#!/bin/sh # # Creates the CA, server and client certs to be used by tls_test.go # http://www.rabbitmq.com/ssl.html # # Copy stdout into the const section of tls_test.go or use for RabbitMQ # root=$PWD/certs if [ -f $root/ca/serial ]; then echo >&2 "Previous installation found" echo >&2 "Remove $root/ca and rerun to overwrite" exit 1 fi mkdir -p $root/ca/private mkdir -p $root/ca/certs mkdir -p $root/server mkdir -p $root/client cd $root/ca chmod 700 private touch index.txt echo 'unique_subject = no' > index.txt.attr echo '01' > serial echo >openssl.cnf ' [ ca ] default_ca = testca [ testca ] dir = . certificate = $dir/cacert.pem database = $dir/index.txt new_certs_dir = $dir/certs private_key = $dir/private/cakey.pem serial = $dir/serial default_crl_days = 7 default_days = 3650 default_md = sha1 policy = testca_policy x509_extensions = certificate_extensions [ testca_policy ] commonName = supplied stateOrProvinceName = optional countryName = optional emailAddress = optional organizationName = optional organizationalUnitName = optional [ certificate_extensions ] basicConstraints = CA:false [ req ] default_bits = 2048 default_keyfile = ./private/cakey.pem default_md = sha1 prompt = yes distinguished_name = root_ca_distinguished_name x509_extensions = root_ca_extensions [ root_ca_distinguished_name ] commonName = hostname [ root_ca_extensions ] basicConstraints = CA:true keyUsage = keyCertSign, cRLSign [ client_ca_extensions ] basicConstraints = CA:false keyUsage = digitalSignature extendedKeyUsage = 1.3.6.1.5.5.7.3.2 [ server_ca_extensions ] basicConstraints = CA:false keyUsage = keyEncipherment extendedKeyUsage = 1.3.6.1.5.5.7.3.1 subjectAltName = @alt_names [ alt_names ] IP.1 = 127.0.0.1 ' openssl req \ -x509 \ -nodes \ -config openssl.cnf \ -newkey rsa:2048 \ -days 3650 \ -subj "/CN=MyTestCA/" \ -out cacert.pem \ -outform PEM openssl x509 \ -in cacert.pem \ -out cacert.cer \ -outform DER openssl genrsa -out $root/server/key.pem 2048 openssl genrsa -out $root/client/key.pem 2048 openssl req \ -new \ -nodes \ -config openssl.cnf \ -subj "/CN=127.0.0.1/O=server/" \ -key $root/server/key.pem \ -out $root/server/req.pem \ -outform PEM openssl req \ -new \ -nodes \ -config openssl.cnf \ -subj "/CN=127.0.0.1/O=client/" \ -key $root/client/key.pem \ -out $root/client/req.pem \ -outform PEM openssl ca \ -config openssl.cnf \ -in $root/server/req.pem \ -out $root/server/cert.pem \ -notext \ -batch \ -extensions server_ca_extensions openssl ca \ -config openssl.cnf \ -in $root/client/req.pem \ -out $root/client/cert.pem \ -notext \ -batch \ -extensions client_ca_extensions cat <<-END const caCert = \` `cat $root/ca/cacert.pem` \` const serverCert = \` `cat $root/server/cert.pem` \` const serverKey = \` `cat $root/server/key.pem` \` const clientCert = \` `cat $root/client/cert.pem` \` const clientKey = \` `cat $root/client/key.pem` \` END