의 미러
https://github.com/henrydcase/optee_eng.git
synced 2024-11-22 07:15:32 +00:00
84 lines
2.0 KiB
Bash
84 lines
2.0 KiB
Bash
|
#!/bin/sh
|
||
|
|
||
|
# Re-creates certificates for server and client VPN
|
||
|
OPENSSL_BIN=openssl
|
||
|
OPENSSL_REHASH_BIN=c_rehash
|
||
|
TMP_DIR=certs
|
||
|
set -x
|
||
|
|
||
|
create_openvpn_pki()
|
||
|
{
|
||
|
# Create CA key and certificate
|
||
|
${OPENSSL_BIN} ecparam \
|
||
|
-name secp256r1 \
|
||
|
-genkey \
|
||
|
-out ${TMP_DIR}/ca.key || exit;
|
||
|
${OPENSSL_BIN} req \
|
||
|
-new \
|
||
|
-config openssl.cnf \
|
||
|
-x509 \
|
||
|
-extensions v3_ca \
|
||
|
-key ${TMP_DIR}/ca.key \
|
||
|
-out ${TMP_DIR}/ca.cert \
|
||
|
-days 9999 \
|
||
|
-subj "/O=Among Bytes, vpn.testlab.com/CN=Root Cert G1" \
|
||
|
-batch || exit;
|
||
|
|
||
|
# Create server certificate
|
||
|
${OPENSSL_BIN} ecparam \
|
||
|
-name secp256r1 \
|
||
|
-genkey \
|
||
|
-out ${TMP_DIR}/server.key || exit;
|
||
|
${OPENSSL_BIN} req \
|
||
|
-new \
|
||
|
-config openssl.cnf \
|
||
|
-key ${TMP_DIR}/server.key \
|
||
|
-out ${TMP_DIR}/server.csr \
|
||
|
-subj "/O=Cert Testing ORG/CN=vpn.testlab.com" \
|
||
|
-batch || exit;
|
||
|
${OPENSSL_BIN} x509 \
|
||
|
-extfile openssl.cnf \
|
||
|
-extensions server_cert \
|
||
|
-req \
|
||
|
-CA ${TMP_DIR}/ca.cert \
|
||
|
-CAkey ${TMP_DIR}/ca.key \
|
||
|
-CAcreateserial \
|
||
|
-in ${TMP_DIR}/server.csr \
|
||
|
-out ${TMP_DIR}/server.cert \
|
||
|
-days 9999 || exit;
|
||
|
OPENSSL=${OPENSSL_BIN} ${OPENSSL_REHASH_BIN} ${TMP_DIR}
|
||
|
${OPENSSL_BIN} verify \
|
||
|
-CApath ${TMP_DIR} \
|
||
|
${TMP_DIR}/server.cert || exit;
|
||
|
|
||
|
# Create client certificate
|
||
|
${OPENSSL_BIN} ecparam \
|
||
|
-name secp256r1 \
|
||
|
-genkey \
|
||
|
-out ${TMP_DIR}/client.key || exit;
|
||
|
${OPENSSL_BIN} req \
|
||
|
-new \
|
||
|
-config openssl.cnf \
|
||
|
-key ${TMP_DIR}/client.key \
|
||
|
-out ${TMP_DIR}/client.csr \
|
||
|
-subj "/O=Cert Testing ORG/CN=Client Cert" \
|
||
|
-batch || exit;
|
||
|
${OPENSSL_BIN} x509 \
|
||
|
-extfile openssl.cnf \
|
||
|
-extensions client_cert \
|
||
|
-req \
|
||
|
-CA ${TMP_DIR}/ca.cert \
|
||
|
-CAkey ${TMP_DIR}/ca.key \
|
||
|
-CAcreateserial \
|
||
|
-in ${TMP_DIR}/client.csr \
|
||
|
-out ${TMP_DIR}/client.cert \
|
||
|
-days 9999 || exit;
|
||
|
${OPENSSL_BIN} verify \
|
||
|
-CApath ${TMP_DIR}/ \
|
||
|
${TMP_DIR}/client.cert || exit;
|
||
|
}
|
||
|
|
||
|
rm -rf ${TMP_DIR}
|
||
|
mkdir -p ${TMP_DIR}
|
||
|
create_openvpn_pki
|