test/certs/setup.sh: structural cleanup
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14413)
This commit is contained in:
Dr. David von Oheimb
Tomas Mraz
parent
a485561b2e
commit
4f449d90dd
@ -1,14 +1,13 @@
|
||||
#! /bin/bash
|
||||
|
||||
# Primary root: root-cert
|
||||
# root cert variants: CA:false, key2, DN2
|
||||
# trust variants: +serverAuth -serverAuth +clientAuth -clientAuth +anyEKU -anyEKU
|
||||
#
|
||||
./mkcert.sh genroot "Root CA" root-key root-cert
|
||||
# root cert variants: CA:false, key2, DN2, expired
|
||||
./mkcert.sh genss "Root CA" root-key root-nonca
|
||||
./mkcert.sh genroot "Root CA" root-key2 root-cert2
|
||||
./mkcert.sh genroot "Root Cert 2" root-key root-name2
|
||||
#
|
||||
DAYS=-1 ./mkcert.sh genroot "Root CA" root-key root-expired
|
||||
# trust variants: +serverAuth -serverAuth +clientAuth -clientAuth,
|
||||
openssl x509 -in root-cert.pem -trustout \
|
||||
-addtrust serverAuth -out root+serverAuth.pem
|
||||
openssl x509 -in root-cert.pem -trustout \
|
||||
@ -17,16 +16,19 @@ openssl x509 -in root-cert.pem -trustout \
|
||||
-addtrust clientAuth -out root+clientAuth.pem
|
||||
openssl x509 -in root-cert.pem -trustout \
|
||||
-addreject clientAuth -out root-clientAuth.pem
|
||||
openssl x509 -in root-cert.pem -trustout \
|
||||
-addreject anyExtendedKeyUsage -out root-anyEKU.pem
|
||||
# trust variants: +anyEKU -anyEKU
|
||||
openssl x509 -in root-cert.pem -trustout \
|
||||
-addtrust anyExtendedKeyUsage -out root+anyEKU.pem
|
||||
openssl x509 -in root-cert.pem -trustout \
|
||||
-addreject anyExtendedKeyUsage -out root-anyEKU.pem
|
||||
# root-cert2 trust variants: +serverAuth -serverAuth +clientAuth
|
||||
openssl x509 -in root-cert2.pem -trustout \
|
||||
-addtrust serverAuth -out root2+serverAuth.pem
|
||||
openssl x509 -in root-cert2.pem -trustout \
|
||||
-addreject serverAuth -out root2-serverAuth.pem
|
||||
openssl x509 -in root-cert2.pem -trustout \
|
||||
-addtrust clientAuth -out root2+clientAuth.pem
|
||||
# root-nonca trust variants: +serverAuth +anyEKU
|
||||
openssl x509 -in root-nonca.pem -trustout \
|
||||
-addtrust serverAuth -out nroot+serverAuth.pem
|
||||
openssl x509 -in root-nonca.pem -trustout \
|
||||
@ -41,10 +43,8 @@ OPENSSL_KEYBITS=768 \
|
||||
./mkcert.sh genroot "Root CA" root-key-768 root-cert-768
|
||||
|
||||
# primary client-EKU root: croot-cert
|
||||
# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU
|
||||
#
|
||||
./mkcert.sh genroot "Root CA" root-key croot-cert clientAuth
|
||||
#
|
||||
# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU
|
||||
openssl x509 -in croot-cert.pem -trustout \
|
||||
-addtrust serverAuth -out croot+serverAuth.pem
|
||||
openssl x509 -in croot-cert.pem -trustout \
|
||||
@ -53,16 +53,14 @@ openssl x509 -in croot-cert.pem -trustout \
|
||||
-addtrust clientAuth -out croot+clientAuth.pem
|
||||
openssl x509 -in croot-cert.pem -trustout \
|
||||
-addreject clientAuth -out croot-clientAuth.pem
|
||||
openssl x509 -in croot-cert.pem -trustout \
|
||||
-addreject anyExtendedKeyUsage -out croot-anyEKU.pem
|
||||
openssl x509 -in croot-cert.pem -trustout \
|
||||
-addtrust anyExtendedKeyUsage -out croot+anyEKU.pem
