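#!/bin/bash
#
# grpc/testdata/x509/create.sh
#
# Regenerates the X.509 test fixtures in this directory:
#   - two self-signed CAs (server_ca, client_ca),
#   - two leaf certificates under each CA (server1/2, client1/2),
#   - two self-signed certificates carrying URI subjectAltNames for the
#     SPIFFE ID cases.
#
# Run it from the directory that holds openssl.cnf; every output file is
# written to the current directory.
#
# Every private key is written unencrypted (-nodes / plain genrsa) because
# these are test fixtures; the keys are not suitable for any other use.

# Stop at the first failing command. Without this, a failed signing step or a
# failed `openssl verify` goes unnoticed and the script carries on, leaving
# stale or mismatched fixtures behind.
set -euo pipefail

readonly SUBJECT_PREFIX='/C=US/ST=CA/L=SVL/O=gRPC'
readonly VALIDITY_DAYS=3650
readonly KEY_BITS=4096

# NOTE(review): all four leaves are issued with this one serial, so server1
# and server2 (and client1 and client2) share issuer + serial. RFC 5280
# section 4.1.2.2 requires serials to be unique per issuing CA, and CRL/OCSP
# identify a certificate by exactly that pair, so revoking one of a pair
# cannot be distinguished from revoking the other. Kept as-is so regenerated
# fixtures match the existing ones; give each leaf its own serial if any test
# exercises revocation.
readonly LEAF_SERIAL=1000

# The test_ca / test_server / test_client extension sections are read from
# this file; fail early with a clear message rather than on the first openssl
# call.
if [[ ! -f ./openssl.cnf ]]; then
  printf '%s: ./openssl.cnf not found; run from the x509 testdata directory\n' \
    "${0##*/}" >&2
  exit 1
fi

#######################################
# Create a self-signed CA key and certificate using the test_ca extensions.
# Arguments: $1 - file prefix, also used as the CN suffix (e.g. server_ca)
# Outputs:   <prefix>_key.pem, <prefix>_cert.pem
#######################################
make_ca() {
  local -r prefix=$1
  openssl req -x509 \
    -newkey "rsa:${KEY_BITS}" \
    -nodes \
    -days "${VALIDITY_DAYS}" \
    -keyout "${prefix}_key.pem" \
    -out "${prefix}_cert.pem" \
    -subj "${SUBJECT_PREFIX}/CN=test-${prefix}/" \
    -config ./openssl.cnf \
    -extensions test_ca
}

#######################################
# Create a key and CSR, sign the CSR with the given CA, then verify the chain.
# Arguments: $1 - leaf name, also used as the CN suffix (e.g. server1)
#            $2 - CA file prefix (e.g. server_ca)
#            $3 - openssl.cnf extension section (test_server or test_client)
# Outputs:   <name>_key.pem, <name>_csr.pem, <name>_cert.pem
#######################################
issue_leaf() {
  local -r name=$1 ca=$2 ext=$3
  openssl genrsa -out "${name}_key.pem" "${KEY_BITS}"
  # -days is not passed here: `openssl req` ignores it unless -x509 is given.
  # The validity period is set when the CSR is signed below.
  openssl req -new \
    -key "${name}_key.pem" \
    -out "${name}_csr.pem" \
    -subj "${SUBJECT_PREFIX}/CN=test-${name}/" \
    -config ./openssl.cnf \
    -reqexts "${ext}"
  # `openssl x509 -req` does not copy extensions from the CSR by default, so
  # the same section is applied again through -extfile/-extensions.
  openssl x509 -req \
    -in "${name}_csr.pem" \
    -CAkey "${ca}_key.pem" \
    -CA "${ca}_cert.pem" \
    -days "${VALIDITY_DAYS}" \
    -set_serial "${LEAF_SERIAL}" \
    -out "${name}_cert.pem" \
    -extfile ./openssl.cnf \
    -extensions "${ext}"
  # With `set -e` a non-zero exit from verify aborts the run, so a leaf that
  # does not chain to its CA is not silently kept.
  openssl verify -verbose -CAfile "${ca}_cert.pem" "${name}_cert.pem"
}

#######################################
# Create a self-signed certificate whose subjectAltName is the given URI list.
# Uses -addext, which needs OpenSSL 1.1.1 or later.
# Arguments: $1 - file prefix
#            $2 - subjectAltName value (e.g. "URI:spiffe://...")
# Outputs:   <prefix>_key.pem, <prefix>_cert.pem
#######################################
make_uri_san_cert() {
  local -r prefix=$1 san=$2
  openssl req -x509 \
    -newkey "rsa:${KEY_BITS}" \
    -keyout "${prefix}_key.pem" \
    -out "${prefix}_cert.pem" \
    -nodes \
    -days "${VALIDITY_DAYS}" \
    -subj "${SUBJECT_PREFIX}/CN=test-client1/" \
    -addext "subjectAltName = ${san}"
}

# Create the server CA certs.
make_ca server_ca

# Create the client CA certs.
make_ca client_ca

# Generate two server certs.
issue_leaf server1 server_ca test_server
issue_leaf server2 server_ca test_server

# Generate two client certs.
issue_leaf client1 client_ca test_client
issue_leaf client2 client_ca test_client

# Generate a cert with SPIFFE ID.
make_uri_san_cert spiffe 'URI:spiffe://foo.bar.com/client/workload/1'

# Generate a cert with SPIFFE ID and another SAN URI field (which doesn't meet
# SPIFFE specs).
make_uri_san_cert multiple_uri \
  'URI:spiffe://foo.bar.com/client/workload/1, URI:https://bar.baz.com/client'

# Cleanup the CSRs. The ./ prefix and -- keep a file name that starts with
# '-' from being parsed as an option to rm.
rm -- ./*_csr.pem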