# Default goal: builds every generated fixture listed below, in this order.
# NOTE(review): recipes in this file pass fixed passphrases ('password',
# 'sample') on the command line and request 99999-day validity, so the outputs
# are only fit for use as test material.
all: \
  ca1-cert.pem ca2-cert.pem ca2-crl.pem ca3-cert.pem \
  ca4-cert.pem ca5-cert.pem ca6-cert.pem \
  agent1-cert.pem agent1.pfx agent2-cert.pem agent3-cert.pem \
  agent4-cert.pem agent5-cert.pem agent6-cert.pem agent6.pfx \
  agent7-cert.pem agent8-cert.pem agent9-cert.pem \
  agent10-cert.pem agent10.pfx \
  ec10-cert.pem ec10.pfx \
  dh512.pem dh1024.pem dh2048.pem dherror.pem \
  dsa_params.pem dsa_private.pem dsa_private_encrypted.pem \
  dsa_private_pkcs8.pem dsa_public.pem \
  dsa1025.pem dsa_private_1025.pem dsa_private_encrypted_1025.pem \
  dsa_public_1025.pem \
  ec-cert.pem ec.pfx \
  fake-cnnic-root-cert.pem \
  rsa_private.pem rsa_private_encrypted.pem rsa_private_pkcs8.pem \
  rsa_private_pkcs8_bad.pem rsa_public.pem \
  rsa_ca.crt rsa_cert.crt rsa_cert.pfx \
  rsa_public_sha1_signature_signedby_rsa_private.sha1 \
  rsa_public_sha1_signature_signedby_rsa_private_pkcs8.sha1 \
  rsa_private_b.pem \
  I_AM_THE_WALRUS_sha256_signature_signedby_rsa_private_b.sha256 \
  rsa_public_b.pem \
  rsa_cert_foafssl_b.crt rsa_cert_foafssl_b.modulus rsa_cert_foafssl_b.exponent \
  rsa_spkac.spkac rsa_spkac_invalid.spkac \
  rsa_private_2048.pem rsa_private_4096.pem \
  rsa_public_2048.pem rsa_public_4096.pem \
  rsa_pss_private_2048.pem \
  rsa_pss_private_2048_sha256_sha256_16.pem \
  rsa_pss_private_2048_sha512_sha256_20.pem \
  rsa_pss_private_2048_sha1_sha1_20.pem \
  rsa_pss_public_2048.pem \
  rsa_pss_public_2048_sha256_sha256_16.pem \
  rsa_pss_public_2048_sha512_sha256_20.pem \
  rsa_pss_public_2048_sha1_sha1_20.pem \
  ed25519_private.pem ed25519_public.pem \
  x25519_private.pem x25519_public.pem \
  ed448_private.pem ed448_public.pem \
  x448_private.pem x448_public.pem \
  ec_p256_private.pem ec_p256_public.pem \
  ec_p384_private.pem ec_p384_public.pem \
  ec_p521_private.pem ec_p521_public.pem \
  ec_secp256k1_private.pem ec_secp256k1_public.pem \
  incorrect_san_correct_subject-cert.pem \
  incorrect_san_correct_subject-key.pem \
  irrelevant_san_correct_subject-cert.pem \
  irrelevant_san_correct_subject-key.pem

#
# Create Certificate Authority: ca1
# ('password' is used for the CA password.)
#
# -keyout also writes ca1-key.pem as a side effect of this recipe. Later rules
# list ca1-key.pem as a prerequisite, but no rule in this listing has it as a
# target.
ca1-cert.pem: ca1.cnf
	openssl req -new -x509 -days 99999 -config $< -keyout ca1-key.pem -out $@

#
# Create Certificate Authority: ca2
# ('password' is used for the CA password.)
#
# Besides the certificate and ca2-key.pem, the recipe seeds ca2-serial and
# creates ca2-database.txt; the `openssl ca` steps for ca2 presumably read
# them through ca2.cnf (TODO confirm against the config).
ca2-cert.pem: ca2.cnf
	openssl req -new -x509 -days 99999 -config $< -keyout ca2-key.pem -out $@
	echo '01' > ca2-serial
	touch ca2-database.txt

#
# Create Subordinate Certificate Authority: ca3 issued by ca1
# ('password' is used for the CA password.)
#
# genrsa is given no cipher option, so ca3-key.pem itself is stored unencrypted.
ca3-key.pem:
	openssl genrsa -out $@ 2048

# Certificate request for ca3, carrying the v3_ca extension section of ca3.cnf.
ca3-csr.pem: ca3.cnf ca3-key.pem
	openssl req -new -extensions v3_ca -config $< -key ca3-key.pem -out $@

# Sign the ca3 request with the ca1 key; -passin presumably unlocks
# ca1-key.pem. -CAcreateserial creates the CA serial-number file if absent.
ca3-cert.pem: ca3-csr.pem ca3-key.pem ca3.cnf ca1-cert.pem ca1-key.pem
	openssl x509 -req -extfile ca3.cnf -extensions v3_ca -days 99999 \
	        -passin "pass:password" -in $< \
	        -CA ca1-cert.pem -CAkey ca1-key.pem -CAcreateserial \
	        -out $@

#
# Create Subordinate Certificate Authority: ca4 issued by ca2
# ('password' is used for the CA password.)
#
# genrsa is given no cipher option, so ca4-key.pem itself is stored unencrypted.
ca4-key.pem:
	openssl genrsa -out $@ 2048

# Certificate request for ca4, carrying the v3_ca extension section of ca4.cnf.
ca4-csr.pem: ca4.cnf ca4-key.pem
	openssl req -new -extensions v3_ca -config $< -key ca4-key.pem -out $@

# Sign the ca4 request with the ca2 key; -passin presumably unlocks
# ca2-key.pem, which is written by the ca2-cert.pem recipe.
ca4-cert.pem: ca4-csr.pem ca4-key.pem ca4.cnf ca2-cert.pem ca2-key.pem
	openssl x509 -req -extfile ca4.cnf -extensions v3_ca -days 99999 \
	        -passin "pass:password" -in $< \
	        -CA ca2-cert.pem -CAkey ca2-key.pem -CAcreateserial \
	        -out $@

#
# Create Certificate Authority: ca5 with ECC
# ('password' is used for the CA password.)
#
# P-256 key for ca5. ecparam -genkey is given no cipher option, so the key is
# stored unencrypted.
ca5-key.pem:
	openssl ecparam -genkey -out $@ -name prime256v1

# Certificate request for ca5.
ca5-csr.pem: ca5.cnf ca5-key.pem
	openssl req -new -config $< -key ca5-key.pem -out $@

# Self-sign ca5 with its own key (-signkey).
# NOTE(review): ca5-key.pem is generated without a passphrase above, so
# -passin looks unused here; confirm before relying on it.
ca5-cert.pem: ca5.cnf ca5-key.pem ca5-csr.pem
	openssl x509 -req -extfile $< -extensions v3_ca -days 99999 \
	        -passin "pass:password" -in ca5-csr.pem \
	        -signkey ca5-key.pem \
	        -out $@

#
# Create Subordinate Certificate Authority: ca6 issued by ca5 with ECC
# ('password' is used for the CA password.)
#
# P-256 key for ca6, stored unencrypted (no cipher option is given).
ca6-key.pem:
	openssl ecparam -genkey -out $@ -name prime256v1

# Certificate request for ca6, carrying the v3_ca extension section of ca6.cnf.
ca6-csr.pem: ca6.cnf ca6-key.pem
	openssl req -new -extensions v3_ca -config $< -key ca6-key.pem -out $@

# Sign the ca6 request with the ca5 key.
ca6-cert.pem: ca6-csr.pem ca6-key.pem ca6.cnf ca5-cert.pem ca5-key.pem
	openssl x509 -req -extfile ca6.cnf -extensions v3_ca -days 99999 \
	        -passin "pass:password" -in $< \
	        -CA ca5-cert.pem -CAkey ca5-key.pem -CAcreateserial \
	        -out $@

#
# Create Fake CNNIC Root Certificate Authority: fake-cnnic-root
#

# Locally generated key for the stand-in root; the subject comes from
# fake-cnnic-root.cnf.
fake-cnnic-root-key.pem:
	openssl genrsa -out $@ 2048

# Self-signed root certificate for the stand-in CA.
fake-cnnic-root-cert.pem: fake-cnnic-root.cnf fake-cnnic-root-key.pem
	openssl req -x509 -new -key fake-cnnic-root-key.pem -days 99999 -out $@ -config $<

#
# Create Fake StartCom Root Certificate Authority: fake-startcom-root
#
fake-startcom-root-key.pem:
	openssl genrsa -out $@ 2048

# Self-signed root certificate. The recipe also seeds
# fake-startcom-root-serial and creates fake-startcom-root-database.txt,
# presumably for the `openssl ca` steps that use fake-startcom-root.cnf
# (TODO confirm against the config).
fake-startcom-root-cert.pem: fake-startcom-root.cnf fake-startcom-root-key.pem
	openssl req -new -x509 -days 99999 -config $< \
	        -key fake-startcom-root-key.pem -out $@
	echo '01' > fake-startcom-root-serial
	touch fake-startcom-root-database.txt

#
# agent1 is signed by ca1.
#

# Key for agent1, stored unencrypted (genrsa is given no cipher option).
agent1-key.pem:
	openssl genrsa -out $@ 2048

# Certificate request built from agent1.cnf.
agent1-csr.pem: agent1.cnf agent1-key.pem
	openssl req -new -config $< -key agent1-key.pem -out $@

# Sign agent1 with the ca1 key; -passin presumably unlocks ca1-key.pem.
# agent1.cnf is read here as well; a change to it reaches this rule through
# agent1-csr.pem.
agent1-cert.pem: agent1-csr.pem ca1-cert.pem ca1-key.pem
	openssl x509 -req -extfile agent1.cnf -extensions v3_ca -days 99999 \
	        -passin "pass:password" -in $< \
	        -CA ca1-cert.pem -CAkey ca1-key.pem -CAcreateserial \
	        -out $@

# PKCS#12 bundle of the agent1 key and certificate plus the ca1 certificate,
# protected with the fixed password 'sample'. -descert selects triple-DES
# encryption for the certificates.
agent1.pfx: agent1-cert.pem agent1-key.pem ca1-cert.pem
	openssl pkcs12 -export -descert -in $< -inkey agent1-key.pem \
	        -certfile ca1-cert.pem -out $@ -password pass:sample

# Phony check: agent1-cert.pem must chain to ca1.
agent1-verify: agent1-cert.pem ca1-cert.pem
	openssl verify -CAfile ca1-cert.pem $<


#
# agent2 has a self signed cert
#
# Generate new private key
agent2-key.pem:
	openssl genrsa -out $@ 2048

# Create a Certificate Signing Request for the key
agent2-csr.pem: agent2-key.pem agent2.cnf
	openssl req -new -config agent2.cnf -key $< -out $@

# Create a Certificate for the agent.
agent2-cert.pem: agent2-csr.pem agent2-key.pem
	openssl x509 -req -days 99999 -in $< -signkey agent2-key.pem -out $@

# Phony check: the self-signed certificate is verified against itself.
agent2-verify: agent2-cert.pem
	openssl verify -CAfile $< $<

#
# agent3 is signed by ca2.
#

# Key for agent3, stored unencrypted (genrsa is given no cipher option).
agent3-key.pem:
	openssl genrsa -out $@ 2048

agent3-csr.pem: agent3.cnf agent3-key.pem
	openssl req -new -config $< -key agent3-key.pem -out $@

# Sign agent3 with the ca2 key; no extension file is applied.
agent3-cert.pem: agent3-csr.pem ca2-cert.pem ca2-key.pem
	openssl x509 -req -days 99999 -passin "pass:password" -in $< \
	        -CA ca2-cert.pem -CAkey ca2-key.pem -CAcreateserial \
	        -out $@

agent3-verify: agent3-cert.pem ca2-cert.pem
	openssl verify -CAfile ca2-cert.pem $<


#
# agent4 is signed by ca2 (client cert)
#

agent4-key.pem:
	openssl genrsa -out $@ 2048

agent4-csr.pem: agent4.cnf agent4-key.pem
	openssl req -new -config $< -key agent4-key.pem -out $@

# Sign agent4 with the ca2 key, applying the ext_key_usage section of
# agent4.cnf.
agent4-cert.pem: agent4-csr.pem ca2-cert.pem ca2-key.pem
	openssl x509 -req -days 99999 -passin "pass:password" -in $< \
	        -CA ca2-cert.pem -CAkey ca2-key.pem -CAcreateserial \
	        -extfile agent4.cnf -extensions ext_key_usage \
	        -out $@

agent4-verify: agent4-cert.pem ca2-cert.pem
	openssl verify -CAfile ca2-cert.pem $<

#
# Make CRL with agent4 being rejected
#
# Two steps: record the revocation of agent4-cert.pem with the ca2 key, then
# emit the CRL. Both run `openssl ca` against ca2.cnf, so they presumably
# update the CA database that config names (TODO confirm against ca2.cnf).
ca2-crl.pem: ca2-key.pem ca2-cert.pem ca2.cnf agent4-cert.pem
	openssl ca -revoke agent4-cert.pem -keyfile $< -cert ca2-cert.pem \
	        -config ca2.cnf -passin 'pass:password'
	openssl ca -keyfile $< -cert ca2-cert.pem -config ca2.cnf \
	        -gencrl -out $@ -passin 'pass:password'

#
# agent5 is signed by ca2 (client cert)
#

agent5-key.pem:
	openssl genrsa -out $@ 2048

agent5-csr.pem: agent5.cnf agent5-key.pem
	openssl req -new -config $< -key agent5-key.pem -out $@

# Same signing shape as agent4, using the ext_key_usage section of agent5.cnf.
agent5-cert.pem: agent5-csr.pem ca2-cert.pem ca2-key.pem
	openssl x509 -req -days 99999 -passin "pass:password" -in $< \
	        -CA ca2-cert.pem -CAkey ca2-key.pem -CAcreateserial \
	        -extfile agent5.cnf -extensions ext_key_usage \
	        -out $@

agent5-verify: agent5-cert.pem ca2-cert.pem
	openssl verify -CAfile ca2-cert.pem $<

#
# agent6 is a client RSA cert signed by ca3
#

agent6-key.pem:
	openssl genrsa -out $@ 2048

agent6-csr.pem: agent6.cnf agent6-key.pem
	openssl req -new -config $< -key agent6-key.pem -out $@

# Sign agent6 with the ca3 key, then append the ca3 certificate so the output
# file holds the leaf followed by its issuing intermediate.
agent6-cert.pem: agent6-csr.pem ca3-cert.pem ca3-key.pem
	openssl x509 -req -days 99999 -passin "pass:password" -in $< \
	        -CA ca3-cert.pem -CAkey ca3-key.pem -CAcreateserial \
	        -extfile agent6.cnf \
	        -out $@
	cat ca3-cert.pem >> $@

# Phony check: ca1 is the trust anchor, ca3 an untrusted intermediate.
agent6-verify: agent6-cert.pem ca3-cert.pem ca1-cert.pem
	openssl verify -trusted ca1-cert.pem -untrusted ca3-cert.pem $<

# PKCS#12 bundle for agent6 with the ca1 certificate added, protected with the
# fixed password 'sample'.
agent6.pfx: agent6-cert.pem agent6-key.pem ca1-cert.pem
	openssl pkcs12 -export -descert -in $< -inkey agent6-key.pem \
	        -certfile ca1-cert.pem -out $@ -password pass:sample

#
# agent7 is signed by fake-cnnic-root.
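#

# Key for agent7, stored unencrypted (genrsa is given no cipher option).
agent7-key.pem:
	openssl genrsa -out $@ 2048

# The request is built from agent7.cnf, so that file (not agent1.cnf) is the
# prerequisite that has to trigger a rebuild.
agent7-csr.pem: agent7.cnf agent7-key.pem
	openssl req -new -config $< -key agent7-key.pem -out $@

# Sign agent7 with the stand-in CNNIC root key.
agent7-cert.pem: agent7-csr.pem fake-cnnic-root-cert.pem fake-cnnic-root-key.pem
	openssl x509 -req -extfile agent7.cnf -days 99999 \
	        -passin "pass:password" -in $< \
	        -CA fake-cnnic-root-cert.pem -CAkey fake-cnnic-root-key.pem \
	        -CAcreateserial \
	        -out $@

agent7-verify: agent7-cert.pem fake-cnnic-root-cert.pem
	openssl verify -CAfile fake-cnnic-root-cert.pem $<

#
# agent8 is signed by fake-startcom-root with notBefore
# of Oct 20 23:59:59 2016 GMT
#

agent8-key.pem:
	openssl genrsa -out $@ 2048

agent8-csr.pem: agent8.cnf agent8-key.pem
	openssl req -new -config $< -key agent8-key.pem -out $@

# Issued through `openssl ca` so that -startdate can pin notBefore.
agent8-cert.pem: agent8-csr.pem fake-startcom-root-cert.pem fake-startcom-root-key.pem
	openssl ca -config fake-startcom-root.cnf \
	        -keyfile fake-startcom-root-key.pem \
	        -cert fake-startcom-root-cert.pem \
	        -batch -days 99999 -passin "pass:password" \
	        -in $< \
	        -startdate 161020235959Z \
	        -notext -out $@


agent8-verify: agent8-cert.pem fake-startcom-root-cert.pem
	openssl verify -CAfile fake-startcom-root-cert.pem $<


#
# agent9 is signed by fake-startcom-root with notBefore
# of Oct 21 00:00:01 2016 GMT
#
agent9-key.pem:
	openssl genrsa -out $@ 2048

agent9-csr.pem: agent9.cnf agent9-key.pem
	openssl req -new -config $< -key agent9-key.pem -out $@


# The recipe reads the fake-startcom-root certificate and key, so both are
# listed as prerequisites, as they are for agent8-cert.pem.
agent9-cert.pem: agent9-csr.pem fake-startcom-root-cert.pem fake-startcom-root-key.pem
	openssl ca -config fake-startcom-root.cnf \
	        -keyfile fake-startcom-root-key.pem \
	        -cert fake-startcom-root-cert.pem \
	        -batch -days 99999 -passin "pass:password" \
	        -in $< \
	        -startdate 20161021000001Z \
	        -notext -out $@

#
# agent10 is a server RSA cert signed by ca4 for agent10.example.com
#

agent10-key.pem:
	openssl genrsa -out $@ 2048

agent10-csr.pem: agent10.cnf agent10-key.pem
	openssl req -new -config $< -key agent10-key.pem -out $@

# Sign agent10 with the ca4 key, then append the ca4 certificate so the output
# file holds the leaf followed by its issuing intermediate.
agent10-cert.pem: agent10-csr.pem ca4-cert.pem ca4-key.pem
	openssl x509 -req -days 99999 -passin "pass:password" -in $< \
	        -CA ca4-cert.pem -CAkey ca4-key.pem -CAcreateserial \
	        -extfile agent10.cnf \
	        -out $@
	cat ca4-cert.pem >> $@

# Phony check: ca2 is the trust anchor, ca4 an untrusted intermediate.
agent10-verify: agent10-cert.pem ca4-cert.pem ca2-cert.pem
	openssl verify -trusted ca2-cert.pem -untrusted ca4-cert.pem $<

# NOTE(review): the bundle adds ca1-cert.pem although agent10 is verified
# against ca4/ca2 above; confirm that the ca1 certificate is intended here.
agent10.pfx: agent10-cert.pem agent10-key.pem ca1-cert.pem
	openssl pkcs12 -export -descert -in $< -inkey agent10-key.pem \
	        -certfile ca1-cert.pem -out $@ -password pass:sample

#
# ec10 is a server EC cert signed by ca6 for agent10.example.com
#

ec10-key.pem:
	openssl ecparam -genkey -out $@ -name prime256v1

# agent10.cnf supplies the request fields, so it is listed as a prerequisite.
ec10-csr.pem: ec10-key.pem agent10.cnf
	openssl req -new -config agent10.cnf -key $< -out $@

# Sign ec10 with the ca6 key, then append the ca6 certificate to the output.
ec10-cert.pem: ec10-csr.pem ca6-cert.pem ca6-key.pem agent10.cnf
	openssl x509 -req -days 99999 -passin "pass:password" -in $< \
	        -CA ca6-cert.pem -CAkey ca6-key.pem -CAcreateserial \
	        -extfile agent10.cnf \
	        -out $@
	cat ca6-cert.pem >> $@

# Phony check: ca5 is the trust anchor, ca6 an untrusted intermediate.
ec10-verify: ec10-cert.pem ca6-cert.pem ca5-cert.pem
	openssl verify -trusted ca5-cert.pem -untrusted ca6-cert.pem $<

ec10.pfx: ec10-cert.pem ec10-key.pem ca6-cert.pem
	openssl pkcs12 -export -descert -in $< -inkey ec10-key.pem \
	        -certfile ca6-cert.pem -out $@ -password pass:sample


#
# ec is a self-signed EC cert for CN "agent2"
#
ec-key.pem:
	openssl ecparam -genkey -out $@ -name prime256v1

# ec.cnf supplies the request fields, so it is listed as a prerequisite.
ec-csr.pem: ec-key.pem ec.cnf
	openssl req -new -config ec.cnf -key $< -out $@

ec-cert.pem: ec-csr.pem ec-key.pem
	openssl x509 -req -days 99999 -in $< -signkey ec-key.pem -out $@

# PKCS#12 bundle written with an empty export password ('pass:').
ec.pfx: ec-cert.pem ec-key.pem
	openssl pkcs12 -export -descert -in $< -inkey ec-key.pem \
	        -out $@ -password pass:

# Diffie-Hellman parameter files at three sizes.
# NOTE(review): 512 and 1024 bits are small by current standards; presumably
# kept to exercise handling of weak parameters.
dh512.pem:
	openssl dhparam -out $@ 512

dh1024.pem:
	openssl dhparam -out $@ 1024

dh2048.pem:
	openssl dhparam -out $@ 2048

# Deliberately corrupted copy of dh1024.pem: every line that does not start
# with '-' (the encoded body) is replaced with a run of 'A' characters.
dherror.pem: dh1024.pem
	sed 's/^[^-].*/AAAAAAAAAA/g' $< > $@

dsa_params.pem:
	openssl dsaparam -out $@ 2048

dsa_private.pem: dsa_params.pem
	openssl gendsa -out $@ $<

# AES-256 encrypted copy of the DSA key, using the fixed passphrase 'password'.
dsa_private_encrypted.pem: dsa_private.pem
	openssl dsa -aes256 -in $< -passout 'pass:password' -out $@

# Unencrypted (-nocrypt) PKCS#8 form of the DSA key.
dsa_private_pkcs8.pem: dsa_private.pem
	openssl pkcs8 -topk8 -inform PEM -outform PEM -in $< -out $@ -nocrypt

dsa_public.pem: dsa_private.pem
	openssl dsa -in $< -pubout -out $@

# DSA parameters requested with the unusual size of 1025 bits.
dsa1025.pem:
	openssl dsaparam -out $@ 1025

# The three rules below read files made by other rules; naming those inputs as
# prerequisites keeps the order correct under `make -j` and after a partial
# clean.
dsa_private_1025.pem: dsa1025.pem
	openssl gendsa -out $@ $<

# Encrypted PKCS#8 form, using the fixed passphrase 'secret'.
dsa_private_encrypted_1025.pem: dsa_private_1025.pem
	openssl pkcs8 -in $< -topk8 -passout 'pass:secret' -out $@

dsa_public_1025.pem: dsa_private_1025.pem
	openssl dsa -in $< -pubout -out $@

rsa_private.pem:
	openssl genrsa -out $@ 2048

# AES-256 encrypted copy of the RSA key, using the fixed passphrase 'password'.
rsa_private_encrypted.pem: rsa_private.pem
	openssl rsa -aes256 -in $< -passout 'pass:password' -out $@

# Unencrypted (-nocrypt) PKCS#8 form of the RSA key.
rsa_private_pkcs8.pem: rsa_private.pem
	openssl pkcs8 -topk8 -inform PEM -outform PEM -in $< -out $@ -nocrypt

# Deliberately malformed: the PEM label is rewritten to "RSA PRIVATE KEY"
# while the body stays PKCS#8.
rsa_private_pkcs8_bad.pem: rsa_private_pkcs8.pem
	sed 's/PRIVATE/RSA PRIVATE/g' $< > $@

rsa_public.pem: rsa_private.pem
	openssl rsa -in $< -pubout -out $@

# Self-signed certificate; rsa_cert.cnf is read by the recipe, so it is listed
# as a prerequisite.
rsa_cert.crt: rsa_private.pem rsa_cert.cnf
	openssl req -new -x509 -days 99999 -key $< -config rsa_cert.cnf -out $@

# PKCS#12 bundle protected with the fixed password 'sample'.
rsa_cert.pfx: rsa_cert.crt rsa_private.pem
	openssl pkcs12 -export -descert -passout 'pass:sample' \
	        -inkey rsa_private.pem -in $< -out $@

# The self-signed certificate doubles as its own CA file.
rsa_ca.crt: rsa_cert.crt
	cp $< $@

# SHA-1 signatures over rsa_public.pem, made with the traditional and the
# PKCS#8 encodings of the same private key.
rsa_public_sha1_signature_signedby_rsa_private.sha1: rsa_public.pem rsa_private.pem
	openssl dgst -sha1 -sign rsa_private.pem -out $@ $<

rsa_public_sha1_signature_signedby_rsa_private_pkcs8.sha1: rsa_public.pem rsa_private_pkcs8.pem
	openssl dgst -sha1 -sign rsa_private_pkcs8.pem -out $@ $<

rsa_private_b.pem:
	openssl genrsa -out $@ 2048

# printf emits the message without a trailing newline on every sh, whereas
# `echo -n` prints a literal "-n" under some shells.
I_AM_THE_WALRUS_sha256_signature_signedby_rsa_private_b.sha256: rsa_private_b.pem
	printf '%s' "I AM THE WALRUS" | openssl dgst -sha256 -sign $< -out $@

rsa_public_b.pem: rsa_private_b.pem
	openssl rsa -in $< -pubout -out $@

# The following 'foafssl' cert is used in test/parallel/test-https-foafssl.js.
# It requires a SAN like 'http://example.com/#me'.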
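# More info here:
# https://www.w3.org/wiki/Foaf+ssl
# rsa_cert_foafssl_b.cnf is read by the recipe, so it is listed as a
# prerequisite alongside the key.
rsa_cert_foafssl_b.crt: rsa_private_b.pem rsa_cert_foafssl_b.cnf
	openssl req -new -x509 -days 99999 -config rsa_cert_foafssl_b.cnf -key $< -out $@

# The 'modulus=' in the output must be stripped out
# NOTE(review): the recipe's exit status is that of `cut`, so a failing
# openssl leaves an empty but up-to-date target. The same holds for the other
# pipelines below.
rsa_cert_foafssl_b.modulus: rsa_cert_foafssl_b.crt
	openssl x509 -modulus -in $< -noout | cut -c 9- > $@

# Have to parse out the hex exponent
rsa_cert_foafssl_b.exponent: rsa_cert_foafssl_b.crt
	openssl x509 -in $< -text | grep -o 'Exponent:.*' | sed 's/\(.*(\|).*\)//g' > $@

# openssl outputs `SPKAC=[SPKAC]`. That prefix needs to be removed to work with node
rsa_spkac.spkac: rsa_private.pem
	openssl spkac -key $< -challenge this-is-a-challenge | cut -c 7- > $@

# cutting characters from the start to invalidate the spkac
rsa_spkac_invalid.spkac: rsa_spkac.spkac
	cut -c 5- $< > $@

# Plain RSA keys at two sizes, stored unencrypted, with their public halves.
rsa_private_2048.pem:
	openssl genrsa -out $@ 2048

rsa_private_4096.pem:
	openssl genrsa -out $@ 4096

rsa_public_2048.pem: rsa_private_2048.pem
	openssl rsa -in $< -pubout -out $@

rsa_public_4096.pem: rsa_private_4096.pem
	openssl rsa -in $< -pubout -out $@

# RSA-PSS keys. The suffix of each file name mirrors the digest, MGF1 digest
# and salt length passed as rsa_pss_keygen_* options; the first key sets none
# of them.
rsa_pss_private_2048.pem:
	openssl genpkey -algorithm RSA-PSS \
	        -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 \
	        -out $@

rsa_pss_private_2048_sha256_sha256_16.pem:
	openssl genpkey -algorithm RSA-PSS \
	        -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 \
	        -pkeyopt rsa_pss_keygen_md:sha256 \
	        -pkeyopt rsa_pss_keygen_mgf1_md:sha256 \
	        -pkeyopt rsa_pss_keygen_saltlen:16 \
	        -out $@

rsa_pss_private_2048_sha512_sha256_20.pem:
	openssl genpkey -algorithm RSA-PSS \
	        -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 \
	        -pkeyopt rsa_pss_keygen_md:sha512 \
	        -pkeyopt rsa_pss_keygen_mgf1_md:sha256 \
	        -pkeyopt rsa_pss_keygen_saltlen:20 \
	        -out $@

rsa_pss_private_2048_sha1_sha1_20.pem:
	openssl genpkey -algorithm RSA-PSS \
	        -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 \
	        -pkeyopt rsa_pss_keygen_md:sha1 \
	        -pkeyopt rsa_pss_keygen_mgf1_md:sha1 \
	        -pkeyopt rsa_pss_keygen_saltlen:20 \
	        -out $@

# Public halves of the RSA-PSS keys above.
rsa_pss_public_2048.pem: rsa_pss_private_2048.pem
	openssl pkey -in $< -pubout -out $@

rsa_pss_public_2048_sha256_sha256_16.pem: rsa_pss_private_2048_sha256_sha256_16.pem
	openssl pkey -in $< -pubout -out $@

rsa_pss_public_2048_sha512_sha256_20.pem: rsa_pss_private_2048_sha512_sha256_20.pem
	openssl pkey -in $< -pubout -out $@

rsa_pss_public_2048_sha1_sha1_20.pem: rsa_pss_private_2048_sha1_sha1_20.pem
	openssl pkey -in $< -pubout -out $@

# Edwards and Montgomery curve key pairs, stored unencrypted.
ed25519_private.pem:
	openssl genpkey -algorithm ED25519 -out $@

ed25519_public.pem: ed25519_private.pem
	openssl pkey -in $< -pubout -out $@

x25519_private.pem:
	openssl genpkey -algorithm x25519 -out $@

x25519_public.pem: x25519_private.pem
	openssl pkey -in $< -pubout -out $@

ed448_private.pem:
	openssl genpkey -algorithm ed448 -out $@

ed448_public.pem: ed448_private.pem
	openssl pkey -in $< -pubout -out $@

x448_private.pem:
	openssl genpkey -algorithm x448 -out $@
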
# Public half of the X448 key.
x448_public.pem: x448_private.pem
	openssl pkey -in $< -pubout -out $@

# Named-curve EC private keys. Each recipe writes a SEC1 key to a scratch file
# (sec1_<target>), converts it to unencrypted PKCS#8 (-nocrypt), then removes
# the scratch file.
ec_p256_private.pem:
	openssl ecparam -name prime256v1 -genkey -noout -out sec1_$@
	openssl pkcs8 -topk8 -nocrypt -in sec1_$@ -out $@
	rm sec1_$@

ec_p256_public.pem: ec_p256_private.pem
	openssl ec -in $< -pubout -out $@

ec_p384_private.pem:
	openssl ecparam -name secp384r1 -genkey -noout -out sec1_$@
	openssl pkcs8 -topk8 -nocrypt -in sec1_$@ -out $@
	rm sec1_$@

ec_p384_public.pem: ec_p384_private.pem
	openssl ec -in $< -pubout -out $@

ec_p521_private.pem:
	openssl ecparam -name secp521r1 -genkey -noout -out sec1_$@
	openssl pkcs8 -topk8 -nocrypt -in sec1_$@ -out $@
	rm sec1_$@

ec_p521_public.pem: ec_p521_private.pem
	openssl ec -in $< -pubout -out $@

ec_secp256k1_private.pem:
	openssl ecparam -name secp256k1 -genkey -noout -out sec1_$@
	openssl pkcs8 -topk8 -nocrypt -in sec1_$@ -out $@
	rm sec1_$@

ec_secp256k1_public.pem: ec_secp256k1_private.pem
	openssl ec -in $< -pubout -out $@

# Self-signed certificate whose subject CN is good.example.com while its only
# subjectAltName is DNS:evil.example.com. Presumably an input for hostname
# checks that must honour the SAN over the CN (TODO confirm with the consuming
# test).
incorrect_san_correct_subject-cert.pem: incorrect_san_correct_subject-key.pem
	openssl req -x509 -key $< -out $@ -sha256 -days 3650 \
	        -subj "/CN=good.example.com" \
	        -addext "subjectAltName = DNS:evil.example.com"

incorrect_san_correct_subject-key.pem:
	openssl ecparam -name prime256v1 -genkey -noout -out $@

# Same subject, but the only subjectAltName is an IP address entry, so the
# certificate carries no DNS name in its SAN.
irrelevant_san_correct_subject-cert.pem: irrelevant_san_correct_subject-key.pem
	openssl req -x509 -key $< -out $@ -sha256 -days 3650 \
	        -subj "/CN=good.example.com" \
	        -addext "subjectAltName = IP:1.2.3.4"

irrelevant_san_correct_subject-key.pem:
	openssl ecparam -name prime256v1 -genkey -noout -out $@

# Removes generated material by glob, which covers every *.pem and *.pfx in
# this directory and not only the files built here, then truncates the
# fake-startcom-root CA database to an empty file.
clean:
	$(RM) *.pfx *.pem *.srl ca2-database.txt ca2-serial fake-startcom-root-serial *.print *.old fake-startcom-root-issued-certs/*.pem
	@> fake-startcom-root-database.txt

# Runs every chain check defined in this file; agent9 has no verify target.
test: agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify \
      agent6-verify agent7-verify agent8-verify agent10-verify ec10-verify

# Human-readable dump of any <name>-cert.pem, e.g. `make agent1-cert.pem.print`.
%-cert.pem.print: %-cert.pem
	openssl x509 -in $< -text -noout > $@

.PHONY: all clean test \
        agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify \
        agent6-verify agent7-verify agent8-verify agent10-verify ec10-verify