# Reviewer notes: this is an excerpt of the script (the original line
# numbers are kept at the start of each line and are not contiguous), so the
# shebang, the LIFETIME/PASSWORD assignments and the `(` / `if ... fi` lines
# that wrap the openssl calls are not visible here.  Nothing visible enables
# `set -e`; any step without an explicit `|| exit` continues on failure.
4 # This is a NON-INTERACTIVE script to help generate certificates for
5 # use with the EAP-TLS module.
10 # This environment variable should point to the SSL installation
# Default SSL only when it is empty/unset (same as SSL=${SSL:-/usr/local/ssl}).
12 [ "$SSL" = "" ] && SSL=/usr/local/ssl
16 # Edit the following variables for your organization.
21 ORGANIZATION="Organization"
# All three PASSWORD_* values default to the same $PASSWORD.  PASSWORD itself
# is not assigned in this excerpt (presumably set earlier or inherited from
# the environment); if it is empty, every -passin/-passout below expands to
# `pass:`, i.e. an empty passphrase.  Several later pkcs12 steps open
# newreq.pem with a different PASSWORD_* than the one that encrypted it, and
# only work while all three stay identical.
25 COMMON_NAME_CLIENT="Client certificate"
26 EMAIL_CLIENT="client@example.com"
27 PASSWORD_CLIENT=$PASSWORD
29 COMMON_NAME_SERVER="Server certificate"
30 EMAIL_SERVER="server@example.com"
31 PASSWORD_SERVER=$PASSWORD
33 COMMON_NAME_ROOT="Root certificate"
34 EMAIL_ROOT="root@example.com"
35 PASSWORD_ROOT=$PASSWORD
38 # lifetime, in days, of the certs
42 ######################################################################
44 # Don't change anything below this line...
46 ######################################################################
49 # Prefer the SSL configured above, over any previous installation.
# The configured tree is put ahead of the existing PATH and becomes the only
# LD_LIBRARY_PATH entry, so its openssl/CA.pl and libraries win over the
# system copies.  Whoever can write to ${SSL}/bin, ${SSL}/misc or ${SSL}/lib
# therefore controls what this script executes; keep that tree root-owned.
51 PATH=${SSL}/bin/:${SSL}/misc:${PATH}
52 LD_LIBRARY_PATH=${SSL}/lib
53 export PATH LD_LIBRARY_PATH
# Destructive and relative to the current directory: every demoCA/, roo*,
# cert*, *.pem and *.der entry in the cwd is removed, including previously
# generated keys.  Run from a dedicated working directory (or guard it with
# something like `cd "${WORKDIR:?}" || exit 1` first).
55 rm -rf demoCA roo* cert* *.pem *.der
# `echo -e` is a bashism; the shebang is outside this excerpt, so confirm the
# interpreter is bash (printf '\t\t%s\n' ... is the portable form).
58 echo -e "\t\t##################"
59 echo -e "\t\tcreate private key"
60 echo -e "\t\tname : name-root"
61 echo -e "\t\tCA.pl -newcert"
62 echo -e "\t\t##################\n"
# Step 1: a self-signed (-x509) certificate plus encrypted key that is
# promoted to the CA below.  The subshell `(` feeding openssl and its other
# echo lines are outside this excerpt.  Note the CA ends up labelled with the
# CLIENT name/e-mail and encrypted with the CLIENT passphrase.
69 echo $COMMON_NAME_CLIENT
# Passphrases are given as `pass:` on the command line, so they are readable
# by other local users (ps, /proc) while openssl runs; `-passin env:VAR` or
# `-passin file:PATH` avoids that.  $PASSWORD_CLIENT and $LIFETIME are
# unquoted, so a passphrase containing whitespace or glob characters breaks
# the command.
71 ) | openssl req -new -x509 -keyout newreq.pem -out newreq.pem -days $LIFETIME -passin pass:$PASSWORD_CLIENT -passout pass:$PASSWORD_CLIENT
# The enclosing `if` and its exit are outside this excerpt.
74 echo "Failed to create client certificate"
79 echo -e "\t\t##################"
80 echo -e "\t\tcreate CA"
81 echo -e "\t\tuse just created 'newreq.pem' private key as filename"
82 echo -e "\t\tCA.pl -newca"
83 echo -e "\t\t##################\n"
# newreq.pem (cert + key from step 1) becomes the CA under demoCA/; the
# script aborts with status 2 if CA.pl fails.
85 echo "newreq.pem" | CA.pl -newca || exit 2
87 #ls -lg demoCA/private/cakey.pem
90 echo -e "\t\t##################"
91 echo -e "\t\texporting ROOT CA"
92 echo -e "\t\tCA.pl -newreq"
93 echo -e "\t\tCA.pl -signreq"
94 echo -e "\t\topenssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.pem"
95 echo -e "\t\topenssl pkcs12 -in root.cer -out root.pem"
96 echo -e "\t\t##################\n"
