src/core/tsi/test_creds/README - platform/external/grpc-grpc - Git at Google

 The test credentials (CONFIRMEDTESTKEY) have been generated with the following
 commands:

 Bad credentials (badclient.* / badserver.*):
 ============================================

 These are self-signed certificates:

 $ openssl req -x509 -newkey rsa:1024 -keyout badserver.key -out badserver.pem \
   -days 3650 -nodes

 When prompted for certificate information, everything is default except the
 common name which is set to badserver.test.google.com.


 Valid test credentials:
 =======================

 The ca is self-signed:
 ----------------------

 $ openssl req -x509 -new -newkey rsa:1024 -nodes -out ca.pem -config ca-openssl.cnf -days 3650 -extensions v3_req
 When prompted for certificate information, everything is default.

 client is issued by CA:
 -----------------------

 $ openssl genrsa -out client.key.rsa 1024
 $ openssl pkcs8 -topk8 -in client.key.rsa -out client.key -nocrypt
 $ rm client.key.rsa
 $ openssl req -new -key client.key -out client.csr

 When prompted for certificate information, everything is default except the
 common name which is set to testclient.

 $ openssl ca -in client.csr -out client.pem

 server0 is issued by CA:
 ------------------------

 $ openssl genrsa -out server0.key.rsa 1024
 $ openssl pkcs8 -topk8 -in server0.key.rsa -out server0.key -nocrypt
 $ rm server0.key.rsa
 $ openssl req -new -key server0.key -out server0.csr

 When prompted for certificate information, everything is default except the
 common name which is set to *.test.google.com.au.

 $ openssl ca -in server0.csr -out server0.pem

 server1 is issued by CA with a special config for subject alternative names:
 ----------------------------------------------------------------------------

 $ openssl genrsa -out server1.key.rsa 1024
 $ openssl pkcs8 -topk8 -in server1.key.rsa -out server1.key -nocrypt
 $ rm server1.key.rsa
 $ openssl req -new -key server1.key -out server1.csr -config server1-openssl.cnf

 When prompted for certificate information, everything is default except the
 common name which is set to *.test.google.com.

 $ openssl ca -in server1.csr -out server1.pem
	The test credentials (CONFIRMEDTESTKEY) have been generated with the following
	commands:

	Bad credentials (badclient.* / badserver.*):
	============================================

	These are self-signed certificates:

	$ openssl req -x509 -newkey rsa:1024 -keyout badserver.key -out badserver.pem \
	-days 3650 -nodes

	When prompted for certificate information, everything is default except the
	common name which is set to badserver.test.google.com.


	Valid test credentials:
	=======================

	The ca is self-signed:
	----------------------

	$ openssl req -x509 -new -newkey rsa:1024 -nodes -out ca.pem -config ca-openssl.cnf -days 3650 -extensions v3_req
	When prompted for certificate information, everything is default.

	client is issued by CA:
	-----------------------

	$ openssl genrsa -out client.key.rsa 1024
	$ openssl pkcs8 -topk8 -in client.key.rsa -out client.key -nocrypt
	$ rm client.key.rsa
	$ openssl req -new -key client.key -out client.csr

	When prompted for certificate information, everything is default except the
	common name which is set to testclient.

	$ openssl ca -in client.csr -out client.pem

	server0 is issued by CA:
	------------------------

	$ openssl genrsa -out server0.key.rsa 1024
	$ openssl pkcs8 -topk8 -in server0.key.rsa -out server0.key -nocrypt
	$ rm server0.key.rsa
	$ openssl req -new -key server0.key -out server0.csr

	When prompted for certificate information, everything is default except the
	common name which is set to *.test.google.com.au.

	$ openssl ca -in server0.csr -out server0.pem

	server1 is issued by CA with a special config for subject alternative names:
	----------------------------------------------------------------------------

	$ openssl genrsa -out server1.key.rsa 1024
	$ openssl pkcs8 -topk8 -in server1.key.rsa -out server1.key -nocrypt
	$ rm server1.key.rsa
	$ openssl req -new -key server1.key -out server1.csr -config server1-openssl.cnf

	When prompted for certificate information, everything is default except the
	common name which is set to *.test.google.com.

	$ openssl ca -in server1.csr -out server1.pem