Home Explore Help
Sign In
lechercheur123
/
RISE-V2G
mirror of https://github.com/V2GClarity/RISE-V2G
1
0
Fork 0
Files Issues 0 Wiki
Tree: 6b366610bc
Branches Tags
RISE-V2G
/
RISE-V2G-Certificates
/
generateCertificates.sh

generateCertificates.sh 23 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208 
  1. #*******************************************************************************
    2. 

  2. #  Copyright (c) 2016 Dr.-Ing. Marc Mültin.
    3. 

  3. #  All rights reserved. This program and the accompanying materials
    4. 

  4. #  are made available under the terms of the Eclipse Public License v1.0
    5. 

  5. #  which accompanies this distribution, and is available at
    6. 

  6. #  http://www.eclipse.org/legal/epl-v10.html
    7. 

  7. #
    8. 

  8. #  Contributors:
    9. 

  9. #    Dr.-Ing. Marc Mültin - initial API and implementation and initial documentation
    10. 

  10. #*******************************************************************************
    11. 

  11. # This shell script can be used to create all necessary certificates and keystores needed in order to
    12. 

  12. # - successfully perform a TLS handshake between the EVCC (TLSClient) and the SECC (TLSServer) and 
    13. 

  13. # - install/update a contract certificate in the EVCC.
    14. 

  14. # Previously created certificates should have been provided with the respective release of the RISE V2G project for testing purposes. However, certain certificates might not be valid any more in which case you need to create new certificates. 
    15. 

  15. # This file shall serve you with all information needed to create your own certificate chains.
    16. 

  16. #
    17. 

  17. # Helpful information about using openssl is provided by Ivan Ristic's book "Bulletproof SSL and TLS".
    18. 

  18. # Furthermore, you should have openssl 1.0.2 (or above) installed to comply with all security requirements imposed by ISO 15118. For example, openssl 0.9.8 does not come with SHA-2 for SHA-256 signature algorithms.
    19. 

  19. #
    20. 

  20. # Author: Marc Mültin (marc.mueltin@v2g-clarity.com) 
    21. 

  21. 

  22. 

  23. # Some variables to create different outcomes of the PKI for testing purposes. Change the validity periods (given in number of days) to test 
    24. 

  24. # - valid certificates (e.g. contract certificate or Sub-CA certificate)
    25. 

  25. # - expired certificates (e.g. contract certificate or Sub-CA certificates) -> you need to reset your system time to the past to create expired certificates
    26. 

  26. # - a to be updated contract certificate
    27. 

  27. validity_contract_cert=730
    28. 

  28. validity_mo_subca1_cert=1460
    29. 

  29. validity_mo_subca2_cert=1460
    30. 

  30. validity_oem_prov_cert=1460
    31. 

  31. validity_oem_subca1_cert=1460
    32. 

  32. validity_oem_subca2_cert=1460
    33. 

  33. validity_cps_leaf_cert=90
    34. 

  34. validity_cps_subca1_cert=1460
    35. 

  35. validity_cps_subca2_cert=730
    36. 

  36. validity_secc_cert=60
    37. 

  37. validity_cpo_subca1_cert=1460
    38. 

  38. validity_cpo_subca2_cert=365
    39. 

  39. validity_v2g_root_cert=3650
    40. 

  40. validity_oem_root_cert=3650
    41. 

  41. validity_mo_root_cert=3650
    42. 

  42. 

  43. 

  44. # 0) Create directories if not yet existing
    45. 

  45. mkdir -p certs
    46. 

  46. mkdir -p csrs
    47. 

  47. mkdir -p keystores
    48. 

  48. mkdir -p privateKeys
    49. 

  49. 

  50. # 1) Create a self-signed V2GRootCA certificate
    51. 

  51. # 1.1) Create a 
    52. 

  52. #	- private key -> -genkey
    53. 

  53. #	- with elliptic curve parameters -> ecparam
    54. 