# Export the CA.  newreq.pem was encrypted with PASSWORD_CLIENT in step 1 but
# is opened here with PASSWORD_ROOT; this works only because both default to
# $PASSWORD.  None of these three commands has `|| exit`, so a failure here
# is silently carried into the later steps.
98 openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin pass:$PASSWORD_ROOT -passout pass:$PASSWORD_ROOT
# NOTE(review): the export above used `-inkey newreq.pem`, so root.p12 and
# the root.pem extracted from it here appear to carry the CA *private key*
# alongside the certificate (`-cacerts` selects certificates, not the key).
# If root.pem is what gets distributed as the trust anchor, add `-nokeys` to
# this extraction or ship root.der (certificate only) instead — confirm.
99 openssl pkcs12 -in root.p12 -out root.pem -passin pass:$PASSWORD_ROOT -passout pass:$PASSWORD_ROOT
100 openssl x509 -inform PEM -outform DER -in root.pem -out root.der
103 echo -e "\t\t##################"
104 echo -e "\t\tcreating client certificate"
105 echo -e "\t\tname : name-clt"
106 echo -e "\t\tclient certificate stored as cert-clt.pem"
107 echo -e "\t\tCA.pl -newreq"
108 echo -e "\t\tCA.pl -signreq"
109 echo -e "\t\t##################\n"
# Step 3 ("client certificate"): the request is actually built from the
# SERVER name and passphrase, signed with xpclient_ext, then exported with
# the CLIENT passphrase — another spot that relies on all PASSWORD_* being
# equal.  The `(` and the remaining echo lines of the request are outside
# this excerpt.
116 echo $COMMON_NAME_SERVER
# Presumably one of the `openssl req` prompt answers (challenge password?);
# verify against the lines missing from this excerpt.
118 echo $PASSWORD_SERVER
120 ) | openssl req -new -keyout newreq.pem -out newreq.pem -days $LIFETIME -passin pass:$PASSWORD_SERVER -passout pass:$PASSWORD_SERVER
123 echo "Failed to create server certificate"
# BUG: $PASSWORD_SEREVER (typo) is never assigned, so `-passin` receives
# `pass:` (empty); it should read $PASSWORD_SERVER.  For `openssl ca` both
# `-passin` and `-key` refer to the CA private-key passphrase, and that key
# was created with PASSWORD_CLIENT in step 1.  `-policy policy_anything`
# accepts any subject fields — acceptable for a lab CA, not for one whose
# certificates are trusted elsewhere.  The `(` and the `echo` lines feeding
# this pipe are outside this excerpt.
128 echo y) | openssl ca -policy policy_anything -out newcert.pem -passin pass:$PASSWORD_SEREVER -key $PASSWORD_SERVER -extensions xpclient_ext -extfile xpextensions -infiles newreq.pem
131 echo "Failed to do sign certificate"
# Export the client certificate.  newreq.pem was encrypted with
# PASSWORD_SERVER above but is opened with PASSWORD_CLIENT here (see the
# PASSWORD_* note at the top).  Exit codes 8-10 here versus 5-7 for the
# server export below are out of order but harmless.
135 openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-clt.p12 -clcerts -passin pass:$PASSWORD_CLIENT -passout pass:$PASSWORD_CLIENT || exit 8
136 openssl pkcs12 -in cert-clt.p12 -out cert-clt.pem -passin pass:$PASSWORD_CLIENT -passout pass:$PASSWORD_CLIENT || exit 9
137 openssl x509 -inform PEM -outform DER -in cert-clt.pem -out cert-clt.der || exit 10
140 echo -e "\t\t##################"
141 echo -e "\t\tcreating server certificate"
142 echo -e "\t\tname : name-srv"
143 echo -e "\t\tserver certificate stored as cert-srv.pem"
144 echo -e "\t\tCA.pl -newreq"
145 echo -e "\t\tCA.pl -signreq"
146 echo -e "\t\t##################\n"
# Step 4 ("server certificate"): built from the ROOT name/passphrase, signed
# with xpserver_ext, exported with the SERVER passphrase.  The "root
# certificate" error messages below belong to this block, which is
# misleading in logs.
153 echo $COMMON_NAME_ROOT
157 ) | openssl req -new -keyout newreq.pem -out newreq.pem -days $LIFETIME -passin pass:$PASSWORD_ROOT -passout pass:$PASSWORD_ROOT
160 echo "Failed to create root certificate"
# Same CA-passphrase and policy_anything caveats as the client signing step.
165 echo y) | openssl ca -policy policy_anything -out newcert.pem -passin pass:$PASSWORD_ROOT -key $PASSWORD_ROOT -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem
168 echo "Failed to sign root certificate"
# Export the server certificate (key encrypted with PASSWORD_ROOT above,
# opened with PASSWORD_SERVER here).
172 openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-srv.p12 -clcerts -passin pass:$PASSWORD_SERVER -passout pass:$PASSWORD_SERVER || exit 5
173 openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin pass:$PASSWORD_SERVER -passout pass:$PASSWORD_SERVER || exit 6
174 openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der || exit 7
176 echo -e "\n\t\t#################################"
177 echo -e "\t\tDONE. Thank you for your patience."
178 echo -e "\t\t###################################\n"