github.com/uber/kraken@v0.1.4/test/tls/README.md

1. Create a self-signed certificate for server:
# First create a private key. -aes256 encrypts it with a passphrase (see step 4).
$ openssl genrsa -aes256 -out server.key 4096
# Create a signing request.
$ openssl req -new -key server.key -out server.csr
```
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Uber
Organizational Unit Name (eg, section) []:cluster-mgmt
Common Name (e.g. server FQDN or YOUR name) []:kraken
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
# Generate the cert. server.key signs its own request, so server.crt is self-signed.
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

2. Create a client certificate signed by the server certificate (server.crt acts as the CA):
$ openssl genrsa -aes256 -out client.key 4096
$ openssl req -new -key client.key -out client.csr
```
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Uber
Organizational Unit Name (eg, section) []:kraken
Common Name (e.g. server FQDN or YOUR name) []:kraken
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
Notice the difference in Organizational Unit Name. The client's subject DN must differ from the subject DN of server.crt: OpenSSL treats a certificate whose issuer DN equals its own subject DN (and that carries no authority key identifier) as self-signed, so with identical DNs the `openssl verify` in step 3 would report client.crt as an untrusted self-signed certificate instead of chaining it to server.crt.
# Sign the request with server.key. -CAcreateserial writes the serial number file server.srl.
$ openssl x509 -req -days 365 -in client.csr -CA server.crt -CAkey server.key -CAcreateserial -out client.crt

3. Verify that client.crt chains to server.crt:
$ openssl verify -verbose -CAfile server.crt client.crt

4. Decrypt the client key. curl can read a passphrase-protected key only when given `--pass`, and Go's `tls.LoadX509KeyPair` cannot read one at all, so the test client needs an unencrypted copy:
$ openssl rsa -in client.key -out client_decrypted.key

5. Both client and server should enforce verification.
- In the Go `tls.Config`, the client keeps `InsecureSkipVerify` at `false` and trusts server.crt through `RootCAs`; the server sets `ClientAuth` to `tls.RequireAndVerifyClientCert` and trusts server.crt through `ClientCAs`, since that is the CA that signed client.crt. Note that Go checks `ServerName` against the server certificate's Subject Alternative Names, not its Common Name, so a certificate meant for real clients needs a SAN.
- In the nginx config, `ssl_verify_client` should be `on`, with `ssl_client_certificate` pointing at server.crt.
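
The five steps above carried out in Go, as an added example that is not code from the kraken repository: it builds the same two-certificate hierarchy in memory (server.crt self-signed and acting as the CA for client.crt), wires both `tls.Config`s the way step 5 requires, and runs three handshakes over a loopback TCP socket to show that the enforcement actually rejects the two bad cases. Assumptions that are not in the README: P-256 ECDSA keys instead of passphrase-protected RSA-4096 files (so step 4 has no equivalent here), a `kraken` DNS SAN on both certificates because Go matches `ServerName` against SANs rather than the CN, and a fixture that panics on key or certificate generation errors.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate for subject. With parent == nil the result is
// self-signed and marked as a CA (step 1, server.crt); otherwise it is signed by parentKey, the
// in-memory equivalent of "-CA server.crt -CAkey server.key" (step 2, client.crt).
func issue(serial int64, subject pkix.Name, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) } // assumption: a test fixture cannot continue without its keys, so it panics
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour), // "-days 365"
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: parent == nil,
		DNSNames: []string{"kraken"}, // assumed SAN: Go matches ServerName against SANs, never against the CN
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed: the template is its own parent and must be allowed to sign certificates
		signer, signerKey = tmpl, key
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// Setup is the hierarchy of steps 1 and 2: server.crt is the server's identity and also the CA
// behind client.crt, so the same certificate is the trust anchor on both sides.
type Setup struct {
	serverCert, clientCert *x509.Certificate
	serverKey, clientKey   *ecdsa.PrivateKey
	Trust                  *x509.CertPool // server.crt as a trust store (the client's RootCAs, the server's ClientCAs)
}

func NewSetup() *Setup {
	dn := pkix.Name{Country: []string{"US"}, Organization: []string{"Uber"}, OrganizationalUnit: []string{"cluster-mgmt"}, CommonName: "kraken"}
	sc, sk := issue(1, dn, nil, nil)
	dn.OrganizationalUnit = []string{"kraken"} // the subject DN must differ from the issuer DN (step 2)
	cc, ck := issue(2, dn, sc, sk)
	trust := x509.NewCertPool()
	trust.AddCert(sc)
	return &Setup{sc, cc, sk, ck, trust}
}

// Handshake runs one TLS handshake over loopback TCP between a server configured as in step 5 and
// a client that presents client.crt only if withClientCert and trusts server.crt only if trustServer.
// It returns nil only when both peers accepted each other.
func (s *Setup) Handshake(withClientCert, trustServer bool) error {
	serverCfg := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: s.Trust, // step 5
		Certificates: []tls.Certificate{{Certificate: [][]byte{s.serverCert.Raw}, PrivateKey: s.serverKey}}}
	roots := x509.NewCertPool() // empty pool: the client trusts nobody
	if trustServer {
		roots = s.Trust
	}
	clientCfg := &tls.Config{ServerName: "kraken", RootCAs: roots, InsecureSkipVerify: false} // step 5, spelled out
	if withClientCert {
		clientCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{s.clientCert.Raw}, PrivateKey: s.clientKey}}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	errc := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			err = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
		errc <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // Dial also runs the client-side handshake
	if err == nil {
		conn.Close()
		err = <-errc // the client accepted the server; report whether the server accepted the client
	}
	return err
}

func main() {
	s := NewSetup()
	fmt.Println("mutual TLS:", s.Handshake(true, true), "| no client cert:", s.Handshake(false, true), "| untrusted server:", s.Handshake(true, false))
}
```

`go run` prints the three outcomes: the first handshake returns nil, the second fails on the server side because no client certificate was presented, and the third fails on the client side with an unknown-authority error. The helper reports the server's verdict after a successful client handshake on purpose: with TLS 1.3 the client's handshake completes as soon as it has sent its own Finished message, so a client that omits its certificate only learns of the server's rejection on its first read.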