Strona główna Odkrywaj Pomoc
Zaloguj się
lechercheur123
/
RISE-V2G
kopia lustrzana https://github.com/V2GClarity/RISE-V2G
1
0
Forkuj 0
Pliki Problemy 0 Wiki
Drzewo: d8c9fc7bcd
Gałęzie Tagi
RISE-V2G
/
RISE-V2G-Certificates
/
generateCertificates.bat

generateCertificates.bat 22 KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223 
  1. @echo off
    2. 

  2. REM *******************************************************************************
    3. 

  3. REM The MIT License (MIT)
    4. 

  4. REM 
    5. 

  5. REM Copyright (c) 2015-207  V2G Clarity (Dr.-Ing. Marc Mültin) 
    6. 

  6. REM
    7. 

  7. REM Permission is hereby granted, free of charge, to any person obtaining a copy
    8. 

  8. REM of this software and associated documentation files (the "Software"), to deal
    9. 

  9. REM in the Software without restriction, including without limitation the rights
    10. 

  10. REM to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    11. 

  11. REM copies of the Software, and to permit persons to whom the Software is
    12. 

  12. REM furnished to do so, subject to the following conditions:
    13. 

  13. REM
    14. 

  14. REM The above copyright notice and this permission notice shall be included in
    15. 

  15. REM all copies or substantial portions of the Software.
    16. 

  16. REM
    17. 

  17. REM THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    18. 

  18. REM IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    19. 

  19. REM FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
    20. 

  20. REM AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    21. 

  21. REM LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    22. 

  22. REM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
    23. 

  23. REM THE SOFTWARE.
    24. 

  24. REM *******************************************************************************
    25. 

  25. 

  26. REM This shell script can be used to create all necessary certificates and keystores needed in order to
    27. 

  27. REM - successfully perform a TLS handshake between the EVCC (TLSClient) and the SECC (TLSServer) and 
    28. 

  28. REM - install/update a contract certificate in the EVCC.
    29. 

  29. REM Previously created certificates should have been provided with the respective release of the RISE V2G project for testing purposes. However, certain certificates might not be valid any more in which case you need to create new certificates. 
    30. 

  30. REM This file shall serve you with all information needed to create your own certificate chains.
    31. 

  31. REM 
    32. 

  32. REM Helpful information about using openssl is provided by Ivan Ristic's book "Bulletproof SSL and TLS".
    33. 

  33. REM Furthermore, you should have openssl 1.0.2 (or above) installed to comply with all security requirements imposed by ISO 15118. For example, openssl 0.9.8 does not come with SHA-2 for SHA-256 signature algorithms. Some MacOS X installations unfortunately still use openssl < v1.0.2. You could use Homebrew to install openssl. Be aware that you probably then need to use an absolute path for your openssl commands, such as /usr/local/Cellar/openssl/1.0.2h_1/bin/openssl (for linux based systems).
    34. 

  34. REM 
    35. 

  35. REM Author: Marc Mültin (marc.mueltin@v2g-clarity.com) 
    36. 

  36. 

  37. 

  38. REM Some variables to create different outcomes of the PKI for testing purposes. Change the validity periods (given in number of days) to test 
    39. 

  39. REM - valid certificates (e.g. contract certificate or Sub-CA certificate)
    40. 

  40. REM - expired certificates (e.g. contract certificate or Sub-CA certificates) -> you need to reset your system time to the past to create expired certificates
    41. 

  41. REM - a to be updated contract certificate
    42. 

  42. SET validity_contract_cert=730
    43. 

  43. SET validity_mo_subca1_cert=1460
    44. 

  44. SET validity_mo_subca2_cert=1460
    45. 

  45. SET validity_oem_prov_cert=1460
    46. 

  46. SET validity_oem_subca1_cert=1460
    47. 

  47. SET validity_oem_subca2_cert=1460
    48. 

  48. SET validity_cps_leaf_cert=90
    49. 

  49. SET validity_cps_subca1_cert=1460
    50. 

  50. SET validity_cps_subca2_cert=730
    51. 

  51. SET validity_secc_cert=60
    52. 

  52. SET validity_cpo_subca1_cert=1460
    53. 

  53. SET validity_cpo_subca2_cert=365
    54. 

  54. SET validity_v2g_root_cert=3650
    55. 

  55. SET validity_oem_root_cert=3650
    56. 

  56. SET validity_mo_root_cert=3650
    57. 

  57. 