  54. #	- for key of length 256 bit to be used for digital signatures -> -name secp256r1
    55. 

  55. #	- with symmetric encryption AES 128 bit -> -aes128
    56. 

  56. #   - and the passphrase for the private key provided in a file -> -passout file:passphrase.txt
    57. 

  57. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ecparam -genkey -name secp256r1 | /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ec -out privateKeys/v2gRootCA.key -aes128 -passout file:passphrase.txt
    58. 

  58. # 1.2) Create a 
    59. 

  59. #	- new -> -new
    60. 

  60. # 	- self-signed certificate -> -new -x509 (and -out v2gRootCA.pem)
    61. 

  61. #	- valid for 40 years -> -days 14600
    62. 

  62. #	- with signature algorithm sha256 -> -sha256
    63. 

  63. #	- with previously created private key -> -key privateKeys/v2gRootCA.key
    64. 

  64. #	- and configuration data provided -> -config configs/v2gRootCACert.cnf
    65. 

  65. #	- with extensions specified in section [ext] -> -extensions ext
    66. 

  66. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl req -new -x509 -days $validity_v2g_root_cert -sha256 -key privateKeys/v2gRootCA.key -set_serial 01 -passin file:passphrase.txt -config configs/v2gRootCACert.cnf -extensions ext -out certs/v2gRootCA.pem
    67. 

  67. 

  68. 

  69. # 2) Create an intermediate CPO sub-CA certificate which is directly signed by the V2GRootCA certificate
    70. 

  70. # 2.1) Create a private key (same procedure as for V2GRootCA certificate)
    71. 

  71. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ecparam -genkey -name secp256r1 | /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ec -out privateKeys/cpoSubCA1.key -aes128 -passout file:passphrase.txt
    72. 

  72. # 2.2) Create a 
    73. 

  73. # 	- new Certificate Signing Request (CSR) -> -new (and -out cpoSubCA1.csr)
    74. 

  74. #	- with previously created private key -> -key privateKeys/cpoSubCA1.key
    75. 

  75. #	- and configuration data provided -> -config configs/cpoSubCA1Cert.cnf
    76. 

  76. #	- with extensions specified in section [ext] -> -extensions ext
    77. 

  77. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl req -new -key privateKeys/cpoSubCA1.key -passin file:passphrase.txt -config configs/cpoSubCA1Cert.cnf -extensions ext -out csrs/cpoSubCA1.csr
    78. 

  78. # 2.3) Create a 
    79. 

  79. #	- certificate for the CPOSubCA1 -> x509
    80. 

  80. #	- with the previously created CSR -> -in csrs/cpoSubCA1.csr
    81. 

  81. #	- signed by the V2GRootCA's private key -> -signkey privateKeys/v2gRootCA.key
    82. 

  82. #	- with a validity of 4 years -> -days 1460
    83. 

  83. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -req -in csrs/cpoSubCA1.csr -extfile configs/cpoSubCA1Cert.cnf -extensions ext -CA certs/v2gRootCA.pem -CAkey privateKeys/v2gRootCA.key -set_serial 02 -passin file:passphrase.txt -days $validity_cpo_subca1_cert -out certs/cpoSubCA1.pem
    84. 

  84. 

  85. 

  86. # 3) Create a second intermediate CPO sub-CA certificate  just the way the previous intermedia certificate was created which is directly signed by the CPOSubCA1
    87. 

  87. # Differences to CPOSubCA1
    88. 

  88. # - basicConstraints in config file sets pathlength to 0 (meaning that no further sub CA's certificate may be signed with this certificate, a leaf certificate must follow this certificate in a certificate chain)
    89. 

  89. # - validity is set to 1 year (1 - 2 years are allowed according to ISO 15118)
    90. 

  90. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ecparam -genkey -name secp256r1 | /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ec -out privateKeys/cpoSubCA2.key -aes128 -passout file:passphrase.txt
    91. 

