| The test credentials have been generated with the following |
| commands: |
| |
| The ca is self-signed: |
| ---------------------- |
| |
| $ openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \ |
| -config ca-openssl.cnf -days 3650 -extensions v3_req |
| When prompted for certificate information, everything is default. |
| |
| valid is issued by CA: |
| ---------------------------------------------------------------------------- |
| |
| $ openssl genrsa -out valid.key.rsa 2048 |
| $ openssl pkcs8 -topk8 -in valid.key.rsa -out valid.key -nocrypt |
| $ openssl req -new -key valid.key -out valid.csr |
| |
| When prompted for certificate information, everything is default except the |
| common name which is set to valid. |
| |
| $ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in valid.csr \ |
| -out valid.pem -days 3650 |
| |
| revoked is issued by CA: |
| ----------------------- |
| |
| $ openssl genrsa -out revoked.key.rsa 2048 |
| $ openssl pkcs8 -topk8 -in revoked.key.rsa -out revoked.key -nocrypt |
| $ openssl req -new -key revoked.key -out revoked.csr |
| |
| When prompted for certificate information, everything is default except the |
| common name which is set to revoked. |
| |
| $ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in revoked.csr \ |
| -out revoked.pem -days 3650 |
| |
| $ openssl ca -revoke revoked.pem -keyfile ca.key -cert ca.pem -days 3650 |
| |
| Generate the CRL file: |
| ---------------------------------------------------------------------------- |
| $ openssl ca -gencrl -out current.crl -keyfile ca.key -cert ca.pem |
| $ openssl rehash ./ |
| |
| Clean up: |
| --------- |
| $ rm *.rsa |
| $ rm *.csr |
| $ rm ca.srl |
| |
| demoCA folder: |
| ---------------------------------------------------------------------------- |
| |
| The demoCA folder contains files used by the openssl CA commands to revoke |
| credentials and create CRL files. |