  58. 

  59. REM 0) Create directories if not yet existing
    60. 

  60. if not exist certs mkdir certs
    61. 

  61. if not exist csrs mkdir csrs
    62. 

  62. if not exist keystores mkdir keystores
    63. 

  63. if not exist privateKeys mkdir privateKeys
    64. 

  64. 

  65. REM 1) Create a self-signed V2GRootCA certificate
    66. 

  66. REM 1.1) Create a 
    67. 

  67. REM	- private key -> -genkey
    68. 

  68. REM	- with elliptic curve parameters -> ecparam
    69. 

  69. REM	- for key of length 256 bit to be used for digital signatures -> -name secp256r1
    70. 

  70. REM	- with symmetric encryption AES 128 bit -> -aes128
    71. 

  71. REM   - and the passphrase for the private key provided in a file -> -passout file:passphrase.txt
    72. 

  72. openssl ecparam -genkey -name secp256r1 | openssl ec -out privateKeys\v2gRootCA.key -aes128 -passout file:passphrase.txt
    73. 

  73. REM 1.2) Create a 
    74. 

  74. REM	- new -> -new
    75. 

  75. REM 	- self-signed certificate -> -new -x509 (and -out v2gRootCA.pem)
    76. 

  76. REM	- valid for 40 years -> -days 14600
    77. 

  77. REM	- with signature algorithm sha256 -> -sha256
    78. 

  78. REM	- with previously created private key -> -key privateKeys\v2gRootCA.key
    79. 

  79. REM	- and configuration data provided -> -config configs\v2gRootCACert.cnf
    80. 

  80. REM	- with extensions specified in section [ext] -> -extensions ext
    81. 

  81. openssl req -new -x509 -days %validity_v2g_root_cert% -sha256 -key privateKeys\v2gRootCA.key -set_serial 01 -passin file:passphrase.txt -config configs\v2gRootCACert.cnf -extensions ext -out certs\v2gRootCA.pem
    82. 

  82. 

  83. 

  84. REM 2) Create an intermediate CPO sub-CA certificate which is directly signed by the V2GRootCA certificate
    85. 

  85. REM 2.1) Create a private key (same procedure as for V2GRootCA certificate)
    86. 

  86. openssl ecparam -genkey -name secp256r1 | openssl ec -out privateKeys\cpoSubCA1.key -aes128 -passout file:passphrase.txt
    87. 

  87. REM 2.2) Create a 
    88. 

  88. REM 	- new Certificate Signing Request (CSR) -> -new (and -out cpoSubCA1.csr)
    89. 

  89. REM	- with previously created private key -> -key privateKeys\cpoSubCA1.key
    90. 

  90. REM	- and configuration data provided -> -config configs\cpoSubCA1Cert.cnf
    91. 

  91. REM	- with extensions specified in section [ext] -> -extensions ext
    92. 

  92. openssl req -new -key privateKeys\cpoSubCA1.key -passin file:passphrase.txt -config configs\cpoSubCA1Cert.cnf -extensions ext -out csrs\cpoSubCA1.csr
    93. 

  93. REM 2.3) Create a 
    94. 

  94. REM	- certificate for the CPOSubCA1 -> x509
    95. 

  95. REM	- with the previously created CSR -> -in csrs\cpoSubCA1.csr
    96. 

  96. REM	- signed by the V2GRootCA's private key -> -signkey privateKeys\v2gRootCA.key
    97. 

  97. REM	- with a validity of 4 years -> -days 1460
    98. 

  98. openssl x509 -req -in csrs\cpoSubCA1.csr -extfile configs\cpoSubCA1Cert.cnf -extensions ext -CA certs\v2gRootCA.pem -CAkey privateKeys\v2gRootCA.key -set_serial 02 -passin file:passphrase.txt -days %validity_cpo_subca1_cert% -out certs\cpoSubCA1.pem
    99. 

  99. 

