xtreemfs/tests/certs/client_ssl_test/README
2020-09-22 02:25:22 +02:00

60 lines
5.5 KiB
Plaintext

# As of today (20/11/2014), the certificates expire on 31/12/2099.
# Root CA, self signed
openssl req -new -newkey rsa:1024 -nodes -out CA_Root.req -keyout CA_Root.key -subj "/C=DE/ST=Berlin/L=Berlin/O=ZIB/CN=Root CA"
openssl x509 -trustout -signkey CA_Root.key -days 31087 -req -in CA_Root.req -out CA_Root.pem
echo "02" > CA_Root.srl
# Intermediate CA, signed by root
openssl req -new -newkey rsa:1024 -nodes -out CA_Intermediate.req -keyout CA_Intermediate.key -subj "/C=DE/ST=Berlin/L=Berlin/O=ZIB/CN=Intermediate CA"
openssl x509 -CA CA_Root.pem -CAkey CA_Root.key -CAserial CA_Root.srl -req -in CA_Intermediate.req -out CA_Intermediate.pem -days 31087
echo "42" > CA_Intermediate.srl
# Leaf CA, signed by intermediate
openssl req -new -newkey rsa:1024 -nodes -out CA_Leaf.req -keyout CA_Leaf.key -subj "/C=DE/ST=Berlin/L=Berlin/O=ZIB/CN=Leaf CA"
openssl x509 -CA CA_Intermediate.pem -CAkey CA_Intermediate.key -CAserial CA_Intermediate.srl -req -in CA_Leaf.req -out CA_Leaf.pem -days 31087
echo "82" > CA_Leaf.srl
# Sign each service twice, once with the root CA and once with the leaf CA
openssl req -new -newkey rsa:1024 -nodes -out DIR_Root.req -keyout DIR_Root.key -subj "/C=DE/ST=Berlin/L=Berlin/O=ZIB/CN=DIR (Root)"
openssl x509 -CA CA_Root.pem -CAkey CA_Root.key -CAserial CA_Root.srl -req -in DIR_Root.req -out DIR_Root.pem -days 31087
openssl req -new -newkey rsa:1024 -nodes -out DIR_Leaf.req -keyout DIR_Leaf.key -subj "/C=DE/ST=Berlin/L=Berlin/O=ZIB/CN=DIR (Leaf)"
openssl x509 -CA CA_Leaf.pem -CAkey CA_Leaf.key -CAserial CA_Leaf.srl -req -in DIR_Leaf.req -out DIR_Leaf.pem -days 31087
openssl req -new -newkey rsa:1024 -nodes -out MRC_Root.req -keyout MRC_Root.key -subj "/C=DE/ST=Berlin/L=Berlin/O=ZIB/CN=MRC (Root)"
openssl x509 -CA CA_Root.pem -CAkey CA_Root.key -CAserial CA_Root.srl -req -in MRC_Root.req -out MRC_Root.pem -days 31087
openssl req -new -newkey rsa:1024 -nodes -out MRC_Leaf.req -keyout MRC_Leaf.key -subj "/C=DE/ST=Berlin/L=Berlin/O=ZIB/CN=MRC (Leaf)"
openssl x509 -CA CA_Leaf.pem -CAkey CA_Leaf.key -CAserial CA_Leaf.srl -req -in MRC_Leaf.req -out MRC_Leaf.pem -days 31087
openssl req -new -newkey rsa:1024 -nodes -out OSD_Root.req -keyout OSD_Root.key -subj "/C=DE/ST=Berlin/L=Berlin/O=ZIB/CN=OSD (Root)"
openssl x509 -CA CA_Root.pem -CAkey CA_Root.key -CAserial CA_Root.srl -req -in OSD_Root.req -out OSD_Root.pem -days 31087
openssl req -new -newkey rsa:1024 -nodes -out OSD_Leaf.req -keyout OSD_Leaf.key -subj "/C=DE/ST=Berlin/L=Berlin/O=ZIB/CN=OSD (Leaf)"
openssl x509 -CA CA_Leaf.pem -CAkey CA_Leaf.key -CAserial CA_Leaf.srl -req -in OSD_Leaf.req -out OSD_Leaf.pem -days 31087
openssl req -new -newkey rsa:1024 -nodes -out Client_Root.req -keyout Client_Root.key -subj "/C=DE/ST=Berlin/L=Berlin/O=ZIB/CN=Client (Root)"
