Simple automated certificate creation demo.

3 files changed, 91 insertions, 0 deletions

diff --git a/demos/certs/README b/demos/certs/README
new file mode 100644
index 0000000000..d022d0afc0
--- /dev/null
+++ b/demos/certs/README
@@ -0,0 +1,9 @@
+There is often a need to generate test certificates automatically using
+a script. This is often a cause for confusion which can result in incorrect
+CA certificates, obsolete V1 certificates or duplicate serial numbers.
+The range of command line options can be daunting for a beginner.
+
+This is a simple example of how to generate certificates automatically
+using scripts. Example creates a root CA, a server certificate signed by
+the root, an intermediate CA signed by the root and finally a client 
+certificate signed by the intermediate CA.
diff --git a/demos/certs/ca.cnf b/demos/certs/ca.cnf
new file mode 100644
index 0000000000..195b236528
--- /dev/null
+++ b/demos/certs/ca.cnf
@@ -0,0 +1,57 @@
+#
+# OpenSSL example configuration file for automated certificate creation.
+#
+
+# This definition stops the following lines choking if HOME or CN
+# is undefined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+CN			= "Not Defined"
+
+####################################################################
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+# Don't prompt for fields: use those in section directly
+prompt			= no
+distinguished_name	= req_distinguished_name
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= UK
+
+organizationName		= OpenSSL Group
+# Take CN from environment so it can come from a script.
+commonName			= $ENV::CN
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request for an end entity
+# certificate
+
+basicConstraints=critical, CA:FALSE
+keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints = critical,CA:true
+keyUsage = critical, cRLSign, keyCertSign
+
+
diff --git a/demos/certs/mkcerts.sh b/demos/certs/mkcerts.sh
new file mode 100644
index 0000000000..81e7dc5de7
--- /dev/null
+++ b/demos/certs/mkcerts.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+OPENSSL=openssl
+
+# Root CA: create certificate directly
+CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes \
+	-keyout root.pem -out root.pem -newkey rsa:2048 -days 3650
+# Server certificate: create request first
+CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \
+	-keyout skey.pem -out req.pem -newkey rsa:1024
+# Sign request: end entity extensions
+$OPENSSL x509 -req -in req.pem -CA root.pem -days 3600 \
+	-extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem
+# Intermediate CA: request first
+CN="Test Intermediate CA" $OPENSSL req -config ca.cnf -nodes \
+	-keyout intkey.pem -out intreq.pem -newkey rsa:2048
+# Sign request: CA extensions
+$OPENSSL x509 -req -in intreq.pem -CA root.pem -days 3600 \
+	-extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem
+# Client certificate: request first
+CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \
+	-keyout ckey.pem -out creq.pem -newkey rsa:1024
+# Sign using intermediate CA
+$OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
+	-extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem