
Text file src/go.mongodb.org/mongo-driver/etc/gen-ec-certs/gen-ec-certs.sh

Documentation: go.mongodb.org/mongo-driver/etc/gen-ec-certs

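     #!/usr/bin/env bash
     # Generates the Elliptic Curve (EC) CA, server and client certificates that
     # are used for testing the Go driver with PyKMIP.
     # PyKMIP does not support Go's default TLS cipher suites with RSA.
     # See: GODRIVER-2239.
     #
     # Run from the directory that holds empty.cnf, server.ext and client.ext.
     # Outputs, written to the current directory:
     #   ca-ec.pem      self-signed CA certificate
     #   server-ec.pem  server certificate followed by its private key
     #   client-ec.pem  client certificate followed by its private key
     # The CA key is deleted at the end, so nothing further can be issued from
     # this CA. The generated keys are test fixtures; do not reuse them elsewhere.
     set -euo pipefail

     # Fail early, with a clear message, if an input file is missing. This runs
     # before the cleanup trap is installed so an aborted run removes nothing.
     for required in empty.cnf server.ext client.ext; do
       if [[ ! -f "$required" ]]; then
         printf 'gen-ec-certs: required file %s not found in %s\n' "$required" "$PWD" >&2
         exit 1
       fi
     done

     # 64-bit random serial numbers. $RANDOM only yields 0..32767, so the server
     # and client certificates (both issued by the same CA) could receive the
     # same serial number, or a serial of 0.
     CA_SERIAL="0x$(openssl rand -hex 8)"
     SERVER_SERIAL="0x$(openssl rand -hex 8)"
     CLIENT_SERIAL="0x$(openssl rand -hex 8)"
     readonly CA_SERIAL SERVER_SERIAL CLIENT_SERIAL
     # Validity in days (about 40 years) so the test fixtures do not expire.
     readonly DAYS=14600

     # Remove the intermediate files this script creates, and only those: a bare
     # `rm *.key` would also delete unrelated keys that live in the directory.
     cleanup() {
       rm -f -- ca-ec.csr server-ec.csr client-ec.csr \
         ca-ec.key server-ec.key client-ec.key
     }
     # Run the cleanup on every exit path, so a failing openssl step does not
     # leave the CA private key on disk.
     trap cleanup EXIT

     # Generate CA certificate ... begin
     # Generate an EC private key.
     openssl ecparam -name prime256v1 -genkey -out ca-ec.key -noout
     # Generate a certificate signing request.
     openssl req -new -key ca-ec.key -out ca-ec.csr \
       -subj "/C=US/ST=New York/L=New York City/O=MongoDB/OU=DBX/CN=ca/" \
       -config empty.cnf -sha256
     # Self-sign the request.
     # NOTE(review): no -extfile is passed here, so this command adds no
     # extensions (such as basicConstraints) to the CA certificate; confirm the
     # TLS stacks under test accept it as a trust anchor.
     openssl x509 -in ca-ec.csr -out ca-ec.pem -req -signkey ca-ec.key \
       -days "$DAYS" -sha256 -set_serial "$CA_SERIAL"
     # Generate CA certificate ... end

     # Generate Server certificate ... begin
     # Generate an EC private key.
     openssl ecparam -name prime256v1 -genkey -out server-ec.key -noout
     # Generate a certificate signing request.
     openssl req -new -key server-ec.key -out server-ec.csr \
       -subj "/C=US/ST=New York/L=New York City/O=MongoDB/OU=DBX/CN=server/" \
       -config empty.cnf -sha256
     # Sign the request with the CA. Add server extensions.
     openssl x509 -in server-ec.csr -out server-ec.pem -req \
       -CA ca-ec.pem -CAkey ca-ec.key \
       -days "$DAYS" -sha256 -set_serial "$SERVER_SERIAL" -extfile server.ext
     # Append private key to .pem file. The x509 step above has just rewritten
     # server-ec.pem, so the key lands after the fresh certificate. The combined
     # file holds a private key and gets whatever mode the current umask gives.
     cat server-ec.key >> server-ec.pem
     # Generate Server certificate ... end

     # Generate Client certificate ... begin
     # Generate an EC private key.
     openssl ecparam -name prime256v1 -genkey -out client-ec.key -noout
     # Generate a certificate signing request.
     # Use the Common Name (CN) of "client". PyKMIP identifies the client by the
     # CN. The test server expects the identity of "client".
     openssl req -new -key client-ec.key -out client-ec.csr \
       -subj "/C=US/ST=New York/L=New York City/O=MongoDB/OU=DBX/CN=client/" \
       -config empty.cnf -sha256
     # Sign the request with the CA. Add client extensions.
     openssl x509 -in client-ec.csr -out client-ec.pem -req \
       -CA ca-ec.pem -CAkey ca-ec.key \
       -days "$DAYS" -sha256 -set_serial "$CLIENT_SERIAL" -extfile client.ext
     # Append private key to .pem file (same caveat as for server-ec.pem).
     cat client-ec.key >> client-ec.pem
     # Generate Client certificate ... end

     # Clean-up of the .csr and .key files happens in the EXIT trap above.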
