• Home
Name Date Size #Lines LOC

..--

READMED03-May-20242.6 KiB7349

badclient.keyD03-May-2024916 1716

badclient.pemD03-May-2024973 1817

badserver.keyD03-May-2024916 1716

badserver.pemD03-May-2024973 1817

ca-openssl.cnfD03-May-2024542 1915

ca.keyD03-May-2024912 1716

ca.pemD03-May-2024855 1615

client.keyD03-May-2024920 1716

client.pemD03-May-20241 KiB1918

index.txtD03-May-20240

openssl.cnfD03-May-202410.7 KiB360270

server0.keyD03-May-2024916 1716

server0.pemD03-May-20241.1 KiB1918

server1-openssl.cnfD03-May-20242.8 KiB8369

server1.keyD03-May-2024912 1716

server1.pemD03-May-2024964 1716

README

1The test credentials (CONFIRMEDTESTKEY) have been generated with the following
2commands:
3
4Bad credentials (badclient.* / badserver.*):
5============================================
6
7These are self-signed certificates:
8
9$ openssl req -x509 -newkey rsa:1024 -keyout badserver.key -out badserver.pem \
10  -days 3650 -nodes
11
12When prompted for certificate information, everything is default except the
13common name which is set to badserver.test.google.com.
14
15
16Valid test credentials:
17=======================
18
19The ca is self-signed:
20----------------------
21
22$ openssl req -x509 -new -newkey rsa:1024 -nodes -out ca.pem -config ca-openssl.cnf -days 3650 -extensions v3_req
23When prompted for certificate information, everything is default.
24
25client is issued by CA:
26-----------------------
27
28$ openssl genrsa -out client.key.rsa 1024
29$ openssl pkcs8 -topk8 -in client.key.rsa -out client.key -nocrypt
30$ rm client.key.rsa
31$ openssl req -new -key client.key -out client.csr
32
33When prompted for certificate information, everything is default except the
34common name which is set to testclient.
35
36$ openssl ca -in client.csr -out client.pem -keyfile ca.key -cert ca.pem -verbose -config openssl.cnf -days 3650 -updatedb
37$ openssl x509 -in client.pem -out client.pem -outform PEM
38
39server0 is issued by CA:
40------------------------
41
42$ openssl genrsa -out server0.key.rsa 1024
43$ openssl pkcs8 -topk8 -in server0.key.rsa -out server0.key -nocrypt
44$ rm server0.key.rsa
45$ openssl req -new -key server0.key -out server0.csr
46
47When prompted for certificate information, everything is default except the
48common name which is set to *.test.google.com.au.
49
50$ openssl ca -in server0.csr -out server0.pem -keyfile ca.key -cert ca.pem -verbose -config openssl.cnf -days 3650 -updatedb
51$ openssl x509 -in server0.pem -out server0.pem -outform PEM
52
53server1 is issued by CA with a special config for subject alternative names:
54----------------------------------------------------------------------------
55
56$ openssl genrsa -out server1.key.rsa 1024
57$ openssl pkcs8 -topk8 -in server1.key.rsa -out server1.key -nocrypt
58$ rm server1.key.rsa
59$ openssl req -new -key server1.key -out server1.csr -config server1-openssl.cnf
60
61When prompted for certificate information, everything is default except the
62common name which is set to *.test.google.com.
63
64$ openssl ca -in server1.csr -out server1.pem -keyfile ca.key -cert ca.pem -verbose -config server1-openssl.cnf -days 3650 -extensions v3_req -updatedb
65$ openssl x509 -in server1.pem -out server1.pem -outform PEM
66
67Gotchas
68=======
69
70You may have to delete and recreate the index.txt file so that it is empty when
71running the `openssl ca` command.
72
73