  100. 

  101. REM 3) Create a second intermediate CPO sub-CA certificate  just the way the previous intermedia certificate was created which is directly signed by the CPOSubCA1
    102. 

  102. REM Differences to CPOSubCA1
    103. 

  103. REM - basicConstraints in config file sets pathlength to 0 (meaning that no further sub CA's certificate may be signed with this certificate, a leaf certificate must follow this certificate in a certificate chain)
    104. 

  104. REM - validity is set to 1 year (1 - 2 years are allowed according to ISO 15118)
    105. 

  105. openssl ecparam -genkey -name secp256r1 | openssl ec -out privateKeys\cpoSubCA2.key -aes128 -passout file:passphrase.txt
    106. 

  106. openssl req -new -key privateKeys\cpoSubCA2.key -passin file:passphrase.txt -config configs\cpoSubCA2Cert.cnf -extensions ext -out csrs\cpoSubCA2.csr
    107. 

  107. openssl x509 -req -in csrs\cpoSubCA2.csr -extfile configs\cpoSubCA2Cert.cnf -extensions ext -CA certs\cpoSubCA1.pem -CAkey privateKeys\cpoSubCA1.key -set_serial 03 -passin file:passphrase.txt -days %validity_cpo_subca2_cert% -out certs\cpoSubCA2.pem
    108. 

  108. 

  109. REM 4) Create an SECCCert certificate which is the leaf certificate belonging to the charging station which authenticates itself to the EVCC during a TLS handshake, signed by CPOSubCA2 certificate
    110. 

  110. REM Differences to CPOSubCA1 and CPOSubCA2
    111. 

  111. REM - basicConstraints sets CA to false, no pathlen is therefore set
    112. 

  112. REM - keyusage is set to digitalSignature instead of keyCertSign and cRLSign
    113. 

  113. REM - validity is set to 60 days (2 - 3 months are allowed according to ISO 15118)
    114. 

  114. openssl ecparam -genkey -name secp256r1 | openssl ec -out privateKeys\seccCert.key -aes128 -passout file:passphrase.txt
    115. 

  115. openssl req -new -key privateKeys\seccCert.key -passin file:passphrase.txt -config configs\seccCert.cnf -extensions ext -out csrs\seccCert.csr
    116. 

  116. openssl x509 -req -in csrs\seccCert.csr -extfile configs\seccCert.cnf -extensions ext -CA certs\cpoSubCA2.pem -CAkey privateKeys\cpoSubCA2.key -set_serial 04 -passin file:passphrase.txt -days %validity_secc_cert% -out certs\seccCert.pem
    117. 

  117. REM Concatenate the intermediate CAs into one file intermediateCAs.pem
    118. 

  118. REM IMPORTANT: Concatenate in such a way that the chain leads from the leaf certificate to the root (excluding), this means here: first parameter of the type command is the intermediate CA's certificate which signs the leaf certificate (in this case cpoSubCA2.pem). Otherwise the Java method getCertificateChain() which is called on the keystore will only return the leaf certificate!
    119. 

  119. type certs\cpoSubCA2.pem certs\cpoSubCA1.pem > certs\intermediateCPOCAs.pem
    120. 

  120. REM Put the seccCertificate, the private key of the seccCertificate as well as the intermediate CAs in a pkcs12 container. 
    121. 

  121. REM IMPORTANT: It is necessary to put all necessary intermediate CAs directly into the PKCS12 container (with the -certfile switch), instead of later on iporting the PKCS12 containter only holding the leaf certificate (seccCert) and its private key and additionally importing the intermediate CAs via the keytool command (TLS handshake will fail).
    122. 

  122. REM This is the reason why we need two password files (passphrase.txt and passphrase2.txt). Possibly the passphrase.txt file resource is locked before being accessed a second time within the same command? See also http://rt.openssl.org/Ticket/Display.html?id=3168&user=guest&pass=guest
    123. 

  123. REM The -name switch corresponds to the -alias switch in the keytool command later on
    124. 

  124. openssl pkcs12 -export -inkey privateKeys\seccCert.key -in certs\seccCert.pem -certfile certs\intermediateCPOCAs.pem -aes128 -passin file:passphrase.txt -passout file:passphrase2.txt -name secc_cert -out certs\cpoCertChain.p12
    125. 

