
Commit d059365

committed
Splitting Scripts to generate private/public key pairs and certificates
1 parent 302c7fb commit d059365

3 files changed

Lines changed: 28 additions & 14 deletions


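--- a/package.json
+++ b/package.json
@@ -5,7 +5,8 @@
 "scripts": {
 "test": "mocha",
 "webpack": "webpack --config webpack.config.js",
-"keys": "scripts/generate-cert-chain.sh"
+"keys": "scripts/generate-key-pair.sh",
+"certs": "scripts/generate-cert-chain.sh"
 },
 "author": "Vitor Pamplona",
 "license": "GPL-3.0-only",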

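--- a/scripts/generate-cert-chain.sh
+++ b/scripts/generate-cert-chain.sh
@@ -11,29 +11,22 @@ tmpdir=certs
 srcdir=scripts
 mkdir -p $tmpdir
 
-# Code to generate simple public keys
-
-openssl ecparam -genkey -name prime256v1 -noout -out $tmpdir/ec256-key-pair.key
-
-# add the issuer key to the JWK sets
-node $srcdir/keysToJWK.js --key $tmpdir/ec256-key-pair.key --private jwks.private.json --public jwks.json
-
 # Code to generate Certificates
 
 # generate self-signed root CA cert
-#openssl req -x509 -new -newkey ec:<(openssl ecparam -name secp521r1) -keyout $tmpdir/root_CA.key -out $tmpdir/root_CA.crt -nodes -subj "/CN=SMART Health Card Example Root CA" -days 3650 -config $srcdir/openssl_ca.cnf -extensions v3_ca -sha512
+openssl req -x509 -new -newkey ec:<(openssl ecparam -name secp521r1) -keyout $tmpdir/root_CA.key -out $tmpdir/root_CA.crt -nodes -subj "/CN=SMART Health Card Example Root CA" -days 3650 -config $srcdir/openssl_ca.cnf -extensions v3_ca -sha512
 
 # generate intermediate CA cert request
-#openssl req -new -newkey ec:<(openssl ecparam -name secp384r1) -keyout $tmpdir/CA.key -out $tmpdir/CA.csr -nodes -subj "/CN=SMART Health Card Example CA" -config $srcdir/openssl_ca.cnf -extensions v3_ca -sha384
+openssl req -new -newkey ec:<(openssl ecparam -name secp384r1) -keyout $tmpdir/CA.key -out $tmpdir/CA.csr -nodes -subj "/CN=SMART Health Card Example CA" -config $srcdir/openssl_ca.cnf -extensions v3_ca -sha384
 
 # root CA signs the CA cert request
-#openssl x509 -req -in $tmpdir/CA.csr -out $tmpdir/CA.crt -CA $tmpdir/root_CA.crt -CAkey $tmpdir/root_CA.key -CAcreateserial -days 1825 -extfile $srcdir/openssl_ca.cnf -extensions v3_ca -sha512
+openssl x509 -req -in $tmpdir/CA.csr -out $tmpdir/CA.crt -CA $tmpdir/root_CA.crt -CAkey $tmpdir/root_CA.key -CAcreateserial -days 1825 -extfile $srcdir/openssl_ca.cnf -extensions v3_ca -sha512
 
 # generate issuer signing cert request
-#openssl req -new -newkey ec:<(openssl ecparam -name prime256v1) -keyout $tmpdir/issuer.key -out $tmpdir/issuer.csr -nodes -subj "/CN=SMART Health Card Example Issuer" -config $srcdir/openssl_ca.cnf -extensions v3_issuer -sha256
+openssl req -new -newkey ec:<(openssl ecparam -name prime256v1) -keyout $tmpdir/issuer.key -out $tmpdir/issuer.csr -nodes -subj "/CN=SMART Health Card Example Issuer" -config $srcdir/openssl_ca.cnf -extensions v3_issuer -sha256
 
 # intermediate CA signs the issuer cert request
-#openssl x509 -req -in $tmpdir/issuer.csr -out $tmpdir/issuer.crt -CA $tmpdir/CA.crt -CAkey $tmpdir/CA.key -CAcreateserial -days 365 -extfile $srcdir/openssl_ca.cnf -extensions v3_issuer -sha384
+openssl x509 -req -in $tmpdir/issuer.csr -out $tmpdir/issuer.crt -CA $tmpdir/CA.crt -CAkey $tmpdir/CA.key -CAcreateserial -days 365 -extfile $srcdir/openssl_ca.cnf -extensions v3_issuer -sha384
 
 # add the issuer key to the JWK sets
-#node $srcdir/keysToJWK.js --key $tmpdir/issuer.key --cert $tmpdir/issuer.crt --cert $tmpdir/CA.crt --cert $tmpdir/root_CA.crt --private jwks.private.json --public jwks.json
+node $srcdir/keysToJWK.js --key $tmpdir/issuer.key --cert $tmpdir/issuer.crt --cert $tmpdir/CA.crt --cert $tmpdir/root_CA.crt --private jwks.private.json --public jwks.json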
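Review bot: The six openssl steps now live on new lines 17–32 each consume the previous step's output, but nothing checks their exit status and the script preamble (outside this hunk) shows no `set -e`, so a failed CSR or signing step does not stop the run — the following `openssl x509 -req` fails on a missing input and the `node` call on line 32 can still execute against a partial chain. Adding `set -euo pipefail` below the shebang (outside the hunk), or `|| exit 1` after each step, makes the failure visible at the step that caused it. `$tmpdir` and `$srcdir` are expanded unquoted throughout; `"$tmpdir"` / `"$srcdir"` costs nothing and keeps the commands intact if the directory is ever parameterized the way the sibling generate-key-pair.sh does. Note also that this script still writes `jwks.private.json` and `jwks.json` to the current directory while generate-key-pair.sh writes them under `$tmpdir/`, so `npm run keys` followed by `npm run certs` leaves two different JWK sets in two places rather than one combined set.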

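--- /dev/null
+++ b/scripts/generate-key-pair.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# This script generates an EC key pair and 3-cert ECDSA chain (root -> CA -> issuer).
+# Leaf cert uses P-256 and is valid for 1 year (as per the SMART Health Card Framework),
+# CA and root CA use the increasingly stronger P-384 and P-521, and are valid for
+# 5 and 10 years, respectively.
+
+# directory where intermediate files are kept
+
+tmpdir=$1
+srcdir=scripts
+
+mkdir -p $tmpdir
+
+# Code to generate simple public keys
+
+openssl ecparam -genkey -name prime256v1 -noout -out $tmpdir/ec256-key-pair.key
+
+# add the issuer key to the JWK sets
+node $srcdir/keysToJWK.js --key $tmpdir/ec256-key-pair.key --private $tmpdir/jwks.private.json --public $tmpdir/jwks.json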
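Review bot: `tmpdir=$1` on new line 10 is used with no validation, and the package.json entry `"keys": "scripts/generate-key-pair.sh"` invokes the script with no argument, so `tmpdir` is empty: `mkdir -p` fails, the script carries on (no `set -e`), and `-out $tmpdir/ec256-key-pair.key` resolves to `/ec256-key-pair.key` at the filesystem root. Either require the argument with `tmpdir=${1:?usage: $0 <output-dir>}` or default it to the directory the cert-chain script uses with `tmpdir=${1:-certs}`, and quote the expansion as `mkdir -p "$tmpdir"`. The header comment on lines 3–6 still describes the 3-cert ECDSA chain and its validity periods, which this script no longer produces; it should describe only what remains, e.g. `# This script generates a P-256 EC key pair and adds it to the public and private JWK sets.` Without `set -euo pipefail` a failed `openssl ecparam` also lets `keysToJWK.js` run against a missing key file, so the first error reported is the wrong one.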
