Repository: qpid-dispatch Updated Branches: refs/heads/master 7e6a9156b -> 7ff381269
NO-JIRA - Modified gencerts_openssl.sh to include creation of an intermediate CA and create the certs from it
Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/7ff38126
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/7ff38126
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/7ff38126
Branch: refs/heads/master
Commit: 7ff38126966b34ca7c2170047d65afc0279e40aa
Parents: 7e6a915
Author: Ganesh Murthy <[email protected]>
Authored: Mon Jun 27 09:12:34 2016 -0400
Committer: Ganesh Murthy <[email protected]>
Committed: Mon Jun 27 09:12:34 2016 -0400
----------------------------------------------------------------------
tests/ssl_certs/gencerts_openssl.sh | 40 ++++++++++++++++++++++++++------
tests/ssl_certs/v3_ca.ext | 1 +
2 files changed, 34 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/7ff38126/tests/ssl_certs/gencerts_openssl.sh
----------------------------------------------------------------------
diff --git a/tests/ssl_certs/gencerts_openssl.sh b/tests/ssl_certs/gencerts_openssl.sh
index 2b20c93..e45d141 100755
--- a/tests/ssl_certs/gencerts_openssl.sh
+++ b/tests/ssl_certs/gencerts_openssl.sh
@@ -1,6 +1,6 @@
 #!/bin/bash -ex
 
-# Creates a root CA and creates password protected server and client certificates using openssl commands
+# Creates a root CA and intermediate CA and creates password protected server and client certificates using openssl commands
 
 ##### Create root CA #####
 # Create a password protected private key for root CA
@@ -9,16 +9,36 @@ openssl genrsa -aes256 -passout pass:ca-password -out ca-private-key.pem 4096
 # Use the private key to create a root CA cert
 openssl req -key ca-private-key.pem -new -x509 -days 99999 -sha256 -out ca-certificate.pem -passin pass:ca-password -subj "/C=US/ST=New York/L=Brooklyn/O=Trust Me Inc./CN=Trusted.CA.com"
 
-##### Create a server certificate signed by the root CA #####
+
+
+##### Create an intermediate CA #####
+# Create a password protected private key for the intermediate CA
+openssl genrsa -aes256 -passout pass:intermediate-ca-password -out intermediate-ca-private-key.pem 4096
+
+# Create a CSR using the private key created from the previous step
+openssl req -new -key intermediate-ca-private-key.pem -passin pass:intermediate-ca-password -out intermediate.csr -subj "/C=US/ST=FL/L=Miami/O=Server/CN=Trusted.IntermediateCA.com"
+
+# Create the intermediate signed certificate signed by the root CA
+# Note here that the v3_ca.ext file sets basicConstraints=critical, CA:true which means that the issued certificate is for a Certificate Authority, in this case an intermediate CA
+# and this certificate must not be used to create further CA certificates
+openssl x509 -req -in intermediate.csr -CA ca-certificate.pem -CAkey ca-private-key.pem -CAcreateserial -days 9999 -out intermediate-ca-certificate.pem -passin pass:ca-password -extfile v3_ca.ext
+
+# Concatenate the intermediate-ca-certificate.pem and ca-certificate.pem to form the ca-chain-cert.pem
+cat ca-certificate.pem intermediate-ca-certificate.pem > ca-chain-cert.pem
+
+
+
+##### Create a server certificate signed by the intermediate CA #####
 # Create a password protected server private key which will be used to create the server certificate
 openssl genrsa -aes256 -passout pass:server-password -out server-private-key.pem 4096
 
 # Create a CSR using the private key created from the previous step
-openssl req -new -key server-private-key.pem -passin pass:server-password -out server.csr -subj "/C=US/ST=CA/L=San Francisco/O=Server/CN=127.0.0.1"
+openssl req -new -key server-private-key.pem -passin pass:server-password -out server.csr -subj "/C=US/ST=CA/L=San Francisco/O=Server/CN=server.com"
 
 # Now the CSR has been created and must be sent to the CA.
-# The root CA receives the CSR and runs this command to create a server certificate (server-certificate.pem)
-openssl x509 -req -in server.csr -CA ca-certificate.pem -CAkey ca-private-key.pem -CAcreateserial -days 9999 -out server-certificate.pem -passin pass:ca-password
+# The intermediate CA receives the CSR and runs this command to create a server certificate (server-certificate.pem)
+openssl x509 -req -in server.csr -CA intermediate-ca-certificate.pem -CAkey intermediate-ca-private-key.pem -CAcreateserial -days 9999 -out server-certificate.pem -passin pass:intermediate-ca-password
+
 
 
 ##### Create a client certificate signed by the root CA #####
@@ -26,8 +46,14 @@ openssl x509 -req -in server.csr -CA ca-certificate.pem -CAkey ca-private-key.pe
 openssl genrsa -aes256 -passout pass:client-password -out client-private-key.pem 4096
 
 # Create a CSR using the client private key created from the previous step
-openssl req -new -key client-private-key.pem -passin pass:client-password -out client.csr -subj "/C=US/ST=CA/L=San Francisco/O=Client/CN=127.0.0.1"
+openssl req -new -key client-private-key.pem -passin pass:client-password -out client.csr -subj "/C=US/ST=CA/L=San Francisco/O=Client/CN=client.com"
 
 # Now the CSR has been created and must be sent to the CA.
 # The root CA receives the CSR and runs this command to create a client certificate (client_certificate.pem)
-openssl x509 -req -in client.csr -CA ca-certificate.pem -CAkey ca-private-key.pem -CAcreateserial -days 9999 -out client-certificate.pem -passin pass:ca-password
\ No newline at end of file
+openssl x509 -req -in client.csr -CA intermediate-ca-certificate.pem -CAkey intermediate-ca-private-key.pem -CAcreateserial -days 9999 -out client-certificate.pem -passin pass:intermediate-ca-password
+
+
+# Verify the certs with the cert chain
+openssl verify -verbose -CAfile ca-chain-cert.pem server-certificate.pem
+openssl verify -verbose -CAfile ca-chain-cert.pem client-certificate.pem
+openssl verify -verbose -CAfile ca-chain-cert.pem intermediate-ca-certificate.pem
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/7ff38126/tests/ssl_certs/v3_ca.ext
----------------------------------------------------------------------
diff --git a/tests/ssl_certs/v3_ca.ext b/tests/ssl_certs/v3_ca.ext
new file mode 100644
index 0000000..616de37
--- /dev/null
+++ b/tests/ssl_certs/v3_ca.ext
@@ -0,0 +1 @@
+basicConstraints=critical, CA:true
\ No newline at end of file
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
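Review bot: The context comment kept directly above the new client signing command, `# The root CA receives the CSR and runs this command to create a client certificate (client_certificate.pem)`, is now wrong on both counts: the command below it signs with `intermediate-ca-private-key.pem`, and the output file is `client-certificate.pem`; the unchanged section header `##### Create a client certificate signed by the root CA #####` just before this hunk is stale for the same reason. Change the comment to `# The intermediate CA receives the CSR and runs this command to create a client certificate (client-certificate.pem)` and the header to `##### Create a client certificate signed by the intermediate CA #####`, mirroring what the server section received in this commit. Like the server line, the client `openssl x509 -req` line carries no `-sha256`, so its signature digest depends on the local OpenSSL default rather than matching the root, which is explicitly SHA-256.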
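Review bot: `basicConstraints=critical, CA:true` in the new v3_ca.ext sets no path-length limit, so the intermediate it is applied to can itself issue further CA certificates, which contradicts the comment added in gencerts_openssl.sh that this certificate "must not be used to create further CA certificates". Nothing in the file constrains key usage either, so the intermediate key is not limited to certificate signing. Make the file `basicConstraints=critical, CA:true, pathlen:0` followed by `keyUsage=critical, keyCertSign, cRLSign`; `openssl x509 -req -extfile` adds only the extensions listed here, so the server and client signing lines, which pass no `-extfile`, are unaffected.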