  125. 

  126. REM 5) Create a self-signed OEMRootCA certificate (validity is up to the OEM, this example applies the same validity as the V2GRootCA)
    127. 

  127. openssl ecparam -genkey -name secp256r1 | openssl ec -out privateKeys\oemRootCA.key -aes128 -passout file:passphrase.txt
    128. 

  128. openssl req -new -x509 -days %validity_oem_root_cert% -sha256 -key privateKeys\oemRootCA.key -set_serial 05 -passin file:passphrase.txt -config configs\oemRootCACert.cnf -extensions ext -out certs\oemRootCA.pem
    129. 

  129. 

  130. REM 6) Create an intermediate OEM sub-CA certificate which is directly signed by the OEMRootCA certificate (validity is up to the OEM, this example applies the same validity as the CPOSubCA1)
    131. 

  131. openssl ecparam -genkey -name secp256r1 | openssl ec -out privateKeys\oemSubCA1.key -aes128 -passout file:passphrase.txt
    132. 

  132. openssl req -new -key privateKeys\oemSubCA1.key -passin file:passphrase.txt -config configs\oemSubCA1Cert.cnf -extensions ext -out csrs\oemSubCA1.csr
    133. 

  133. openssl x509 -req -in csrs\oemSubCA1.csr -extfile configs\oemSubCA1Cert.cnf -extensions ext -CA certs\oemRootCA.pem -CAkey privateKeys\oemRootCA.key -set_serial 06 -passin file:passphrase.txt -days %validity_oem_subca1_cert% -out certs\oemSubCA1.pem
    134. 

  134. 

  135. REM 7) Create a second intermediate OEM sub-CA certificate which is directly signed by the OEMSubCA1 certificate (validity is up to the OEM, this example applies the same validity as the CPOSubCA2)
    136. 

  136. openssl ecparam -genkey -name secp256r1 | openssl ec -out privateKeys\oemSubCA2.key -aes128 -passout file:passphrase.txt
    137. 

  137. openssl req -new -key privateKeys\oemSubCA2.key -passin file:passphrase.txt -config configs\oemSubCA2Cert.cnf -extensions ext -out csrs\oemSubCA2.csr
    138. 

  138. openssl x509 -req -in csrs\oemSubCA2.csr -extfile configs\oemSubCA2Cert.cnf -extensions ext -CA certs\oemSubCA1.pem -CAkey privateKeys\oemSubCA1.key -set_serial 07 -passin file:passphrase.txt -days %validity_oem_subca2_cert% -out certs\oemSubCA2.pem
    139. 

  139. 

  140. REM 8) Create an OEM provisioning certificate which is the leaf certificate belonging to the OEM certificate chain (used for contract certificate installation)
    141. 

  141. openssl ecparam -genkey -name secp256r1 | openssl ec -out privateKeys\oemProvCert.key -aes128 -passout file:passphrase.txt
    142. 

  142. openssl req -new -key privateKeys\oemProvCert.key -passin file:passphrase.txt -config configs\oemProvCert.cnf -extensions ext -out csrs\oemProvCert.csr
    143. 

  143. openssl x509 -req -in csrs\oemProvCert.csr -extfile configs\oemProvCert.cnf -extensions ext -CA certs\oemSubCA2.pem -CAkey privateKeys\oemSubCA2.key -set_serial 08 -passin file:passphrase.txt -days %validity_oem_prov_cert% -out certs\oemProvCert.pem
    144. 

  144. type certs\oemSubCA2.pem certs\oemSubCA1.pem > certs\intermediateOEMCAs.pem
    145. 

  145. openssl pkcs12 -export -inkey privateKeys\oemProvCert.key -in certs\oemProvCert.pem -certfile certs\intermediateOEMCAs.pem -aes128 -passin file:passphrase.txt -passout file:passphrase2.txt -name oem_prov_cert -out certs\oemCertChain.p12
    146. 

  146. 

  147. REM 9) Create a self-signed MORootCA (mobility operator) certificate (validity is up to the MO, this example applies the same validity as the V2GRootCA)
    148. 

