blob: 4671c2c71cdba935f346e136c61e3e7a68b3ee72 [file] [log] [blame]
#!/bin/sh
# Copyright 2024 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# This script generates a PKCS#12 (.p12) file that contains a key pair and
# two client certificates for it.
OUT_DIR=out
CLIENT_KEY_NAME=key_for_p12
CLIENT_CERT_NAME_1=cert_1_for_p12
CLIENT_CERT_NAME_2=cert_2_for_p12
P12_NAME=2_client_certs_1_key.p12
try () {
echo "$@"
"$@" || exit 1
}
try rm -rf $OUT_DIR
try mkdir $OUT_DIR
# Generate a private key for the CA.
try openssl genrsa -out $OUT_DIR/test_ca.key 2048
# Generate a root certificate for the CA.
try openssl req -x509 -new -nodes -key $OUT_DIR/test_ca.key -sha256 -days 9999 \
-out $OUT_DIR/test_ca.pem
# Generate a private key for the client.
openssl genrsa -out $OUT_DIR/$CLIENT_KEY_NAME.key 2048
# Convert the key into the P8 format for the client to import.
openssl pkcs8 -topk8 -inform PEM -outform DER \
-in $OUT_DIR/$CLIENT_KEY_NAME.key \
-out $OUT_DIR/$CLIENT_KEY_NAME.p8 -nocrypt
# Generate CSR for the first certificate.
openssl req -new -key $OUT_DIR/$CLIENT_KEY_NAME.key \
-out $OUT_DIR/csr_1.csr
# Generate first certificate for the client.
openssl x509 -req -in $OUT_DIR/csr_1.csr \
-CA $OUT_DIR/test_ca.pem -CAkey $OUT_DIR/test_ca.key \
-CAcreateserial -sha256 -days 9999 \
-out $OUT_DIR/$CLIENT_CERT_NAME_1.pem
# Generate CSR for the second certificate.
openssl req -new -key $OUT_DIR/$CLIENT_KEY_NAME.key \
-out $OUT_DIR/csr_2.csr
# Generate second certificate for the client.
openssl x509 -req -in $OUT_DIR/csr_2.csr \
-CA $OUT_DIR/test_ca.pem -CAkey $OUT_DIR/test_ca.key \
-CAcreateserial -sha256 -days 9999 \
-out $OUT_DIR/$CLIENT_CERT_NAME_2.pem
# Generate a PKCS#12 file (.p12) from the two certs and the key.
openssl pkcs12 -export \
-out $OUT_DIR/$P12_NAME \
-inkey $OUT_DIR/$CLIENT_KEY_NAME.key \
-in $OUT_DIR/$CLIENT_CERT_NAME_1.pem \
-certfile $OUT_DIR/$CLIENT_CERT_NAME_2.pem \
-passout pass:12345
try cp $OUT_DIR/$P12_NAME ../certificates