3 # For a list of supported curves, use "apps/openssl ecparam -list_curves".
5 # Path to the openssl distribution
7 # Path to the openssl program
8 OPENSSL_CMD=$OPENSSL_DIR/apps/openssl
9 # Option to find configuration file
10 OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf"
11 # Directory where certificates are stored
13 # Directory where private key files are stored
15 # Directory where combo files (containing a certificate and corresponding
16 # private key together) are stored
22 # The certificate will expire these many days after the issue date.
24 TEST_CA_CURVE=secp160r1
25 TEST_CA_FILE=secp160r1TestCA
26 TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (Elliptic curve secp160r1)"
28 TEST_SERVER_CURVE=secp160r2
29 TEST_SERVER_FILE=secp160r2TestServer
30 TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (Elliptic curve secp160r2)"
32 TEST_CLIENT_CURVE=secp160r2
33 TEST_CLIENT_FILE=secp160r2TestClient
34 TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (Elliptic curve secp160r2)"
36 # Generating an EC certificate involves the following main steps
37 # 1. Generating curve parameters (if needed)
38 # 2. Generating a certificate request
39 # 3. Signing the certificate request
40 # 4. [Optional] One can combine the cert and private key into a single
41 # file and also delete the certificate request
43 echo "Generating self-signed CA certificate (on curve $TEST_CA_CURVE)"
44 echo "==============================================================="
45 $OPENSSL_CMD ecparam -name $TEST_CA_CURVE -out $TEST_CA_CURVE.pem
47 # Generate a new certificate request in $TEST_CA_FILE.req.pem. A
48 # new ecdsa (actually ECC) key pair is generated on the parameters in
49 # $TEST_CA_CURVE.pem and the private key is saved in $TEST_CA_FILE.key.pem
50 # WARNING: By using the -nodes option, we force the private key to be
51 # stored in the clear (rather than encrypted with a password).
52 $OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \
53 -keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \
54 -newkey ecdsa:$TEST_CA_CURVE.pem -new \
55 -out $CERTS_DIR/$TEST_CA_FILE.req.pem
57 # Sign the certificate request in $TEST_CA_FILE.req.pem using the
58 # private key in $TEST_CA_FILE.key.pem and include the CA extension.
59 # Make the certificate valid for 1500 days from the time of signing.
60 # The certificate is written into $TEST_CA_FILE.cert.pem
61 $OPENSSL_CMD x509 -req -days $DAYS \
62 -in $CERTS_DIR/$TEST_CA_FILE.req.pem \
63 -extfile $OPENSSL_DIR/apps/openssl.cnf \
65 -signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
66 -out $CERTS_DIR/$TEST_CA_FILE.cert.pem
68 # Display the certificate
69 $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text
71 # Place the certificate and key in a common file
72 $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \
73 > $COMBO_DIR/$TEST_CA_FILE.pem
74 $CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem
76 # Remove the cert request file (no longer needed)
77 $RM $CERTS_DIR/$TEST_CA_FILE.req.pem
79 echo "GENERATING A TEST SERVER CERTIFICATE (on elliptic curve $TEST_SERVER_CURVE)"
80 echo "=========================================================================="
81 # Generate parameters for curve $TEST_SERVER_CURVE, if needed
82 $OPENSSL_CMD ecparam -name $TEST_SERVER_CURVE -out $TEST_SERVER_CURVE.pem
84 # Generate a new certificate request in $TEST_SERVER_FILE.req.pem. A
85 # new ecdsa (actually ECC) key pair is generated on the parameters in
86 # $TEST_SERVER_CURVE.pem and the private key is saved in
87 # $TEST_SERVER_FILE.key.pem
88 # WARNING: By using the -nodes option, we force the private key to be
89 # stored in the clear (rather than encrypted with a password).
90 $OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \
91 -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \
92 -newkey ecdsa:$TEST_SERVER_CURVE.pem -new \
93 -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem
95 # Sign the certificate request in $TEST_SERVER_FILE.req.pem using the
96 # CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in
97 # $TEST_CA_FILE.key.pem. Since we do not have an existing serial number
98 # file for this CA, create one. Make the certificate valid for $DAYS days
99 # from the time of signing. The certificate is written into
100 # $TEST_SERVER_FILE.cert.pem
101 $OPENSSL_CMD x509 -req -days $DAYS \
102 -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \
103 -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
104 -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
105 -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial
107 # Display the certificate
108 $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text
110 # Place the certificate and key in a common file
111 $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \
112 > $COMBO_DIR/$TEST_SERVER_FILE.pem
113 $CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem
115 # Remove the cert request file (no longer needed)
116 $RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem
118 echo "GENERATING A TEST CLIENT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)"
119 echo "=========================================================================="
120 # Generate parameters for curve $TEST_CLIENT_CURVE, if needed
121 $OPENSSL_CMD ecparam -name $TEST_CLIENT_CURVE -out $TEST_CLIENT_CURVE.pem
123 # Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. A
124 # new ecdsa (actually ECC) key pair is generated on the parameters in
125 # $TEST_CLIENT_CURVE.pem and the private key is saved in
126 # $TEST_CLIENT_FILE.key.pem
127 # WARNING: By using the -nodes option, we force the private key to be
128 # stored in the clear (rather than encrypted with a password).
129 $OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \
130 -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \
131 -newkey ecdsa:$TEST_CLIENT_CURVE.pem -new \
132 -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
134 # Sign the certificate request in $TEST_CLIENT_FILE.req.pem using the
135 # CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in
136 # $TEST_CA_FILE.key.pem. Since we do not have an existing serial number
137 # file for this CA, create one. Make the certificate valid for $DAYS days
138 # from the time of signing. The certificate is written into
139 # $TEST_CLIENT_FILE.cert.pem
140 $OPENSSL_CMD x509 -req -days $DAYS \
141 -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \
142 -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
143 -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
144 -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial
146 # Display the certificate
147 $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text
149 # Place the certificate and key in a common file
150 $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \
151 > $COMBO_DIR/$TEST_CLIENT_FILE.pem
152 $CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem
154 # Remove the cert request file (no longer needed)
155 $RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
157 ############################################################################
158 #OLD STUFF (ignore this)
160 #These are the commands I used, but you may wish to add -named_curve to the first command per our discussion about parameter encoding in certificates.
162 #apps/openssl ecdsaparam -out nist192.param.pem -NIST_192
164 #apps/openssl ecdsaparam -out nistB163.param.pem -named_curve -NIST_B163
165 # the nodes option causes output key to be stored unencrypted
166 #apps/openssl req -nodes -keyout nistB163.priv.pem -newkey ecdsa:nistB163.param.pem -new -out nistB163.req.pem
167 #apps/openssl x509 -req -in nistB163.req.pem -extfile apps/cert.cnf -extensions v3_ca -signkey nistB163.priv.pem -out nistB163.cert.pem
169 #crypto/x509/x509_ext.c has X509_EXTENSION *X509_get_ext(X509 *x, int loc)
170 #crypto/asn1/t_x509.c has code to print certificates
171 #crypto/x509v3/v3_prn.c has code to print extensions X509V3_extensions_print