gitee.com/ks-custle/core-gm@v0.0.0-20230922171213-b83bdd97b62c/grpc/testdata/x509/README.md

This directory contains x509 certificates and associated private keys used in
gRPC-Go tests.

How were these test certs/keys generated?
-----------------------------------------
0. Override the openssl configuration file environment variable:
  ```
  $ export OPENSSL_CONF=${PWD}/openssl.cnf
  ```

1. Generate a self-signed CA certificate along with its private key:
  ```
  $ openssl req -x509                             \
      -newkey rsa:4096                            \
      -nodes                                      \
      -days 3650                                  \
      -keyout ca_key.pem                          \
      -out ca_cert.pem                            \
      -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-ca/  \
      -config ./openssl.cnf                       \
      -extensions test_ca
  ```

  To view the CA cert:
  ```
  $ openssl x509 -text -noout -in ca_cert.pem
  ```

2.a Generate a private key for the server:
  ```
  $ openssl genrsa -out server_key.pem 4096
  ```

2.b Generate a private key for the client:
  ```
  $ openssl genrsa -out client_key.pem 4096
  ```

3.a Generate a CSR for the server:
  ```
  $ openssl req -new                                \
    -key server_key.pem                             \
    -days 3650                                      \
    -out server_csr.pem                             \
    -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-server/  \
    -config ./openssl.cnf                           \
    -reqexts test_server
  ```

  To view the CSR:
  ```
  $ openssl req -text -noout -in server_csr.pem
  ```

3.b Generate a CSR for the client:
  ```
  $ openssl req -new                                \
    -key client_key.pem                             \
    -days 3650                                      \
    -out client_csr.pem                             \
    -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client/  \
    -config ./openssl.cnf                           \
    -reqexts test_client
  ```

  To view the CSR:
  ```
  $ openssl req -text -noout -in client_csr.pem
  ```

4.a Use the self-signed CA created in step #1 to sign the server CSR generated in step #3.a:
  ```
  $ openssl x509 -req       \
    -in server_csr.pem      \
    -CAkey ca_key.pem       \
    -CA ca_cert.pem         \
    -days 3650              \
    -set_serial 1000        \
    -out server_cert.pem    \
    -extfile ./openssl.cnf  \
    -extensions test_server
  ```

4.b Use the self-signed CA created in step #1 to sign the client CSR generated in step #3.b:
  ```
  $ openssl x509 -req       \
    -in client_csr.pem      \
    -CAkey ca_key.pem       \
    -CA ca_cert.pem         \
    -days 3650              \
    -set_serial 1000        \
    -out client_cert.pem    \
    -extfile ./openssl.cnf  \
    -extensions test_client
  ```

5.a Verify that `server_cert.pem` is trusted by `ca_cert.pem`:
  ```
  $ openssl verify -verbose -CAfile ca_cert.pem  server_cert.pem
  ```

5.b Verify that `client_cert.pem` is trusted by `ca_cert.pem`:
  ```
  $ openssl verify -verbose -CAfile ca_cert.pem  client_cert.pem
  ```
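Step 5 confirms that each certificate chains to the CA, but not that each `*_key.pem` belongs to its `*_cert.pem`. The Go check below is an added example, not part of the original README or of gRPC-Go, and covers both conditions the way a test loading these files would hit them. `checkPair` and `issue` are hypothetical names, the certificates are constructed in memory with 2048-bit keys instead of being read from the files above, and any extended key usage is accepted because the contents of `openssl.cnf` are not shown here.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkPair: the key must belong to the cert, and the cert must chain to the CA (step 5).
func checkPair(caPEM, certPEM, keyPEM []byte) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // fails when key and cert do not match
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("no CA certificate in PEM input")
	}
	leaf, _ := x509.ParseCertificate(pair.Certificate[0]) // cannot fail: X509KeyPair parsed it
	// Accept any EKU: Go's default (serverAuth only) could reject a client-only cert.
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// issue builds constructed sample input in memory; a nil ca yields a self-signed CA (step 1).
func issue(cn string, ca *x509.Certificate, caKey *rsa.PrivateKey) ([]byte, []byte, *x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // assumption: 2048 bits for speed; the page uses 4096
	cert := &x509.Certificate{SerialNumber: big.NewInt(1000), Subject: pkix.Name{CommonName: cn}, IsCA: ca == nil,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, 3650)}
	if ca == nil {
		ca, caKey = cert, key
	}
	der, err := x509.CreateCertificate(rand.Reader, cert, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}), cert, key
}

func main() {
	caPEM, _, ca, caKey := issue("test-ca", nil, nil)
	certPEM, keyPEM, _, _ := issue("test-server", ca, caKey)
	fmt.Println("server pair:", checkPair(caPEM, certPEM, keyPEM))
}
```

Because `Verify` uses the current time, the same check also fails once the 3650-day validity set in steps 1 and 4 has run out.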