quicp2p/certs/certificates.sh

#!/bin/sh

# create CA keys and certificates
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -subj '/CN=localhost' -days 365 \
  -addext "keyUsage = keyCertSign" \
  -keyout server-ca.key -out server-ca.crt 

openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -subj '/CN=localhost' -days 365 \
  -addext "keyUsage = keyCertSign" \
  -keyout client-ca.key -out client-ca.crt 


# create keys and CSRs
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -subj '/CN=localhost' \
  -addext "subjectAltName = DNS:localhost" \
  -addext "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" \
  -keyout server-cert.key -out server-cert.csr 

openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -subj '/CN=localhost' \
  -addext "subjectAltName = DNS:localhost" \
  -addext "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" \
  -keyout client-cert.key -out client-cert.csr 


# sign certificate
openssl x509 -req -extensions v3_req --extfile openssl-server.cnf -CAcreateserial \
  -days 1825 \
  -CA server-ca.crt -CAkey server-ca.key \
  -in server-cert.csr -out server-cert.crt

openssl x509 -req -extensions v3_req --extfile openssl-client.cnf -CAcreateserial \
  -days 1825 \
  -CA client-ca.crt -CAkey client-ca.key \
  -in client-cert.csr -out client-cert.crt

cat server-cert.crt > server-certchain.pem
cat server-ca.crt >> server-certchain.pem

cat client-cert.crt > client-certchain.pem
cat client-ca.crt >> client-certchain.pem

## converte to pkcs8
#openssl pkcs8 -topk8 -nocrypt -in client-cert.key -out client-cert.key.pkcs8
#openssl pkcs8 -topk8 -nocrypt -in server-cert.key -out server-cert.key.pkcs8


## read certificate contents
#openssl x509 -text -noout -in client-cert.crt
#openssl x509 -text -noout -in server-cert.crt
add certificate generation script + openssl configs 2020-11-07 11:12:32 +01:00			`#!/bin/sh`

			`# create CA keys and certificates`
			`openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -subj '/CN=localhost' -days 365 \`
			`-addext "keyUsage = keyCertSign" \`
			`-keyout server-ca.key -out server-ca.crt`

			`openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -subj '/CN=localhost' -days 365 \`
			`-addext "keyUsage = keyCertSign" \`
			`-keyout client-ca.key -out client-ca.crt`


			`# create keys and CSRs`
			`openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -subj '/CN=localhost' \`
			`-addext "subjectAltName = DNS:localhost" \`
			`-addext "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" \`
			`-keyout server-cert.key -out server-cert.csr`

			`openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -subj '/CN=localhost' \`
			`-addext "subjectAltName = DNS:localhost" \`
			`-addext "keyUsage = nonRepudiation, digitalSignature, keyEncipherment" \`
			`-keyout client-cert.key -out client-cert.csr`


			`# sign certificate`
			`openssl x509 -req -extensions v3_req --extfile openssl-server.cnf -CAcreateserial \`
			`-days 1825 \`
			`-CA server-ca.crt -CAkey server-ca.key \`
			`-in server-cert.csr -out server-cert.crt`

			`openssl x509 -req -extensions v3_req --extfile openssl-client.cnf -CAcreateserial \`
			`-days 1825 \`
			`-CA client-ca.crt -CAkey client-ca.key \`
			`-in client-cert.csr -out client-cert.crt`

			`cat server-cert.crt > server-certchain.pem`
			`cat server-ca.crt >> server-certchain.pem`

			`cat client-cert.crt > client-certchain.pem`
			`cat client-ca.crt >> client-certchain.pem`

			`## converte to pkcs8`
			`#openssl pkcs8 -topk8 -nocrypt -in client-cert.key -out client-cert.key.pkcs8`
			`#openssl pkcs8 -topk8 -nocrypt -in server-cert.key -out server-cert.key.pkcs8`


			`## read certificate contents`
			`#openssl x509 -text -noout -in client-cert.crt`
			`#openssl x509 -text -noout -in server-cert.crt`