diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2012-01-25 16:33:39 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2012-01-25 16:33:39 +0000 |
| commit | ccd395cbcc5176fc2a8137b0d297aef04077c059 (patch) | |
| tree | ac5fc3d0ab7a03b04a668371ca058c74711e11d8 /demos | |
| parent | 0d609395158f3dfc0e30c1d687294f75263c532c (diff) | |
add example for DH certificate generation
Diffstat (limited to 'demos')
| -rw-r--r-- | demos/certs/ca.cnf | 12 | ||||
| -rw-r--r-- | demos/certs/mkcerts.sh | 33 |
2 files changed, 44 insertions, 1 deletions
diff --git a/demos/certs/ca.cnf b/demos/certs/ca.cnf index 195b236528..a1b6bd799e 100644 --- a/demos/certs/ca.cnf +++ b/demos/certs/ca.cnf @@ -42,6 +42,18 @@ nsComment = "OpenSSL Generated Certificate" subjectKeyIdentifier=hash authorityKeyIdentifier=keyid +[ dh_cert ] + +# These extensions are added when 'ca' signs a request for an end entity +# DH certificate + +basicConstraints=critical, CA:FALSE +keyUsage=critical, keyAgreement + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid + [ v3_ca ] diff --git a/demos/certs/mkcerts.sh b/demos/certs/mkcerts.sh index 81e7dc5de7..0d55e8f846 100644 --- a/demos/certs/mkcerts.sh +++ b/demos/certs/mkcerts.sh @@ -1,6 +1,8 @@ #!/bin/sh -OPENSSL=openssl +OPENSSL=../../apps/openssl +OPENSSL_CONF=../../apps/openssl.cnf +export OPENSSL_CONF # Root CA: create certificate directly CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes \ @@ -23,3 +25,32 @@ CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \ # Sign using intermediate CA $OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem + +# Example creating a PKCS#3 DH certificate. + +# First DH parameters + +[ -f dhp.pem ] || $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem + +# Now a DH private key +$OPENSSL genpkey -paramfile dhp.pem -out dhskey.pem +# Create DH public key file +$OPENSSL pkey -in dhskey.pem -pubout -out dhspub.pem +# Certificate request, key just reuses old one as it is ignored when the +# request is signed. +CN="Test Server DH Cert" $OPENSSL req -config ca.cnf -new \ + -key skey.pem -out dhsreq.pem +# Sign request: end entity DH extensions +$OPENSSL x509 -req -in dhsreq.pem -CA root.pem -days 3600 \ + -force_pubkey dhspub.pem \ + -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem + +# DH client certificate + +$OPENSSL genpkey -paramfile dhp.pem -out dhckey.pem +$OPENSSL pkey -in dhckey.pem -pubout -out dhcpub.pem +CN="Test Client DH Cert" $OPENSSL req -config ca.cnf -new \ + -key skey.pem -out dhcreq.pem +$OPENSSL x509 -req -in dhcreq.pem -CA root.pem -days 3600 \ + -force_pubkey dhcpub.pem \ + -extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem |