aboutsummaryrefslogtreecommitdiffstats
path: root/tools/generate_certificate.sh
blob: 18061f701d327205b65901ec2293839809af3aaa (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70

#!/usr/bin/env bash
# generate_certificate.sh — Create a self-signed X.509 certificate for
# open62541 OPC UA applications.  Outputs DER-encoded certificate and
# private-key files suitable for the demo programs in this project.
#
# Arguments:
#   $1  certs_dir  — output directory for generated files (created if missing)
#   $2  name       — identity name (e.g. "ServerLDS", "Client")
#   $3  uri        — (optional) application URI; defaults to urn:localhost:bobink:<name>
#
# Produces:
#   <certs_dir>/<name>_cert.der   — DER-encoded X.509 certificate
#   <certs_dir>/<name>_cert.pem   — PEM-encoded X.509 certificate
#   <certs_dir>/<name>_key.der    — DER-encoded RSA private key
#   <certs_dir>/<name>_key.pem    — PEM-encoded RSA private key
#   <certs_dir>/<name>.cnf        — OpenSSL config (intermediate, kept for reference)

set -euo pipefail # Fail fast; no unset vars; catch pipe failures.

if [ $# -lt 2 ] || [ $# -gt 3 ]; then
  echo "Usage: generate_certificate.sh <certs_dir> <name> [uri]" >&2
  exit 1
fi

certs_dir="$1"
name="$2"
cn="${name}@localhost"
uri="${3:-urn:localhost:bobink:${name}}"

mkdir -p "$certs_dir"

cnf="$certs_dir/${name}.cnf"
cat >"$cnf" <<EOF
[req]
distinguished_name = req_dn
x509_extensions = v3_ext
prompt = no

[req_dn]
C  = FR
O  = Bobink
CN = ${cn}

# OPC UA Part 6 §6.2.2: application-instance certificates must carry these
# key usages, both server and client auth, and a URI SAN matching the
# application URI.
[v3_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, nonRepudiation, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:localhost, URI:${uri}
EOF

openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
  -days 365 \
  -config "$cnf" \
  -keyout "$certs_dir/${name}_key.pem" \
  -out "$certs_dir/${name}_cert.pem" \
  2>/dev/null

openssl x509 -in "$certs_dir/${name}_cert.pem" -outform der \
  -out "$certs_dir/${name}_cert.der"
openssl rsa -in "$certs_dir/${name}_key.pem" -outform der \
  -out "$certs_dir/${name}_key.der" 2>/dev/null

echo "Generated certificate '$name' (CN=$cn, URI=$uri):"
echo "  $certs_dir/${name}_cert.der"
echo "  $certs_dir/${name}_cert.pem"
echo "  $certs_dir/${name}_key.der"
echo "  $certs_dir/${name}_key.pem"
generated by cgit v1.2.3 (git 2.46.0) at 2026-02-20 10:33:57 +0000