...
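#!/usr/bin/env bash
# Generate the Elliptic Curve (EC) test certificates: a self-signed CA plus one
# server and one client certificate signed by that CA.
# The EC certificates are used for testing the Go driver with PyKMIP.
# PyKMIP does not support Go's default TLS cipher suites with RSA.
# See: GODRIVER-2239.
#
# Run from the directory that holds empty.cnf, server.ext and client.ext.
# Outputs, written to the same directory: ca-ec.pem, server-ec.pem,
# client-ec.pem.
#
# Security notes:
# - server-ec.pem and client-ec.pem each hold a certificate AND its private
#   key. They are test fixtures; do not reuse them outside the test setup.
# - The CA private key is deleted when the script exits (on success or on
#   failure), so nothing further can be signed under this CA afterwards.
set -euo pipefail

# Serial numbers have to be unique per issuer, and all three certificates are
# issued under the subject "ca". $RANDOM yields only 15 bits and can hand two
# certificates the same serial, so draw 64 random bits from OpenSSL instead.
# Assignment and readonly are separate so a failing `openssl rand` aborts.
CA_SERIAL="0x$(openssl rand -hex 8)"
SERVER_SERIAL="0x$(openssl rand -hex 8)"
CLIENT_SERIAL="0x$(openssl rand -hex 8)"
readonly CA_SERIAL SERVER_SERIAL CLIENT_SERIAL
# Validity in days (roughly 40 years) so the fixtures do not expire in CI.
readonly DAYS=14600

# Intermediate files this script creates. Only these are removed on exit; a
# bare `rm *.key` would also delete unrelated keys that sit in the directory.
readonly -a INTERMEDIATE_FILES=(
  ca-ec.csr server-ec.csr client-ec.csr
  ca-ec.key server-ec.key client-ec.key
)

# Remove CSRs and standalone private keys. Runs on every exit path so a
# failure part-way through does not leave the CA key on disk.
cleanup() {
  rm -f -- "${INTERMEDIATE_FILES[@]}"
}
trap cleanup EXIT

# Fail before any key is generated if a required input file is missing.
for required in empty.cnf server.ext client.ext; do
  if [[ ! -f "$required" ]]; then
    printf 'error: required file %s not found in %s\n' "$required" "$PWD" >&2
    exit 1
  fi
done

#######################################
# Generate an EC private key and a certificate signing request.
# Arguments: $1 - name; used as the Common Name and as the file prefix
# Outputs:   writes <name>-ec.key and <name>-ec.csr
#######################################
new_key_and_csr() {
  local name=$1
  # Generate an EC private key.
  openssl ecparam -name prime256v1 -genkey -out "${name}-ec.key" -noout
  # Generate a certificate signing request.
  openssl req -new -key "${name}-ec.key" -out "${name}-ec.csr" \
    -subj "/C=US/ST=New York/L=New York City/O=MongoDB/OU=DBX/CN=${name}/" \
    -config empty.cnf -sha256
}

#######################################
# Issue a CA-signed certificate and bundle its private key into the .pem.
# Arguments: $1 - name ("server" or "client"); extensions come from <name>.ext
#            $2 - serial number for the certificate
# Outputs:   writes <name>-ec.pem (certificate followed by private key)
#######################################
issue_leaf() {
  local name=$1
  local serial=$2
  new_key_and_csr "$name"
  # Sign the request with the CA. Add the extensions from <name>.ext.
  openssl x509 -in "${name}-ec.csr" -out "${name}-ec.pem" -req \
    -CA ca-ec.pem -CAkey ca-ec.key -days "$DAYS" -sha256 \
    -set_serial "$serial" -extfile "${name}.ext"
  # Append private key to .pem file.
  cat -- "${name}-ec.key" >>"${name}-ec.pem"
}

# Generate CA certificate ... begin
new_key_and_csr ca
# Self-sign the request. No -extfile is passed, so this command adds no X.509
# extensions to the CA certificate.
openssl x509 -in ca-ec.csr -out ca-ec.pem -req -signkey ca-ec.key \
  -days "$DAYS" -sha256 -set_serial "$CA_SERIAL"
# Generate CA certificate ... end

# Generate Server certificate ... begin
issue_leaf server "$SERVER_SERIAL"
# Generate Server certificate ... end

# Generate Client certificate ... begin
# Use the Common Name (CN) of "client". PyKMIP identifies the client by the CN.
# The test server expects the identity of "client".
issue_leaf client "$CLIENT_SERIAL"
# Generate Client certificate ... end

# Clean-up of *.csr and *.key is done by the EXIT trap registered above.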