  148. openssl ecparam -genkey -name secp256r1 | openssl ec -out privateKeys\moRootCA.key -aes128 -passout file:passphrase.txt
    149. 

  149. openssl req -new -x509 -days %validity_mo_root_cert% -sha256 -key privateKeys\moRootCA.key -set_serial 09 -passin file:passphrase.txt -config configs\moRootCACert.cnf -extensions ext -out certs\moRootCA.pem
    150. 

  150. 

  151. REM 10) Create an intermediate MO sub-CA certificate which is directly signed by the MORootCA certificate (validity is up to the MO, this example applies the same validity as the CPOSubCA1)
    152. 

  152. openssl ecparam -genkey -name secp256r1 | openssl ec -out privateKeys\moSubCA1.key -aes128 -passout file:passphrase.txt
    153. 

  153. openssl req -new -key privateKeys\moSubCA1.key -passin file:passphrase.txt -config configs\moSubCA1Cert.cnf -extensions ext -out csrs\moSubCA1.csr
    154. 

  154. openssl x509 -req -in csrs\moSubCA1.csr -extfile configs\moSubCA1Cert.cnf -extensions ext -CA certs\moRootCA.pem -CAkey privateKeys\moRootCA.key -set_serial 10 -passin file:passphrase.txt -days %validity_mo_subca1_cert% -out certs\moSubCA1.pem
    155. 

  155. 

  156. 

  157. REM 11) Create a second intermediate MO sub-CA certificate which is directly signed by the MOSubCA1 certificate (validity is up to the MO, this example applies the same validity as the CPOSubCA2)
    158. 

  158. openssl ecparam -genkey -name secp256r1 | openssl ec -out privateKeys\moSubCA2.key -aes128 -passout file:passphrase.txt
    159. 

  159. openssl req -new -key privateKeys\moSubCA2.key -passin file:passphrase.txt -config configs\moSubCA2Cert.cnf -extensions ext -out csrs\moSubCA2.csr
    160. 

  160. openssl x509 -req -in csrs\moSubCA2.csr -extfile configs\moSubCA2Cert.cnf -extensions ext -CA certs\moSubCA1.pem -CAkey privateKeys\moSubCA1.key -set_serial 11 -passin file:passphrase.txt -days %validity_mo_subca2_cert% -out certs\moSubCA2.pem
    161. 

  161. 

  162. 

  163. REM 12) Create a contract certificate which is the leaf certificate belonging to the MO certificate chain (used for contract certificate installation)
    164. 

  164. REM Validity can be between 4 weeks and 2 years (restricted by the contract lifetime), for testing purposes the validity will be set to 2 years
    165. 

  165. openssl ecparam -genkey -name secp256r1 | openssl ec -out privateKeys\contractCert.key -aes128 -passout file:passphrase.txt
    166. 

  166. openssl req -new -key privateKeys\contractCert.key -passin file:passphrase.txt -config configs\contractCert.cnf -extensions ext -out csrs\contractCert.csr
    167. 

  167. openssl x509 -req -in csrs\contractCert.csr -extfile configs\contractCert.cnf -extensions ext -CA certs\moSubCA2.pem -CAkey privateKeys\moSubCA2.key -set_serial 12 -passin file:passphrase.txt -days %validity_contract_cert% -out certs\contractCert.pem
    168. 

  168. type certs\moSubCA2.pem certs\moSubCA1.pem > certs\intermediateMOCAs.pem
    169. 

  169. openssl pkcs12 -export -inkey privateKeys\contractCert.key -in certs\contractCert.pem -certfile certs\intermediateMOCAs.pem -aes128 -passin file:passphrase.txt -passout file:passphrase2.txt -name contract_cert -out certs\moCertChain.p12
    170. 

  170. 

  171. REM 13) Create an intermediate provisioning service sub-CA certificate which is directly signed by the V2GRootCA certificate 
    172. 

  172. openssl ecparam -genkey -name secp256r1 | openssl ec -out privateKeys\cpsSubCA1.key -aes128 -passout file:passphrase.txt
    173. 

