#!/usr/bin/env sh set -e set -x COPT='-algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -pkeyopt ec_param_enc:named_curve' MYDIR="$(dirname "${0}")" readonly BASE="${1:-ddk}" readonly REVI=1 readonly PRFX="${BASE}-" readonly ROOT="${PRFX}ca" readonly CODE="${PRFX}code" cd "${MYDIR}" # PKCS #8 private key, encrypted, PEM format. # shellcheck disable=SC2086 openssl genpkey ${COPT} -aes-256-cbc -pass "pass:onlytemporary" -out "${ROOT}-private.pem" 2>/dev/null openssl ec -in "${ROOT}-private.pem" -passin "pass:onlytemporary" -out "${ROOT}-private-nopass.pem" #2>/dev/null mv "${ROOT}-private-nopass.pem" "${ROOT}-private.pem" openssl asn1parse -i -in "${ROOT}-private.pem" # -cert.pem is certificate (public key + subject + signature) openssl req -batch -verbose -new -sha256 -x509 -days 1826 -key "${ROOT}-private.pem" -out "${ROOT}-cert.pem" -config - << EOF [req] encrypt_key = yes prompt = no utf8 = yes string_mask = utf8only distinguished_name = dn x509_extensions = v3_ca [v3_ca] subjectKeyIdentifier = hash basicConstraints = critical, CA:TRUE, pathlen:0 keyUsage = critical, keyCertSign, cRLSign [dn] CN = ${BASE} Root CA ${REVI} EOF openssl x509 -in "${ROOT}-cert.pem" -text -noout -nameopt utf8 -sha256 -fingerprint > "${ROOT}-cert.pem.x509.txt" openssl asn1parse -i -in "${ROOT}-cert.pem" > "${ROOT}-cert.pem.asn1.txt" # subordinate #1: code signing cat << EOF > "${CODE}-csr.config" [req] encrypt_key = yes prompt = no utf8 = yes string_mask = utf8only distinguished_name = dn req_extensions = v3_req [v3_req] subjectKeyIdentifier = hash keyUsage = critical, digitalSignature # msCodeInd = Microsoft Individual Code Signing # msCodeCom = Microsoft Commercial Code Signing extendedKeyUsage = critical, codeSigning, msCodeInd [dn] CN = ${base} Code Signing Authority EOF # PKCS #8 private key, encrypted, PEM format. # shellcheck disable=SC2086 openssl genpkey ${COPT} -aes-256-cbc -pass "pass:onlytemporary" -out "${CODE}-private.pem" 2>/dev/null openssl ec -in "${CODE}-private.pem" -passin "pass:onlytemporary" -out "${CODE}-private-nopass.pem" 2>/dev/null mv "${CODE}-private-nopass.pem" "${CODE}-private.pem" openssl asn1parse -i -in "${CODE}-private.pem" openssl pkey -in "${CODE}-private.pem" -pubout > "${CODE}-public.pem" # Play some with the public key openssl pkey -pubin -in "${CODE}-public.pem" -text -noout > "${CODE}-public.pem.txt" openssl asn1parse -i -in "${CODE}-public.pem" > "${CODE}-public.pem.asn1.txt" # -csr.pem is certificate signing request openssl req -batch -verbose -new -sha256 -key "${CODE}-private.pem" -out "${CODE}-csr.pem" -config "${CODE}-csr.config" openssl req -batch -verbose -in "${CODE}-csr.pem" -text -noout -nameopt utf8 > "${CODE}-csr.pem.txt" openssl asn1parse -i -in "${CODE}-csr.pem" > "${CODE}-csr.pem.asn1.txt" # -cert.pem is certificate (public key + subject + signature) openssl x509 -req -sha256 -days 1095 \ -extfile "${CODE}-csr.config" -extensions v3_req \ -in "${CODE}-csr.pem" \ -CA "${ROOT}-cert.pem" -CAkey "${ROOT}-private.pem" -CAcreateserial -out "${CODE}-cert.pem" openssl x509 -in "${CODE}-cert.pem" -text -noout -nameopt utf8 -sha256 -fingerprint > "${CODE}-cert.pem.x509.txt" openssl asn1parse -i -in "${CODE}-cert.pem" > "${CODE}-cert.pem.asn1.txt" # PKCS #12 .p12 is private key and certificate(-chain), encrypted openssl pkcs12 -export \ -keypbe aes-256-cbc -certpbe aes-256-cbc -macalg sha256 \ -inkey "${CODE}-private.pem" \ -in "${CODE}-cert.pem" \ -chain -CAfile "${ROOT}-cert.pem" \ -out "${CODE}.p12" \ -passout pass:"" openssl pkcs12 -in "${CODE}.p12" -info -nodes -nokeys -out "${CODE}.p12.txt" -passin pass:"" -passout pass:"" openssl asn1parse -i -inform DER -in "${CODE}.p12"