mongoose/test/certs/generate.sh

37 lines
1.3 KiB
Bash
Raw Normal View History

2024-03-25 08:34:05 +00:00
#/bin/sh
#
# Geneate self-signed ECC certificates
cd `dirname $0`
# Create cnf for adding SAN DNS:localhost
# See https://security.stackexchange.com/questions/190905/subject-alternative-name-in-certificate-signing-request-apparently-does-not-surv
cat > cnf <<EOF
[SAN]
subjectAltName=DNS:localhost
EOF
# Generate CA
# Important: CN names must be different for CA and client/server certs
openssl ecparam -noout -name prime256v1 -genkey -out ca.key
openssl req -x509 -new -key ca.key -days 3650 -subj /CN=Mongoose -out ca.crt
# Generate server cert
openssl ecparam -noout -name prime256v1 -genkey -out server.key
2024-05-07 15:40:13 +01:00
openssl req -new -sha256 -key server.key -days 3650 -subj /CN=server -out server.csr
2024-03-25 08:34:05 +00:00
openssl x509 -req -sha256 -in server.csr -extensions SAN -extfile cnf \
2024-05-07 15:40:13 +01:00
-CAkey ca.key -CA ca.crt -CAcreateserial -days 3650 -out server.crt
2024-03-25 08:34:05 +00:00
# Generate client cert
openssl ecparam -noout -name prime256v1 -genkey -out client.key
2024-05-07 15:40:13 +01:00
openssl req -new -sha256 -key client.key -days 3650 -subj /CN=client -out client.csr
2024-03-25 08:34:05 +00:00
openssl x509 -req -sha256 -in client.csr -extensions SAN -extfile cnf \
2024-05-07 15:40:13 +01:00
-CAkey ca.key -CA ca.crt -CAcreateserial -days 3650 -out client.crt
2024-03-25 08:34:05 +00:00
# Verify
openssl verify -verbose -CAfile ca.crt server.crt
openssl verify -verbose -CAfile ca.crt client.crt
# Inspect
# openssl x509 -text -noout -ext subjectAltName -in server.crt