  173. openssl req -new -key privateKeys\cpsSubCA1.key -passin file:passphrase.txt -config configs\cpsSubCA1Cert.cnf -extensions ext -out csrs\cpsSubCA1.csr
    174. 

  174. openssl x509 -req -in csrs\cpsSubCA1.csr -extfile configs\cpsSubCA1Cert.cnf -extensions ext -CA certs\v2gRootCA.pem -CAkey privateKeys\v2gRootCA.key -set_serial 13 -passin file:passphrase.txt -days %validity_cps_subca1_cert% -out certs\cpsSubCA1.pem
    175. 

  175. 

  176. REM 14) Create a second intermediate provisioning sub-CA certificate which is directly signed by the CPSSubCA1 certificate (validity 1 - 2 years, we make it 2 years)
    177. 

  177. openssl ecparam -genkey -name secp256r1 | openssl ec -out privateKeys\cpsSubCA2.key -aes128 -passout file:passphrase.txt
    178. 

  178. openssl req -new -key privateKeys\cpsSubCA2.key -passin file:passphrase.txt -config configs\cpsSubCA2Cert.cnf -extensions ext -out csrs\cpsSubCA2.csr
    179. 

  179. openssl x509 -req -in csrs\cpsSubCA2.csr -extfile configs\cpsSubCA2Cert.cnf -extensions ext -CA certs\cpsSubCA1.pem -CAkey privateKeys\cpsSubCA1.key -set_serial 14 -passin file:passphrase.txt -days %validity_cps_subca2_cert% -out certs\cpsSubCA2.pem
    180. 

  180. 

  181. REM 15) Create a provisioning service certificate which is the leaf certificate belonging to the provisioning certificate chain (used for contract certificate installation)
    182. 

  182. REM Validity can be between 2 - 3 months, we make it 3 months
    183. 

  183. openssl ecparam -genkey -name secp256r1 | openssl ec -out privateKeys\cpsLeafCert.key -aes128 -passout file:passphrase.txt
    184. 

  184. openssl req -new -key privateKeys\cpsLeafCert.key -passin file:passphrase.txt -config configs\cpsLeafCert.cnf -extensions ext -out csrs\cpsLeafCert.csr
    185. 

  185. openssl x509 -req -in csrs\cpsLeafCert.csr -extfile configs\cpsLeafCert.cnf -extensions ext -CA certs\cpsSubCA2.pem -CAkey privateKeys\cpsSubCA2.key -set_serial 15 -passin file:passphrase.txt -days %validity_cps_leaf_cert% -out certs\cpsLeafCert.pem
    186. 

  186. type certs\cpsSubCA2.pem certs\cpsSubCA1.pem > certs\intermediateCPSCAs.pem
    187. 

  187. openssl pkcs12 -export -inkey privateKeys\cpsLeafCert.key -in certs\cpsLeafCert.pem -certfile certs\intermediateCPSCAs.pem -aes128 -passin file:passphrase.txt -passout file:passphrase2.txt -name cps_leaf_cert -out certs\cpsCertChain.p12
    188. 

  188. 

  189. REM 16) Finally we need to convert the certificates from PEM format to DER format (PEM is the default format, but ISO 15118 only allows DER format)
    190. 

  190. openssl x509 -inform PEM -in certs\v2gRootCA.pem       -outform DER -out certs\v2gRootCA.der
    191. 

  191. openssl x509 -inform PEM -in certs\cpsSubCA1.pem      -outform DER -out certs\cpsSubCA1.der
    192. 

  192. openssl x509 -inform PEM -in certs\cpsSubCA2.pem      -outform DER -out certs\cpsSubCA2.der
    193. 

  193. openssl x509 -inform PEM -in certs\cpsLeafCert.pem -outform DER -out certs\cpsLeafCert.der
    194. 

  194. openssl x509 -inform PEM -in certs\cpoSubCA1.pem       -outform DER -out certs\cpoSubCA1.der
    195. 

  195. openssl x509 -inform PEM -in certs\cpoSubCA2.pem       -outform DER -out certs\cpoSubCA2.der
    196. 

  196. openssl x509 -inform PEM -in certs\seccCert.pem        -outform DER -out certs\seccCert.der
    197. 

