The test credentials (CONFIRMEDTESTKEY) have been generated with the following
commands:

Bad credentials (badclient.* / badserver.*):
============================================

These are self-signed certificates:

$ openssl req -x509 -newkey rsa:1024 -keyout badserver.key -out badserver.pem \
  -days 3650 -nodes

When prompted for certificate information, everything is default except the
common name which is set to badserver.test.google.com.


Valid test credentials:
=======================

The ca is self-signed:
----------------------

$ openssl req -x509 -new -newkey rsa:1024 -nodes -out ca.pem -config ca-openssl.cnf -days 3650 -extensions v3_req
When prompted for certificate information, everything is default.

client is issued by CA:
-----------------------

$ openssl genrsa -out client.key.rsa 1024
$ openssl pkcs8 -topk8 -in client.key.rsa -out client.key -nocrypt
$ rm client.key.rsa
$ openssl req -new -key client.key -out client.csr

When prompted for certificate information, everything is default except the
common name which is set to testclient.

$ openssl ca -in client.csr -out client.pem -keyfile ca.key -cert ca.pem -verbose -config openssl.cnf -days 3650 -updatedb
$ openssl x509 -in client.pem -out client.pem -outform PEM

server0 is issued by CA:
------------------------

$ openssl genrsa -out server0.key.rsa 1024
$ openssl pkcs8 -topk8 -in server0.key.rsa -out server0.key -nocrypt
$ rm server0.key.rsa
$ openssl req -new -key server0.key -out server0.csr

When prompted for certificate information, everything is default except the
common name which is set to *.test.google.com.au.

$ openssl ca -in server0.csr -out server0.pem -keyfile ca.key -cert ca.pem -verbose -config openssl.cnf -days 3650 -updatedb
$ openssl x509 -in server0.pem -out server0.pem -outform PEM

server1 is issued by CA with a special config for subject alternative names:
----------------------------------------------------------------------------

$ openssl genrsa -out server1.key.rsa 1024
$ openssl pkcs8 -topk8 -in server1.key.rsa -out server1.key -nocrypt
$ rm server1.key.rsa
$ openssl req -new -key server1.key -out server1.csr -config server1-openssl.cnf

When prompted for certificate information, everything is default except the
common name which is set to *.test.google.com.

$ openssl ca -in server1.csr -out server1.pem -keyfile ca.key -cert ca.pem -verbose -config server1-openssl.cnf -days 3650 -extensions v3_req -updatedb
$ openssl x509 -in server1.pem -out server1.pem -outform PEM

Gotchas
=======

You may have to delete and recreate the index.txt file so that it is empty when
running the `openssl ca` command.
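
Checking the generated files
============================

One way to confirm that regenerated credentials have the properties described above (the client certificate chains to ca.pem, carries the expected common name and matches its key, while the self-signed "bad" certificate does not chain to the CA). This is an added example, not part of the original README. The function names are assumptions, and make_fixtures builds constructed throwaway input with 2048-bit keys, `-subj` instead of the interactive prompts, and `openssl x509 -req` in place of `openssl ca`, because the README's openssl.cnf is not shown.

```shell
#!/bin/sh
# Added example (not from the original README): check generated credentials.

# chains_to CA CERT: succeed only if CERT verifies against the CA file.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# subject_cn CERT: print the certificate's subject common name.
subject_cn() {
    openssl x509 -in "$1" -noout -nameopt multiline -subject |
        sed -n 's/^ *commonName *= //p'
}

# key_matches CERT KEY: succeed if KEY is the private key belonging to CERT.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# make_fixtures DIR: constructed sample input (throwaway CA, one issued
# client certificate, one self-signed "bad" server certificate).
make_fixtures() (
    cd "$1" || exit 1
    q() { "$@" >/dev/null 2>&1; }   # run a command quietly
    q openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=testca" -days 1 &&
    q openssl req -new -newkey rsa:2048 -nodes -keyout client.key \
        -out client.csr -subj "/CN=testclient" &&
    q openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -out client.pem -days 1 &&
    q openssl req -x509 -newkey rsa:2048 -nodes -keyout badserver.key \
        -out badserver.pem -subj "/CN=badserver.test.google.com" -days 1
)

# check_creds DIR: succeed only if the files in DIR behave as described.
check_creds() {
    chains_to "$1/ca.pem" "$1/client.pem" || return 1
    [ "$(subject_cn "$1/client.pem")" = "testclient" ] || return 1
    key_matches "$1/client.pem" "$1/client.key" || return 1
    # The "bad" certificate is self-signed, so it must NOT chain to the CA.
    if chains_to "$1/ca.pem" "$1/badserver.pem"; then return 1; fi
    return 0
}
```

Running check_creds against the real certs directory works the same way once the files named in the README are present.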