  91. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl req -new -key privateKeys/cpoSubCA2.key -passin file:passphrase.txt -config configs/cpoSubCA2Cert.cnf -extensions ext -out csrs/cpoSubCA2.csr
    92. 

  92. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -req -in csrs/cpoSubCA2.csr -extfile configs/cpoSubCA2Cert.cnf -extensions ext -CA certs/cpoSubCA1.pem -CAkey privateKeys/cpoSubCA1.key -set_serial 03 -passin file:passphrase.txt -days $validity_cpo_subca2_cert -out certs/cpoSubCA2.pem
    93. 

  93. 

  94. # 4) Create an SECCCert certificate which is the leaf certificate belonging to the charging station which authenticates itself to the EVCC during a TLS handshake, signed by CPOSubCA2 certificate
    95. 

  95. # Differences to CPOSubCA1 and CPOSubCA2
    96. 

  96. # - basicConstraints sets CA to false, no pathlen is therefore set
    97. 

  97. # - keyusage is set to digitalSignature instead of keyCertSign and cRLSign
    98. 

  98. # - validity is set to 60 days (2 - 3 months are allowed according to ISO 15118)
    99. 

  99. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ecparam -genkey -name secp256r1 | /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ec -out privateKeys/seccCert.key -aes128 -passout file:passphrase.txt
    100. 

  100. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl req -new -key privateKeys/seccCert.key -passin file:passphrase.txt -config configs/seccCert.cnf -extensions ext -out csrs/seccCert.csr
    101. 

  101. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -req -in csrs/seccCert.csr -extfile configs/seccCert.cnf -extensions ext -CA certs/cpoSubCA2.pem -CAkey privateKeys/cpoSubCA2.key -set_serial 04 -passin file:passphrase.txt -days $validity_secc_cert -out certs/seccCert.pem
    102. 

  102. # Concatenate the intermediate CAs into one file intermediateCAs.pem
    103. 

  103. # IMPORTANT: Concatenate in such a way that the chain leads from the leaf certificate to the root (excluding), this means here: first parameter of the cat command is the intermediate CA's certificate which signs the leaf certificate (in this case cpoSubCA2.pem). Otherwise the Java method getCertificateChain() which is called on the keystore will only return the leaf certificate!
    104. 

  104. cat certs/cpoSubCA2.pem certs/cpoSubCA1.pem > certs/intermediateCPOCAs.pem
    105. 

  105. # Put the seccCertificate, the private key of the seccCertificate as well as the intermediate CAs in a pkcs12 container. 
    106. 

  106. # IMPORTANT: It is necessary to put all necessary intermediate CAs directly into the PKCS12 container (with the -certfile switch), instead of later on iporting the PKCS12 containter only holding the leaf certificate (seccCert) and its private key and additionally importing the intermediate CAs via the keytool command (TLS handshake will fail).
    107. 

  107. # This is the reason why we need two password files (passphrase.txt and passphrase2.txt). Possibly the passphrase.txt file resource is locked before being accessed a second time within the same command? See also http://rt./usr/local/Cellar/openssl/1.0.2h_1/bin/openssl.org/Ticket/Display.html?id=3168&user=guest&pass=guest
    108. 

  108. # The -name switch corresponds to the -alias switch in the keytool command later on
    109. 

  109. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl pkcs12 -export -inkey privateKeys/seccCert.key -in certs/seccCert.pem -certfile certs/intermediateCPOCAs.pem -aes128 -passin file:passphrase.txt -passout file:passphrase2.txt -name secc_cert -out certs/cpoCertChain.p12
    110. 

  110. 

  111. # 5) Create a self-signed OEMRootCA certificate (validity is up to the OEM, this example applies the same validity as the V2GRootCA)
    112. 

  112. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ecparam -genkey -name secp256r1 | /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ec -out privateKeys/oemRootCA.key -aes128 -passout file:passphrase.txt
    113. 

