From 8f57041831ddc7e08da90c4a7698a60cf250ead1 Mon Sep 17 00:00:00 2001 From: Andreas Scheibal Date: Wed, 25 Oct 2023 12:16:06 +0200 Subject: [PATCH 1/7] feat: generate DSC Genrates a DSC for an SCA in the given subdirectory --- scripts/certgen/DSC.conf | 22 +++++++++++++++++++++- scripts/certgen/gen_dsc.sh | 16 ++++++++++++++++ 2 files changed, 37 insertions(+), 1 deletion(-) create mode 100755 scripts/certgen/gen_dsc.sh diff --git a/scripts/certgen/DSC.conf b/scripts/certgen/DSC.conf index c2d6e74..d7becb2 100644 --- a/scripts/certgen/DSC.conf +++ b/scripts/certgen/DSC.conf @@ -1,6 +1,26 @@ +OSSL_COUNTRY_NAME = XA +OSSL_STATE_NAME = Test Country XA +OSSL_LOCALITY_NAME = Locality in country XA +OSSL_ORGANIZATION_NAME = Health Ministry of XA +OSSL_ORGANIZATIONAL_UNIT_NAME = FDA +OSSL_COMMON_NAME = Health Administration of XA + +[req] +prompt = no +default_md = sha256 +distinguished_name = dn + +[dn] +C = $ENV::OSSL_COUNTRY_NAME +ST = $ENV::OSSL_STATE_NAME +L = $ENV::OSSL_LOCALITY_NAME +O = $ENV::OSSL_ORGANIZATION_NAME +OU = $ENV::OSSL_ORGANIZATIONAL_UNIT_NAME +CN = $ENV::OSSL_COMMON_NAME + [ext] keyUsage = critical, digitalSignature subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always crlDistributionPoints = URI:http://crl.exampledomain.example/CRL/SCA.crl -extendedKeyUsage = 1.3.6.1.4.1.1847.2021.1.1,1.3.6.1.4.1.1847.2021.1.2,1.3.6.1.4.1.1847.2021.1.3 \ No newline at end of file +extendedKeyUsage = 1.3.6.1.4.1.1847.2021.1.1,1.3.6.1.4.1.1847.2021.1.2,1.3.6.1.4.1.1847.2021.1.3 diff --git a/scripts/certgen/gen_dsc.sh b/scripts/certgen/gen_dsc.sh new file mode 100755 index 0000000..f7581dc --- /dev/null +++ b/scripts/certgen/gen_dsc.sh 
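Review bot: The six `OSSL_*` assignments added at the top of DSC.conf carry no comment explaining what they are for, and because the `[dn]` section below reads `$ENV::OSSL_*` a reader can easily take them for dead settings. As I read OpenSSL's config(5), a `$ENV::name` lookup that finds no environment variable falls back to the unnamed default section, so these lines are the values used whenever the calling script has not exported the matching variable; I would say so in place: `# Defaults for the [dn] section below: used only when the matching OSSL_* environment variable is not exported by the calling script`. It is also worth a note that `OSSL_COMMON_NAME` is the one value the scripts apparently never export (the old `#export OSSL_COMMON_NAME` line in gen_all_certs.sh is commented out), so the CN of every DSC is whatever is written here unless the caller sets it explicitly. The `crl.exampledomain.example` CDP is an obvious placeholder, but a trailing `# placeholder, replace before real use` would stop it being copied into a real configuration unchanged.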
@@ -0,0 +1,16 @@ +#!/bin/zsh + +if [ $# -ne 1 ]; then + echo "Usage: $0 (which must exist)" + exit 1 +fi +subdir=$1 + +DAYS_DSC=730 + +openssl req -newkey ec:<(openssl ecparam -name prime256v1) -keyout ${subdir}/DSC.key -nodes -out ${subdir}/DSC_csr.pem -config dsc.conf +openssl x509 -req -in ${subdir}/DSC_csr.pem -CA ${subdir}/SCA.pem -CAkey ${subdir}/SCA.key -CAcreateserial -days ${DAYS_DSC} -extensions ext -extfile dsc.conf -out ${subdir}/DSC.pem +# cleanup +rm ${subdir}/DSC_csr.pem + + From 76ae2ae963944d0ef5defe680825ef655819e5fa Mon Sep 17 00:00:00 2001 From: Andreas Scheibal Date: Wed, 25 Oct 2023 12:32:27 +0200 Subject: [PATCH 2/7] feat: generate DSC Genrates a DSC for an SCA in the given subdirectory --- scripts/certgen/gen_dsc.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/scripts/certgen/gen_dsc.sh b/scripts/certgen/gen_dsc.sh index f7581dc..e7a158b 100755 --- a/scripts/certgen/gen_dsc.sh +++ b/scripts/certgen/gen_dsc.sh @@ -8,8 +8,9 @@ subdir=$1 DAYS_DSC=730 -openssl req -newkey ec:<(openssl ecparam -name prime256v1) -keyout ${subdir}/DSC.key -nodes -out ${subdir}/DSC_csr.pem -config dsc.conf -openssl x509 -req -in ${subdir}/DSC_csr.pem -CA ${subdir}/SCA.pem -CAkey ${subdir}/SCA.key -CAcreateserial -days ${DAYS_DSC} -extensions ext -extfile dsc.conf -out ${subdir}/DSC.pem +#openssl req -newkey ec:<(openssl ecparam -name prime256v1) -keyout ${subdir}/DSC.key -nodes -out ${subdir}/DSC_csr.pem -config DSC.conf # this does only work on Linux/MacOS +openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -keyout ${subdir}/DSC.key -nodes -out ${subdir}/DSC_csr.pem -config DSC.conf +openssl x509 -req -in ${subdir}/DSC_csr.pem -CA ${subdir}/SCA.pem -CAkey ${subdir}/SCA.key -CAcreateserial -days ${DAYS_DSC} -extensions ext -extfile DSC.conf -out ${subdir}/DSC.pem # cleanup rm ${subdir}/DSC_csr.pem From 6f202ea8efd8350ce90db1875f6f16d033279e92 Mon Sep 17 00:00:00 2001 
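Review bot: Nothing in the new gen_dsc.sh checks exit statuses, so when `openssl req` fails — and on a case-sensitive filesystem it will, since the script names `dsc.conf` while the file this patch edits is `DSC.conf` — the `openssl x509 -req` step and the final `rm` still run against a missing CSR and the script exits 0. Add `set -e` directly after the shebang (zsh honours it), or chain the two openssl calls and the cleanup with `&&`, so a failed key/CSR generation stops the run. The usage line reads `Usage: $0 (which must exist)` with nothing between `$0` and the parenthesis; it looks as if a `<subdir>` placeholder was lost, which is worth re-checking in the file itself. `-nodes` also writes `DSC.key` unencrypted to disk, which is reasonable for a development helper but deserves a one-line comment saying so, since the README warns about keeping private keys safe.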
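Review bot: The superseded process-substitution command is kept as a commented-out line above the replacement `openssl req` call, which is dead code that a Windows user may be tempted to re-enable; the reason for the change fits in the trailing comment, so I would delete the commented line and attach the explanation to the live one, e.g. `openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 ... -config DSC.conf  # -pkeyopt instead of ec:<(...) so the script also runs where process substitution is unavailable`. The `-config`/`-extfile` change from `dsc.conf` to `DSC.conf` is a genuine bug fix for case-sensitive filesystems and should be named in the commit message, which currently repeats patch 1's text verbatim.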
From: Andreas Scheibal Date: Thu, 26 Oct 2023 17:02:37 +0200 Subject: [PATCH 3/7] feat: DN template, README update --- scripts/certgen/README.md | 28 +++++++++++++--------------- scripts/certgen/gen_all_certs.sh | 17 ++++++++++------- scripts/certgen/gen_dsc.sh | 6 +++--- scripts/certgen/template.cnf | 8 ++++++++ 4 files changed, 34 insertions(+), 25 deletions(-) create mode 100644 scripts/certgen/template.cnf diff --git a/scripts/certgen/README.md b/scripts/certgen/README.md index 26d5d2a..531fa3d 100644 --- a/scripts/certgen/README.md +++ b/scripts/certgen/README.md @@ -4,28 +4,18 @@ Following [Certificate Preperation](https://worldhealthorganization.github.io/sm Disclaimer: The script generates self-signed certificates not intended to be used on production environments. -You must adapt the following default certificate parameter in [gen_all_certs.sh](gen_all_certs.sh) to your needs: - -``` -export OSSL_COUNTRY_NAME="XA" -export OSSL_STATE_NAME="Test State" -export OSSL_LOCALITY_NAME="Geneva" -export OSSL_ORGANIZATION_NAME="WHO" -export OSSL_ORGANIZATIONAL_UNIT_NAME="R&D" -``` +You must adapt the configuration file [template.cnf](template.cnf) to your needs: Then execute the script. It will generate all certificates and keys in a subfolder named by current datetime. ``` cd scripts/certgen -./gen_all_certs.sh +./gen_all_certs.sh template.cnf ``` -Note: keep your private keys safe and secure. Do not share them with anyone. +**Note: keep your private keys safe and secure. Do not share them with anyone.** -Copy the generated certificates to the respective folders and change the file names to match the naming convention. -For the case of self-signed TLS certificates, the CA.pem is just a copy of the TLS.pem (check to have keyCertSign in the keyUsage). -The CA.pem should exist, since it is used to verify the TLS client certificate when connecting to the TNG application. +Copy the generated certificates to the respective folders. # Tagging for taking into use 
@@ -34,6 +24,14 @@ Finally commit push changes and make a signed tag for the version you want to ta ``` git add . git commit -m "feat(cert): update certificates for onboarding" -GIT_TRACE=1 git tag -s v0.0.1 -m 'onboardingRequest' +git tag -s -m 'onboardingRequest' git push --tags ``` + +# Generate DSCs +After onboarding you probably want to upload your DSCs. +DSC Genration can be performed with the [gen_dsc.sh](gen_dsc.sh) script. +For execution replace \ with the path where your SCA.key and SCA.pem reside. +``` +gen_dsc.sh template.cnf +``` diff --git a/scripts/certgen/gen_all_certs.sh b/scripts/certgen/gen_all_certs.sh index 207f1e0..3016bbd 100755 --- a/scripts/certgen/gen_all_certs.sh +++ b/scripts/certgen/gen_all_certs.sh 
@@ -5,21 +5,24 @@ DAYS_CA=1461 DAYS_TLS=365 # valid for 1 year DAYS_UPLOAD=365 - +if [ $# -ne 1 ]; then + echo "Usage: $0 DN configuration" + exit 1 +fi +source $1 # configure the DN -export OSSL_COUNTRY_NAME="XA" -export OSSL_STATE_NAME="Test State" -export OSSL_LOCALITY_NAME="Geneva" -export OSSL_ORGANIZATION_NAME="WHO" -export OSSL_ORGANIZATIONAL_UNIT_NAME="R&D" + #export OSSL_COMMON_NAME="WHO International" # default entry of the corresponding config file will be used # generate a new directory for each run subdir=$(date +%Y%m%d%H%M%S) mkdir -p ${subdir} # generate the certificates and keys for the SCA, TLS, and upload -openssl req -x509 -new -days ${DAYS_CA} -newkey ec:<(openssl ecparam -name prime256v1) -extensions ext -keyout ${subdir}/SCA.key -nodes -out ${subdir}/SCA.pem -config sca.conf +#openssl req -x509 -new -days ${DAYS_CA} -newkey ec:<(openssl ecparam -name prime256v1) -extensions ext -keyout ${subdir}/SCA.key -nodes -out ${subdir}/SCA.pem -config sca.conf +openssl req -x509 -new -days ${DAYS_CA} -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -extensions ext -keyout ${subdir}/SCA.key -nodes -out ${subdir}/SCA.pem -config sca.conf openssl req -x509 -new -days ${DAYS_TLS} -newkey ec:<(openssl ecparam -name prime256v1) -extensions ext -keyout ${subdir}/TLS.key -nodes -out ${subdir}/TLS.pem -config TLSClient.conf openssl req -x509 -new -days ${DAYS_UPLOAD} -newkey ec:<(openssl ecparam -name prime256v1) -extensions ext -keyout ${subdir}/UP.key -nodes -out ${subdir}/UP.pem -config uploadCert.conf #special case to only place CA.pem file for self-signed TLS cert as a copy cat ${subdir}/TLS.pem > ${subdir}/CA.pem + + diff --git a/scripts/certgen/gen_dsc.sh b/scripts/certgen/gen_dsc.sh index e7a158b..e5811bf 100755 --- a/scripts/certgen/gen_dsc.sh +++ b/scripts/certgen/gen_dsc.sh 
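Review bot: Only the SCA line is switched to `-newkey ec -pkeyopt ec_paramgen_curve:prime256v1`; the TLS and UP lines directly below still use `ec:<(openssl ecparam -name prime256v1)`, the form the commented-out line says only works on Linux/macOS, so the script remains non-portable and the three key-generation commands now disagree for no reason. Change the TLS line to `openssl req -x509 -new -days ${DAYS_TLS} -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -extensions ext -keyout ${subdir}/TLS.key -nodes -out ${subdir}/TLS.pem -config TLSClient.conf` and the UP line likewise, and drop the commented-out original rather than keeping it as dead code. Separately, `source $1` executes whatever the argument file contains as shell code — intended for the DN template, but the path should be quoted (`source "$1"`) and the usage text should make clear the file is sourced, not parsed, so nobody points it at an untrusted file.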
@@ -1,11 +1,11 @@ #!/bin/zsh if [ $# -ne 1 ]; then - echo "Usage: $0 (which must exist)" + echo "Usage: $0 (where must contain SCA.pem and SCA.key)" exit 1 fi -subdir=$1 - +subdir=$2 +source $1 DAYS_DSC=730 #openssl req -newkey ec:<(openssl ecparam -name prime256v1) -keyout ${subdir}/DSC.key -nodes -out ${subdir}/DSC_csr.pem -config DSC.conf # this does only work on Linux/MacOS diff --git a/scripts/certgen/template.cnf b/scripts/certgen/template.cnf new file mode 100644 index 0000000..7a7a784 --- /dev/null +++ b/scripts/certgen/template.cnf @@ -0,0 +1,8 @@ +# Configuration Template for Certificate Generation +# Modify for your own needs + +export OSSL_COUNTRY_NAME="XA" +export OSSL_STATE_NAME="Test State" +export OSSL_LOCALITY_NAME="Geneva" +export OSSL_ORGANIZATION_NAME="WHO" +export OSSL_ORGANIZATIONAL_UNIT_NAME="R&D" From 32931fd9f3e5fb7a9ac892b8cbba58d1e95b94aa Mon Sep 17 00:00:00 2001 From: Andreas Scheibal Date: Fri, 27 Oct 2023 00:36:02 +0200 Subject: [PATCH 4/7] feat: upload a DSC, DSC Enhancement - DSC can now have extended usage for test, vaccination, recoverxy --- scripts/certgen/DSC.conf | 23 +++++++++++++++++++- scripts/certgen/README.md | 10 +++++++-- scripts/certgen/gen_all_certs.sh | 16 +++++++------- scripts/certgen/gen_dsc.sh | 29 +++++++++++++++++++------ scripts/certgen/upload_dsc.sh | 36 ++++++++++++++++++++++++++++++++ 5 files changed, 98 insertions(+), 16 deletions(-) create mode 100755 scripts/certgen/upload_dsc.sh diff --git a/scripts/certgen/DSC.conf b/scripts/certgen/DSC.conf index d7becb2..49e15d0 100644 --- a/scripts/certgen/DSC.conf +++ b/scripts/certgen/DSC.conf 
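Review bot: The argument check still demands exactly one parameter (`if [ $# -ne 1 ]`) while the body now reads both `$1` (the sourced DN file) and `$2` (the SCA directory), so a correct two-argument call prints the usage and exits, and a one-argument call proceeds with an empty `subdir` and tries to write `DSC.key` and `DSC_csr.pem` to `/`. The guard should be `if [ $# -ne 2 ]; then`, and the usage line should name both parameters, e.g. `echo "Usage: $0 <dn-config> <subdir> (where <subdir> must contain SCA.pem and SCA.key)"`. Quoting the sourced path (`source "$1"`) would also avoid word-splitting a config path containing spaces.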
@@ -18,9 +18,30 @@ O = $ENV::OSSL_ORGANIZATION_NAME OU = $ENV::OSSL_ORGANIZATIONAL_UNIT_NAME CN = $ENV::OSSL_COMMON_NAME -[ext] +[all] keyUsage = critical, digitalSignature subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always crlDistributionPoints = URI:http://crl.exampledomain.example/CRL/SCA.crl extendedKeyUsage = 1.3.6.1.4.1.1847.2021.1.1,1.3.6.1.4.1.1847.2021.1.2,1.3.6.1.4.1.1847.2021.1.3 + +[test] +keyUsage = critical,digitalSignature +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always +crlDistributionPoints = URI:http://crl.exampledomain.example/CRL/SCA.crl +extendedKeyUsage = 1.3.6.1.4.1.1847.2021.1.1 + +[vax] +keyUsage = critical,digitalSignature +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always +crlDistributionPoints = URI:http://crl.exampledomain.example/CRL/SCA.crl +extendedKeyUsage = 1.3.6.1.4.1.1847.2021.1.2 + +[rec] +keyUsage = critical,digitalSignature +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always +crlDistributionPoints = URI:http://crl.npkd.nl/CRLs/NLD-Health.crl +extendedKeyUsage = 1.3.6.1.4.1.1847.2021.1.3 diff --git a/scripts/certgen/README.md b/scripts/certgen/README.md index 531fa3d..197aa9d 100644 --- a/scripts/certgen/README.md +++ b/scripts/certgen/README.md 
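Review bot: The new `[rec]` section points `crlDistributionPoints` at `http://crl.npkd.nl/CRLs/NLD-Health.crl`, while `[all]`, `[test]` and `[vax]` all use the placeholder `http://crl.exampledomain.example/CRL/SCA.crl`; this looks like a copy-paste from a real deployment and would make every recovery DSC advertise a third party's CRL on which the issuing SCA never publishes anything, so a relying party that checks revocation either fails closed or trusts the wrong list. Align it with the other sections: `crlDistributionPoints = URI:http://crl.exampledomain.example/CRL/SCA.crl`. The four sections otherwise repeat the same four lines with only `extendedKeyUsage` differing; a comment above `[all]` noting that the section name is selected by gen_dsc.sh's third argument and that only the EKU OIDs are meant to differ would help keep them from drifting apart again.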
@@ -29,9 +29,15 @@ git push --tags ``` # Generate DSCs -After onboarding you probably want to upload your DSCs. +After onboarding you probably want to generate and upload your DSCs. DSC Genration can be performed with the [gen_dsc.sh](gen_dsc.sh) script. For execution replace \ with the path where your SCA.key and SCA.pem reside. +Optionally the purpose of the DSC can be provided with the third parameter. When this is omitted, +then the DSCs will be suitable for test, vaccination and recovery. ``` -gen_dsc.sh template.cnf +gen_dsc.sh template.cnf [test|vax|rec] ``` +# Upload DSCs +For uploading DSCs they must be packend into an CMS and be signed with the Upload Certificate of their issuer. +The resulting output must be base64 encoded and put in the payload of a POST request to the TNG. +A script [upload_dsc.sh](upload_dsc.sh) performs these tasks and may be tailored to your needs. diff --git a/scripts/certgen/gen_all_certs.sh b/scripts/certgen/gen_all_certs.sh index 3016bbd..51b5645 100755 --- a/scripts/certgen/gen_all_certs.sh +++ b/scripts/certgen/gen_all_certs.sh 
@@ -1,21 +1,23 @@ #!/bin/zsh -# valid for 4 years +# this script generates all certificates and keys for the SCA, TLS, and upload +# all certificates are self-signed +# the DN is taken from the configuration file passed as argument +# ----------------------------------------------------------------- +# SCA is valid for 4 years DAYS_CA=1461 -# valid for 1 year +# TLS is valid for 1 year DAYS_TLS=365 -# valid for 1 year +# Upload Cert is valid for 1 year DAYS_UPLOAD=365 + if [ $# -ne 1 ]; then echo "Usage: $0 DN configuration" exit 1 fi source $1 -# configure the DN - -#export OSSL_COMMON_NAME="WHO International" # default entry of the corresponding config file will be used # generate a new directory for each run -subdir=$(date +%Y%m%d%H%M%S) +subdir=${OSSL_COUNTRY_NAME}_$(date +%Y%m%d%H%M%S) mkdir -p ${subdir} # generate the certificates and keys for the SCA, TLS, and upload #openssl req -x509 -new -days ${DAYS_CA} -newkey ec:<(openssl ecparam -name prime256v1) -extensions ext -keyout ${subdir}/SCA.key -nodes -out ${subdir}/SCA.pem -config sca.conf diff --git a/scripts/certgen/gen_dsc.sh b/scripts/certgen/gen_dsc.sh index e5811bf..51b4637 100755 --- a/scripts/certgen/gen_dsc.sh +++ b/scripts/certgen/gen_dsc.sh 
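Review bot: `subdir=${OSSL_COUNTRY_NAME}_$(date +%Y%m%d%H%M%S)` now depends on a variable that comes from the sourced configuration rather than from this script; if the file omits or misspells it, the run silently lands in a directory named `_<timestamp>` and the certificates get an empty C, because the unmodified `source $1` line above does not check what it imported. Add a guard right after it: `: "${OSSL_COUNTRY_NAME:?OSSL_COUNTRY_NAME must be exported by the DN configuration}"`. The new header comment is a good place to list the variables the configuration is expected to export, since the inline `export` lines that used to document them were removed in the previous commit.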
@@ -1,17 +1,34 @@ #!/bin/zsh +# this script generates digital signing certificates (DSC) +# the DN is taken from the configuration file passed as argument +# the DSC is generated beneath the directory passed as argument, a new on on each run +# as third parameter, the purpose of the DSC can be passed, e.g. test, vax, rec +# for test, vaccination, and recovery. Omitting the third parameter will result in +# a DSC that can be used for all purposes +# ----------------------------------------------------------------- -if [ $# -ne 1 ]; then - echo "Usage: $0 (where must contain SCA.pem and SCA.key)" +# DSC is valid for 2 years +DAYS_DSC=730 + +if [ $# -lt 2 ]; then + echo "Usage: $0 (where must contain SCA.pem and SCA.key) [test|vax|rec]" exit 1 fi +if [ -z $3 ]; then + ext=all +else + ext=$3 +fi + subdir=$2 +dsc_dir=${subdir}/DSC_$(date +%Y%m%d%H%M%S) +mkdir -p ${dsc_dir} source $1 -DAYS_DSC=730 #openssl req -newkey ec:<(openssl ecparam -name prime256v1) -keyout ${subdir}/DSC.key -nodes -out ${subdir}/DSC_csr.pem -config DSC.conf # this does only work on Linux/MacOS -openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -keyout ${subdir}/DSC.key -nodes -out ${subdir}/DSC_csr.pem -config DSC.conf -openssl x509 -req -in ${subdir}/DSC_csr.pem -CA ${subdir}/SCA.pem -CAkey ${subdir}/SCA.key -CAcreateserial -days ${DAYS_DSC} -extensions ext -extfile DSC.conf -out ${subdir}/DSC.pem +openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -keyout ${dsc_dir}/DSC.key -nodes -out ${dsc_dir}/DSC_csr.pem -config DSC.conf +openssl x509 -req -in ${dsc_dir}/DSC_csr.pem -CA ${subdir}/SCA.pem -CAkey ${subdir}/SCA.key -CAcreateserial -days ${DAYS_DSC} -extensions $ext -extfile DSC.conf -out ${dsc_dir}/DSC.pem # cleanup -rm ${subdir}/DSC_csr.pem +rm ${dsc_dir}/DSC_csr.pem diff --git a/scripts/certgen/upload_dsc.sh b/scripts/certgen/upload_dsc.sh new file mode 100755 index 0000000..f54b3ca --- /dev/null +++ b/scripts/certgen/upload_dsc.sh 
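Review bot: `ext=$3` is forwarded unchecked to `-extensions $ext`, although DSC.conf only defines `all`, `test`, `vax` and `rec`; a mistyped purpose is reported by openssl as a missing extension section only after the key and CSR have already been written into a freshly created `DSC_<timestamp>` directory, which is then left behind with a key but no certificate. Validate the third argument before `mkdir -p` runs, and while there quote the test — `[ -z $3 ]` word-splits an argument containing spaces — for example:
```shell
# … unchanged: header comment, DAYS_DSC, argument-count check …
case "${3:-all}" in
  all|test|vax|rec) ext=${3:-all} ;;
  *) echo "Unknown DSC purpose '$3': expected test, vax or rec" >&2; exit 1 ;;
esac
# … unchanged: subdir/dsc_dir setup, mkdir, source, openssl calls, cleanup …
```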
@@ -0,0 +1,36 @@
+#!/bin/bash
+# this script uploads the DSC to the TNG DEV
+# a given subdir containing the DSC.pem and DSC.key is expected
+# optionally, a domain can be passed as second parameter
+# -----------------------------------------------------------------
+
+if [ $# -lt 2 ]; then
+ echo "Usage: $0 (where must contain UP.pem and UP.key) [Domain]"
+ exit 1
+fi
+if ! [ -d "$2" ]; then
+ echo "No DSC DIR specified, second parameter must be a directory"
+ exit 1
+fi
+if [ -z $3 ]; then
+ echo "No domain specified: using DDCC"
+ domain=DCC
+else
+ domain=$3
+fi
+
+subdir=$1
+dsc_dir=$2
+
+openssl x509 -outform der -in ${dsc_dir}/DSC.pem -out ${dsc_dir}/DSC.der
+openssl cms -sign -nodetach -in ${dsc_dir}/DSC.der -signer ${subdir}/UP.pem -inkey ${subdir}/UP.key -out ${dsc_dir}/DSC_cms.der -outform DER -binary
+openssl enc -base64 -in ${dsc_dir}/DSC_cms.der -e -a -A > ${dsc_dir}/DSC_cms.b64
+#openssl x509 -in ${subdir}/DSC.pem -noout -fingerprint -sha256 | sed 's/://g'
+payload=$(cat ${dsc_dir}/DSC_cms.b64)
+
+curl --location 'https://tng-dev.who.int/trustedCertificate' \
+--header 'Content-Type: application/json' \
+--header 'Accept: application/json' \
+--data '{"cms": "'"${payload}"'", "properties": {}, "domain": "'"${domain}"'"}' \
+--key ${subdir}/TLS.key \
+--cert ${subdir}/TLS.pem \
From 771e772e85db8b4a74c8c137dc6d9c6fe51394fe Mon Sep 17 00:00:00 2001 From: Andreas Scheibal Date: Fri, 27 Oct 2023 00:41:22 +0200 Subject: [PATCH 5/7] fix: cleanup DSC path after uploading
--- scripts/certgen/upload_dsc.sh | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/scripts/certgen/upload_dsc.sh b/scripts/certgen/upload_dsc.sh
index f54b3ca..78e25d0 100755
--- a/scripts/certgen/upload_dsc.sh
+++ b/scripts/certgen/upload_dsc.sh
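Review bot: The `curl` call at the end of the new upload_dsc.sh has no `--fail` option and its exit status is never checked, so an HTTP 4xx/5xx from the TNG (a rejected CMS, an unknown upload certificate, a refused TLS client certificate) is merely printed and the script still exits 0, hiding upload failures from any caller or CI step. Add `--fail-with-body` (or `-f` on older curl) to the invocation and end it with `|| { echo "DSC upload failed" >&2; exit 1; }`. The endpoint `https://tng-dev.who.int/trustedCertificate` is hard-coded while the header comment only says "TNG DEV"; exposing it as `TNG_URL=${TNG_URL:-https://tng-dev.who.int/trustedCertificate}` would make the target explicit and keep anyone from repointing the script at production by editing the literal. Note also that the final `--cert ${subdir}/TLS.pem \` ends in a continuation backslash with nothing after it — harmless at end of file, but anything appended later silently becomes a curl argument.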
@@ -34,3 +34,9 @@ curl --location 'https://tng-dev.who.int/trustedCertificate' \ --data '{"cms": "'"${payload}"'", "properties": {}, "domain": "'"${domain}"'"}' \ --key ${subdir}/TLS.key \ --cert ${subdir}/TLS.pem \ + +#cleanup +rm ${dsc_dir}/DSC.der +rm ${dsc_dir}/DSC_cms.der +rm ${dsc_dir}/DSC_cms.b64 + From 3638419ec092b214b46db069744f6a78a076976d Mon Sep 17 00:00:00 2001 From: Andreas Scheibal Date: Wed, 1 Nov 2023 23:28:40 +0100 Subject: [PATCH 6/7] fix(upload_dsc): remove unneeded sign parameters --- scripts/certgen/upload_dsc.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/certgen/upload_dsc.sh b/scripts/certgen/upload_dsc.sh index 78e25d0..ab6c795 100755 --- a/scripts/certgen/upload_dsc.sh +++ b/scripts/certgen/upload_dsc.sh @@ -13,7 +13,7 @@ if ! [ -d "$2" ]; then exit 1 fi if [ -z $3 ]; then - echo "No domain specified: using DDCC" + echo "No domain specified: using DCC" #TODO: change to DDCC when accepted by TNG domain=DCC else domain=$3 @@ -24,7 +24,7 @@ dsc_dir=$2 openssl x509 -outform der -in ${dsc_dir}/DSC.pem -out ${dsc_dir}/DSC.der openssl cms -sign -nodetach -in ${dsc_dir}/DSC.der -signer ${subdir}/UP.pem -inkey ${subdir}/UP.key -out ${dsc_dir}/DSC_cms.der -outform DER -binary -openssl enc -base64 -in ${dsc_dir}/DSC_cms.der -e -a -A > ${dsc_dir}/DSC_cms.b64 +openssl enc -base64 -in ${dsc_dir}/DSC_cms.der -e -A > ${dsc_dir}/DSC_cms.b64 #openssl x509 -in ${subdir}/DSC.pem -noout -fingerprint -sha256 | sed 's/://g' payload=$(cat ${dsc_dir}/DSC_cms.b64) From 3e1f2b0095be88dc8be16efd5d107a3fa912318c Mon Sep 17 00:00:00 2001 From: Andreas Scheibal Date: Thu, 7 Mar 2024 13:48:48 +0100 Subject: [PATCH 7/7] feat: update to dsc script description --- .../certgen/{template.cnf => DN_template.cnf} | 0 scripts/certgen/gen_dsc.sh | 17 +++++++++++++---- 2 files changed, 13 insertions(+), 4 deletions(-) rename scripts/certgen/{template.cnf => DN_template.cnf} (100%) 
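Review bot: The three added `rm` lines run whether or not the preceding `curl` succeeded, and since that call is not checked for failure, a rejected upload leaves nothing behind to inspect or resubmit — the signed CMS (`DSC_cms.der`/`DSC_cms.b64`) is exactly the artifact needed when debugging a TNG rejection. Either make the cleanup conditional on the upload (`curl --fail ... && rm -f ${dsc_dir}/DSC.der ${dsc_dir}/DSC_cms.der ${dsc_dir}/DSC_cms.b64`) or keep the CMS and remove only the intermediate `DSC.der`. The `--cert ${subdir}/TLS.pem \` context line still ends with a continuation backslash, so the new blank line is consumed by the curl command; dropping that trailing `\` would make the boundary between the upload and the cleanup explicit.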
diff --git a/scripts/certgen/template.cnf b/scripts/certgen/DN_template.cnf similarity index 100% rename from scripts/certgen/template.cnf rename to scripts/certgen/DN_template.cnf diff --git a/scripts/certgen/gen_dsc.sh b/scripts/certgen/gen_dsc.sh index 51b4637..e3ebb44 100755 --- a/scripts/certgen/gen_dsc.sh +++ b/scripts/certgen/gen_dsc.sh @@ -8,10 +8,10 @@ # ----------------------------------------------------------------- # DSC is valid for 2 years -DAYS_DSC=730 +VAL_DAYS_DSC=730 if [ $# -lt 2 ]; then - echo "Usage: $0 (where must contain SCA.pem and SCA.key) [test|vax|rec]" + echo "Usage: $0 (where must contain SCA.pem and SCA.key) [test|vax|rec]" exit 1 fi if [ -z $3 ]; then 
@@ -23,12 +23,21 @@ fi subdir=$2 dsc_dir=${subdir}/DSC_$(date +%Y%m%d%H%M%S) mkdir -p ${dsc_dir} + +# source the DN from the given configuration file (DN_template.cnf is an example) source $1 +# First create a new private key and a CSR. Note that the keyoptions are hardcoded to prime256v1 curve. +# Use 'openssl ecparam -list_curves' to get a full list of EC curves. +# To use RSA, replace '-newkey ec' with '-newkey rsa' and substitute the 'ec_paramgen_curve' option with 'rsa_keygen_bits:' + #openssl req -newkey ec:<(openssl ecparam -name prime256v1) -keyout ${subdir}/DSC.key -nodes -out ${subdir}/DSC_csr.pem -config DSC.conf # this does only work on Linux/MacOS openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -keyout ${dsc_dir}/DSC.key -nodes -out ${dsc_dir}/DSC_csr.pem -config DSC.conf -openssl x509 -req -in ${dsc_dir}/DSC_csr.pem -CA ${subdir}/SCA.pem -CAkey ${subdir}/SCA.key -CAcreateserial -days ${DAYS_DSC} -extensions $ext -extfile DSC.conf -out ${dsc_dir}/DSC.pem -# cleanup + +# ...then sign the CSR with the SCA resulting in a DSC +openssl x509 -req -in ${dsc_dir}/DSC_csr.pem -CA ${subdir}/SCA.pem -CAkey ${subdir}/SCA.key -CAcreateserial -days ${VAL_DAYS_DSC} -extensions $ext -extfile DSC.conf -out ${dsc_dir}/DSC.pem + +# cleanup the intermediate CSR file rm ${dsc_dir}/DSC_csr.pem
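Review bot: Both `openssl` invocations in this hunk reference the configuration by a bare relative name (`-config DSC.conf`, `-extfile DSC.conf`), so the script only works when invoked from `scripts/certgen`; run from anywhere else it fails after `mkdir -p ${dsc_dir}` has already created an empty `DSC_<timestamp>` directory, and because no exit status is checked the `x509 -req` and `rm` steps still execute. Resolve the file next to the script — in zsh `conf_dir=${0:A:h}` (or `conf_dir=$(cd "$(dirname "$0")" && pwd)`) and then `-config "${conf_dir}/DSC.conf"` / `-extfile "${conf_dir}/DSC.conf"` — and add `set -e` near the top or `|| exit 1` after each openssl call. The new comment on switching curves or to RSA is helpful, but it reads as if any curve or key size is acceptable; if the target trust network constrains the DSC key types it accepts, that constraint belongs in the same comment so the hint is not followed blindly.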