xref: /aosp_15_r20/external/cronet/net/data/ssl/scripts/generate_2_client_certs_1_key.sh (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b)
#!/bin/sh

# Copyright 2024 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

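# This script generates a PKCS#12 (.p12) file that contains a key pair and
# two client certificates for it.
#
# The private keys are written unencrypted and the .p12 is exported with a
# fixed password, so the output is only suitable as test data.
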
# Scratch directory for everything the script generates. It is a relative
# path and is deleted and recreated at the start of each run.
OUT_DIR="out"
# Base names (without extension) of the client key and its two certificates.
CLIENT_KEY_NAME="key_for_p12"
CLIENT_CERT_NAME_1="cert_1_for_p12"
CLIENT_CERT_NAME_2="cert_2_for_p12"
# File name of the PKCS#12 bundle the script produces.
P12_NAME="2_client_certs_1_key.p12"

# Prints a command line to stdout, then runs it. If the command returns a
# non-zero status the whole script exits with status 1.
# Arguments: the command to run, followed by its arguments.
try () {
  echo "$@"
  if ! "$@"; then
    exit 1
  fi
}

# Start from an empty output directory: remove whatever an earlier run left
# behind, then recreate it. OUT_DIR is a relative path, so this acts on the
# directory the script is run from.
try rm -rf "${OUT_DIR}"
try mkdir "${OUT_DIR}"

# Generate a 2048-bit RSA private key for the CA. No cipher option is passed,
# so the key file is written unencrypted.
try openssl genrsa -out "${OUT_DIR}/test_ca.key" 2048
# Self-sign a root certificate for the CA (SHA-256, valid for 9999 days).
# No -subj is given, so openssl takes the subject from its configuration,
# normally by prompting on the terminal.
try openssl req -x509 -new -nodes \
    -key "${OUT_DIR}/test_ca.key" \
    -sha256 -days 9999 \
    -out "${OUT_DIR}/test_ca.pem"

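# Generate a 2048-bit RSA private key for the client. No cipher option is
# passed, so the PEM file is written unencrypted.
# Both commands go through try so that a failure stops the script instead of
# being ignored, matching the CA steps.
try openssl genrsa -out "${OUT_DIR}/${CLIENT_KEY_NAME}.key" 2048
# Convert the key into the P8 format for the client to import. -nocrypt
# leaves the DER output unencrypted as well.
try openssl pkcs8 -topk8 -inform PEM -outform DER \
    -in "${OUT_DIR}/${CLIENT_KEY_NAME}.key" \
    -out "${OUT_DIR}/${CLIENT_KEY_NAME}.p8" -nocrypt
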
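# Generate the CSR for the first certificate from the client key. No -subj is
# given, so openssl takes the subject from its configuration, normally by
# prompting on the terminal.
# Both commands go through try so that a failure stops the script instead of
# being ignored.
try openssl req -new -key "${OUT_DIR}/${CLIENT_KEY_NAME}.key" \
    -out "${OUT_DIR}/csr_1.csr"
# Sign the CSR with the CA to produce the first client certificate (SHA-256,
# valid for 9999 days). -CAcreateserial creates the CA serial-number file if
# it does not exist yet.
try openssl x509 -req -in "${OUT_DIR}/csr_1.csr" \
    -CA "${OUT_DIR}/test_ca.pem" -CAkey "${OUT_DIR}/test_ca.key" \
    -CAcreateserial -sha256 -days 9999 \
    -out "${OUT_DIR}/${CLIENT_CERT_NAME_1}.pem"
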
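# Generate the CSR for the second certificate. It uses the same client key as
# the first one, which is what makes the result "two certificates, one key".
# Both commands go through try so that a failure stops the script instead of
# being ignored.
try openssl req -new -key "${OUT_DIR}/${CLIENT_KEY_NAME}.key" \
    -out "${OUT_DIR}/csr_2.csr"
# Sign the CSR with the same CA to produce the second client certificate
# (SHA-256, valid for 9999 days).
try openssl x509 -req -in "${OUT_DIR}/csr_2.csr" \
    -CA "${OUT_DIR}/test_ca.pem" -CAkey "${OUT_DIR}/test_ca.key" \
    -CAcreateserial -sha256 -days 9999 \
    -out "${OUT_DIR}/${CLIENT_CERT_NAME_2}.pem"
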
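# Generate a PKCS#12 file (.p12) from the two certs and the key: -in supplies
# the first certificate and -certfile adds the second.
# The export password is a fixed value given on the command line, where it is
# visible in process listings and in the output of try. That is tolerable
# only because this is a throwaway test credential.
# NOTE(review): presumably the consumers of this file hard-code the same
# password; confirm before changing it.
# The command goes through try so that a failure stops the script instead of
# being ignored.
try openssl pkcs12 -export \
    -out "${OUT_DIR}/${P12_NAME}" \
    -inkey "${OUT_DIR}/${CLIENT_KEY_NAME}.key" \
    -in "${OUT_DIR}/${CLIENT_CERT_NAME_1}.pem" \
    -certfile "${OUT_DIR}/${CLIENT_CERT_NAME_2}.pem" \
    -passout pass:12345
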
# Copy the finished bundle into ../certificates. The destination is relative,
# so the script presumably has to be run from its own directory.
# OUT_DIR, including the unencrypted private keys, is left on disk afterwards.
try cp "${OUT_DIR}/${P12_NAME}" ../certificates