gitee.com/ks-custle/core-gm@v0.0.0-20230922171213-b83bdd97b62c/grpc/testdata/x509/create.sh (about)

     1  #!/bin/bash
     2  
     3  # Create the server CA certs.
     4  openssl req -x509                                     \
     5    -newkey rsa:4096                                    \
     6    -nodes                                              \
     7    -days 3650                                          \
     8    -keyout server_ca_key.pem                           \
     9    -out server_ca_cert.pem                             \
    10    -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-server_ca/   \
    11    -config ./openssl.cnf                               \
    12    -extensions test_ca
    13  
    14  # Create the client CA certs.
    15  openssl req -x509                                     \
    16    -newkey rsa:4096                                    \
    17    -nodes                                              \
    18    -days 3650                                          \
    19    -keyout client_ca_key.pem                           \
    20    -out client_ca_cert.pem                             \
    21    -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client_ca/   \
    22    -config ./openssl.cnf                               \
    23    -extensions test_ca
    24  
    25  # Generate two server certs.
    26  openssl genrsa -out server1_key.pem 4096
    27  openssl req -new                                    \
    28    -key server1_key.pem                              \
    29    -days 3650                                        \
    30    -out server1_csr.pem                              \
    31    -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-server1/   \
    32    -config ./openssl.cnf                             \
    33    -reqexts test_server
    34  openssl x509 -req           \
    35    -in server1_csr.pem       \
    36    -CAkey server_ca_key.pem  \
    37    -CA server_ca_cert.pem    \
    38    -days 3650                \
    39    -set_serial 1000          \
    40    -out server1_cert.pem     \
    41    -extfile ./openssl.cnf    \
    42    -extensions test_server
    43  openssl verify -verbose -CAfile server_ca_cert.pem  server1_cert.pem
    44  
    45  openssl genrsa -out server2_key.pem 4096
    46  openssl req -new                                    \
    47    -key server2_key.pem                              \
    48    -days 3650                                        \
    49    -out server2_csr.pem                              \
    50    -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-server2/   \
    51    -config ./openssl.cnf                             \
    52    -reqexts test_server
    53  openssl x509 -req           \
    54    -in server2_csr.pem       \
    55    -CAkey server_ca_key.pem  \
    56    -CA server_ca_cert.pem    \
    57    -days 3650                \
    58    -set_serial 1000          \
    59    -out server2_cert.pem     \
    60    -extfile ./openssl.cnf    \
    61    -extensions test_server
    62  openssl verify -verbose -CAfile server_ca_cert.pem  server2_cert.pem
    63  
    64  # Generate two client certs.
    65  openssl genrsa -out client1_key.pem 4096
    66  openssl req -new                                    \
    67    -key client1_key.pem                              \
    68    -days 3650                                        \
    69    -out client1_csr.pem                              \
    70    -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client1/   \
    71    -config ./openssl.cnf                             \
    72    -reqexts test_client
    73  openssl x509 -req           \
    74    -in client1_csr.pem       \
    75    -CAkey client_ca_key.pem  \
    76    -CA client_ca_cert.pem    \
    77    -days 3650                \
    78    -set_serial 1000          \
    79    -out client1_cert.pem     \
    80    -extfile ./openssl.cnf    \
    81    -extensions test_client
    82  openssl verify -verbose -CAfile client_ca_cert.pem  client1_cert.pem
    83  
    84  openssl genrsa -out client2_key.pem 4096
    85  openssl req -new                                    \
    86    -key client2_key.pem                              \
    87    -days 3650                                        \
    88    -out client2_csr.pem                              \
    89    -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client2/   \
    90    -config ./openssl.cnf                             \
    91    -reqexts test_client
    92  openssl x509 -req           \
    93    -in client2_csr.pem       \
    94    -CAkey client_ca_key.pem  \
    95    -CA client_ca_cert.pem    \
    96    -days 3650                \
    97    -set_serial 1000          \
    98    -out client2_cert.pem     \
    99    -extfile ./openssl.cnf    \
   100    -extensions test_client
   101  openssl verify -verbose -CAfile client_ca_cert.pem  client2_cert.pem
   102  
   103  # Generate a cert with SPIFFE ID.
   104  openssl req -x509                                                         \
   105    -newkey rsa:4096                                                        \
   106    -keyout spiffe_key.pem                                                  \
   107    -out spiffe_cert.pem                                                    \
   108    -nodes                                                                  \
   109    -days 3650                                                              \
   110    -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client1/                         \
   111    -addext "subjectAltName = URI:spiffe://foo.bar.com/client/workload/1"
   112  
   113  # Generate a cert with SPIFFE ID and another SAN URI field(which doesn't meet SPIFFE specs).
   114  openssl req -x509                                                         \
   115    -newkey rsa:4096                                                        \
   116    -keyout multiple_uri_key.pem                                            \
   117    -out multiple_uri_cert.pem                                              \
   118    -nodes                                                                  \
   119    -days 3650                                                              \
   120    -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client1/                         \
   121    -addext "subjectAltName = URI:spiffe://foo.bar.com/client/workload/1, URI:https://bar.baz.com/client"
   122  # Cleanup the CSRs.
   123  rm *_csr.pem