  113. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl req -new -x509 -days $validity_oem_root_cert -sha256 -key privateKeys/oemRootCA.key -set_serial 05 -passin file:passphrase.txt -config configs/oemRootCACert.cnf -extensions ext -out certs/oemRootCA.pem
    114. 

  114. 

  115. # 6) Create an intermediate OEM sub-CA certificate which is directly signed by the OEMRootCA certificate (validity is up to the OEM, this example applies the same validity as the CPOSubCA1)
    116. 

  116. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ecparam -genkey -name secp256r1 | /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ec -out privateKeys/oemSubCA1.key -aes128 -passout file:passphrase.txt
    117. 

  117. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl req -new -key privateKeys/oemSubCA1.key -passin file:passphrase.txt -config configs/oemSubCA1Cert.cnf -extensions ext -out csrs/oemSubCA1.csr
    118. 

  118. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -req -in csrs/oemSubCA1.csr -extfile configs/oemSubCA1Cert.cnf -extensions ext -CA certs/oemRootCA.pem -CAkey privateKeys/oemRootCA.key -set_serial 06 -passin file:passphrase.txt -days $validity_oem_subca1_cert -out certs/oemSubCA1.pem
    119. 

  119. 

  120. # 7) Create a second intermediate OEM sub-CA certificate which is directly signed by the OEMSubCA1 certificate (validity is up to the OEM, this example applies the same validity as the CPOSubCA2)
    121. 

  121. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ecparam -genkey -name secp256r1 | /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ec -out privateKeys/oemSubCA2.key -aes128 -passout file:passphrase.txt
    122. 

  122. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl req -new -key privateKeys/oemSubCA2.key -passin file:passphrase.txt -config configs/oemSubCA2Cert.cnf -extensions ext -out csrs/oemSubCA2.csr
    123. 

  123. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -req -in csrs/oemSubCA2.csr -extfile configs/oemSubCA2Cert.cnf -extensions ext -CA certs/oemSubCA1.pem -CAkey privateKeys/oemSubCA1.key -set_serial 07 -passin file:passphrase.txt -days $validity_oem_subca2_cert -out certs/oemSubCA2.pem
    124. 

  124. 

  125. # 8) Create an OEM provisioning certificate which is the leaf certificate belonging to the OEM certificate chain (used for contract certificate installation)
    126. 

  126. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ecparam -genkey -name secp256r1 | /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ec -out privateKeys/oemProvCert.key -aes128 -passout file:passphrase.txt
    127. 

  127. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl req -new -key privateKeys/oemProvCert.key -passin file:passphrase.txt -config configs/oemProvCert.cnf -extensions ext -out csrs/oemProvCert.csr
    128. 

  128. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -req -in csrs/oemProvCert.csr -extfile configs/oemProvCert.cnf -extensions ext -CA certs/oemSubCA2.pem -CAkey privateKeys/oemSubCA2.key -set_serial 08 -passin file:passphrase.txt -days $validity_oem_prov_cert -out certs/oemProvCert.pem
    129. 

  129. cat certs/oemSubCA2.pem certs/oemSubCA1.pem > certs/intermediateOEMCAs.pem
    130. 

  130. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl pkcs12 -export -inkey privateKeys/oemProvCert.key -in certs/oemProvCert.pem -certfile certs/intermediateOEMCAs.pem -aes128 -passin file:passphrase.txt -passout file:passphrase2.txt -name oem_prov_cert -out certs/oemCertChain.p12
    131. 

  131. 

  132. # 9) Create a self-signed MORootCA (mobility operator) certificate (validity is up to the MO, this example applies the same validity as the V2GRootCA)
    133. 

  133. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ecparam -genkey -name secp256r1 | /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ec -out privateKeys/moRootCA.key -aes128 -passout file:passphrase.txt
    134. 

  134. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl req -new -x509 -days $validity_mo_root_cert -sha256 -key privateKeys/moRootCA.key -set_serial 09 -passin file:passphrase.txt -config configs/moRootCACert.cnf -extensions ext -out certs/moRootCA.pem
    135. 

