CreateCerts.sh   [plain text]

#!/bin/sh

#  CreateCerts.sh
#  Security
#
#  Created by Fabrice Gautier on 6/7/11.
#  Copyright 2011 Apple, Inc. All rights reserved.

echo "Create Certs"


#Overrride which openssl to use:
# System openssl
#OPENSSL=/usr/bin/openssl
# Macport  openssl
#OPENSSL=/opt/local/bin/openssl
# your own openssl
OPENSSL=/usr/local/ssl/bin/openssl

#Override which gnutls-certtool to use:
# Macport  gnutls
#GNUTLS_CERTTOOL=/opt/local/gnutls-certtool
# your own gnutls
GNUTLS_CERTTOOL=/usr/local/bin/certtool


DIR=test-certs

mkdir -p $DIR
cd $DIR

#generate EC params
${OPENSSL} ecparam -name secp256k1 -out ecparam.pem

echo "**** Generating CA keys and certs..."
# generate CA certs
${OPENSSL} req -x509 -nodes -days 365 -subj '/CN=SecurityTest CA Cert (RSA)'  -newkey rsa:1024 -keyout CAKey.rsa.pem -out CACert.rsa.pem
${OPENSSL} req -x509 -nodes -days 365 -subj '/CN=SecurityTest CA Cert (ECC)'  -newkey ec:ecparam.pem -keyout CAKey.ecc.pem -out CACert.ecc.pem

echo "**** Generating Server keys and csr..."
# generate Server EC key
${GNUTLS_CERTTOOL} -p  --ecc --sec-param high --outfile ServerKey.ecc.pem

# generate Server certs
${OPENSSL} req -new -nodes -days 365 -subj '/CN=SecurityTests Server Cert (RSA)'  -newkey rsa:1024 -keyout ServerKey.rsa.pem -out ServerReq.rsa.pem
${OPENSSL} req -new -nodes -days 365 -subj '/CN=SecurityTests Server Cert (ECC)'  -key ServerKey.ecc.pem -out ServerReq.ecc.pem

echo "**** Generating Client keys and csr..."
# generate Client EC key
${GNUTLS_CERTTOOL} -p  --ecc --sec-param high --outfile ClientKey.ecc.pem

# generate client certs
${OPENSSL} req -new -nodes -days 365 -subj '/CN=SecurityTests Client Cert (RSA)'  -newkey rsa:1024 -keyout ClientKey.rsa.pem -out ClientReq.rsa.pem
${OPENSSL} req -new -nodes -days 365 -subj '/CN=SecurityTests Client Cert (ECC)'  -key ClientKey.ecc.pem -out ClientReq.ecc.pem

echo "**** Signing Servers certs..."
# sign certs
${OPENSSL} x509 -req -in ServerReq.rsa.pem -CA CACert.rsa.pem -CAkey CAKey.rsa.pem -set_serial 1 -out ServerCert.rsa.rsa.pem
${OPENSSL} x509 -req -in ServerReq.rsa.pem -CA CACert.ecc.pem -CAkey CAKey.ecc.pem -set_serial 2 -out ServerCert.rsa.ecc.pem
${OPENSSL} x509 -req -in ServerReq.ecc.pem -CA CACert.rsa.pem -CAkey CAKey.rsa.pem -set_serial 3 -out ServerCert.ecc.rsa.pem
${OPENSSL} x509 -req -in ServerReq.ecc.pem -CA CACert.ecc.pem -CAkey CAKey.ecc.pem -set_serial 4 -out ServerCert.ecc.ecc.pem

echo "**** Signing Clients certs..."
${OPENSSL} x509 -req -in ClientReq.rsa.pem -CA CACert.rsa.pem -CAkey CAKey.rsa.pem -set_serial 1001 -out ClientCert.rsa.rsa.pem
${OPENSSL} x509 -req -in ClientReq.rsa.pem -CA CACert.ecc.pem -CAkey CAKey.ecc.pem -set_serial 1002 -out ClientCert.rsa.ecc.pem
${OPENSSL} x509 -req -in ClientReq.ecc.pem -CA CACert.rsa.pem -CAkey CAKey.rsa.pem -set_serial 1003 -out ClientCert.ecc.rsa.pem
${OPENSSL} x509 -req -in ClientReq.ecc.pem -CA CACert.ecc.pem -CAkey CAKey.ecc.pem -set_serial 1004 -out ClientCert.ecc.ecc.pem


#export client keys and cert into .h

${OPENSSL} ec -outform DER -in ClientKey.ecc.pem -out ClientKey.ecc.der
${OPENSSL} rsa -outform DER -in ClientKey.rsa.pem -out ClientKey.rsa.der

xxd -i ClientKey.ecc.der > ClientKey_ecc.h
xxd -i ClientKey.rsa.der > ClientKey_rsa.h

${OPENSSL} x509 -outform DER -in ClientCert.rsa.rsa.pem -out ClientCert.rsa.rsa.der
${OPENSSL} x509 -outform DER -in ClientCert.rsa.ecc.pem -out ClientCert.rsa.ecc.der
${OPENSSL} x509 -outform DER -in ClientCert.ecc.rsa.pem -out ClientCert.ecc.rsa.der
${OPENSSL} x509 -outform DER -in ClientCert.ecc.ecc.pem -out ClientCert.ecc.ecc.der

xxd -i ClientCert.rsa.rsa.der > ClientCert_rsa_rsa.h
xxd -i ClientCert.rsa.ecc.der > ClientCert_rsa_ecc.h
xxd -i ClientCert.ecc.rsa.der > ClientCert_ecc_rsa.h
xxd -i ClientCert.ecc.ecc.der > ClientCert_ecc_ecc.h