  197. openssl x509 -inform PEM -in certs\oemRootCA.pem       -outform DER -out certs\oemRootCA.der
    198. 

  198. openssl x509 -inform PEM -in certs\oemSubCA1.pem       -outform DER -out certs\oemSubCA1.der
    199. 

  199. openssl x509 -inform PEM -in certs\oemSubCA2.pem       -outform DER -out certs\oemSubCA2.der
    200. 

  200. openssl x509 -inform PEM -in certs\oemProvCert.pem     -outform DER -out certs\oemProvCert.der
    201. 

  201. openssl x509 -inform PEM -in certs\moRootCA.pem        -outform DER -out certs\moRootCA.der
    202. 

  202. openssl x509 -inform PEM -in certs\moSubCA1.pem        -outform DER -out certs\moSubCA1.der
    203. 

  203. openssl x509 -inform PEM -in certs\moSubCA2.pem        -outform DER -out certs\moSubCA2.der
    204. 

  204. openssl x509 -inform PEM -in certs\contractCert.pem    -outform DER -out certs\contractCert.der
    205. 

  205. REM Since the intermediate certificates need to be in PEM format when putting them in a PKCS12 container and the resulting PKCS12 file is a binary format, it might be sufficient. Otherwise, I have currently no idea how to covert the intermediate certificates in DER without running into problems when creating the PKCS12 container.
    206. 

  206. 

  207. REM 17) In case you want the private keys in PKCS#8 file format and DER encoded, use this command. Especially necessary for the private key of MOSubCA2 in RISE V2G
    208. 

  208. openssl pkcs8 -topk8 -in privateKeys\moSubCA2.key -inform PEM -passin file:passphrase.txt -passout file:passphrase2.txt -outform DER -out privateKeys\moSubCA2.pkcs8.der
    209. 

  209. 

  210. 

  211. REM XX) Create the initial Java truststores and keystores
    212. 

  212. REM XX.1) truststore for the EVCC which needs to hold the V2GRootCA certificate (the EVCC does not verify the received contract certificate chain, therefore no MORootCA needs to be imported in evccTruststore.jks )
    213. 

  213. keytool -import -keystore keystores\evccTruststore.jks -alias v2g_root_ca -file certs\v2gRootCA.der -storepass:file passphrase.txt -noprompt
    214. 

  214. REM XX.2) truststore for the SECC which needs to hold the V2GRootCA certificate and the MORootCA which signed the MOSubCA1 (needed for verifying the  contract certificate signature chain which will be sent from the EVCC to the SECC with PaymentDetailsReq message). According to ISO 15118-2, MORootCA is not necessarily needed as the MOSubCA1 could instead be signed by a V2GRootCA.
    215. 

  215. keytool -import -keystore keystores\seccTruststore.jks -alias v2g_root_ca -file certs\v2gRootCA.der -storepass:file passphrase.txt -noprompt
    216. 

  216. keytool -import -keystore keystores\seccTruststore.jks -alias mo_root_ca -file certs\moRootCA.der -storepass:file passphrase.txt -noprompt
    217. 

  217. REM XX.3) keystore for the SECC which needs to hold the CPOSubCA1, CPOSubCA2, and SECCCert certificates
    218. 

  218. keytool -importkeystore -srckeystore certs\cpoCertChain.p12 -srcstoretype pkcs12 -srcstorepass:file passphrase.txt -srcalias secc_cert -destalias secc_cert -destkeystore keystores\seccKeystore.jks -storepass:file passphrase.txt -noprompt
    219. 

  219. REM XX.4) keystore for the EVCC which needs to hold the OEMSubCA1, OEMSubCA2, and OEMProvCert certificates
    220. 

  220. keytool -importkeystore -srckeystore certs\oemCertChain.p12 -srcstoretype pkcs12 -srcstorepass:file passphrase.txt -srcalias oem_prov_cert -destalias oem_prov_cert -destkeystore keystores\evccKeystore.jks -storepass:file passphrase.txt -noprompt
    221. 

  221. 

  222. 

  223. REM Side notes for OCSP stapling in Java: see http://openjdk.java.net/jeps/8046321
    224.