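#!/bin/bash
# Generate the test credentials used by the TSI tests: two CAs (server and
# client), two server and two client leaf certs signed by them, two
# self-signed SPIFFE certs, and one CA-signed SPIFFE client cert.
#
# Run from the directory that holds openssl.cnf and
# client_with_spiffe_openssl.cnf. Every key/cert is written to the current
# directory and any existing file of the same name is overwritten.
#
# All private keys are written unencrypted (-nodes / plain genrsa): these are
# throw-away test credentials and must only be used by the test suite.
#
# Requires OpenSSL 1.1.1+ (`req -addext` is used for the SPIFFE certs).
set -euo pipefail

readonly DAYS=3650
readonly KEY_BITS=4096
readonly SUBJ_PREFIX='/C=US/ST=CA/L=SVL/O=gRPC/CN='
readonly CONFIG=./openssl.cnf
readonly SPIFFE_CONFIG=./client_with_spiffe_openssl.cnf

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Create a self-signed CA key pair and certificate.
# Arguments: $1 - file prefix (server_ca -> server_ca_key.pem, server_ca_cert.pem)
#            $2 - CN of the CA
# Outputs:   ${1}_key.pem, ${1}_cert.pem
#######################################
make_ca() {
  local prefix=$1 cn=$2
  openssl req -x509 \
    -newkey "rsa:${KEY_BITS}" \
    -nodes \
    -days "$DAYS" \
    -keyout "${prefix}_key.pem" \
    -out "${prefix}_cert.pem" \
    -subj "${SUBJ_PREFIX}${cn}/" \
    -config "$CONFIG" \
    -extensions test_ca \
    -sha256
}

#######################################
# Generate a key, a CSR and a CA-signed leaf cert, then verify it chains to
# the CA.
# Arguments: $1 - file prefix (server1 -> server1_key.pem, server1_csr.pem,
#                 server1_cert.pem)
#            $2 - CN of the leaf
#            $3 - file prefix of the issuing CA
#            $4 - extension section in the config (test_server / test_client)
#            $5 - serial number; must be unique per issuing CA (RFC 5280
#                 4.1.2.2), so callers pass a different value for each cert
#                 signed by the same CA
#            $6 - openssl config file (optional, defaults to $CONFIG)
# Outputs:   ${1}_key.pem, ${1}_csr.pem, ${1}_cert.pem
# Returns:   non-zero (and aborts under set -e) if any openssl step fails,
#            including the final chain verification
#######################################
issue_cert() {
  local prefix=$1 cn=$2 ca=$3 ext=$4 serial=$5 config=${6:-$CONFIG}
  openssl genrsa -out "${prefix}_key.pem" "$KEY_BITS"
  # -days is not passed here: it only applies to `req -x509`, the validity
  # of the leaf is set on the signing step below.
  openssl req -new \
    -key "${prefix}_key.pem" \
    -out "${prefix}_csr.pem" \
    -subj "${SUBJ_PREFIX}${cn}/" \
    -config "$config" \
    -reqexts "$ext"
  # NOTE(review): the leaf gets the same validity as the CA, so its notAfter
  # falls a few seconds after the CA's; strict validators may flag that near
  # expiry. Fine for test creds, confirm before reusing elsewhere.
  openssl x509 -req \
    -in "${prefix}_csr.pem" \
    -CAkey "${ca}_key.pem" \
    -CA "${ca}_cert.pem" \
    -days "$DAYS" \
    -set_serial "$serial" \
    -out "${prefix}_cert.pem" \
    -extfile "$config" \
    -extensions "$ext" \
    -sha256
  openssl verify -verbose -CAfile "${ca}_cert.pem" "${prefix}_cert.pem"
}

#######################################
# Create a self-signed cert carrying the given subjectAltName value.
# Arguments: $1 - file prefix (spiffe -> spiffe_key.pem, spiffe_cert.pem)
#            $2 - CN
#            $3 - subjectAltName value, e.g. "URI:spiffe://example/workload"
# Outputs:   ${1}_key.pem, ${1}_cert.pem
#######################################
make_self_signed_san() {
  local prefix=$1 cn=$2 san=$3
  openssl req -x509 \
    -newkey "rsa:${KEY_BITS}" \
    -keyout "${prefix}_key.pem" \
    -out "${prefix}_cert.pem" \
    -nodes \
    -days "$DAYS" \
    -subj "${SUBJ_PREFIX}${cn}/" \
    -addext "subjectAltName = ${san}" \
    -sha256
}

main() {
  [[ -f "$CONFIG" && -f "$SPIFFE_CONFIG" ]] \
    || die "run this script from the directory containing ${CONFIG} and ${SPIFFE_CONFIG}"

  # Create the server and client CA certs.
  make_ca server_ca test-server_ca
  make_ca client_ca test-client_ca

  # Generate two server certs. Serials differ because both are issued by the
  # same CA.
  issue_cert server1 test-server1 server_ca test_server 1000
  issue_cert server2 test-server2 server_ca test_server 1001

  # Generate two client certs.
  issue_cert client1 test-client1 client_ca test_client 1000
  issue_cert client2 test-client2 client_ca test_client 1001

  # Generate a self-signed cert with a SPIFFE ID.
  make_self_signed_san spiffe test-client1 \
    'URI:spiffe://foo.bar.com/client/workload/1'

  # Generate a cert with a SPIFFE ID and a second SAN URI (which does not meet
  # the SPIFFE spec's single-URI requirement).
  make_self_signed_san multiple_uri test-client1 \
    'URI:spiffe://foo.bar.com/client/workload/1, URI:https://bar.baz.com/client'

  # Generate a CA-signed client cert with a SPIFFE ID using
  # client_with_spiffe_openssl.cnf. The key is generated here like every other
  # leaf key so the script is self-contained, and the result is verified
  # against the client CA (not against itself).
  issue_cert client_with_spiffe test-client1 client_ca test_client 1002 \
    "$SPIFFE_CONFIG"

  # Cleanup the CSRs.
  rm -f -- *_csr.pem
}

main "$@"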