
Lines Matching +full:openssl +full:-

4 # Use of this source code is governed by a BSD-style license that can be
7 # This script generates a set of test (end-entity, intermediate, root)
9 set -e -x
13 # min(OS verifier max lifetime for local certs, built-in verifier max lifetime
16 # The current built-in verifier max lifetime is 39 months
18 # iOS 13/macOS 10.15 - https://support.apple.com/en-us/HT210176
19 # 730 is used here as just a short-hand for 2 years
22 rm -rf out
# Seed the root CA's serial file with 16 random bytes (32 hex digits) instead
# of a fixed counter, so issued serials are unpredictable. Presumably ca.cnf
# points `serial` / `database` at these two files — confirm against ca.cnf.
openssl rand -hex -out out/2048-sha256-root-serial 16
# Empty issued-certificate index for `openssl ca` (must exist before signing).
touch out/2048-sha256-root-index.txt
33 if grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$existing_pem_filename" ; then
34 openssl pkey -in "$existing_pem_filename" -out "$out_key_filename"
36 openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 \
37 -out "$out_key_filename"
42 copy_or_generate_key ../certificates/root_ca_cert.pem out/2048-sha256-root.key
46 openssl req \
47 -new \
48 -key out/2048-sha256-root.key \
49 -out out/2048-sha256-root.req \
50 -config ca.cnf
53 openssl x509 \
54 -req -days 3650 \
55 -in out/2048-sha256-root.req \
56 -signkey out/2048-sha256-root.key \
57 -extfile ca.cnf \
58 -extensions ca_cert \
59 -text > out/2048-sha256-root.pem
62 openssl rand -hex -out out/int/2048-sha256-int-serial 16
63 touch out/int/2048-sha256-int-index.txt
67 out/int/2048-sha256-int.key
70 openssl req \
71 -new \
72 -key out/int/2048-sha256-int.key \
73 -out out/int/2048-sha256-int.req \
74 -config ca.cnf
77 openssl ca \
78 -batch \
79 -extensions ca_cert \
80 -days 3650 \
81 -in out/int/2048-sha256-int.req \
82 -out out/int/2048-sha256-int.pem \
83 -config ca.cnf
88 openssl req \
89 -new \
90 -key out/expired_cert.key \
91 -out out/expired_cert.req \
92 -config ee.cnf
95 openssl req \
96 -new \
97 -key out/ok_cert.key \
98 -out out/ok_cert.req \
99 -config ee.cnf
102 openssl req \
103 -new \
104 -key out/wildcard.key \
105 -out out/wildcard.req \
106 -reqexts req_wildcard \
107 -config ee.cnf
111 openssl req \
112 -new \
113 -key out/localhost_cert.key \
114 -out out/localhost_cert.req \
115 -reqexts req_localhost_san \
116 -config ee.cnf
119 openssl req \
120 -new \
121 -key out/test_names.key \
122 -out out/test_names.req \
123 -reqexts req_test_names \
124 -config ee.cnf
128 openssl ca \
129 -batch \
130 -extensions user_cert \
131 -startdate 060101000000Z \
132 -enddate 070101000000Z \
133 -in out/expired_cert.req \
134 -out out/expired_cert.pem \
135 -config ca.cnf
138 openssl ca \
139 -batch \
140 -extensions user_cert \
141 -days ${CERT_LIFETIME} \
142 -in out/ok_cert.req \
143 -out out/ok_cert.pem \
144 -config ca.cnf
149 openssl ca \
150 -batch \
151 -extensions user_cert \
152 -days ${CERT_LIFETIME} \
153 -in out/ok_cert.req \
154 -out out/int/ok_cert.pem \
155 -config ca.cnf
158 openssl ca \
159 -batch \
160 -extensions user_cert \
161 -in out/wildcard.req \
162 -out out/wildcard.pem \
163 -config ca.cnf
166 openssl ca \
167 -batch \
168 -extensions user_cert \
169 -days ${CERT_LIFETIME} \
170 -in out/localhost_cert.req \
171 -out out/localhost_cert.pem \
172 -config ca.cnf
# Deliberately bogus validity fixture: notBefore and notAfter use the
# 14-digit (YYYYMMDDHHMMSS) GeneralizedTime form, i.e. year 0001, and are
# identical, so the cert has a zero-length lifetime at a date no verifier
# should accept. It reuses ok_cert.req — and therefore ok_cert.key — with
# only the subject overridden via -subj.
openssl ca \
-batch \
-extensions user_cert \
-subj "/CN=Leaf Certificate/" \
-startdate 00010101000000Z \
-enddate 00010101000000Z \
-in out/ok_cert.req \
-out out/bad_validity.pem \
-config ca.cnf
186 openssl ca \
187 -batch \
188 -extensions user_cert \
189 -days ${CERT_LIFETIME} \
190 -in out/test_names.req \
191 -out out/test_names.pem \
192 -config ca.cnf
194 /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \
196 /bin/sh -c "cat out/wildcard.key out/wildcard.pem \
198 /bin/sh -c "cat out/localhost_cert.key out/localhost_cert.pem \
200 /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \
202 /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \
204 /bin/sh -c "cat out/ok_cert.key out/bad_validity.pem \
206 /bin/sh -c "cat out/ok_cert.key out/int/ok_cert.pem \
207 out/int/2048-sha256-int.pem \
209 /bin/sh -c "cat out/int/2048-sha256-int.key out/int/2048-sha256-int.pem \
211 /bin/sh -c "cat out/int/ok_cert.pem out/int/2048-sha256-int.pem \
212 out/2048-sha256-root.pem \
214 /bin/sh -c "cat out/test_names.key out/test_names.pem \
217 # Now generate the one-off certs
218 ## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
219 openssl req -x509 -days 3650 -extensions req_spdy_pooling \
220 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
221 -out ../certificates/spdy_pooling.pem
224 openssl req -x509 -days 3650 -extensions req_san_sanity \
225 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
226 -out ../certificates/subjectAltName_sanity_check.pem
229 openssl req -x509 -days 3650 -extensions req_san_example \
230 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
231 -out ../certificates/subjectAltName_www_example_com.pem
234 openssl req -x509 -days 3650 -extensions req_policies_sanity \
235 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
236 -out ../certificates/policies_sanity_check.pem
240 openssl req -x509 -days 3650 -extensions req_punycode \
241 -config ../scripts/ee.cnf -newkey rsa:2048 -text \
242 -out ../certificates/punycodetest.pem
245 openssl req -config ../scripts/ee.cnf \
246 -newkey rsa:2048 -text -out out/sha1_2016.req
# Signed with SHA-1 on purpose: `-md sha1` overrides whatever digest ca.cnf
# selects, and the 2008-10-30 .. 2016-12-30 validity dates it in the SHA-1
# era. Presumably a fixture for SHA-1 deprecation handling (negative test);
# do not copy this pattern for anything other than test data.
openssl ca \
-batch \
-extensions user_cert \
-startdate 081030000000Z \
-enddate 161230000000Z \
-in out/sha1_2016.req \
-out ../certificates/sha1_2016.pem \
-config ca.cnf \
-md sha1
259 openssl req -config ../scripts/ee.cnf \
260 -newkey rsa:2048 -text -out out/10_year_validity.req
262 openssl ca \
263 -batch \
264 -extensions user_cert \
265 -startdate 081030000000Z \
266 -enddate 181029000000Z \
267 -in out/10_year_validity.req \
268 -out ../certificates/10_year_validity.pem \
269 -config ca.cnf
270 openssl req -config ../scripts/ee.cnf \
271 -newkey rsa:2048 -text -out out/11_year_validity.req
273 openssl ca \
274 -batch \
275 -extensions user_cert \
276 -startdate 141030000000Z \
277 -enddate 251030000000Z \
278 -in out/11_year_validity.req \
279 -out ../certificates/11_year_validity.pem \
280 -config ca.cnf
281 openssl req -config ../scripts/ee.cnf \
282 -newkey rsa:2048 -text -out out/39_months_after_2015_04.req
284 openssl ca \
285 -batch \
286 -extensions user_cert \
287 -startdate 150402000000Z \
288 -enddate 180702000000Z \
289 -in out/39_months_after_2015_04.req \
290 -out ../certificates/39_months_after_2015_04.pem \
291 -config ca.cnf
292 openssl req -config ../scripts/ee.cnf \
293 -newkey rsa:2048 -text -out out/40_months_after_2015_04.req
295 openssl ca \
296 -batch \
297 -extensions user_cert \
298 -startdate 150402000000Z \
299 -enddate 180801000000Z \
300 -in out/40_months_after_2015_04.req \
301 -out ../certificates/40_months_after_2015_04.pem \
302 -config ca.cnf
303 openssl req -config ../scripts/ee.cnf \
304 -newkey rsa:2048 -text -out out/60_months_after_2012_07.req
306 openssl ca \
307 -batch \
308 -extensions user_cert \
309 -startdate 141030000000Z \
310 -enddate 190930000000Z \
311 -in out/60_months_after_2012_07.req \
312 -out ../certificates/60_months_after_2012_07.pem \
313 -config ca.cnf
314 openssl req -config ../scripts/ee.cnf \
315 -newkey rsa:2048 -text -out out/61_months_after_2012_07.req
317 openssl ca \
318 -batch \
319 -extensions user_cert \
320 -startdate 141030000000Z \
321 -enddate 191103000000Z \
322 -in out/61_months_after_2012_07.req \
323 -out ../certificates/61_months_after_2012_07.pem \
324 -config ca.cnf
327 openssl req -config ../scripts/ee.cnf \
328 -newkey rsa:2048 -text -out out/39_months_based_on_last_day.req
330 openssl ca \
331 -batch \
332 -extensions user_cert \
333 -startdate 170228000000Z \
334 -enddate 200530000000Z \
335 -in out/39_months_based_on_last_day.req \
336 -out ../certificates/39_months_based_on_last_day.pem \
337 -config ca.cnf
339 openssl req -config ../scripts/ee.cnf \
340 -newkey rsa:2048 -text -out out/start_after_expiry.req
342 openssl ca \
343 -batch \
344 -extensions user_cert \
345 -startdate 180901000000Z \
346 -enddate 150402000000Z \
347 -in out/start_after_expiry.req \
348 -out ../certificates/start_after_expiry.pem \
349 -config ca.cnf
# NOTE(review): this regenerates start_after_expiry.req (with a fresh RSA key)
# after it has already been signed above; within the lines visible here
# nothing reads the new request, so it looks like a copy/paste leftover that
# only costs a key generation — confirm and drop.
openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out out/start_after_expiry.req
352 # Issued pre-BRs, lifetime < 120 months, expires before 2019-07-01
353 openssl req -config ../scripts/ee.cnf \
354 -newkey rsa:2048 -text -out out/pre_br_validity_ok.req
356 openssl ca \
357 -batch \
358 -extensions user_cert \
359 -startdate 080101000000Z \
360 -enddate 150101000000Z \
361 -in out/pre_br_validity_ok.req \
362 -out ../certificates/pre_br_validity_ok.pem \
363 -config ca.cnf
# NOTE(review): regenerates pre_br_validity_ok.req (with a fresh RSA key)
# after the certificate has already been issued from it above; nothing in the
# visible lines consumes the new request — likely a copy/paste leftover,
# confirm and drop.
openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out out/pre_br_validity_ok.req
366 # Issued pre-BRs, lifetime > 120 months, expires before 2019-07-01
367 openssl req -config ../scripts/ee.cnf \
368 -newkey rsa:2048 -text -out out/pre_br_validity_bad_121.req
370 openssl ca \
371 -batch \
372 -extensions user_cert \
373 -startdate 080101000000Z \
374 -enddate 180501000000Z \
375 -in out/pre_br_validity_bad_121.req \
376 -out ../certificates/pre_br_validity_bad_121.pem \
377 -config ca.cnf
# NOTE(review): regenerates pre_br_validity_bad_121.req (with a fresh RSA
# key) after it has already been signed above; nothing in the visible lines
# consumes the new request — likely a copy/paste leftover, confirm and drop.
openssl req -config ../scripts/ee.cnf \
-newkey rsa:2048 -text -out out/pre_br_validity_bad_121.req
380 # Issued pre-BRs, lifetime < 120 months, expires after 2019-07-01
381 openssl req -config ../scripts/ee.cnf \
382 -newkey rsa:2048 -text -out out/pre_br_validity_bad_2020.req
384 openssl ca \
385 -batch \
386 -extensions user_cert \
387 -startdate 120501000000Z \
388 -enddate 190703000000Z \
389 -in out/pre_br_validity_bad_2020.req \
390 -out ../certificates/pre_br_validity_bad_2020.pem \
391 -config ca.cnf
392 # Issued after 2018-03-01, lifetime == 826 days (bad)
393 openssl req -config ../scripts/ee.cnf \
394 -newkey rsa:2048 -text -out out/826_days_after_2018_03_01.req
396 openssl ca \
397 -batch \
398 -extensions user_cert \
399 -startdate 180302000000Z \
400 -enddate 200605000000Z \
401 -in out/826_days_after_2018_03_01.req \
402 -out ../certificates/826_days_after_2018_03_01.pem \
403 -config ca.cnf
404 # Issued after 2018-03-01, lifetime == 825 days (good)
405 openssl req -config ../scripts/ee.cnf \
406 -newkey rsa:2048 -text -out out/825_days_after_2018_03_01.req
408 openssl ca \
409 -batch \
410 -extensions user_cert \
411 -startdate 180302000000Z \
412 -enddate 200604000000Z \
413 -in out/825_days_after_2018_03_01.req \
414 -out ../certificates/825_days_after_2018_03_01.pem \
415 -config ca.cnf
416 # Issued after 2018-03-01, lifetime == 825 days and one second (bad)
417 openssl req -config ../scripts/ee.cnf \
418 -newkey rsa:2048 -text -out out/825_days_1_second_after_2018_03_01.req
420 openssl ca \
421 -batch \
422 -extensions user_cert \
423 -startdate 180302000000Z \
424 -enddate 200604000001Z \
425 -in out/825_days_1_second_after_2018_03_01.req \
426 -out ../certificates/825_days_1_second_after_2018_03_01.pem \
427 -config ca.cnf
429 # Issued after 2020-09-01, lifetime == 399 days (bad)
430 openssl req -config ../scripts/ee.cnf \
431 -newkey rsa:2048 -text -out out/399_days_after_2020_09_01.req
433 openssl ca \
434 -batch \
435 -extensions user_cert \
436 -startdate 200902000000Z \
437 -enddate 211006000000Z \
438 -in out/399_days_after_2020_09_01.req \
439 -out ../certificates/399_days_after_2020_09_01.pem \
440 -config ca.cnf
441 # Issued after 2020-09-01, lifetime == 398 days (good)
442 openssl req -config ../scripts/ee.cnf \
443 -newkey rsa:2048 -text -out out/398_days_after_2020_09_01.req
445 openssl ca \
446 -batch \
447 -extensions user_cert \
448 -startdate 200902000000Z \
449 -enddate 211005000000Z \
450 -in out/398_days_after_2020_09_01.req \
451 -out ../certificates/398_days_after_2020_09_01.pem \
452 -config ca.cnf
453 # Issued after 2020-09-01, lifetime == 398 days and one second (bad)
454 openssl req -config ../scripts/ee.cnf \
455 -newkey rsa:2048 -text -out out/398_days_1_second_after_2020_09_01.req
457 openssl ca \
458 -batch \
459 -extensions user_cert \
460 -startdate 200902000000Z \
461 -enddate 211005000001Z \
462 -in out/398_days_1_second_after_2020_09_01.req \
463 -out ../certificates/398_days_1_second_after_2020_09_01.pem \
464 -config ca.cnf
468 openssl req -x509 -newkey rsa:2048 \
469 -keyout out/can_sign_http_exchanges_draft_extension.key \
470 -out ../certificates/can_sign_http_exchanges_draft_extension.pem \
471 -days 365 \
472 -extensions req_extensions_with_can_sign_http_exchanges_draft \
473 -nodes -config ee.cnf
477 openssl req -x509 -newkey rsa:2048 \
478 -keyout out/can_sign_http_exchanges_draft_extension_invalid.key \
479 -out ../certificates/can_sign_http_exchanges_draft_extension_invalid.pem \
480 -days 365 \
481 -extensions req_extensions_with_can_sign_http_exchanges_draft_invalid \
482 -nodes -config ee.cnf
484 # SHA-1 certificate issued by locally trusted CA
486 openssl req \
487 -config ../scripts/ee.cnf \
488 -new \
489 -text \
490 -key out/sha1_leaf.key \
491 -out out/sha1_leaf.req
493 openssl ca \
494 -batch \
495 -extensions user_cert \
496 -days ${CERT_LIFETIME} \
497 -in out/sha1_leaf.req \
498 -out out/sha1_leaf.pem \
499 -config ca.cnf \
500 -md sha1
501 /bin/sh -c "cat out/sha1_leaf.key out/sha1_leaf.pem \
507 openssl req \
508 -config ../scripts/ee.cnf \
509 -reqexts req_no_san \
510 -new \
511 -text \
512 -key out/common_name_only.key \
513 -out out/common_name_only.req
515 openssl ca \
516 -batch \
517 -extensions user_cert \
518 -startdate 171220000000Z \
519 -enddate 201220000000Z \
520 -in out/common_name_only.req \
521 -out out/common_name_only.pem \
522 -config ca.cnf
523 /bin/sh -c "cat out/common_name_only.key out/common_name_only.pem \
527 openssl req \
528 -config ../scripts/ee.cnf \
529 -newkey rsa:2048 \
530 -text \
531 -out out/may_2018.req
533 openssl ca \
534 -batch \
535 -extensions user_cert \
536 -startdate 180501000000Z \
537 -enddate 200803000000Z \
538 -in out/may_2018.req \
539 -out ../certificates/may_2018.pem \
540 -config ca.cnf
543 # policies for locally-trusted certificates - see
544 # https://support.apple.com/en-us/HT210176 ) and valid for >825
546 openssl req \
547 -config ../scripts/ee.cnf \
548 -newkey rsa:2048 \
549 -text \
550 -out out/900_days_after_2019_07_01.req
552 openssl ca \
553 -batch \
554 -extensions user_cert \
555 -days 900 \
556 -in out/900_days_after_2019_07_01.req \
557 -out ../certificates/900_days_after_2019_07_01.pem \
558 -config ca.cnf
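# Self-signed test cert written to ev_test.pem, valid for CERT_LIFETIME days.
# Uses the single-dash -config form like every other invocation in this
# script; the double-dash spelling is only tolerated by newer OpenSSL option
# parsers. No -keyout / -nodes is given, so where the generated key lands and
# whether it is passphrase-protected depends on ee.cnf's defaults —
# NOTE(review): confirm ee.cnf disables key encryption so this cannot prompt.
openssl req -x509 -days "${CERT_LIFETIME}" \
  -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out ../certificates/ev_test.pem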
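# Self-signed test cert written to ev_test_state_only.pem, valid for
# CERT_LIFETIME days. Uses the single-dash -config form like every other
# invocation in this script; the double-dash spelling is only tolerated by
# newer OpenSSL option parsers. No -keyout / -nodes is given, so the key's
# destination and encryption depend on ee.cnf's defaults —
# NOTE(review): confirm ee.cnf disables key encryption so this cannot prompt.
openssl req -x509 -days "${CERT_LIFETIME}" \
  -config ../scripts/ee.cnf -newkey rsa:2048 -text \
  -out ../certificates/ev_test_state_only.pem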
573 python3 crlsetutil.py -o ../certificates/crlset_by_leaf_spki.raw \
581 python3 crlsetutil.py -o ../certificates/crlset_by_root_spki.raw \
588 ## Block a leaf cert by issuer-hash-and-serial
589 python3 crlsetutil.py -o ../certificates/crlset_by_root_serial.raw \
600 ## Block a leaf cert by issuer-hash-and-serial. However, this will be issued
602 python3 crlsetutil.py -o ../certificates/crlset_by_intermediate_serial.raw \
613 ## Block a subject with a single-entry allowlist of SPKI hashes.
614 python3 crlsetutil.py -o ../certificates/crlset_by_root_subject.raw \
626 python3 crlsetutil.py -o ../certificates/crlset_by_root_subject_no_spki.raw \
637 python3 crlsetutil.py -o ../certificates/crlset_by_leaf_subject_no_spki.raw \
647 python3 crlsetutil.py -o \
658 python3 crlsetutil.py -o \
669 python3 crlsetutil.py -o \