  135. 

  136. # 10) Create an intermediate MO sub-CA certificate which is directly signed by the MORootCA certificate (validity is up to the MO, this example applies the same validity as the CPOSubCA1)
    137. 

  137. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ecparam -genkey -name secp256r1 | /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ec -out privateKeys/moSubCA1.key -aes128 -passout file:passphrase.txt
    138. 

  138. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl req -new -key privateKeys/moSubCA1.key -passin file:passphrase.txt -config configs/moSubCA1Cert.cnf -extensions ext -out csrs/moSubCA1.csr
    139. 

  139. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -req -in csrs/moSubCA1.csr -extfile configs/moSubCA1Cert.cnf -extensions ext -CA certs/moRootCA.pem -CAkey privateKeys/moRootCA.key -set_serial 10 -passin file:passphrase.txt -days $validity_mo_subca1_cert -out certs/moSubCA1.pem
    140. 

  140. 

  141. 

  142. # 11) Create a second intermediate MO sub-CA certificate which is directly signed by the MOSubCA1 certificate (validity is up to the MO, this example applies the same validity as the CPOSubCA2)
    143. 

  143. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ecparam -genkey -name secp256r1 | /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ec -out privateKeys/moSubCA2.key -aes128 -passout file:passphrase.txt
    144. 

  144. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl req -new -key privateKeys/moSubCA2.key -passin file:passphrase.txt -config configs/moSubCA2Cert.cnf -extensions ext -out csrs/moSubCA2.csr
    145. 

  145. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -req -in csrs/moSubCA2.csr -extfile configs/moSubCA2Cert.cnf -extensions ext -CA certs/moSubCA1.pem -CAkey privateKeys/moSubCA1.key -set_serial 11 -passin file:passphrase.txt -days $validity_mo_subca2_cert -out certs/moSubCA2.pem
    146. 

  146. 

  147. 

  148. # 12) Create a contract certificate which is the leaf certificate belonging to the MO certificate chain (used for contract certificate installation)
    149. 

  149. # Validity can be between 4 weeks and 2 years (restricted by the contract lifetime), for testing purposes the validity will be set to 2 years
    150. 

  150. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ecparam -genkey -name secp256r1 | /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ec -out privateKeys/contractCert.key -aes128 -passout file:passphrase.txt
    151. 

  151. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl req -new -key privateKeys/contractCert.key -passin file:passphrase.txt -config configs/contractCert.cnf -extensions ext -out csrs/contractCert.csr
    152. 

  152. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -req -in csrs/contractCert.csr -extfile configs/contractCert.cnf -extensions ext -CA certs/moSubCA2.pem -CAkey privateKeys/moSubCA2.key -set_serial 12 -passin file:passphrase.txt -days $validity_contract_cert -out certs/contractCert.pem
    153. 

  153. cat certs/moSubCA2.pem certs/moSubCA1.pem > certs/intermediateMOCAs.pem
    154. 

  154. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl pkcs12 -export -inkey privateKeys/contractCert.key -in certs/contractCert.pem -certfile certs/intermediateMOCAs.pem -aes128 -passin file:passphrase.txt -passout file:passphrase2.txt -name contract_cert -out certs/moCertChain.p12
    155. 

  155. 

  156. # 13) Create an intermediate provisioning service sub-CA certificate which is directly signed by the V2GRootCA certificate 
    157. 

  157. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ecparam -genkey -name secp256r1 | /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ec -out privateKeys/cpsSubCA1.key -aes128 -passout file:passphrase.txt
    158. 

  158. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl req -new -key privateKeys/cpsSubCA1.key -passin file:passphrase.txt -config configs/cpsSubCA1Cert.cnf -extensions ext -out csrs/cpsSubCA1.csr
    159. 

