@jpopesculian
Created April 23, 2020 09:23
Generating Test PKI
#!/bin/sh
# Test-PKI generation script. Run it from the directory that holds the
# openssl.cnf whose v3_inter / v3_end sections are referenced below.
set -xe
rm -rf generated/
mkdir -p generated/
# EC parameter files: P-384 for the root, P-256 for the intermediate and the leaf
openssl ecparam -name prime256v1 -out generated/nistp256.pem
openssl ecparam -name secp384r1 -out generated/nistp384.pem
# Self-signed root CA: key and certificate in one step
openssl req -nodes \
    -x509 \
    -newkey ec:generated/nistp384.pem \
    -keyout generated/ca.key \
    -out generated/ca.cert \
    -sha256 \
    -batch \
    -days 3650 \
    -subj "/CN=riddleandcode generated CA"
# Intermediate CA: key + CSR only. Without -x509 the -days value is ignored;
# the validity is set when the CSR is signed in the loop below.
openssl req -nodes \
    -newkey ec:generated/nistp256.pem \
    -keyout generated/inter.key \
    -out generated/inter.req \
    -sha256 \
    -batch \
    -days 3000 \
    -subj "/CN=riddleandcode generated level 2 intermediate"
# End-entity (service) key + CSR; same remark about -days applies
openssl req -nodes \
    -newkey ec:generated/nistp256.pem \
    -keyout generated/end.key \
    -out generated/end.req \
    -sha256 \
    -batch \
    -days 2000 \
    -subj "/CN=riddleandcode service"
# Sign the CSRs: the root signs the intermediate, the intermediate signs the
# leaf. Serial numbers are fixed because this is throwaway test material.
for kt in generated; do
    openssl x509 -req \
        -in $kt/inter.req \
        -out $kt/inter.cert \
        -CA $kt/ca.cert \
        -CAkey $kt/ca.key \
        -sha256 \
        -days 3650 \
        -set_serial 123 \
        -extensions v3_inter -extfile openssl.cnf
    openssl x509 -req \
        -in $kt/end.req \
        -out $kt/end.cert \
        -CA $kt/inter.cert \
        -CAkey $kt/inter.key \
        -sha256 \
        -days 2000 \
        -set_serial 456 \
        -extensions v3_end -extfile openssl.cnf
    # end.chain: issuing chain without the leaf; end.fullchain: leaf first,
    # then the chain, which is the order TLS servers expect
    cat $kt/inter.cert $kt/ca.cert > $kt/end.chain
    cat $kt/end.cert $kt/inter.cert $kt/ca.cert > $kt/end.fullchain
    # DER copy of the root (asn1parse -out writes the decoded DER; equivalent
    # to: openssl x509 -in $kt/ca.cert -outform DER -out $kt/ca.der)
    openssl asn1parse -in $kt/ca.cert -out $kt/ca.der > /dev/null
done
# openssl.cnf: extension sections referenced by -extfile / -extensions above
[ v3_end ]
# Leaf certificate for the service: explicitly not a CA
basicConstraints = critical,CA:false
keyUsage = nonRepudiation, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName = @alt_names
[ v3_inter ]
subjectKeyIdentifier = hash
# Validators such as OpenSSL treat an EKU on a CA certificate as a constraint
# on what the certificates it issues may be used for
extendedKeyUsage = critical, serverAuth, clientAuth
# RFC 5280 requires basicConstraints to be marked critical on CA certificates
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
[ alt_names ]
DNS.1 = trusted_node
DNS.2 = localhost
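Added example, not part of the gist: a sanity-check script for a directory laid out like generated/ above. It validates the leaf chain with openssl verify, checks hostname matching against the alt_names, confirms the leaf really carries CA:FALSE, and confirms that a certificate mis-issued under the leaf key is rejected. The make_test_pki function is a constructed stand-in for the generation script (self-signed root via x509 -signkey, inline extension files instead of openssl.cnf) so the checks can run stand-alone; the function names and directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not part of the gist: sanity checks for a test PKI laid out
# like generated/ above (ca.cert, inter.cert, inter.key, end.cert, end.key).
# make_test_pki is a constructed stand-in for the generation script so the
# checks can run stand-alone; it self-signs the root with x509 -signkey and
# writes inline extension files instead of using openssl.cnf.
set -e
NEWKEY='-nodes -batch -newkey ec -pkeyopt ec_paramgen_curve:P-256'

make_test_pki() {   # root -> intermediate -> leaf, all written into $1
  d=$1; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  printf 'basicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/inter.ext"
  printf 'basicConstraints=critical,CA:false\nkeyUsage=digitalSignature\nsubjectAltName=DNS:localhost\n' >"$d/end.ext"
  for n in ca inter end; do
    openssl req $NEWKEY -subj "/CN=test $n" -keyout "$d/$n.key" -out "$d/$n.req" 2>/dev/null
  done
  openssl x509 -req -in "$d/ca.req" -signkey "$d/ca.key" -days 3650 \
    -extfile "$d/ca.ext" -out "$d/ca.cert" 2>/dev/null
  openssl x509 -req -in "$d/inter.req" -CA "$d/ca.cert" -CAkey "$d/ca.key" -set_serial 1 \
    -days 3000 -extfile "$d/inter.ext" -out "$d/inter.cert" 2>/dev/null
  openssl x509 -req -in "$d/end.req" -CA "$d/inter.cert" -CAkey "$d/inter.key" -set_serial 2 \
    -days 2000 -extfile "$d/end.ext" -out "$d/end.cert" 2>/dev/null
}

# Each check returns 0 when the PKI behaves as intended.
chain_ok() {          # leaf validates up to the root through the intermediate
  openssl verify -CAfile "$1/ca.cert" -untrusted "$1/inter.cert" "$1/end.cert" >/dev/null 2>&1
}
hostname_ok() {       # the leaf's SAN covers the name clients will connect to ($2)
  openssl verify -CAfile "$1/ca.cert" -untrusted "$1/inter.cert" \
    -verify_hostname "$2" "$1/end.cert" >/dev/null 2>&1
}
leaf_is_not_ca() {    # basicConstraints on the leaf really ended up as CA:FALSE
  openssl x509 -in "$1/end.cert" -noout -text | grep -q 'CA:FALSE'
}
leaf_cannot_issue() { # a cert mis-issued under the leaf's key must not validate
  openssl req $NEWKEY -subj '/CN=misissued' -keyout "$1/mis.key" -out "$1/mis.req" 2>/dev/null
  openssl x509 -req -in "$1/mis.req" -CA "$1/end.cert" -CAkey "$1/end.key" -set_serial 3 \
    -days 1 -out "$1/mis.cert" 2>/dev/null || return 0   # refusing to issue also passes
  ! openssl verify -CAfile "$1/ca.cert" -untrusted "$1/inter.cert" \
    -untrusted "$1/end.cert" "$1/mis.cert" >/dev/null 2>&1
}
pki_checks() {        # run every check against directory $1 (e.g. generated)
  chain_ok "$1" && hostname_ok "$1" localhost && leaf_is_not_ca "$1" && leaf_cannot_issue "$1"
}

# Usage: sh pki_checks.sh generated
if [ -n "${1:-}" ]; then pki_checks "$1" && echo "all PKI checks passed for $1"; fi
```

Against the gist's own output, run it as `sh pki_checks.sh generated` after the generation script; the hostname check passes because alt_names lists localhost.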