1
- all : agent1-cert.pem agent1-pfx.pem agent2-cert.pem agent3-cert.pem agent4-cert.pem agent5-cert.pem agent6-cert.pem agent7-cert.pem agent8-cert.pem agent9-cert.pem ca1-cert.pem ca2-crl.pem ca3-cert.pem ec-cert.pem dh512.pem dh1024.pem dh2048.pem dsa1025.pem dsa_private_1025.pem dsa_public_1025.pem rsa_private_1024.pem rsa_private_2048.pem rsa_private_4096.pem rsa_public_1024.pem rsa_public_2048.pem rsa_public_4096.pem ec-pfx.pem
1
+ all : \
2
+ ca1-cert.pem \
3
+ ca2-cert.pem \
4
+ ca2-crl.pem \
5
+ ca3-cert.pem \
6
+ ca4-cert.pem \
7
+ ca5-cert.pem \
8
+ ca6-cert.pem \
9
+ agent1-cert.pem \
10
+ agent1.pfx \
11
+ agent2-cert.pem \
12
+ agent3-cert.pem \
13
+ agent4-cert.pem \
14
+ agent5-cert.pem \
15
+ agent6-cert.pem \
16
+ agent6.pfx \
17
+ agent7-cert.pem \
18
+ agent8-cert.pem \
19
+ agent9-cert.pem \
20
+ agent10-cert.pem \
21
+ agent10.pfx \
22
+ ec10-cert.pem \
23
+ ec10.pfx \
24
+ dh512.pem \
25
+ dh1024.pem \
26
+ dh2048.pem \
27
+ dsa1025.pem \
28
+ dsa_private_1025.pem \
29
+ dsa_public_1025.pem \
30
+ ec-cert.pem \
31
+ ec.pfx \
32
+ fake-cnnic-root-cert.pem \
33
+ rsa_private_1024.pem \
34
+ rsa_private_2048.pem \
35
+ rsa_private_4096.pem \
36
+ rsa_public_1024.pem \
37
+ rsa_public_2048.pem \
38
+ rsa_public_4096.pem \
2
39
3
40
#
4
41
# Create Certificate Authority: ca1
@@ -17,7 +54,7 @@ ca2-cert.pem: ca2.cnf
17
54
touch ca2-database.txt
18
55
19
56
#
20
- # Create Subordinate Certificate Authority: ca3
57
+ # Create Subordinate Certificate Authority: ca3 issued by ca1
21
58
# ('password' is used for the CA password.)
22
59
#
23
60
ca3-key.pem :
@@ -42,6 +79,81 @@ ca3-cert.pem: ca3-csr.pem ca3-key.pem ca3.cnf ca1-cert.pem ca1-key.pem
42
79
-CAcreateserial \
43
80
-out ca3-cert.pem
44
81
82
+ #
83
+ # Create Subordinate Certificate Authority: ca4 issued by ca2
84
+ # ('password' is used for the CA password.)
85
+ #
86
+ ca4-key.pem :
87
+ openssl genrsa -out ca4-key.pem 1024
88
+
89
+ ca4-csr.pem : ca4.cnf ca4-key.pem
90
+ openssl req -new \
91
+ -extensions v3_ca \
92
+ -config ca4.cnf \
93
+ -key ca4-key.pem \
94
+ -out ca4-csr.pem
95
+
96
+ ca4-cert.pem : ca4-csr.pem ca4-key.pem ca4.cnf ca2-cert.pem ca2-key.pem
97
+ openssl x509 -req \
98
+ -extfile ca4.cnf \
99
+ -extensions v3_ca \
100
+ -days 99999 \
101
+ -passin " pass:password" \
102
+ -in ca4-csr.pem \
103
+ -CA ca2-cert.pem \
104
+ -CAkey ca2-key.pem \
105
+ -CAcreateserial \
106
+ -out ca4-cert.pem
107
+
108
+ #
109
+ # Create Certificate Authority: ca5 with ECC
110
+ # ('password' is used for the CA password.)
111
+ #
112
+ ca5-key.pem :
113
+ openssl ecparam -genkey -out ca5-key.pem -name prime256v1
114
+
115
+ ca5-csr.pem : ca5.cnf ca5-key.pem
116
+ openssl req -new \
117
+ -config ca5.cnf \
118
+ -key ca5-key.pem \
119
+ -out ca5-csr.pem
120
+
121
+ ca5-cert.pem : ca5.cnf ca5-key.pem ca5-csr.pem
122
+ openssl x509 -req \
123
+ -extfile ca5.cnf \
124
+ -extensions v3_ca \
125
+ -days 99999 \
126
+ -passin " pass:password" \
127
+ -in ca5-csr.pem \
128
+ -signkey ca5-key.pem \
129
+ -out ca5-cert.pem
130
+
131
+ #
132
+ # Create Subordinate Certificate Authority: ca6 issued by ca5 with ECC
133
+ # ('password' is used for the CA password.)
