3 # Copyright (c) 2012 The Chromium Authors. All rights reserved.
4 # Use of this source code is governed by a BSD-style license that can be
5 # found in the LICENSE file.
7 # This script generates certificates that can be used to test SSL client
8 # authentication. Outputs for automated tests are stored in
9 # net/data/ssl/certificates, but may be re-generated for manual testing.
11 # This script generates two chains of test client certificates:
13 # 1. A (end-entity) -> B -> C (self-signed root)
14 # 2. D (end-entity) -> E -> C (self-signed root)
16 # In which A, B, C, D, and E all have distinct keypairs. Both client
17 # certificates share the same root, but are issued by different
18 # intermediates. The names of these intermediates are hardcoded within
19 # unit tests, and thus should not be changed.
29 echo Create the serial number files and indices.
# NOTE(review): the loop that sets $i (and its 'done'), and the line that gives
# $serial its initial value, are not visible in this excerpt.
# The redirect below applies to the whole `try ...` command, so anything that
# `try` itself writes to stdout (its definition is not visible here) would land
# in the serial file next to the number -- confirm `try` is silent on stdout.
33 try echo $serial > out/$i-serial
# Advance to the next serial; `expr` is the portable pre-$(( )) spelling.
34 serial=$(expr $serial + 1)
# Create empty index/attr files for this CA -- presumably the database files
# the openssl `ca` tool expects; verify against client-certs.cnf.
35 touch out/$i-index.txt
36 touch out/$i-index.txt.attr
39 echo Generate the keys.
# NOTE(review): the loop header that sets $i is not visible here. Each key is a
# 2048-bit RSA key written unencrypted (no cipher option is passed) to out/$i.key,
# which is what test fixtures need but means out/*.key are plaintext secrets.
42 try openssl genrsa -out out/$i.key 2048
45 echo Generate the C CSR
# C is the self-signed root shared by both chains (see the header comment).
# The request below, and the second COMMON_NAME command that presumably
# self-signs it, are only partially visible: the option lines between the
# ones shown are missing from this excerpt.
46 COMMON_NAME="C Root CA" \
53 -config client-certs.cnf
56 COMMON_NAME="C Root CA" \
66 echo Generate the intermediates
# NOTE(review): only scattered lines of the intermediate CSR/signing commands
# survive in this excerpt. The signing step selects the `ca_cert` profile from
# client-certs.cnf (-extensions ca_cert); that profile, not this script,
# decides whether the intermediates carry basicConstraints CA:TRUE (and any
# path length) and a keyCertSign key usage -- verify it there, since the unit
# tests reference these intermediates by name.
74 -config client-certs.cnf
84 -config client-certs.cnf
93 -config client-certs.cnf
100 -extensions ca_cert \
103 -config client-certs.cnf
105 echo Generate the leaf certs
# NOTE(review): the loop header that sets $id, and most of each command, are
# not visible here. Both leaves are signed with the `user_cert` profile
# (-extensions user_cert); confirm in client-certs.cnf that it sets
# extendedKeyUsage clientAuth and does not assert CA:TRUE, since the profile
# is what restricts these certificates to client authentication.
108 COMMON_NAME="Client Cert $id" \
114 -config client-certs.cnf
123 -extensions user_cert \
126 -config client-certs.cnf
134 -extensions user_cert \
137 -config client-certs.cnf
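echo Package the client certs and private keys into PKCS12 files
# This is done for easily importing all of the certs needed for clients.
# Each bundle is: leaf cert, leaf PRIVATE KEY, issuing intermediate, root --
# the input for the pkcs12 export that follows. Because the private key is
# inside, out/*-chain.pem is as sensitive as out/*.key.
# Unlike the openssl steps, these were not wrapped in `try`; `try` is not used
# here either because the redirect would capture try's own stdout. Fail
# explicitly instead so a missing input cannot leave a truncated bundle that
# the next step then packages.
cat out/A.pem out/A.key out/B.pem out/C.pem > out/A-chain.pem \
  || { echo "failed to build out/A-chain.pem" >&2; exit 1; }
cat out/D.pem out/D.key out/E.pem out/C.pem > out/D-chain.pem \
  || { echo "failed to build out/D-chain.pem" >&2; exit 1; }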
145 -in out/A-chain.pem \
151 -in out/D-chain.pem \
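echo Package the client certs for unit tests
# Copy each client's leaf cert, leaf private key and issuing intermediate to
# the names the unit tests reference. Wrapped in `try` like the other steps
# so a failed copy aborts the run instead of leaving stale or missing files
# that look like fresh test fixtures.
try cp out/A.pem client_1.pem
try cp out/A.key client_1.key
try cp out/B.pem client_1_ca.pem

try cp out/D.pem client_2.pem
try cp out/D.key client_2.key
try cp out/E.pem client_2_ca.pem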