95 openssl x509 -req -"${OPENSSL_SIGALG}" -out "${cert}.pem" \
96 -extfile <(printf "%s\n" "$exts") "$@"
103 local skid="subjectKeyIdentifier = hash"
104 local akid="authorityKeyIdentifier = keyid"
106 exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true")
109 exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
111 csr=$(req "$key" "CN = $cn") || return 1
113 cert "$cert" "$exts" -signkey "${key}.pem" -set_serial 1 -days "${DAYS}"
123 p) purpose="$OPTARG";;
124 c) certpol="$OPTARG";;
125 *) echo "Usage: $0 genca [-p EKU][-c policyoid] cn keyname certname cakeyname cacertname" >&2
130 shift $((OPTIND - 1))
134 local cakey=$1; shift
135 local cacert=$1; shift
136 local skid="subjectKeyIdentifier = hash"
137 local akid="authorityKeyIdentifier = keyid"
139 exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true")
140 if [ -n "$purpose" ]; then
141 exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$purpose")
143 if [ -n "$NC" ]; then
144 exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC")
146 if [ -n "$certpol" ]; then
147 exts=$(printf "%s\ncertificatePolicies = %s\n" "$exts" "$certpol")
150 csr=$(req "$key" "CN = $cn") || return 1
152 cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
153 -set_serial 2 -days "${DAYS}" "$@"
160 local cakey=$1; shift
161 local cacert=$1; shift
162 local skid="subjectKeyIdentifier = hash"
163 local akid="authorityKeyIdentifier = keyid"
165 exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid")
166 exts=$(printf "%s\nkeyUsage = %s\n" "$exts" "keyCertSign, cRLSign")
169 exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku")
171 csr=$(req "$key" "CN = $cn") || return 1
173 cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
174 -set_serial 2 -days "${DAYS}"
177 # Usage: $0 genpc keyname certname eekeyname eecertname pcext1 pcext2 ...
179 # Note: takes csr on stdin, so must be used with $0 req like this:
181 # $0 req keyname dn | $0 genpc keyname certname eekeyname eecertname pcext ...
185 local cakey=$1; shift
188 exts=$(printf "%s\n%s\n%s\n%s\n" \
189 "subjectKeyIdentifier = hash" \
190 "authorityKeyIdentifier = keyid, issuer:always" \
191 "basicConstraints = CA:false" \
192 "proxyCertInfo = critical, @pcexts";
194 for x in "$@"; do echo $x; done)
195 cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
196 -set_serial 2 -days "${DAYS}"
199 # Usage: $0 geneealt keyname certname eekeyname eecertname alt1 alt2 ...
201 # Note: takes csr on stdin, so must be used with $0 req like this:
203 # $0 req keyname dn | $0 geneealt keyname certname eekeyname eecertname alt ...
207 local cakey=$1; shift
210 exts=$(printf "%s\n%s\n%s\n%s\n" \
211 "subjectKeyIdentifier = hash" \
212 "authorityKeyIdentifier = keyid" \
213 "basicConstraints = CA:false" \
214 "subjectAltName = @alts";
216 for x in "$@"; do echo $x; done)
217 cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
218 -set_serial 2 -days "${DAYS}"
223 local purpose=serverAuth
228 p) purpose="$OPTARG";;
229 *) echo "Usage: $0 genee [-p EKU] cn keyname certname cakeyname cacertname" >&2
234 shift $((OPTIND - 1))
238 local cakey=$1; shift
241 exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
242 "subjectKeyIdentifier = hash" \
243 "authorityKeyIdentifier = keyid, issuer" \
244 "basicConstraints = CA:false" \
245 "extendedKeyUsage = $purpose" \
246 "subjectAltName = @alts" "DNS=${cn}")
247 csr=$(req "$key" "CN = $cn") || return 1
249 cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
250 -set_serial 2 -days "${DAYS}" "$@"
255 local purpose=serverAuth
260 p) purpose="$OPTARG";;
261 *) echo "Usage: $0 genee [-p EKU] cn certname cakeyname cacertname" >&2
266 shift $((OPTIND - 1))
269 local cakey=$1; shift
272 exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
273 "subjectKeyIdentifier = hash" \
274 "authorityKeyIdentifier = keyid, issuer" \
275 "basicConstraints = CA:false" \
276 "extendedKeyUsage = $purpose" \
277 "subjectAltName = @alts" "DNS=${cn}")
278 cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
279 -set_serial 2 -days "${DAYS}" "$@"
287 exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
288 "subjectKeyIdentifier = hash" \
289 "authorityKeyIdentifier = keyid, issuer" \
290 "basicConstraints = CA:false" \
291 "extendedKeyUsage = serverAuth" \
292 "subjectAltName = @alts" "DNS=${cn}")
293 csr=$(req "$key" "CN = $cn") || return 1
295 cert "$cert" "$exts" -signkey "${key}.pem" \
296 -set_serial 1 -days "${DAYS}" "$@"
303 csr=$(req_nocn "$key") || return 1
305 cert "$cert" "" -signkey "${key}.pem" -set_serial 1 -days -1 "$@"