Loading demos/certs/README 0 → 100644 +9 −0 Original line number Diff line number Diff line There is often a need to generate test certificates automatically using a script. This is often a cause for confusion which can result in incorrect CA certificates, obsolete V1 certificates or duplicate serial numbers. The range of command line options can be daunting for a beginner. This is a simple example of how to generate certificates automatically using scripts. Example creates a root CA, a server certificate signed by the root, an intermediate CA signed by the root and finally a client certificate signed by the intermediate CA. demos/certs/ca.cnf 0 → 100644 +57 −0 Original line number Diff line number Diff line # # OpenSSL example configuration file for automated certificate creation. # # This definition stops the following lines choking if HOME or CN # is undefined. HOME = . RANDFILE = $ENV::HOME/.rnd CN = "Not Defined" #################################################################### [ req ] default_bits = 1024 default_keyfile = privkey.pem # Don't prompt for fields: use those in section directly prompt = no distinguished_name = req_distinguished_name x509_extensions = v3_ca # The extentions to add to the self signed cert string_mask = utf8only # req_extensions = v3_req # The extensions to add to a certificate request [ req_distinguished_name ] countryName = UK organizationName = OpenSSL Group # Take CN from environment so it can come from a script. commonName = $ENV::CN [ usr_cert ] # These extensions are added when 'ca' signs a request for an end entity # certificate basicConstraints=critical, CA:FALSE keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid [ v3_ca ] # Extensions for a typical CA # PKIX recommendation. 
subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always basicConstraints = critical,CA:true keyUsage = critical, cRLSign, keyCertSign demos/certs/mkcerts.sh 0 → 100644 +25 −0 Original line number Diff line number Diff line #!/bin/sh OPENSSL=openssl # Root CA: create certificate directly CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes \ -keyout root.pem -out root.pem -newkey rsa:2048 -days 3650 # Server certificate: create request first CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \ -keyout skey.pem -out req.pem -newkey rsa:1024 # Sign request: end entity extensions $OPENSSL x509 -req -in req.pem -CA root.pem -days 3600 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem # Intermediate CA: request first CN="Test Intermediate CA" $OPENSSL req -config ca.cnf -nodes \ -keyout intkey.pem -out intreq.pem -newkey rsa:2048 # Sign request: CA extensions $OPENSSL x509 -req -in intreq.pem -CA root.pem -days 3600 \ -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem # Client certificate: request first CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \ -keyout ckey.pem -out creq.pem -newkey rsa:1024 # Sign using intermediate CA $OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem Loading
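Review bot: The single `[ v3_ca ]` section serves both the self-signed root and, via `-extensions v3_ca` in mkcerts.sh, the intermediate, so the intermediate is issued with `basicConstraints = critical,CA:true` and no path-length limit and can therefore issue further CAs itself. For a demo whose README promises a correct hierarchy, a dedicated section such as `[ v3_intca ]` containing `basicConstraints = critical,CA:true,pathlen:0` (otherwise identical to `v3_ca`) would make the intended depth explicit and let `mkcerts.sh` select it for the intermediate. Separately, `default_bits = 1024` leaves a weak default in place even though the script always overrides it with `-newkey`; `default_bits = 2048` keeps anyone who reuses this config without that override at a current minimum. The `[ usr_cert ]` comment states the extensions are added when `'ca'` signs a request, but the accompanying script applies them through `x509 -req -extfile ca.cnf -extensions usr_cert`, so the comment should name the tool actually used. The same points apply to the repeated copy of this file section further down the page.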
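Review bot: Every step runs unconditionally, so if one of the `req` invocations fails the following `x509 -req` still consumes whatever `req.pem`, `intreq.pem` or `creq.pem` is left from an earlier run and silently emits a certificate from stale input. Adding `set -e` immediately after `#!/bin/sh` (POSIX, so it fits the shebang) stops the chain at the first failure. The server and client keys are generated with `-newkey rsa:1024`, which OpenSSL at security level 2 (the default on several distributions) and most current validators reject, so the produced test certificates may be refused by the very software they are meant to exercise; `rsa:2048` throughout matches the CA keys. The root-signed steps also depend on `root.pem` holding both key and certificate (`-keyout root.pem -out root.pem`) with no `-CAkey`, which works but deserves a comment since readers are likely to expect a separate key file. The repeated copy of this script further down the page has the same issues.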
demos/certs/README 0 → 100644 +9 −0 Original line number Diff line number Diff line There is often a need to generate test certificates automatically using a script. This is often a cause for confusion which can result in incorrect CA certificates, obsolete V1 certificates or duplicate serial numbers. The range of command line options can be daunting for a beginner. This is a simple example of how to generate certificates automatically using scripts. Example creates a root CA, a server certificate signed by the root, an intermediate CA signed by the root and finally a client certificate signed by the intermediate CA.
demos/certs/ca.cnf 0 → 100644 +57 −0 Original line number Diff line number Diff line # # OpenSSL example configuration file for automated certificate creation. # # This definition stops the following lines choking if HOME or CN # is undefined. HOME = . RANDFILE = $ENV::HOME/.rnd CN = "Not Defined" #################################################################### [ req ] default_bits = 1024 default_keyfile = privkey.pem # Don't prompt for fields: use those in section directly prompt = no distinguished_name = req_distinguished_name x509_extensions = v3_ca # The extentions to add to the self signed cert string_mask = utf8only # req_extensions = v3_req # The extensions to add to a certificate request [ req_distinguished_name ] countryName = UK organizationName = OpenSSL Group # Take CN from environment so it can come from a script. commonName = $ENV::CN [ usr_cert ] # These extensions are added when 'ca' signs a request for an end entity # certificate basicConstraints=critical, CA:FALSE keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid [ v3_ca ] # Extensions for a typical CA # PKIX recommendation. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always basicConstraints = critical,CA:true keyUsage = critical, cRLSign, keyCertSign
demos/certs/mkcerts.sh 0 → 100644 +25 −0 Original line number Diff line number Diff line #!/bin/sh OPENSSL=openssl # Root CA: create certificate directly CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes \ -keyout root.pem -out root.pem -newkey rsa:2048 -days 3650 # Server certificate: create request first CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \ -keyout skey.pem -out req.pem -newkey rsa:1024 # Sign request: end entity extensions $OPENSSL x509 -req -in req.pem -CA root.pem -days 3600 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial -out server.pem # Intermediate CA: request first CN="Test Intermediate CA" $OPENSSL req -config ca.cnf -nodes \ -keyout intkey.pem -out intreq.pem -newkey rsa:2048 # Sign request: CA extensions $OPENSSL x509 -req -in intreq.pem -CA root.pem -days 3600 \ -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem # Client certificate: request first CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \ -keyout ckey.pem -out creq.pem -newkey rsa:1024 # Sign using intermediate CA $OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem