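# CA tree layout: one directory per CA (x = root, y/z = intermediates signed
# by x) plus holding areas for end-entity material (customer, machine).
for ca in x y z; do
  mkdir -p "ca/$ca/certs" "ca/$ca/crl" "ca/$ca/csr" "ca/$ca/newcerts" "ca/$ca/private"
done
for ee in customer machine; do
  mkdir -p "ca/$ee/certs" "ca/$ee/csr" "ca/$ee/pfx" "ca/$ee/private"
done
# Private keys are written below these; keep them unreadable to other users.
chmod 700 ca/x/private ca/y/private ca/z/private ca/customer/private ca/machine/private
# `openssl ca` state. The index (`database`) must exist, and so must the serial
# counter that the config references as `serial = $dir/serial` -- `openssl ca`
# fails unless it exists or -create_serial is given. 1000 matches the 0x1000
# serials in the certificate dumps further down. `crlnumber` is only read by
# `openssl ca -gencrl`. For anything beyond a lab setup prefer unpredictable
# serials (`openssl ca -rand_serial`, OpenSSL >= 1.1.1) over a fixed counter.
for ca in x y z; do
  touch "ca/$ca/database"
  [ -s "ca/$ca/serial" ] || echo 1000 > "ca/$ca/serial"
  [ -s "ca/$ca/crlnumber" ] || echo 1000 > "ca/$ca/crlnumber"
done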
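# Root CA "x": P-256 key, self-signed for 20 years with the ext_x profile.
# NOTE: `openssl ecparam -genkey` writes a SEC1 "EC PRIVATE KEY" (not PKCS#8,
# despite the file name) and writes it UNENCRYPTED. Only the encrypted copy is
# referenced by [ca_x] private_key, so the plaintext is removed right after.
# NOTE: `-passout pass:` exposes the passphrase in the process list and shell
# history; use `-passout file:...` or `env:VAR` outside a throwaway setup, and
# consider `openssl pkcs8 -topk8 -v2 aes-256-cbc` instead of `ec -aes256`,
# whose legacy PEM encryption derives the key with a single MD5 round.
openssl ecparam -name secp256r1 -genkey -out ca/x/private/pkcs8.x.private.pem
openssl ec -in ca/x/private/pkcs8.x.private.pem -aes256 -out ca/x/private/x.private.pem -passout pass:helloworld
rm -f ca/x/private/pkcs8.x.private.pem
# `-inform der` dropped: it describes an input CSR, which `-new` never reads,
# so it was a silent no-op. The empty `OU=` RDN is dropped too (OpenSSL skips
# it with a warning; the dump below shows no OU). The subject is quoted because
# "Hello world" contains a space.
openssl req -new -x509 -sha256 -key ca/x/private/x.private.pem -out ca/x/certs/x.public.pem -days 7300 -passin pass:helloworld -config ca/openssl.cnf -extensions ext_x -subj "/C=US/ST=CA/L=SF/O=PCG/CN=Hello world/emailAddress=user@example.com"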
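# Intermediate CA "y": key + CSR, signed by the root (-name ca_x) with ext_y.
openssl ecparam -name secp256r1 -genkey -out ca/y/private/pkcs8.y.private.pem
openssl ec -in ca/y/private/pkcs8.y.private.pem -aes256 -out ca/y/private/y.private.pem -passout pass:foobar
# Never leave the unencrypted CA key on disk; [ca_y] only uses y.private.pem.
rm -f ca/y/private/pkcs8.y.private.pem
# Quoted -subj (the CN contains spaces); empty OU= dropped (it was skipped anyway).
openssl req -new -key ca/y/private/y.private.pem -out ca/y/csr/y.request.pem -passin pass:foobar -config ca/openssl.cnf -subj "/C=US/ST=CA/L=SF/O=PCG/CN=Hello world Intermediate/emailAddress=user@example.com"
# ca_x applies policy_strict (C/ST/O must equal the root's); ext_y sets
# CA:TRUE, pathlen:0, so y can issue end-entity certificates only.
openssl ca -notext -batch -name ca_x -in ca/y/csr/y.request.pem -out ca/y/certs/y.public.pem -config ca/openssl.cnf -extensions ext_y -passin pass:helloworld
# Fail loudly if the new intermediate does not chain to the root.
openssl verify -CAfile ca/x/certs/x.public.pem ca/y/certs/y.public.pem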
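# Intermediate CA "z": same procedure as y, signed by the root with ext_z.
openssl ecparam -name secp256r1 -genkey -out ca/z/private/pkcs8.z.private.pem
openssl ec -in ca/z/private/pkcs8.z.private.pem -aes256 -out ca/z/private/z.private.pem -passout pass:random
# Never leave the unencrypted CA key on disk; [ca_z] only uses z.private.pem.
rm -f ca/z/private/pkcs8.z.private.pem
# Quoted -subj (the CN contains spaces); empty OU= dropped (it was skipped anyway).
openssl req -new -key ca/z/private/z.private.pem -out ca/z/csr/z.request.pem -passin pass:random -config ca/openssl.cnf -subj "/C=US/ST=CA/L=SF/O=PCG/CN=Hello world Intermediate 2/emailAddress=user@example.com"
openssl ca -notext -batch -name ca_x -in ca/z/csr/z.request.pem -out ca/z/certs/z.public.pem -config ca/openssl.cnf -extensions ext_z -passin pass:helloworld
# Fail loudly if the new intermediate does not chain to the root.
openssl verify -CAfile ca/x/certs/x.public.pem ca/z/certs/z.public.pem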
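# End-entity (client) certificate for customer 1234, issued by intermediate y.
openssl ecparam -name secp256r1 -genkey -out ca/customer/private/pkcs8.1234.private.pem
openssl ec -in ca/customer/private/pkcs8.1234.private.pem -aes256 -out ca/customer/private/1234.private.pem -passout pass:asdfasdf
# Quoted -subj (the CN contains spaces); empty OU= dropped (it was skipped anyway).
openssl req -new -key ca/customer/private/1234.private.pem -out ca/customer/csr/1234.request.pem -passin pass:asdfasdf -config ca/openssl.cnf -subj "/C=US/ST=CA/L=SF/O=PCG/CN=Hello world/emailAddress=user@example.com"
# FIX: this was `-extensions ext_y`, the *intermediate CA* profile
# (basicConstraints CA:TRUE, keyCertSign), which would have turned a customer
# certificate into a CA certificate. End-entity certificates must use the
# end-entity profile, ext_customer (CA:FALSE, clientAuth/emailProtection).
openssl ca -notext -batch -name ca_y -in ca/customer/csr/1234.request.pem -out ca/customer/certs/1234.public.pem -config ca/openssl.cnf -extensions ext_customer -passin pass:foobar
# Check the whole chain (leaf -> y -> x) and that the leaf is a usable client cert.
openssl verify -CAfile ca/x/certs/x.public.pem -untrusted ca/y/certs/y.public.pem -purpose sslclient ca/customer/certs/1234.public.pem
# The unencrypted key copy (pkcs8.1234.private.pem) is still on disk; delete it
# as soon as any PKCS#12 export into ca/customer/pfx that needs it is done.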
# Section consulted when `openssl ca` is run without -name. Every invocation in
# the script above passes -name explicitly (ca_x or ca_y), so this is only a
# fallback -- and it falls back to the ROOT, so a forgotten -name would sign
# with the root key.
[ ca ]
default_ca = ca_x
# Root CA "x" (selected with `openssl ca -name ca_x`); signs the intermediates.
# `dir` must be defined before any `$dir` reference below.
[ ca_x ]
dir = ca/x
# Key material and the CA's own certificate.
private_key = $dir/private/x.private.pem
certificate = $dir/certs/x.public.pem
# Issuance state: index file, serial counter, and the archive where every
# issued certificate is stored under its serial number.
database = $dir/database
serial = $dir/serial
new_certs_dir = $dir/newcerts
certs = $dir/certs
# Revocation state (used by `openssl ca -gencrl`).
crl_dir = $dir/crl
crl = $dir/crl/x.crl.pem
crlnumber = $dir/crlnumber
crl_extensions = ext_crl
default_crl_days = 30
# Signature digest and lifetime (days) of certificates issued by this CA,
# i.e. the intermediates. The root's own 20-year lifetime comes from
# `openssl req -x509 -days`, not from here.
default_md = sha256
default_days = 3650
# Display options for the confirmation prompt (skipped under -batch).
name_opt = ca_default
cert_opt = ca_default
# Rebuild the subject from policy_strict (field order and presence) instead of
# preserving the request's DN; strict requires C/ST/O to equal the root's own.
preserve = no
policy = policy_strict
# Deliberately no `copy_extensions`: copying extensions from a CSR would let a
# requester inject their own basicConstraints / keyUsage / SAN into the cert.
# Intermediate CA "y" (selected with `openssl ca -name ca_y`); issues the
# end-entity certificates. `dir` must precede the `$dir` references.
[ ca_y ]
dir = ca/y
# Key material and the CA's own certificate (issued by ca_x).
private_key = $dir/private/y.private.pem
certificate = $dir/certs/y.public.pem
# Issuance state: index, serial counter, archive of issued certificates.
database = $dir/database
serial = $dir/serial
new_certs_dir = $dir/newcerts
certs = $dir/certs
# Revocation state (used by `openssl ca -gencrl`).
crl_dir = $dir/crl
crl = $dir/crl/y.crl.pem
crlnumber = $dir/crlnumber
crl_extensions = ext_crl
default_crl_days = 30
# Digest and lifetime (days) of the end-entity certificates this CA issues.
default_md = sha256
default_days = 375
# Display options for the confirmation prompt (skipped under -batch).
name_opt = ca_default
cert_opt = ca_default
# Subject is rebuilt from policy_loose (only a CN is mandatory).
preserve = no
policy = policy_loose
# No `copy_extensions` on purpose: CSR-supplied extensions are never trusted.
# Intermediate CA "z": a second issuing CA under the same root, configured
# identically to ca_y apart from its directory and file names. `dir` must
# precede the `$dir` references.
[ ca_z ]
dir = ca/z
# Key material and the CA's own certificate (issued by ca_x).
private_key = $dir/private/z.private.pem
certificate = $dir/certs/z.public.pem
# Issuance state: index, serial counter, archive of issued certificates.
database = $dir/database
serial = $dir/serial
new_certs_dir = $dir/newcerts
certs = $dir/certs
# Revocation state (used by `openssl ca -gencrl`).
crl_dir = $dir/crl
crl = $dir/crl/z.crl.pem
crlnumber = $dir/crlnumber
crl_extensions = ext_crl
default_crl_days = 30
# Digest and lifetime (days) of the end-entity certificates this CA issues.
default_md = sha256
default_days = 375
# Display options for the confirmation prompt (skipped under -batch).
name_opt = ca_default
cert_opt = ca_default
# Subject is rebuilt from policy_loose (only a CN is mandatory).
preserve = no
policy = policy_loose
# No `copy_extensions` on purpose: CSR-supplied extensions are never trusted.
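# Policy applied by ca_x (the root). `match` fields must equal the root's own
# subject, `supplied` fields must be present, `optional` ones may be absent.
# The policy section also decides WHICH RDNs survive into the issued
# certificate, and in what order: anything not listed is silently dropped.
# localityName was missing, so the intermediates lost the L=SF their CSRs
# carried (compare the intermediate's Subject in the dump below, which has no
# L=, with the root's). Added as `match`, consistent with the other strict
# fields, and placed after ST so the DN order matches the root's.
[ policy_strict ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional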
# Policy applied by ca_y / ca_z (the intermediates): everything is optional
# except a CN. NOTE: the order of these entries is the order of the RDNs in
# the issued subject (preserve = no), and an RDN not listed here is dropped,
# so do not reorder or remove entries casually.
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# Defaults for `openssl req`. default_bits only matters for RSA generation via
# -newkey; every key in the script above is a separately generated P-256 EC
# key, so it is unused here. utf8only keeps T61String/BMPString out of
# subjects (some verifiers mishandle them).
[ req ]
default_bits = 4096
string_mask = utf8only
default_md = sha256
distinguished_name = req_distinguished_name
# Prompt labels for interactive `openssl req`. Every invocation above passes
# -subj, so nothing is prompted, but `req` still requires this section to
# exist. No defaults or min/max length constraints are set.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Root CA certificate profile (used by `openssl req -x509 -extensions ext_x`).
[ ext_x ]
subjectKeyIdentifier = hash
# Self-signed, so the AKI keyid equals the SKI (see the x.pem dump below).
# `issuer` without :always only adds issuer name/serial when no keyid exists.
authorityKeyIdentifier = keyid:always, issuer
# basicConstraints marks the certificate as a CA, i.e. able to sign other
# certificates; end-entity certificates omit it or carry CA:FALSE.
# Every extension is either critical or non-critical. A relying party MUST
# reject a certificate with a critical extension it does not recognise or
# cannot process; a non-critical extension MAY be ignored when unrecognised
# but MUST be processed when recognised (RFC 5280 s.4.2). RFC 5280 requires
# basicConstraints to be critical in CA certificates and recommends the same
# for keyUsage -- hence `critical` on both below.
# One special case: CRL Distribution Points. Besides saying where a CRL can be
# fetched, it scopes which CRL covers the certificate -- but only when it is
# critical (the CRL must then carry a matching Issuing Distribution Point).
# Non-critical, it is informational only. No CDP is set in this profile, so
# no CRL location is published for this hierarchy.
basicConstraints = critical, CA:TRUE
# No pathlen on the root, so it may issue intermediates (y, z) that are CAs
# themselves. digitalSignature is only needed if this key also signs data
# other than certificates/CRLs (e.g. OCSP responses) directly.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# Intermediate CA "y" certificate profile (`openssl ca -name ca_x -extensions
# ext_y`). Extension order here is the order in the issued certificate.
[ ext_y ]
subjectKeyIdentifier = hash
# keyid:always links to the root's SKI; the issuer name/serial fallback is
# only emitted if the issuing certificate has no SKI.
authorityKeyIdentifier = keyid:always, issuer
# pathlen:0 -- y may issue end-entity certificates only, never further CAs.
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# Intermediate CA "z" certificate profile; identical to ext_y (CA:TRUE with
# pathlen:0, certificate/CRL signing). Kept as a separate section so the two
# intermediates can diverge later without touching each other.
[ ext_z ]
subjectKeyIdentifier = hash
# keyid:always links to the root's SKI; name/serial only if no SKI exists.
authorityKeyIdentifier = keyid:always, issuer
# pathlen:0 -- z may issue end-entity certificates only, never further CAs.
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
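# End-entity client / S-MIME certificate profile (`openssl ca -name ca_y
# -extensions ext_customer`). This -- not ext_y -- is what customer
# certificates must be issued with.
[ ext_customer ]
basicConstraints = CA:FALSE
# nsCertType / nsComment are legacy Netscape extensions that modern clients
# ignore; kept only for continuity with already-issued certificates.
nsCertType = client, email, objsign
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
# keyEncipherment removed: the customer keys are EC (P-256), and RFC 5480 s.3
# forbids keyEncipherment/dataEncipherment in id-ecPublicKey certificates; the
# bit only means something for RSA key transport. Re-add it if this profile
# is ever used with an RSA key. (S/MIME *encryption* to an EC key would need
# keyAgreement instead -- not added, as the original did not claim it.)
# nonRepudiation (contentCommitment) is kept for the emailProtection use.
keyUsage = critical, nonRepudiation, digitalSignature
extendedKeyUsage = clientAuth, emailProtection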
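# End-entity TLS server certificate profile (`openssl ca -extensions
# ext_machine`).
[ ext_machine ]
basicConstraints = CA:FALSE
# Legacy Netscape extensions, ignored by modern clients; harmless.
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
# Was `keyid, issuer:always`, which forces the issuing CA's *own* issuer name
# and serial into the AKI -- the `DirName:<root DN>` / `serial:10:00` seen in
# the machine.pem dump below. That is valid per RFC 5280 but redundant once a
# keyid is present, confuses readers, and differed from every other profile in
# this file, so the fallback form used by ext_customer is adopted.
authorityKeyIdentifier = keyid, issuer
# keyEncipherment dropped: EC (P-256) keys never do RSA key transport and
# RFC 5480 s.3 forbids the bit for id-ecPublicKey; (EC)DHE server certs only
# need digitalSignature. Re-add keyEncipherment for RSA keys that must also
# serve the static RSA key-exchange cipher suites.
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
# NOTE: no subjectAltName is set. Browsers and most current TLS clients ignore
# the CN for host-name matching and reject serverAuth certificates without a
# SAN (the machine.pem dump has CN=localhost and no SAN). Supply one per
# issuance, e.g. `subjectAltName = ${ENV::SAN}` here with `SAN=DNS:host`
# exported before running `openssl ca`.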
# Extensions added to CRLs produced by `openssl ca -gencrl` (referenced as
# crl_extensions by each CA section). The AKI lets relying parties match a CRL
# to the issuing CA certificate; the CRL Number extension is added
# automatically from each CA's `crlnumber` file.
[ ext_crl ]
authorityKeyIdentifier = keyid:always
# Profile for a delegated OCSP responder certificate. Nothing in the script
# above issues one; the relevant bits are a signing-only keyUsage and the
# critical OCSPSigning EKU. If this is ever used, consider adding
# `noCheck = ignored` (id-pkix-ocsp-nocheck) so clients do not try to check
# the responder certificate's own revocation status -- which in turn makes a
# short validity period for the responder certificate mandatory.
[ ext_ocsp ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
$ openssl x509 -noout -text -in x.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
da:06:6b:02:94:9e:ed:2f
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=CA, L=SF, O=Example, CN=Hello world/emailAddress=user@example.com
Validity
Not Before: Dec 1 16:17:01 2017 GMT
Not After : Nov 26 16:17:01 2037 GMT
Subject: C=US, ST=CA, L=SF, O=Example, CN=Hello world/emailAddress=user@example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:f8:40:62:8f:5c:83:3c:ce:c4:57:8a:db:d1:11:
54:be:ff:f5:a0:a7:b1:d7:92:89:ef:02:1c:17:a1:
f6:6f:3e:95:85:2c:2e:7d:08:d9:a8:81:a1:79:ea:
30:ea:85:eb:b5:dd:0a:47:21:49:f3:ac:81:25:7d:
e7:19:56:29:9e
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
CD:56:70:EB:15:18:F9:68:17:85:7C:52:A5:3B:73:34:E4:74:B0:CA
X509v3 Authority Key Identifier:
keyid:CD:56:70:EB:15:18:F9:68:17:85:7C:52:A5:3B:73:34:E4:74:B0:CA
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: ecdsa-with-SHA256
30:45:02:20:36:f6:12:60:b7:75:dd:8d:38:3c:1f:01:df:94:
81:31:61:23:3e:be:7d:97:b6:9d:2e:e8:06:c9:b4:7a:e2:8c:
02:21:00:a1:2b:7f:56:a3:7a:2b:97:e4:a7:45:be:8c:db:e0:
a2:83:b7:1d:f8:6e:eb:6b:bc:78:bc:70:e6:c2:dc:1e:ff
$ openssl x509 -noout -text -in y.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=CA, L=SF, O=Example, CN=Hello world/emailAddress=user@example.com
Validity
Not Before: Dec 1 16:17:01 2017 GMT
Not After : Nov 29 16:17:01 2027 GMT
Subject: C=US, ST=CA, O=Example, CN=Hello world Intermediate/emailAddress=user@example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:58:24:43:bb:4f:e4:0c:fa:80:e6:94:4e:f9:eb:
05:ff:ef:af:66:cf:bb:b4:04:7e:25:86:25:de:73:
c8:c2:63:c4:9b:80:a4:4a:bb:14:90:fe:a5:99:30:
e9:f7:bb:f0:51:15:65:d2:d5:3e:46:f4:b6:1f:3a:
bc:7e:f7:77:3d
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
B7:3A:9A:03:B4:49:52:C1:3A:D3:A8:08:F9:C5:D2:3D:04:2D:CF:8A
X509v3 Authority Key Identifier:
keyid:CD:56:70:EB:15:18:F9:68:17:85:7C:52:A5:3B:73:34:E4:74:B0:CA
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: ecdsa-with-SHA256
30:46:02:21:00:d7:92:b7:8c:01:6b:f5:68:70:c9:50:27:f6:
b5:80:47:f9:53:91:f6:13:d1:60:6e:df:9b:d2:b1:ce:f9:ae:
3d:02:21:00:be:73:3b:d9:c6:8d:25:df:85:b9:bc:8e:94:3e:
d3:b9:36:9e:4a:57:8b:a4:56:5a:87:42:d7:8b:a5:48:9c:31
$ openssl x509 -noout -text -in machine.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=CA, O=Example, CN=Hello world Intermediate/emailAddress=user@example.com
Validity
Not Before: Dec 1 16:17:15 2017 GMT
Not After : Dec 11 16:17:15 2018 GMT
Subject: C=US, ST=CA, L=SF, O=PCG, CN=localhost/emailAddress=user@example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:4a:3b:47:32:e8:be:a1:a9:0a:6b:ab:99:aa:1f:
fc:69:3a:1b:21:2e:e3:7e:6b:fc:a0:89:00:f6:e1:
93:d1:79:ba:cd:af:5f:e6:3b:84:a9:b9:48:0e:96:
c4:4d:36:b9:b7:cb:98:b5:af:01:68:a7:c0:83:8c:
1e:f5:e5:9c:13
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape CA Policy Url:
undefined
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
55:2A:9D:F9:F0:E9:4C:60:05:80:EE:EC:FC:25:99:B2:FE:16:A5:0D
X509v3 Authority Key Identifier:
keyid:B7:3A:9A:03:B4:49:52:C1:3A:D3:A8:08:F9:C5:D2:3D:04:2D:CF:8A
DirName:/C=US/ST=CA/L=SF/O=Example/CN=Hello world/emailAddress=user@example.com
serial:10:00
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
Authority Information Access:
OCSP - URI:undefined
Signature Algorithm: ecdsa-with-SHA256
30:46:02:21:00:fc:c5:4b:fd:30:cd:62:14:77:87:bd:e1:2b:
6f:c5:c8:9a:d0:c4:55:e7:0a:01:29:51:23:34:ee:db:88:04:
06:02:21:00:e6:7c:eb:d3:8a:76:6a:dd:f0:6c:9e:da:e4:a6:
62:bc:34:b3:bf:c6:f8:fe:6a:8c:35:86:e7:17:a7:89:ea:d6
It seems like something is wrong with this. Maybe the `DirName` entry isn't supposed to be there at all, since it doesn't match the machine certificate's own issuer (`CN=Hello world Intermediate`)? Or maybe the `serial:10:00` is off for some reason?

For reference: in an Authority Key Identifier, `DirName` is the name of the entity that issued the *signing CA's* certificate (here the root, which matches the `Issuer:` of y.pem above), and `serial` is the signing CA certificate's own serial number (0x1000, which matches y.pem's `Serial Number:`) -- so both values are consistent. They appear because `ext_machine` uses `authorityKeyIdentifier = keyid, issuer:always`; with `keyid, issuer` (as in `ext_customer`) only the keyid would be included. Separately, the `Netscape CA Policy Url: undefined` and `OCSP - URI:undefined` entries in machine.pem come from extensions that are not in the config shown above and look like unsubstituted template values; a literal `undefined` OCSP URL should be removed rather than published.