1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
#!/usr/bin/env sh
set -e
set -x
COPT='-algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -pkeyopt ec_param_enc:named_curve'
MYDIR="$(dirname "${0}")"
readonly BASE="${1:-ddk}"
readonly REVI=1
readonly PRFX="${BASE}-"
readonly ROOT="${PRFX}ca"
readonly CODE="${PRFX}code"
cd "${MYDIR}"
# PKCS #8 private key, encrypted, PEM format.
# shellcheck disable=SC2086
openssl genpkey ${COPT} -aes-256-cbc -pass "pass:onlytemporary" -out "${ROOT}-private.pem" 2>/dev/null
openssl ec -in "${ROOT}-private.pem" -passin "pass:onlytemporary" -out "${ROOT}-private-nopass.pem" #2>/dev/null
mv "${ROOT}-private-nopass.pem" "${ROOT}-private.pem"
openssl asn1parse -i -in "${ROOT}-private.pem"
# -cert.pem is certificate (public key + subject + signature)
openssl req -batch -verbose -new -sha256 -x509 -days 1826 -key "${ROOT}-private.pem" -out "${ROOT}-cert.pem" -config - << EOF
[req]
encrypt_key = yes
prompt = no
utf8 = yes
string_mask = utf8only
distinguished_name = dn
x509_extensions = v3_ca
[v3_ca]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[dn]
CN = ${BASE} Root CA ${REVI}
EOF
openssl x509 -in "${ROOT}-cert.pem" -text -noout -nameopt utf8 -sha256 -fingerprint > "${ROOT}-cert.pem.x509.txt"
openssl asn1parse -i -in "${ROOT}-cert.pem" > "${ROOT}-cert.pem.asn1.txt"
# subordinate #1: code signing
cat << EOF > "${CODE}-csr.config"
[req]
encrypt_key = yes
prompt = no
utf8 = yes
string_mask = utf8only
distinguished_name = dn
req_extensions = v3_req
[v3_req]
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature
# msCodeInd = Microsoft Individual Code Signing
# msCodeCom = Microsoft Commercial Code Signing
extendedKeyUsage = critical, codeSigning, msCodeInd
[dn]
CN = ${base} Code Signing Authority
EOF
# PKCS #8 private key, encrypted, PEM format.
# shellcheck disable=SC2086
openssl genpkey ${COPT} -aes-256-cbc -pass "pass:onlytemporary" -out "${CODE}-private.pem" 2>/dev/null
openssl ec -in "${CODE}-private.pem" -passin "pass:onlytemporary" -out "${CODE}-private-nopass.pem" 2>/dev/null
mv "${CODE}-private-nopass.pem" "${CODE}-private.pem"
openssl asn1parse -i -in "${CODE}-private.pem"
openssl pkey -in "${CODE}-private.pem" -pubout > "${CODE}-public.pem"
# Play some with the public key
openssl pkey -pubin -in "${CODE}-public.pem" -text -noout > "${CODE}-public.pem.txt"
openssl asn1parse -i -in "${CODE}-public.pem" > "${CODE}-public.pem.asn1.txt"
# -csr.pem is certificate signing request
openssl req -batch -verbose -new -sha256 -key "${CODE}-private.pem" -out "${CODE}-csr.pem" -config "${CODE}-csr.config"
openssl req -batch -verbose -in "${CODE}-csr.pem" -text -noout -nameopt utf8 > "${CODE}-csr.pem.txt"
openssl asn1parse -i -in "${CODE}-csr.pem" > "${CODE}-csr.pem.asn1.txt"
# -cert.pem is certificate (public key + subject + signature)
openssl x509 -req -sha256 -days 1095 \
-extfile "${CODE}-csr.config" -extensions v3_req \
-in "${CODE}-csr.pem" \
-CA "${ROOT}-cert.pem" -CAkey "${ROOT}-private.pem" -CAcreateserial -out "${CODE}-cert.pem"
openssl x509 -in "${CODE}-cert.pem" -text -noout -nameopt utf8 -sha256 -fingerprint > "${CODE}-cert.pem.x509.txt"
openssl asn1parse -i -in "${CODE}-cert.pem" > "${CODE}-cert.pem.asn1.txt"
# PKCS #12 .p12 is private key and certificate(-chain), encrypted
openssl pkcs12 -export \
-keypbe aes-256-cbc -certpbe aes-256-cbc -macalg sha256 \
-inkey "${CODE}-private.pem" \
-in "${CODE}-cert.pem" \
-chain -CAfile "${ROOT}-cert.pem" \
-out "${CODE}.p12" \
-passout pass:""
openssl pkcs12 -in "${CODE}.p12" -info -nodes -nokeys -out "${CODE}.p12.txt" -passin pass:"" -passout pass:""
openssl asn1parse -i -inform DER -in "${CODE}.p12"
|