# Generates the key, certificate and parameter fixtures listed under `all`
# by shelling out to openssl.
# The passphrases used in this file ('password', 'sample', 'secret') are written
# in clear text in the recipes, so none of the generated private keys or
# PKCS#12 bundles is suitable for anything other than a test suite.
all: \
	ca1-cert.pem ca2-cert.pem ca2-crl.pem ca3-cert.pem ca4-cert.pem \
	ca5-cert.pem ca6-cert.pem \
	agent1-cert.pem agent1.pfx agent2-cert.pem agent3-cert.pem \
	agent4-cert.pem agent5-cert.pem agent6-cert.pem agent6.pfx \
	agent7-cert.pem agent8-cert.pem agent9-cert.pem \
	agent10-cert.pem agent10.pfx \
	ec10-cert.pem ec10.pfx \
	dh512.pem dh1024.pem dh2048.pem dherror.pem \
	dsa_params.pem dsa_private.pem dsa_private_encrypted.pem \
	dsa_private_pkcs8.pem dsa_public.pem \
	dsa1025.pem dsa_private_1025.pem dsa_private_encrypted_1025.pem \
	dsa_public_1025.pem \
	ec-cert.pem ec.pfx \
	fake-cnnic-root-cert.pem \
	rsa_private.pem rsa_private_encrypted.pem rsa_private_pkcs8.pem \
	rsa_private_pkcs8_bad.pem rsa_public.pem \
	rsa_ca.crt rsa_cert.crt rsa_cert.pfx \
	rsa_public_sha1_signature_signedby_rsa_private.sha1 \
	rsa_public_sha1_signature_signedby_rsa_private_pkcs8.sha1 \
	rsa_private_b.pem \
	I_AM_THE_WALRUS_sha256_signature_signedby_rsa_private_b.sha256 \
	rsa_public_b.pem \
	rsa_cert_foafssl_b.crt rsa_cert_foafssl_b.modulus rsa_cert_foafssl_b.exponent \
	rsa_spkac.spkac rsa_spkac_invalid.spkac \
	rsa_private_1024.pem rsa_private_2048.pem rsa_private_4096.pem \
	rsa_public_1024.pem rsa_public_2048.pem rsa_public_4096.pem \
	rsa_pss_private_2048.pem \
	rsa_pss_private_2048_sha256_sha256_16.pem \
	rsa_pss_private_2048_sha512_sha256_20.pem \
	rsa_pss_public_2048.pem \
	rsa_pss_public_2048_sha256_sha256_16.pem \
	rsa_pss_public_2048_sha512_sha256_20.pem \
	ed25519_private.pem ed25519_public.pem \
	x25519_private.pem x25519_public.pem \
	ed448_private.pem ed448_public.pem \
	x448_private.pem x448_public.pem \
	incorrect_san_correct_subject-cert.pem \
	incorrect_san_correct_subject-key.pem \
	irrelevant_san_correct_subject-cert.pem \
	irrelevant_san_correct_subject-key.pem

#
# Create Certificate Authority: ca1
# ('password' is used for the CA password.)
#
# The same recipe also writes ca1-key.pem (-keyout). Rules further down list
# ca1-key.pem as a prerequisite, but no rule names it as a target, so it only
# exists once ca1-cert.pem has been built.
ca1-cert.pem: ca1.cnf
	openssl req -new -x509 -days 99999 -config $< -keyout ca1-key.pem -out $@

#
# Create Certificate Authority: ca2
# ('password' is used for the CA password.)
#
# Besides the certificate and ca2-key.pem, the recipe seeds ca2-serial and
# creates ca2-database.txt.
ca2-cert.pem: ca2.cnf
	openssl req -new -x509 -days 99999 -config $< -keyout ca2-key.pem -out $@
	echo '01' > ca2-serial
	touch ca2-database.txt

#
# Create Subordinate Certificate Authority: ca3 issued by ca1
# ('password' is used for the CA password.)
#
# NOTE(review): 1024-bit RSA is below current minimum key-size guidance;
# presumably acceptable only because this is fixture material - confirm.
ca3-key.pem:
	openssl genrsa -out $@ 1024

ca3-csr.pem: ca3.cnf ca3-key.pem
	openssl req -new -extensions v3_ca -config $< -key ca3-key.pem -out $@

# Signed with ca1's key; -passin supplies the passphrase for ca1-key.pem.
ca3-cert.pem: ca3-csr.pem ca3-key.pem ca3.cnf ca1-cert.pem ca1-key.pem
	openssl x509 -req -extfile ca3.cnf -extensions v3_ca -days 99999 \
		-passin "pass:password" -in $< \
		-CA ca1-cert.pem -CAkey ca1-key.pem -CAcreateserial \
		-out $@

#
# Create Subordinate Certificate Authority: ca4 issued by ca2
# ('password' is used for the CA password.)
#
ca4-key.pem:
	openssl genrsa -out $@ 1024

ca4-csr.pem: ca4.cnf ca4-key.pem
	openssl req -new -extensions v3_ca -config $< -key ca4-key.pem -out $@

# Signed with ca2's key; -passin supplies the passphrase for ca2-key.pem.
ca4-cert.pem: ca4-csr.pem ca4-key.pem ca4.cnf ca2-cert.pem ca2-key.pem
	openssl x509 -req -extfile ca4.cnf -extensions v3_ca -days 99999 \
		-passin "pass:password" -in $< \
		-CA ca2-cert.pem -CAkey ca2-key.pem -CAcreateserial \
		-out $@

#
# Create Certificate Authority: ca5 with ECC
# ('password' is used for the CA password.)
#
# The ca5 key is a P-256 (prime256v1) EC key written without encryption.
ca5-key.pem:
	openssl ecparam -genkey -out $@ -name prime256v1

ca5-csr.pem: ca5.cnf ca5-key.pem
	openssl req -new -config $< -key ca5-key.pem -out $@

# Self-signed: the request is signed with ca5's own key (-signkey).
ca5-cert.pem: ca5.cnf ca5-key.pem ca5-csr.pem
	openssl x509 -req -extfile $< -extensions v3_ca -days 99999 \
		-passin "pass:password" -in ca5-csr.pem -signkey ca5-key.pem \
		-out $@

#
# Create Subordinate Certificate Authority: ca6 issued by ca5 with ECC
# ('password' is used for the CA password.)
#
ca6-key.pem:
	openssl ecparam -genkey -out $@ -name prime256v1

ca6-csr.pem: ca6.cnf ca6-key.pem
	openssl req -new -extensions v3_ca -config $< -key ca6-key.pem -out $@

ca6-cert.pem: ca6-csr.pem ca6-key.pem ca6.cnf ca5-cert.pem ca5-key.pem
	openssl x509 -req -extfile ca6.cnf -extensions v3_ca -days 99999 \
		-passin "pass:password" -in $< \
		-CA ca5-cert.pem -CAkey ca5-key.pem -CAcreateserial \
		-out $@

#
# Create Fake CNNIC Root Certificate Authority: fake-cnnic-root
#
# A locally generated, self-signed root; the subject comes from
# fake-cnnic-root.cnf, which is not part of this file.

fake-cnnic-root-key.pem:
	openssl genrsa -out $@ 2048

fake-cnnic-root-cert.pem: fake-cnnic-root.cnf fake-cnnic-root-key.pem
	openssl req -x509 -new -key fake-cnnic-root-key.pem -days 99999 \
		-out $@ -config $<

#
# Create Fake StartCom Root Certificate Authority: fake-startcom-root
#
fake-startcom-root-key.pem:
	openssl genrsa -out $@ 2048

# Also seeds the serial file and creates the database file next to the
# certificate.
fake-startcom-root-cert.pem: fake-startcom-root.cnf \
		fake-startcom-root-key.pem
	openssl req -new -x509 -days 99999 -config $< \
		-key fake-startcom-root-key.pem -out $@
	echo '01' > fake-startcom-root-serial
	touch fake-startcom-root-database.txt

#
# agent1 is signed by ca1.
#

agent1-key.pem:
	openssl genrsa -out $@ 1024

agent1-csr.pem: agent1.cnf agent1-key.pem
	openssl req -new -config $< -key agent1-key.pem -out $@

# NOTE(review): the leaf is issued with the v3_ca extension section of
# agent1.cnf; what that section contains is not visible here - confirm it is
# what the consuming tests expect.
agent1-cert.pem: agent1-csr.pem ca1-cert.pem ca1-key.pem
	openssl x509 -req -extfile agent1.cnf -extensions v3_ca -days 99999 \
		-passin "pass:password" -in $< \
		-CA ca1-cert.pem -CAkey ca1-key.pem -CAcreateserial \
		-out $@

# PKCS#12 bundle of the leaf, its key and ca1; -descert selects triple DES
# for the certificate encryption, and the export password is 'sample'.
agent1.pfx: agent1-cert.pem agent1-key.pem ca1-cert.pem
	openssl pkcs12 -export -descert -in $< -inkey agent1-key.pem \
		-certfile ca1-cert.pem -out $@ -password pass:sample

agent1-verify: agent1-cert.pem ca1-cert.pem
	openssl verify -CAfile ca1-cert.pem $<


#
# agent2 has a self signed cert
#
# Generate new private key
agent2-key.pem:
	openssl genrsa -out $@ 1024

# Create a Certificate Signing Request for the key
agent2-csr.pem: agent2-key.pem agent2.cnf
	openssl req -new -config agent2.cnf -key $< -out $@

# Create a Certificate for the agent.
agent2-cert.pem: agent2-csr.pem agent2-key.pem
	openssl x509 -req -days 99999 -in $< -signkey agent2-key.pem -out $@

# Self-signed, so the certificate doubles as its own trust anchor.
agent2-verify: agent2-cert.pem
	openssl verify -CAfile $< $<

#
# agent3 is signed by ca2.
#

agent3-key.pem:
	openssl genrsa -out $@ 1024

agent3-csr.pem: agent3.cnf agent3-key.pem
	openssl req -new -config $< -key agent3-key.pem -out $@

agent3-cert.pem: agent3-csr.pem ca2-cert.pem ca2-key.pem
	openssl x509 -req -days 99999 -passin "pass:password" -in $< \
		-CA ca2-cert.pem -CAkey ca2-key.pem -CAcreateserial \
		-out $@

agent3-verify: agent3-cert.pem ca2-cert.pem
	openssl verify -CAfile ca2-cert.pem $<


#
# agent4 is signed by ca2 (client cert)
#

agent4-key.pem:
	openssl genrsa -out $@ 1024

agent4-csr.pem: agent4.cnf agent4-key.pem
	openssl req -new -config $< -key agent4-key.pem -out $@

# Extensions come from the ext_key_usage section of agent4.cnf.
agent4-cert.pem: agent4-csr.pem ca2-cert.pem ca2-key.pem
	openssl x509 -req -days 99999 -passin "pass:password" -in $< \
		-CA ca2-cert.pem -CAkey ca2-key.pem -CAcreateserial \
		-extfile agent4.cnf -extensions ext_key_usage \
		-out $@

agent4-verify: agent4-cert.pem ca2-cert.pem
	openssl verify -CAfile ca2-cert.pem $<

#
# Make CRL with agent4 being rejected
#
# Two steps: first record agent4's certificate as revoked, then write the
# CRL itself. Both run `openssl ca` against ca2.cnf with ca2's key.
ca2-crl.pem: ca2-key.pem ca2-cert.pem ca2.cnf agent4-cert.pem
	openssl ca -revoke agent4-cert.pem -keyfile ca2-key.pem \
		-cert ca2-cert.pem -config ca2.cnf -passin 'pass:password'
	openssl ca -keyfile ca2-key.pem -cert ca2-cert.pem -config ca2.cnf \
		-gencrl -out $@ -passin 'pass:password'

#
# agent5 is signed by ca2 (client cert)
#

agent5-key.pem:
	openssl genrsa -out $@ 1024

agent5-csr.pem: agent5.cnf agent5-key.pem
	openssl req -new -config $< -key agent5-key.pem -out $@

agent5-cert.pem: agent5-csr.pem ca2-cert.pem ca2-key.pem
	openssl x509 -req -days 99999 -passin "pass:password" -in $< \
		-CA ca2-cert.pem -CAkey ca2-key.pem -CAcreateserial \
		-extfile agent5.cnf -extensions ext_key_usage \
		-out $@

agent5-verify: agent5-cert.pem ca2-cert.pem
	openssl verify -CAfile ca2-cert.pem $<

#
# agent6 is a client RSA cert signed by ca3
#

agent6-key.pem:
	openssl genrsa -out $@ 1024

agent6-csr.pem: agent6.cnf agent6-key.pem
	openssl req -new -config $< -key agent6-key.pem -out $@

# The issuing CA certificate (ca3) is appended after the leaf, so the output
# file holds both certificates.
agent6-cert.pem: agent6-csr.pem ca3-cert.pem ca3-key.pem
	openssl x509 -req -days 99999 -passin "pass:password" -in $< \
		-CA ca3-cert.pem -CAkey ca3-key.pem -CAcreateserial \
		-extfile agent6.cnf -out $@
	cat ca3-cert.pem >> $@

# ca1 is the trust anchor; ca3 is supplied only as an untrusted intermediate.
agent6-verify: agent6-cert.pem ca3-cert.pem ca1-cert.pem
	openssl verify -trusted ca1-cert.pem -untrusted ca3-cert.pem $<

# PKCS#12 bundle; -descert selects triple DES for the certificate encryption,
# and the export password is 'sample'.
agent6.pfx: agent6-cert.pem agent6-key.pem ca1-cert.pem
	openssl pkcs12 -export -descert -in $< -inkey agent6-key.pem \
		-certfile ca1-cert.pem -out $@ -password pass:sample

#
# agent7 is signed by fake-cnnic-root.
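#

agent7-key.pem:
	openssl genrsa -out $@ 2048

# The prerequisite is agent7.cnf, the config file the recipe actually reads,
# so editing it triggers a rebuild of the request.
agent7-csr.pem: agent7.cnf agent7-key.pem
	openssl req -new -config $< -key agent7-key.pem -out $@

agent7-cert.pem: agent7-csr.pem fake-cnnic-root-cert.pem fake-cnnic-root-key.pem
	openssl x509 -req -extfile agent7.cnf -days 99999 \
		-passin "pass:password" -in $< \
		-CA fake-cnnic-root-cert.pem -CAkey fake-cnnic-root-key.pem \
		-CAcreateserial -out $@

agent7-verify: agent7-cert.pem fake-cnnic-root-cert.pem
	openssl verify -CAfile fake-cnnic-root-cert.pem $<

#
# agent8 is signed by fake-startcom-root with notBefore
# of Oct 20 23:59:59 2016 GMT
#
# NOTE(review): agent8 and agent9 differ only in notBefore, two seconds apart
# around midnight on Oct 21 2016; presumably they sit on either side of a
# date cutoff checked by a test - confirm against the test that loads them.

agent8-key.pem:
	openssl genrsa -out $@ 2048

agent8-csr.pem: agent8.cnf agent8-key.pem
	openssl req -new -config $< -key agent8-key.pem -out $@

agent8-cert.pem: agent8-csr.pem fake-startcom-root-cert.pem fake-startcom-root-key.pem
	openssl ca -config fake-startcom-root.cnf \
		-keyfile fake-startcom-root-key.pem \
		-cert fake-startcom-root-cert.pem \
		-batch -days 99999 -passin "pass:password" \
		-in $< -startdate 161020235959Z \
		-notext -out $@


agent8-verify: agent8-cert.pem fake-startcom-root-cert.pem
	openssl verify -CAfile fake-startcom-root-cert.pem $<


#
# agent9 is signed by fake-startcom-root with notBefore
# of Oct 21 00:00:01 2016 GMT
#
agent9-key.pem:
	openssl genrsa -out $@ 2048

agent9-csr.pem: agent9.cnf agent9-key.pem
	openssl req -new -config $< -key agent9-key.pem -out $@


# Lists the issuing CA's certificate and key as prerequisites, matching
# agent8-cert.pem, because the recipe reads both.
agent9-cert.pem: agent9-csr.pem fake-startcom-root-cert.pem fake-startcom-root-key.pem
	openssl ca -config fake-startcom-root.cnf \
		-keyfile fake-startcom-root-key.pem \
		-cert fake-startcom-root-cert.pem \
		-batch -days 99999 -passin "pass:password" \
		-in $< -startdate 20161021000001Z \
		-notext -out $@

# agent10 is a server RSA cert signed by ca4 for agent10.example.com
#

agent10-key.pem:
	openssl genrsa -out $@ 1024

agent10-csr.pem: agent10.cnf agent10-key.pem
	openssl req -new -config $< -key agent10-key.pem -out $@

# The issuing CA certificate (ca4) is appended after the leaf.
agent10-cert.pem: agent10-csr.pem ca4-cert.pem ca4-key.pem
	openssl x509 -req -days 99999 -passin "pass:password" -in $< \
		-CA ca4-cert.pem -CAkey ca4-key.pem -CAcreateserial \
		-extfile agent10.cnf -out $@
	cat ca4-cert.pem >> $@

# ca2 is the trust anchor; ca4 is supplied only as an untrusted intermediate.
agent10-verify: agent10-cert.pem ca4-cert.pem ca2-cert.pem
	openssl verify -trusted ca2-cert.pem -untrusted ca4-cert.pem $<

# NOTE(review): the bundle adds ca1-cert.pem via -certfile although agent10
# is issued by ca4 and verified against ca2 above - confirm this is what the
# consuming test expects.
agent10.pfx: agent10-cert.pem agent10-key.pem ca1-cert.pem
	openssl pkcs12 -export -descert -in $< -inkey agent10-key.pem \
		-certfile ca1-cert.pem -out $@ -password pass:sample

#
# ec10 is a server EC cert signed by ca6 for agent10.example.com
#

ec10-key.pem:
	openssl ecparam -genkey -out $@ -name prime256v1

# Reuses agent10.cnf for the request, so that file is a prerequisite too.
ec10-csr.pem: ec10-key.pem agent10.cnf
	openssl req -new -config agent10.cnf -key $< -out $@

ec10-cert.pem: ec10-csr.pem ca6-cert.pem ca6-key.pem
	openssl x509 -req -days 99999 -passin "pass:password" -in $< \
		-CA ca6-cert.pem -CAkey ca6-key.pem -CAcreateserial \
		-extfile agent10.cnf -out $@
	cat ca6-cert.pem >> $@

ec10-verify: ec10-cert.pem ca6-cert.pem ca5-cert.pem
	openssl verify -trusted ca5-cert.pem -untrusted ca6-cert.pem $<

ec10.pfx: ec10-cert.pem ec10-key.pem ca6-cert.pem
	openssl pkcs12 -export -descert -in $< -inkey ec10-key.pem \
		-certfile ca6-cert.pem -out $@ -password pass:sample


#
# ec is a self-signed EC cert for CN "agent2"
#
ec-key.pem:
	openssl ecparam -genkey -out $@ -name prime256v1

ec-csr.pem: ec-key.pem ec.cnf
	openssl req -new -config ec.cnf -key $< -out $@

ec-cert.pem: ec-csr.pem ec-key.pem
	openssl x509 -req -days 99999 -in $< -signkey ec-key.pem -out $@

# Exported with an empty password ("pass:" with nothing after the colon).
ec.pfx: ec-cert.pem ec-key.pem
	openssl pkcs12 -export -descert -in $< -inkey ec-key.pem \
		-out $@ -password pass:

# Diffie-Hellman parameters at three sizes.
# NOTE(review): 512- and 1024-bit groups are far below current guidance;
# presumably generated so tests can exercise handling of weak groups - confirm.
dh512.pem:
	openssl dhparam -out $@ 512

dh1024.pem:
	openssl dhparam -out $@ 1024

dh2048.pem:
	openssl dhparam -out $@ 2048

# Deliberately corrupt parameters: every line of dh512.pem that does not
# start with '-' (i.e. everything but the PEM armor) becomes "AAAAAAAAAA".
dherror.pem: dh512.pem
	sed 's/^[^-].*/AAAAAAAAAA/g' $< > $@

dsa_params.pem:
	openssl dsaparam -out $@ 2048

dsa_private.pem: dsa_params.pem
	openssl gendsa -out $@ $<

dsa_private_encrypted.pem: dsa_private.pem
	openssl dsa -aes256 -in $< -passout 'pass:password' -out $@

dsa_private_pkcs8.pem: dsa_private.pem
	openssl pkcs8 -topk8 -inform PEM -outform PEM -in $< -out $@ -nocrypt

dsa_public.pem: dsa_private.pem
	openssl dsa -in $< -pubout -out $@

# 1025-bit DSA chain. Each step names the file it reads as a prerequisite so
# the chain builds in order from a clean tree, including under `make -j`.
dsa1025.pem:
	openssl dsaparam -out $@ 1025

dsa_private_1025.pem: dsa1025.pem
	openssl gendsa -out $@ $<

dsa_private_encrypted_1025.pem: dsa_private_1025.pem
	openssl pkcs8 -in $< -topk8 -passout 'pass:secret' -out $@

dsa_public_1025.pem: dsa_private_1025.pem
	openssl dsa -in $< -pubout -out $@

rsa_private.pem:
	openssl genrsa -out $@ 2048

rsa_private_encrypted.pem: rsa_private.pem
	openssl rsa -aes256 -in $< -passout 'pass:password' -out $@

rsa_private_pkcs8.pem: rsa_private.pem
	openssl pkcs8 -topk8 -inform PEM -outform PEM -in $< -out $@ -nocrypt

# Deliberately malformed: the PKCS#8 body is kept but the PEM label is
# rewritten from "PRIVATE KEY" to "RSA PRIVATE KEY".
rsa_private_pkcs8_bad.pem: rsa_private_pkcs8.pem
	sed 's/PRIVATE/RSA PRIVATE/g' $< > $@

rsa_public.pem: rsa_private.pem
	openssl rsa -in $< -pubout -out $@

rsa_cert.crt: rsa_private.pem rsa_cert.cnf
	openssl req -new -x509 -days 99999 -key $< -config rsa_cert.cnf -out $@

rsa_cert.pfx: rsa_cert.crt
	openssl pkcs12 -export -descert -passout 'pass:sample' \
		-inkey rsa_private.pem -in $< -out $@

rsa_ca.crt: rsa_cert.crt
	cp $< $@

# Signatures over the bytes of rsa_public.pem, made with each key encoding.
rsa_public_sha1_signature_signedby_rsa_private.sha1: rsa_public.pem rsa_private.pem
	openssl dgst -sha1 -sign rsa_private.pem -out $@ $<

rsa_public_sha1_signature_signedby_rsa_private_pkcs8.sha1: rsa_public.pem rsa_private_pkcs8.pem
	openssl dgst -sha1 -sign rsa_private_pkcs8.pem -out $@ $<

rsa_private_b.pem:
	openssl genrsa -out $@ 2048

# printf instead of `echo -n`: not every /bin/sh treats -n as an option, and
# the signed message must be exactly the 15 bytes "I AM THE WALRUS" with no
# trailing newline.
I_AM_THE_WALRUS_sha256_signature_signedby_rsa_private_b.sha256: rsa_private_b.pem
	printf '%s' "I AM THE WALRUS" | openssl dgst -sha256 -sign $< -out $@

rsa_public_b.pem: rsa_private_b.pem
	openssl rsa -in $< -pubout -out $@

# The following 'foafssl' cert is used in test/parallel/test-https-foafssl.js.
# It requires a SAN like 'http://example.com/#me'. More info here:
# https://www.w3.org/wiki/Foaf+ssl
rsa_cert_foafssl_b.crt: rsa_private_b.pem rsa_cert_foafssl_b.cnf
	openssl req -new -x509 -days 99999 -config rsa_cert_foafssl_b.cnf \
		-key $< -out $@

# The 'modulus=' in the output must be stripped out
rsa_cert_foafssl_b.modulus: rsa_cert_foafssl_b.crt
	openssl x509 -modulus -in $< -noout | cut -c 9- > $@

# Have to parse out the hex exponent
rsa_cert_foafssl_b.exponent: rsa_cert_foafssl_b.crt
	openssl x509 -in $< -text | grep -o 'Exponent:.*' | sed 's/\(.*(\|).*\)//g' > $@

# openssl outputs `SPKAC=[SPKAC]`. That prefix needs to be removed to work with node
rsa_spkac.spkac: rsa_private.pem
	openssl spkac -key $< -challenge this-is-a-challenge | cut -c 7- > $@

# cutting characters from the start to invalidate the spkac
rsa_spkac_invalid.spkac: rsa_spkac.spkac
	cut -c 5- $< > $@

rsa_private_1024.pem:
	openssl genrsa -out $@ 1024

rsa_private_2048.pem:
	openssl genrsa -out $@ 2048

rsa_private_4096.pem:
	openssl genrsa -out $@ 4096

rsa_public_1024.pem: rsa_private_1024.pem
	openssl rsa -in $< -pubout -out $@

rsa_public_2048.pem: rsa_private_2048.pem
	openssl rsa -in $< -pubout -out $@

rsa_public_4096.pem: rsa_private_4096.pem
	openssl rsa -in $< -pubout -out $@

# RSA-PSS keys: one unrestricted, two with the digest, MGF1 digest and salt
# length fixed in the key itself (the values are spelled out in the file name).
rsa_pss_private_2048.pem:
	openssl genpkey -algorithm RSA-PSS \
		-pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 \
		-out $@

rsa_pss_private_2048_sha256_sha256_16.pem:
	openssl genpkey -algorithm RSA-PSS \
		-pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 \
		-pkeyopt rsa_pss_keygen_md:sha256 \
		-pkeyopt rsa_pss_keygen_mgf1_md:sha256 \
		-pkeyopt rsa_pss_keygen_saltlen:16 \
		-out $@

rsa_pss_private_2048_sha512_sha256_20.pem:
	openssl genpkey -algorithm RSA-PSS \
		-pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 \
		-pkeyopt rsa_pss_keygen_md:sha512 \
		-pkeyopt rsa_pss_keygen_mgf1_md:sha256 \
		-pkeyopt rsa_pss_keygen_saltlen:20 \
		-out $@

rsa_pss_public_2048.pem: rsa_pss_private_2048.pem
	openssl pkey -in $< -pubout -out $@

rsa_pss_public_2048_sha256_sha256_16.pem: rsa_pss_private_2048_sha256_sha256_16.pem
	openssl pkey -in $< -pubout -out $@

rsa_pss_public_2048_sha512_sha256_20.pem: rsa_pss_private_2048_sha512_sha256_20.pem
	openssl pkey -in $< -pubout -out $@

ed25519_private.pem:
	openssl genpkey -algorithm ED25519 -out $@

ed25519_public.pem: ed25519_private.pem
	openssl pkey -in $< -pubout -out $@

x25519_private.pem:
	openssl genpkey -algorithm x25519 -out $@

x25519_public.pem: x25519_private.pem
	openssl pkey -in $< -pubout -out $@

ed448_private.pem:
	openssl genpkey -algorithm ed448 -out $@

ed448_public.pem: ed448_private.pem
	openssl pkey -in $< -pubout -out $@

x448_private.pem:
	openssl genpkey -algorithm x448 -out $@

x448_public.pem: x448_private.pem
	openssl pkey -in $< -pubout -out $@

# Subject CN is good.example.com but the only SAN is DNS:evil.example.com.
# NOTE(review): presumably a fixture for checking that host-name verification
# follows the SAN and does not fall back to the CN - confirm against the test.
incorrect_san_correct_subject-cert.pem: incorrect_san_correct_subject-key.pem
	openssl req -x509 -key $< -out $@ -sha256 -days 3650 \
		-subj "/CN=good.example.com" \
		-addext "subjectAltName = DNS:evil.example.com"

incorrect_san_correct_subject-key.pem:
	openssl ecparam -name prime256v1 -genkey -noout -out $@

# Subject CN is good.example.com and the only SAN is an IP address entry.
irrelevant_san_correct_subject-cert.pem: irrelevant_san_correct_subject-key.pem
	openssl req -x509 -key $< -out $@ -sha256 -days 3650 \
		-subj "/CN=good.example.com" \
		-addext "subjectAltName = IP:1.2.3.4"

irrelevant_san_correct_subject-key.pem:
	openssl ecparam -name prime256v1 -genkey -noout -out $@

# Removes generated material; the fake-startcom-root database file is
# truncated rather than deleted.
clean:
	rm -f *.pfx *.pem *.srl ca2-database.txt ca2-serial fake-startcom-root-serial *.print *.old fake-startcom-root-issued-certs/*.pem
	@> fake-startcom-root-database.txt

# Runs every *-verify target defined in this file.
test: agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify agent6-verify agent7-verify agent8-verify agent10-verify ec10-verify

# Human-readable dump of any *-cert.pem, e.g. `make agent1-cert.pem.print`.
%-cert.pem.print: %-cert.pem
	openssl x509 -in $< -text -noout > $@

.PHONY: all clean test agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify agent6-verify agent7-verify agent8-verify agent10-verify ec10-verify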