|
||||
openssl x509 -in croot-cert.pem -trustout \
|
||||
-addreject anyExtendedKeyUsage -out croot-anyEKU.pem
|
||||
|
||||
# primary server-EKU root: sroot-cert
|
||||
# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU
|
||||
#
|
||||
./mkcert.sh genroot "Root CA" root-key sroot-cert serverAuth
|
||||
#
|
||||
# trust variants: +serverAuth -serverAuth +clientAuth -clientAuth +anyEKU -anyEKU
|
||||
openssl x509 -in sroot-cert.pem -trustout \
|
||||
-addtrust serverAuth -out sroot+serverAuth.pem
|
||||
openssl x509 -in sroot-cert.pem -trustout \
|
||||
@ -71,24 +69,21 @@ openssl x509 -in sroot-cert.pem -trustout \
|
||||
-addtrust clientAuth -out sroot+clientAuth.pem
|
||||
openssl x509 -in sroot-cert.pem -trustout \
|
||||
-addreject clientAuth -out sroot-clientAuth.pem
|
||||
openssl x509 -in sroot-cert.pem -trustout \
|
||||
-addreject anyExtendedKeyUsage -out sroot-anyEKU.pem
|
||||
openssl x509 -in sroot-cert.pem -trustout \
|
||||
-addtrust anyExtendedKeyUsage -out sroot+anyEKU.pem
|
||||
openssl x509 -in sroot-cert.pem -trustout \
|
||||
-addreject anyExtendedKeyUsage -out sroot-anyEKU.pem
|
||||
|
||||
# Primary intermediate ca: ca-cert
|
||||
# ca variants: CA:false, key2, DN2, issuer2, expired
|
||||
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, -anyEKU, +anyEKU
|
||||
#
|
||||
./mkcert.sh genca "CA" ca-key ca-cert root-key root-cert
|
||||
DAYS=-1 ./mkcert.sh genroot "Root CA" root-key root-expired
|
||||
# ca variants: CA:false, key2, DN2, issuer2, expired
|
||||
./mkcert.sh genee "CA" ca-key ca-nonca root-key root-cert
|
||||
./mkcert.sh gen_nonbc_ca "CA" ca-key ca-nonbc root-key root-cert
|
||||
./mkcert.sh genca "CA" ca-key2 ca-cert2 root-key root-cert
|
||||
./mkcert.sh genca "CA2" ca-key ca-name2 root-key root-cert
|
||||
./mkcert.sh genca "CA" ca-key ca-root2 root-key2 root-cert2
|
||||
DAYS=-1 ./mkcert.sh genca "CA" ca-key ca-expired root-key root-cert
|
||||
#
|
||||
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
|
||||
openssl x509 -in ca-cert.pem -trustout \
|
||||
-addtrust serverAuth -out ca+serverAuth.pem
|
||||
openssl x509 -in ca-cert.pem -trustout \
|
||||
@ -97,10 +92,12 @@ openssl x509 -in ca-cert.pem -trustout \
|
||||
-addtrust clientAuth -out ca+clientAuth.pem
|
||||
openssl x509 -in ca-cert.pem -trustout \
|
||||
-addreject clientAuth -out ca-clientAuth.pem
|
||||
openssl x509 -in ca-cert.pem -trustout \
|
||||
-addreject anyExtendedKeyUsage -out ca-anyEKU.pem
|
||||
# trust variants: +anyEKU, -anyEKU
|
||||
openssl x509 -in ca-cert.pem -trustout \
|
||||
-addtrust anyExtendedKeyUsage -out ca+anyEKU.pem
|
||||
openssl x509 -in ca-cert.pem -trustout \
|
||||
-addreject anyExtendedKeyUsage -out ca-anyEKU.pem
|
||||
# ca-nonca trust variants: +serverAuth, -serverAuth
|
||||
openssl x509 -in ca-nonca.pem -trustout \
|
||||
-addtrust serverAuth -out nca+serverAuth.pem
|
||||
openssl x509 -in ca-nonca.pem -trustout \
|
||||
@ -123,10 +120,8 @@ OPENSSL_KEYBITS=768 \
|
||||
./mkcert.sh genca "CA" ca-key-ec-named ca-cert-ec-named root-key root-cert
|
||||
|
||||
# client intermediate ca: cca-cert
|
||||
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
|
||||
#
|
