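#!/bin/bash
#
# testdata/x509/create.sh
#
# Regenerates the X.509 test fixtures with openssl: one CA for servers, one CA
# for clients, and two server leaf certificates signed by the server CA.
# Run it from the directory that holds openssl.cnf; every output file is
# written to the current directory.
#
# Private keys are written unencrypted (-nodes, plain genrsa): these are test
# fixtures, not credentials.

# Stop at the first failing command. Without this a failed step is skipped
# silently and later steps can pair a stale certificate with a fresh key or CA.
set -euo pipefail

# Create the server CA and the client CA.
# Each is a self-signed certificate (req -x509) valid for 3650 days. The
# test_ca extension section comes from ./openssl.cnf, which is not shown here.
for side in server client; do
  openssl req -x509 \
    -newkey rsa:4096 \
    -nodes \
    -days 3650 \
    -keyout "${side}_ca_key.pem" \
    -out "${side}_ca_cert.pem" \
    -subj "/C=US/ST=CA/L=SVL/O=gRPC/CN=test-${side}_ca/" \
    -config ./openssl.cnf \
    -extensions test_ca \
    -sha256
done

# Generate two server certs.
# Per certificate: new 4096-bit RSA key, CSR, certificate signed by the server
# CA, then a chain check against that CA.
#
# The CSR step no longer passes -days: openssl ignores it unless -x509 is
# given, and the validity period is set by the signing step below.
#
# -extfile/-extensions are repeated on the signing step because x509 -req does
# not carry the CSR's requested extensions into the certificate on its own.
#
# NOTE(review): both certificates get serial 1000 from the same issuer.
# RFC 5280 expects serial numbers to be unique per CA, and anything that
# identifies a certificate by issuer + serial (for example a CRL entry) cannot
# tell server1 from server2. Left unchanged because other fixtures may depend
# on the value; confirm before changing it.
for name in server1 server2; do
  openssl genrsa -out "${name}_key.pem" 4096
  openssl req -new \
    -key "${name}_key.pem" \
    -out "${name}_csr.pem" \
    -subj "/C=US/ST=CA/L=SVL/O=gRPC/CN=test-${name}/" \
    -config ./openssl.cnf \
    -reqexts test_server
  openssl x509 -req \
    -in "${name}_csr.pem" \
    -CAkey server_ca_key.pem \
    -CA server_ca_cert.pem \
    -days 3650 \
    -set_serial 1000 \
    -out "${name}_cert.pem" \
    -extfile ./openssl.cnf \
    -extensions test_server \
    -sha256
  openssl verify -verbose -CAfile server_ca_cert.pem "${name}_cert.pem"
done

# Generate two client certs.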
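# Per certificate: new 4096-bit RSA key, CSR, certificate signed by the client
# CA created earlier in this script, then a chain check against that CA.
# Every step ends in `|| exit 1` so a failure cannot leave a stale *_cert.pem
# from a previous run paired with a freshly generated key.
#
# The CSR step no longer passes -days: openssl ignores it unless -x509 is
# given, and the validity period is set by the signing step.
#
# NOTE(review): both certificates get serial 1000 from the same issuer.
# RFC 5280 expects serial numbers to be unique per CA, and anything that
# identifies a certificate by issuer + serial (for example a CRL entry) cannot
# tell client1 from client2. Left unchanged because other fixtures may depend
# on the value; confirm before changing it.
for name in client1 client2; do
  openssl genrsa -out "${name}_key.pem" 4096 || exit 1
  openssl req -new \
    -key "${name}_key.pem" \
    -out "${name}_csr.pem" \
    -subj "/C=US/ST=CA/L=SVL/O=gRPC/CN=test-${name}/" \
    -config ./openssl.cnf \
    -reqexts test_client || exit 1
  openssl x509 -req \
    -in "${name}_csr.pem" \
    -CAkey client_ca_key.pem \
    -CA client_ca_cert.pem \
    -days 3650 \
    -set_serial 1000 \
    -out "${name}_cert.pem" \
    -extfile ./openssl.cnf \
    -extensions test_client \
    -sha256 || exit 1
  openssl verify -verbose -CAfile client_ca_cert.pem "${name}_cert.pem" || exit 1
done

# Generate a cert with SPIFFE ID.
# Self-signed (req -x509, no CA involved) with a single URI SAN that carries
# the SPIFFE ID. -addext needs OpenSSL 1.1.1 or newer. No -config is given, so
# the system default openssl configuration applies to this certificate.
openssl req -x509 \
  -newkey rsa:4096 \
  -keyout spiffe_key.pem \
  -out spiffe_cert.pem \
  -nodes \
  -days 3650 \
  -subj "/C=US/ST=CA/L=SVL/O=gRPC/CN=test-client1/" \
  -addext "subjectAltName = URI:spiffe://foo.bar.com/client/workload/1" \
  -sha256 || exit 1

# Generate a cert with SPIFFE ID and another SAN URI field (which doesn't meet SPIFFE specs).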
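# Self-signed certificate with two URI SANs: the SPIFFE ID plus an https URI.
# It is the negative fixture for code that must reject a certificate carrying
# more than one URI SAN when extracting a SPIFFE ID.
openssl req -x509 \
  -newkey rsa:4096 \
  -keyout multiple_uri_key.pem \
  -out multiple_uri_cert.pem \
  -nodes \
  -days 3650 \
  -subj "/C=US/ST=CA/L=SVL/O=gRPC/CN=test-client1/" \
  -addext "subjectAltName = URI:spiffe://foo.bar.com/client/workload/1, URI:https://bar.baz.com/client" \
  -sha256 || exit 1

# Generate a cert with SPIFFE ID using client_with_spiffe_openssl.cnf
#
# Nothing in this script creates client_with_spiffe_key.pem; presumably it is
# kept next to the script. Create one only when it is absent, so the CSR step
# does not fail in a clean directory and an existing key is never replaced.
if [[ ! -f client_with_spiffe_key.pem ]]; then
  openssl genrsa -out client_with_spiffe_key.pem 4096 || exit 1
fi
openssl req -new \
  -key client_with_spiffe_key.pem \
  -out client_with_spiffe_csr.pem \
  -subj "/C=US/ST=CA/L=SVL/O=gRPC/CN=test-client1/" \
  -config ./client_with_spiffe_openssl.cnf \
  -reqexts test_client || exit 1
# NOTE(review): serial 1000 is also used for the other certificates signed by
# the client CA in this script, so issuer + serial does not identify this
# certificate uniquely. Left unchanged; confirm before changing it.
openssl x509 -req \
  -in client_with_spiffe_csr.pem \
  -CAkey client_ca_key.pem \
  -CA client_ca_cert.pem \
  -days 3650 \
  -set_serial 1000 \
  -out client_with_spiffe_cert.pem \
  -extfile ./client_with_spiffe_openssl.cnf \
  -extensions test_client \
  -sha256 || exit 1
# Check the new certificate against the CA that signed it. The previous
# command passed the leaf itself as -CAfile and named no certificate to check,
# so openssl read the certificate from stdin and the chain was never verified.
openssl verify -verbose -CAfile client_ca_cert.pem client_with_spiffe_cert.pem || exit 1

# Cleanup the CSRs.
# -f keeps a rerun from failing when no CSR is left; ./ and -- keep a file
# name that starts with '-' from being read as an option.
rm -f -- ./*_csr.pem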