  159. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -req -in csrs/cpsSubCA1.csr -extfile configs/cpsSubCA1Cert.cnf -extensions ext -CA certs/v2gRootCA.pem -CAkey privateKeys/v2gRootCA.key -set_serial 13 -passin file:passphrase.txt -days $validity_cps_subca1_cert -out certs/cpsSubCA1.pem
    160. 

  160. 

  161. # 14) Create a second intermediate provisioning sub-CA certificate which is directly signed by the CPSSubCA1 certificate (validity 1 - 2 years, we make it 2 years)
    162. 

  162. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ecparam -genkey -name secp256r1 | /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ec -out privateKeys/cpsSubCA2.key -aes128 -passout file:passphrase.txt
    163. 

  163. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl req -new -key privateKeys/cpsSubCA2.key -passin file:passphrase.txt -config configs/cpsSubCA2Cert.cnf -extensions ext -out csrs/cpsSubCA2.csr
    164. 

  164. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -req -in csrs/cpsSubCA2.csr -extfile configs/cpsSubCA2Cert.cnf -extensions ext -CA certs/cpsSubCA1.pem -CAkey privateKeys/cpsSubCA1.key -set_serial 14 -passin file:passphrase.txt -days $validity_cps_subca2_cert -out certs/cpsSubCA2.pem
    165. 

  165. 

  166. # 15) Create a provisioning service certificate which is the leaf certificate belonging to the provisioning certificate chain (used for contract certificate installation)
    167. 

  167. # Validity can be between 2 - 3 months, we make it 3 months
    168. 

  168. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ecparam -genkey -name secp256r1 | /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl ec -out privateKeys/cpsLeafCert.key -aes128 -passout file:passphrase.txt
    169. 

  169. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl req -new -key privateKeys/cpsLeafCert.key -passin file:passphrase.txt -config configs/cpsLeafCert.cnf -extensions ext -out csrs/cpsLeafCert.csr
    170. 

  170. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -req -in csrs/cpsLeafCert.csr -extfile configs/cpsLeafCert.cnf -extensions ext -CA certs/cpsSubCA2.pem -CAkey privateKeys/cpsSubCA2.key -set_serial 15 -passin file:passphrase.txt -days $validity_cps_leaf_cert -out certs/cpsLeafCert.pem
    171. 

  171. cat certs/cpsSubCA2.pem certs/cpsSubCA1.pem > certs/intermediateCPSCAs.pem
    172. 

  172. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl pkcs12 -export -inkey privateKeys/cpsLeafCert.key -in certs/cpsLeafCert.pem -certfile certs/intermediateCPSCAs.pem -aes128 -passin file:passphrase.txt -passout file:passphrase2.txt -name cps_leaf_cert -out certs/cpsCertChain.p12
    173. 

  173. 

  174. # 16) Finally we need to convert the certificates from PEM format to DER format (PEM is the default format, but ISO 15118 only allows DER format)
    175. 

  175. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -inform PEM -in certs/v2gRootCA.pem       -outform DER -out certs/v2gRootCA.der
    176. 

  176. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -inform PEM -in certs/cpsSubCA1.pem      -outform DER -out certs/cpsSubCA1.der
    177. 

  177. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -inform PEM -in certs/cpsSubCA2.pem      -outform DER -out certs/cpsSubCA2.der
    178. 

  178. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -inform PEM -in certs/cpsLeafCert.pem -outform DER -out certs/cpsLeafCert.der
    179. 

  179. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -inform PEM -in certs/cpoSubCA1.pem       -outform DER -out certs/cpoSubCA1.der
    180. 

  180. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -inform PEM -in certs/cpoSubCA2.pem       -outform DER -out certs/cpoSubCA2.der
    181. 

  181. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -inform PEM -in certs/seccCert.pem        -outform DER -out certs/seccCert.der
    182. 

  182. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -inform PEM -in certs/oemRootCA.pem       -outform DER -out certs/oemRootCA.der
    183. 