||||
./mkcert.sh genca -p clientAuth "CA" ca-key cca-cert root-key root-cert
|
||||
#
|
||||
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, +anyEKU, -anyEKU
|
||||
openssl x509 -in cca-cert.pem -trustout \
|
||||
-addtrust serverAuth -out cca+serverAuth.pem
|
||||
openssl x509 -in cca-cert.pem -trustout \
|
||||
@ -135,16 +130,14 @@ openssl x509 -in cca-cert.pem -trustout \
|
||||
-addtrust clientAuth -out cca+clientAuth.pem
|
||||
openssl x509 -in cca-cert.pem -trustout \
|
||||
-addtrust clientAuth -out cca-clientAuth.pem
|
||||
openssl x509 -in cca-cert.pem -trustout \
|
||||
-addreject anyExtendedKeyUsage -out cca-anyEKU.pem
|
||||
openssl x509 -in cca-cert.pem -trustout \
|
||||
-addtrust anyExtendedKeyUsage -out cca+anyEKU.pem
|
||||
openssl x509 -in cca-cert.pem -trustout \
|
||||
-addreject anyExtendedKeyUsage -out cca-anyEKU.pem
|
||||
|
||||
# server intermediate ca: sca-cert
|
||||
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, -anyEKU, +anyEKU
|
||||
#
|
||||
./mkcert.sh genca -p serverAuth "CA" ca-key sca-cert root-key root-cert
|
||||
#
|
||||
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, +anyEKU, -anyEKU
|
||||
openssl x509 -in sca-cert.pem -trustout \
|
||||
-addtrust serverAuth -out sca+serverAuth.pem
|
||||
openssl x509 -in sca-cert.pem -trustout \
|
||||
@ -153,24 +146,22 @@ openssl x509 -in sca-cert.pem -trustout \
|
||||
-addtrust clientAuth -out sca+clientAuth.pem
|
||||
openssl x509 -in sca-cert.pem -trustout \
|
||||
-addreject clientAuth -out sca-clientAuth.pem
|
||||
openssl x509 -in sca-cert.pem -trustout \
|
||||
-addreject anyExtendedKeyUsage -out sca-anyEKU.pem
|
||||
openssl x509 -in sca-cert.pem -trustout \
|
||||
-addtrust anyExtendedKeyUsage -out sca+anyEKU.pem
|
||||
openssl x509 -in sca-cert.pem -trustout \
|
||||
-addreject anyExtendedKeyUsage -out sca-anyEKU.pem
|
||||
|
||||
# Primary leaf cert: ee-cert
|
||||
# ee variants: expired, issuer-key2, issuer-name2, bad-pathlen
|
||||
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
|
||||
# purpose variants: client
|
||||
#
|
||||
# Primary leaf cert: ee-cert with default purpose: serverAuth
|
||||
./mkcert.sh genee server.example ee-key ee-cert ca-key ca-cert
|
||||
# ee variants: expired, issuer-key2, issuer-name2, bad-pathlen
|
||||
./mkcert.sh genee server.example ee-key ee-expired ca-key ca-cert -days -1
|
||||
./mkcert.sh genee server.example ee-key ee-cert2 ca-key2 ca-cert2
|
||||
./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2
|
||||
./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert
|
||||
./mkcert.sh genee server.example ee-key ee-pathlen ca-key ca-cert \
|
||||
-extfile <(echo "basicConstraints=CA:FALSE,pathlen:0") # bash needed here
|
||||
#
|
||||
-extfile <(echo "basicConstraints=CA:false,pathlen:0") # bash needed here
|
||||
# purpose variants: clientAuth
|
||||
./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert
|
||||
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
|
||||
openssl x509 -in ee-cert.pem -trustout \
|
||||
-addtrust serverAuth -out ee+serverAuth.pem
|
||||
openssl x509 -in ee-cert.pem -trustout \
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user