certs: Fixup the set-cert scripts
Signed-off-by: Alistair Francis <[email protected]>
alistair23 authored and twilfredo committed May 20, 2024
1 parent aa5ea6b commit ae9e372
Showing 2 changed files with 11 additions and 6 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -264,7 +264,7 @@ openssl req -inform der -in ./csr_response.der -out csr_response.req
You can now sign the CSR

```shell
openssl x509 -req -in csr_response.req -out csr_response.cert -CA ./certs/slot0/inter.der -sha384 -days 3650 -set_serial 3 -extensions v3_inter -extfile ./certs/openssl-alias.cnf
openssl x509 -req -in csr_response.req -out csr_response.cert -CA ./certs/slot0/inter.der -sha384 -days 3650 -set_serial 3 -extensions alias_ca -extfile ./certs/openssl.cnf
```

Then convert the certificate back to DER
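Review bot: the README command on the changed line still passes no `-CAkey`, so `openssl x509 -req` will look for the issuer's private key inside `./certs/slot0/inter.der`, while the matching line in `certs/setup_certs.sh` supplies the CA key explicitly with `-CAkey`; add the intermediate's key file here too (its name is not shown in this diff) and, depending on the OpenSSL version, `-CAform der` for the DER-encoded CA certificate. It is also worth confirming that `./certs/openssl.cnf` actually defines the `alias_ca` section the command now references, since the config file is not part of this change.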
15 changes: 10 additions & 5 deletions certs/setup_certs.sh
Expand Up @@ -53,11 +53,16 @@ do
# "Test Device CA" but for other slots it might be the signed CSR
# from set certificate.

while openssl x509; do :; done < immutable.der | tail -14 > custom_device.cert
openssl x509 -req -in ../slot0/alias.req -out alias.cert -CA custom_device.cert -CAkey ../slot0/device.key -sha384 -days 3650 -set_serial 3 -extensions v3_inter -extfile ../openssl-alias.cnf

openssl x509 -req -in ../slot0/end_requester.req -out end_requester.cert -CA alias.cert -CAkey ../slot0/alias.key -sha384 -days 3650 -set_serial 4 -extensions v3_end -extfile ../openssl-alias.cnf
openssl x509 -req -in ../slot0/end_responder.req -out end_responder.cert -CA alias.cert -CAkey ../slot0/alias.key -sha384 -days 3650 -set_serial 5 -extensions v3_end -extfile ../openssl-alias.cnf
while openssl x509; do echo "%"; done < immutable.der | awk '
/-----BEGIN CERTIFICATE-----/ { f=1; rec="" }
f { rec = rec $0 ORS }
/-----END CERTIFICATE-----/ { f=0 }
END { if (f=="0") printf "%s", rec }
' > custom_device.cert
openssl x509 -req -in ../slot0/alias.req -out alias.cert -CA custom_device.cert -CAkey ../slot0/device.key -sha384 -days 3650 -set_serial 3 -extensions alias_ca -extfile ../openssl.cnf

openssl x509 -req -in ../slot0/end_requester.req -out end_requester.cert -CA alias.cert -CAkey ../slot0/alias.key -sha384 -days 3650 -set_serial 4 -extensions leaf -extfile ../openssl.cnf
openssl x509 -req -in ../slot0/end_responder.req -out end_responder.cert -CA alias.cert -CAkey ../slot0/alias.key -sha384 -days 3650 -set_serial 5 -extensions leaf -extfile ../openssl.cnf

# Generate der files
openssl asn1parse -in alias.cert -out alias.cert.der
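Review bot: the awk program that replaces the fixed `tail -14` needs a comment stating its intent, which is to keep only the last complete PEM certificate that `openssl x509` emits from `immutable.der` (this is what makes it work for certificates of differing PEM length, where the old fixed line count did not), because the `echo "%"` separator and the `f=="0"` guard are not self-explanatory. The `%` lines never end up in `rec`, since `f` is reset on `-----END CERTIFICATE-----` before they arrive, so either say what they are for or drop the `echo`; and the string comparison `f=="0"` can be written as `!f`, which behaves the same when no certificate was seen (`rec` is empty either way) and reads more clearly. Consider also failing early when nothing was extracted, for example `[ -s custom_device.cert ] || { echo "no certificate found in immutable.der" >&2; exit 1; }` before the `openssl x509 -req ... -CA custom_device.cert` line, so an empty or truncated chain surfaces here rather than as a confusing CA load error.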