From 849e1eb10dcb8b5bb0fbdcb7b636026799e44c47 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Thu, 8 Mar 2018 15:31:28 -0700
Subject: [PATCH] updating renewcerts script
---
 certs/renewcerts.sh | 63 ++++++++++++++++++++++++++++++++++--
 certs/renewcerts/wolfssl.cnf | 7 ++++
 2 files changed, 67 insertions(+), 3 deletions(-)
diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh
index edc7ac164..70dfe2838 100755
--- a/certs/renewcerts.sh
+++ b/certs/renewcerts.sh
@@ -8,6 +8,10 @@
 # client-ecc-cert.der
 # ca-cert.pem
 # ca-cert.der
+# ca-ecc-cert.pem
+# ca-ecc-cert.der
+# ca-ecc384-cert.pem
+# ca-ecc384-cert.der
 # server-cert.pem
 # server-cert.der
 # server-ecc-rsa.pem
@@ -17,6 +21,7 @@
 # server-ecc-comp.pem
 # client-ca.pem
 # test/digsigku.pem
+# ecc-privOnlyCert.pem
 # updates the following crls:
 # crl/cliCrl.pem
 # crl/crl.pem
@@ -100,12 +105,38 @@ function run_renewcerts(){
 openssl x509 -in ca-cert.pem -text > tmp.pem
 mv tmp.pem ca-cert.pem
 ############################################################
+ ########## update the self-signed ca-ecc-cert.pem ##########
+ ############################################################
+ echo "Updating ca-ecc-cert.pem"
+ echo ""
+ #pipe the following arguments to openssl req...
+ echo -e "US\nWashington\nSeattle\nwolfSSL\nDevelopment\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-ecc-key.pem -nodes -out ca-ecc-cert.csr
+
+ openssl x509 -req -in ca-ecc-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc-key.pem -out ca-ecc-cert.pem
+ rm ca-ecc-cert.csr
+
+ openssl x509 -in ca-ecc-cert.pem -text > tmp.pem
+ mv tmp.pem ca-ecc-cert.pem
+ ############################################################
+ ########## update the self-signed ca-ecc384-cert.pem #######
+ ############################################################
+ echo "Updating ca-ecc384-cert.pem"
+ echo ""
+ #pipe the following arguments to openssl req...
+ echo -e "US\nWashington\nSeattle\nwolfSSL\nDevelopment\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ca-ecc384-key.pem -nodes -sha384 -out ca-ecc384-cert.csr
+
+ openssl x509 -req -in ca-ecc384-cert.csr -days 1000 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc384-key.pem -sha384 -out ca-ecc384-cert.pem
+ rm ca-ecc384-cert.csr
+
+ openssl x509 -in ca-ecc384-cert.pem -text > tmp.pem
+ mv tmp.pem ca-ecc384-cert.pem
+ ############################################################
 ##### update the self-signed (1024-bit) ca-cert.pem ########
 ############################################################
 echo "Updating 1024-bit ca-cert.pem"
 echo ""
 #pipe the following arguments to openssl req...
- echo -e "US\nMontana\nBozeman\nSawtooth\nConsulting_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/ca-key.pem -nodes -out \1024/ca-cert.csr
+ echo -e "US\nMontana\nBozeman\nSawtooth\nConsulting_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/ca-key.pem -nodes -sha1 -out \1024/ca-cert.csr
 openssl x509 -req -in \1024/ca-cert.csr -days 1000 -extfile wolfssl.cnf -extensions wolfssl_opts -signkey \1024/ca-key.pem -out \1024/ca-cert.pem
 rm \1024/ca-cert.csr
@@ -169,7 +200,7 @@ function run_renewcerts(){
 echo "Updating 1024-bit server-cert.pem"
 echo ""
 #pipe the following arguments to openssl req...
- echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/server-key.pem -nodes > \1024/server-req.pem
+ echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport_1024\nwww.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key \1024/server-key.pem -nodes -sha1 > \1024/server-req.pem
 openssl x509 -req -in \1024/server-req.pem -extfile wolfssl.cnf -extensions wolfssl_opts -days 1000 -CA \1024/ca-cert.pem -CAkey \1024/ca-key.pem -set_serial 01 > \1024/server-cert.pem
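Review bot: The two new ECC CA blocks sign inconsistently: the ca-ecc384 `openssl x509 -req` line passes `-sha384`, but the ca-ecc-cert line passes no digest option at all, so the signature algorithm of ca-ecc-cert.pem depends on whichever default the installed openssl build uses and the fixture can silently differ between machines. I would pin it, e.g. `openssl x509 -req -in ca-ecc-cert.csr -days 1000 -sha256 -extfile wolfssl.cnf -extensions ca_ecc_cert -signkey ca-ecc-key.pem -out ca-ecc-cert.pem`. Relatedly, the 1024-bit block at the end of this hunk and the `@@ -169,7 +200,7 @@` hunk add `-sha1` only to the `openssl req` line, which governs the CSR's own signature; the issued certificate's algorithm is chosen on the `openssl x509 -req` line, which still passes nothing, so if SHA-1-signed 1024-bit test certs are the intent, `-sha1` needs to go there too. run_renewcerts starts and ends outside these hunks.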
@@ -244,6 +275,18 @@ function run_renewcerts(){
 echo ""
 cat client-cert.pem client-ecc-cert.pem > client-ca.pem
+ ############################################################
+ ###### update the self-signed ecc-privOnlyCert.pem #########
+ ############################################################
+ echo "Updating ecc-privOnlyCert.pem"
+ echo ""
+ #pipe the following arguments to openssl req...
+ echo -e ".\n.\n.\nWR\n.\nDE\n.\n.\n.\n" | openssl req -new -key ecc-privOnlyKey.pem -nodes -out ecc-privOnly.csr
+
+
+ openssl x509 -req -in ecc-privOnly.csr -days 1000 -signkey ecc-privOnlyKey.pem -out ecc-privOnlyCert.pem
+ rm ecc-privOnly.csr
+
 ############################################################
 ###### update the self-signed test/digsigku.pem ##########
 ############################################################
@@ -263,10 +306,15 @@ function run_renewcerts(){
 ############################################################
 ########## make .der files from .pem files #################
 ############################################################
- openssl x509 -inform PEM -in \1024/client-cert.pem -outform DER -out \1024/client-cert.der
 echo "Creating der formatted certs..."
 echo ""
+ openssl x509 -inform PEM -in \1024/client-cert.pem -outform DER -out \1024/client-cert.der
+ openssl x509 -inform PEM -in \1024/server-cert.pem -outform DER -out \1024/server-cert.der
+ openssl x509 -inform PEM -in \1024/ca-cert.pem -outform DER -out \1024/ca-cert.der
+ openssl x509 -inform PEM -in ca-cert.pem -outform DER -out ca-cert.der
+ openssl x509 -inform PEM -in ca-ecc-cert.pem -outform DER -out ca-ecc-cert.der
+ openssl x509 -inform PEM -in ca-ecc384-cert.pem -outform DER -out ca-ecc384-cert.der
 openssl x509 -inform PEM -in client-cert.pem -outform DER -out client-cert.der
 openssl x509 -inform PEM -in server-cert.pem -outform DER -out server-cert.der
 openssl x509 -inform PEM -in client-ecc-cert.pem -outform DER -out client-ecc-cert.der
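Review bot: The new ecc-privOnlyCert.pem block issues its self-signed certificate with neither `-extfile wolfssl.cnf -extensions ...` nor a digest option, unlike every other self-signed block in this script, so it appears to get no basicConstraints/keyUsage at all and a signature algorithm that depends on the installed openssl's default. If that is deliberate for a key-only test fixture, a one-line comment above the `openssl x509 -req` line would keep a later maintainer from "fixing" it, e.g. `# intentionally no extensions/digest override: <reason>`; if not, pass `-sha256 -extfile wolfssl.cnf -extensions <section>` like the neighbouring blocks. The two consecutive blank `+` lines before that command also look accidental. run_renewcerts starts and ends outside this hunk.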
@@ -281,6 +329,15 @@ function run_renewcerts(){
 echo ""
 echo "" | openssl pkcs12 -des3 -descert -export -in server-ecc-rsa.pem -inkey ecc-key.pem -certfile server-ecc.pem -out ecc-rsa-server.p12 -password stdin
+ ############################################################
+ ###### calling gen-ext-certs.sh ##################
+ ############################################################
+ echo "Calling gen-ext-certs.sh"
+ echo ""
+ cd ..
+ ./certs/test/gen-ext-certs.sh
+ cd ./certs
+
 ############################################################
 ########## store DER files as buffers ######################
 ############################################################
diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf
index 079ec5ec8..ecebae9ae 100644
--- a/certs/renewcerts/wolfssl.cnf
+++ b/certs/renewcerts/wolfssl.cnf
@@ -170,6 +170,13 @@ authorityKeyIdentifier=keyid:always,issuer:always
 basicConstraints=critical, CA:TRUE
 keyUsage=critical, nonRepudiation, keyEncipherment
+# ca-ecc-cert extensions
+[ ca_ecc_cert ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints=critical, CA:TRUE
+keyUsage=critical, digitalSignature, keyCertSign, cRLSign
+
 #tsa default
 [ tsa ]
 default_tsa = tsa_config1
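Review bot: The `cd ..` / `./certs/test/gen-ext-certs.sh` / `cd ./certs` sequence leaves the rest of run_renewcerts running in the wrong directory if either `cd` or the helper script fails, since nothing checks their status and the following "store DER files as buffers" step would then operate on whatever paths resolve from there. Running the helper in a subshell restores the working directory on every path and surfaces a failure instead of hiding it: `(cd .. && ./certs/test/gen-ext-certs.sh) || { echo "gen-ext-certs.sh failed" >&2; return 1; }`. Whether the function already runs under `set -e` is not visible here; run_renewcerts starts and ends outside this hunk.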