  183. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -inform PEM -in certs/oemSubCA1.pem       -outform DER -out certs/oemSubCA1.der
    184. 

  184. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -inform PEM -in certs/oemSubCA2.pem       -outform DER -out certs/oemSubCA2.der
    185. 

  185. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -inform PEM -in certs/oemProvCert.pem     -outform DER -out certs/oemProvCert.der
    186. 

  186. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -inform PEM -in certs/moRootCA.pem        -outform DER -out certs/moRootCA.der
    187. 

  187. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -inform PEM -in certs/moSubCA1.pem        -outform DER -out certs/moSubCA1.der
    188. 

  188. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -inform PEM -in certs/moSubCA2.pem        -outform DER -out certs/moSubCA2.der
    189. 

  189. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl x509 -inform PEM -in certs/contractCert.pem    -outform DER -out certs/contractCert.der
    190. 

  190. # Since the intermediate certificates need to be in PEM format when putting them in a PKCS12 container and the resulting PKCS12 file is a binary format, it might be sufficient. Otherwise, I have currently no idea how to covert the intermediate certificates in DER without running into problems when creating the PKCS12 container.
    191. 

  191. 

  192. # 17) In case you want the private keys in PKCS#8 file format and DER encoded, use this command. Especially necessary for the private key of MOSubCA2 in RISE V2G
    193. 

  193. /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl pkcs8 -topk8 -in privateKeys/moSubCA2.key -inform PEM -passin file:passphrase.txt -passout file:passphrase2.txt -outform DER -out privateKeys/moSubCA2.pkcs8.der
    194. 

  194. 

  195. 

  196. # XX) Create the initial Java truststores and keystores
    197. 

  197. # XX.1) truststore for the EVCC which needs to hold the V2GRootCA certificate (the EVCC does not verify the received contract certificate chain, therefore no MORootCA needs to be imported in evccTruststore.jks )
    198. 

  198. keytool -import -keystore keystores/evccTruststore.jks -alias v2g_root_ca -file certs/v2gRootCA.der -storepass:file passphrase.txt -noprompt
    199. 

  199. # XX.2) truststore for the SECC which needs to hold the V2GRootCA certificate and the MORootCA which signed the MOSubCA1 (needed for verifying the  contract certificate signature chain which will be sent from the EVCC to the SECC with PaymentDetailsReq message). According to ISO 15118-2, MORootCA is not necessarily needed as the MOSubCA1 could instead be signed by a V2GRootCA.
    200. 

  200. keytool -import -keystore keystores/seccTruststore.jks -alias v2g_root_ca -file certs/v2gRootCA.der -storepass:file passphrase.txt -noprompt
    201. 

  201. keytool -import -keystore keystores/seccTruststore.jks -alias mo_root_ca -file certs/moRootCA.der -storepass:file passphrase.txt -noprompt
    202. 

  202. # XX.3) keystore for the SECC which needs to hold the CPOSubCA1, CPOSubCA2, and SECCCert certificates
    203. 

  203. keytool -importkeystore -srckeystore certs/cpoCertChain.p12 -srcstoretype pkcs12 -srcstorepass:file passphrase.txt -srcalias secc_cert -destalias secc_cert -destkeystore keystores/seccKeystore.jks -storepass:file passphrase.txt -noprompt
    204. 

  204. # XX.4) keystore for the EVCC which needs to hold the OEMSubCA1, OEMSubCA2, and OEMProvCert certificates
    205. 

  205. keytool -importkeystore -srckeystore certs/oemCertChain.p12 -srcstoretype pkcs12 -srcstorepass:file passphrase.txt -srcalias oem_prov_cert -destalias oem_prov_cert -destkeystore keystores/evccKeystore.jks -storepass:file passphrase.txt -noprompt
    206. 

  206. 

  207. 

  208. # Side notes for OCSP stapling in Java: see http://openjdk.java.net/jeps/8046321
    209.