openssl x509 -CA CA_Root.pem -CAkey CA_Root.key -CAserial CA_Root.srl -req -in Client_Root.req -out Client_Root.pem -days 31087
openssl req -new -newkey rsa:1024 -nodes -out Client_Leaf.req -keyout Client_Leaf.key -subj "/C=DE/ST=Berlin/L=Berlin/O=ZIB/CN=Client (Leaf)"
openssl x509 -CA CA_Leaf.pem -CAkey CA_Leaf.key -CAserial CA_Leaf.srl -req -in Client_Leaf.req -out Client_Leaf.pem -days 31087
# PCKS#12 export
openssl pkcs12 -export -in DIR_Root.pem -inkey DIR_Root.key -out DIR_Root.p12 -name "DIR (Root signed)" -passout "pass:dir_root"
openssl pkcs12 -export -in DIR_Leaf.pem -inkey DIR_Leaf.key -out DIR_Leaf.p12 -name "DIR (Leaf signed)" -passout "pass:dir_leaf"
openssl pkcs12 -export -in MRC_Root.pem -inkey MRC_Root.key -out MRC_Root.p12 -name "MRC (Root signed)" -passout "pass:mrc_root"
openssl pkcs12 -export -in MRC_Leaf.pem -inkey MRC_Leaf.key -out MRC_Leaf.p12 -name "MRC (Leaf signed)" -passout "pass:mrc_leaf"
openssl pkcs12 -export -in OSD_Root.pem -inkey OSD_Root.key -out OSD_Root.p12 -name "OSD (Root signed)" -passout "pass:osd_root"
openssl pkcs12 -export -in OSD_Leaf.pem -inkey OSD_Leaf.key -out OSD_Leaf.p12 -name "OSD (Leaf signed)" -passout "pass:osd_leaf"
# Boatloads of client exports.
cat CA_Leaf.pem CA_Intermediate.pem CA_Root.pem > CA_Chain.pem
openssl pkcs12 -export -in Client_Root.pem -inkey Client_Root.key -out Client_Root.p12 -name "Client (Root signed)" -passout "pass:"
openssl pkcs12 -export -in Client_Root.pem -inkey Client_Root.key -out Client_Root_Chain.p12 -name "Client (Root signed, full chain)" -passout "pass:" -certfile CA_Chain.pem
openssl pkcs12 -export -in Client_Root.pem -inkey Client_Root.key -out Client_Root_Root.p12 -name "Client (Root signed, root CA)" -passout "pass:" -certfile CA_Root.pem
openssl pkcs12 -export -in Client_Root.pem -inkey Client_Root.key -out Client_Root_Leaf.p12 -name "Client (Root signed, leaf CA)" -passout "pass:" -certfile CA_Leaf.pem
openssl pkcs12 -export -in Client_Leaf.pem -inkey Client_Leaf.key -out Client_Leaf.p12 -name "Client (Leaf signed)" -passout "pass:"
openssl pkcs12 -export -in Client_Leaf.pem -inkey Client_Leaf.key -out Client_Leaf_Chain.p12 -name "Client (Leaf signed, full chain)" -passout "pass:" -certfile CA_Chain.pem
openssl pkcs12 -export -in Client_Leaf.pem -inkey Client_Leaf.key -out Client_Leaf_Root.p12 -name "Client (Leaf signed, root CA)" -passout "pass:" -certfile CA_Root.pem
openssl pkcs12 -export -in Client_Leaf.pem -inkey Client_Leaf.key -out Client_Leaf_Leaf.p12 -name "Client (Leaf signed, leaf CA)" -passout "pass:" -certfile CA_Leaf.pem
# Two keystores, passwords just like their names without the .jks extension
keytool -import -alias CA_Root -keystore trusted_root.jks -trustcacerts -file CA_Root.pem
keytool -import -alias CA_Leaf -keystore trusted_leaf.jks -trustcacerts -file CA_Leaf.pem