#!/bin/bash
# Generate some test certificates which are used by the regression test suite:
#
# tests/tls/ca.{crt,key} Self signed CA certificate.
# tests/tls/redis.{crt,key} A certificate with no key usage/policy restrictions.
# tests/tls/client.{crt,key} A certificate restricted for SSL client usage.
# tests/tls/server.{crt,key} A certificate restricted for SSL server usage.
# tests/tls/redis.dh DH Params file.
generate_cert() {
local name=$1
local cn="$2"
local opts="$3"
local keyfile=tests/tls/${name}.key
local certfile=tests/tls/${name}.crt
[ -f $keyfile ] || openssl genrsa -out $keyfile 2048
openssl req -x509 \
-new -sha256 \
-subj "/O=Redis Test/CN=$cn" \
-addext "subjectAltName=DNS:example.com,DNS:*.example.com,IP:127.0.0.1,IP:192.168.1.2,IP:0.0.0.0" \
-key $keyfile \
-CA tests/tls/ca.crt \
-CAkey tests/tls/ca.key \
-days 1 \
-out $certfile
}
mkdir -p tests/tls
[ -f tests/tls/ca.key ] || openssl genrsa -out tests/tls/ca.key 4096
openssl req \
-x509 -new -nodes -sha256 \
-key tests/tls/ca.key \
-days 3650 \
-subj '/O=Redis Test/CN=Certificate Authority' \
-out tests/tls/ca.crt
cat > tests/tls/openssl.cnf <<_END_
[ server_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = server
[ client_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = client
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
IP.1 = 0.0.0.0
IP.2 = 192.168.1.2
IP.3 = 127.0.0.1
DNS.1 = localhost
_END_
generate_cert server "Server-only" "-extfile tests/tls/openssl.cnf -extensions server_cert"
generate_cert client "Client-only" "-extfile tests/tls/openssl.cnf -extensions client_cert"
generate_cert redis "Generic-cert"
[ -f tests/tls/redis.dh ] || openssl dhparam -out tests/tls/redis.dh 2048
Run with faked time
faketime 'Jun 22 16:54:12Z' bash ./gen-test-certs.sh
redis-server --tls-port 6379 --port 16379 \
--tls-cert-file ./tests/tls/redis.crt \
--tls-key-file ./tests/tls/redis.key \
--tls-ca-cert-file ./tests/tls/ca.crt --loglevel debug --tls-auth-clients no
redis-cli CONFIG GET tls-key-file
redis-cli CONFIG GET tls-cert-file
redis-cli CONFIG SET tls-key-file ./tests/tls/redis.key
redis-cli CONFIG SET tls-cert-file ./tests/tls/redis.crt