134
+ #
135
+ ca6-key.pem :
136
+ openssl ecparam -genkey -out ca6-key.pem -name prime256v1
137
+
138
+ ca6-csr.pem : ca6.cnf ca6-key.pem
139
+ openssl req -new \
140
+ -extensions v3_ca \
141
+ -config ca6.cnf \
142
+ -key ca6-key.pem \
143
+ -out ca6-csr.pem
144
+
145
+ ca6-cert.pem : ca6-csr.pem ca6-key.pem ca6.cnf ca5-cert.pem ca5-key.pem
146
+ openssl x509 -req \
147
+ -extfile ca6.cnf \
148
+ -extensions v3_ca \
149
+ -days 99999 \
150
+ -passin " pass:password" \
151
+ -in ca6-csr.pem \
152
+ -CA ca5-cert.pem \
153
+ -CAkey ca5-key.pem \
154
+ -CAcreateserial \
155
+ -out ca6-cert.pem
156
+
45
157
#
46
158
# Create Fake CNNIC Root Certificate Authority: fake-cnnic-root
47
159
#
@@ -179,7 +291,7 @@ agent4-verify: agent4-cert.pem ca2-cert.pem
179
291
#
180
292
# Make CRL with agent4 being rejected
181
293
#
182
- ca2-crl.pem : ca2-key.pem ca2-cert.pem ca2.cnf
294
+ ca2-crl.pem : ca2-key.pem ca2-cert.pem ca2.cnf agent4-cert.pem
183
295
openssl ca -revoke agent4-cert.pem \
184
296
-keyfile ca2-key.pem \
185
297
-cert ca2-cert.pem \
@@ -219,7 +331,7 @@ agent5-verify: agent5-cert.pem ca2-cert.pem
219
331
openssl verify -CAfile ca2-cert.pem agent5-cert.pem
220
332
221
333
#
222
- # agent6 is signed by ca3
334
+ # agent6 is a client RSA cert signed by ca3
223
335
#
224
336
225
337
agent6-key.pem :
@@ -240,8 +352,17 @@ agent6-cert.pem: agent6-csr.pem ca3-cert.pem ca3-key.pem
240
352
-out agent6-cert.pem
241
353
cat ca3-cert.pem >> agent6-cert.pem
242
354
243
- agent6-verify : agent6-cert.pem ca3-cert.pem
244
- openssl verify -CAfile ca3-cert.pem agent6-cert.pem
355
+ agent6-verify : agent6-cert.pem ca3-cert.pem ca1-cert.pem
356
+ openssl verify -trusted ca1-cert.pem -untrusted ca3-cert.pem agent6-cert.pem
357
+
358
+ agent6.pfx : agent6-cert.pem agent6-key.pem ca1-cert.pem
359
+ openssl pkcs12 -export \
360
+ -descert \
361
+ -in agent6-cert.pem \
362
+ -inkey agent6-key.pem \
363
+ -certfile ca1-cert.pem \
364
+ -out agent6.pfx \
365
+ -password pass:sample
245
366
246
367
#
247
368
# agent7 is signed by fake-cnnic-root.
@@ -318,9 +439,80 @@ agent9-cert.pem: agent9-csr.pem
318
439
-days 99999 \
319
440
-passin " pass:password" \
320
441
-in agent9-csr.pem \
321
- -startdate 161021000001Z \
442
+ -startdate 20161021000001Z \
322
443
-notext -out agent9-cert.pem
323
444
445
+ # agent10 is a server RSA cert signed by ca4 for agent10.example.com
446
+ #
447
+
448
+ agent10-key.pem :
449
+ openssl genrsa -out agent10-key.pem 1024
450
+
451
+ agent10-csr.pem : agent10.cnf agent10-key.pem
452
+ openssl req -new -config agent10.cnf -key agent10-key.pem -out agent10-csr.pem
453
+
454
+ agent10-cert.pem : agent10-csr.pem ca4-cert.pem ca4-key.pem
455
+ openssl x509 -req \
456
+ -days 99999 \
457
+ -passin " pass:password" \
458
+ -in agent10-csr.pem \
459
+ -CA ca4-cert.pem \
460
+ -CAkey ca4-key.pem \
461
+ -CAcreateserial \
462
+ -extfile agent10.cnf \
463
+ -out agent10-cert.pem
464
+ cat ca4-cert.pem >> agent10-cert.pem
465
+
466
+ agent10-verify : agent10-cert.pem ca4-cert.pem ca2-cert.pem
467
+ openssl verify -trusted ca2-cert.pem -untrusted ca4-cert.pem agent10-cert.pem
468
+
469
+ agent10.pfx : agent10-cert.pem agent10-key.pem ca1-cert.pem
470
+ openssl pkcs12 -export \
471
+ -descert \
472
+ -in agent10-cert.pem \
473
+ -inkey agent10-key.pem \
474
+ -certfile ca1-cert.pem \
475
+ -out agent10.pfx \
476
+ -password pass:sample
477
+
478
+ #
479
+ # ec10 is a server EC cert signed by ca6 for agent10.example.com
480
+ #
481
+
482
+ ec10-key.pem :
483
+ openssl ecparam -genkey -out ec10-key.pem -name prime256v1
484
+
485
+ ec10-csr.pem : ec10-key.pem
486
+ openssl req -new -config agent10.cnf -key ec10-key.pem -out ec10-csr.pem
487
+
488
+ ec10-cert.pem : ec10-csr.pem ca6-cert.pem ca6-key.pem
489
+ openssl x509 -req \
490
+ -days 99999 \
491
+ -passin " pass:password" \
492
+ -in ec10-csr.pem \
493
+ -CA ca6-cert.pem \
494
+ -CAkey ca6-key.pem \
495
+ -CAcreateserial \
496
+ -extfile agent10.cnf \
497
+ -out ec10-cert.pem
498
+ cat ca6-cert.pem >> ec10-cert.pem
499
+
500
+ ec10-verify : ec10-cert.pem ca6-cert.pem ca5-cert.pem
501
+ openssl verify -trusted ca5-cert.pem -untrusted ca6-cert.pem ec10-cert.pem
502
+
503
+ ec10.pfx : ec10-cert.pem ec10-key.pem ca6-cert.pem
504
+ openssl pkcs12 -export \
505
+ -descert \
506
+ -in ec10-cert.pem \
507
+ -inkey ec10-key.pem \
508
+ -certfile ca6-cert.pem \
509
+ -out ec10.pfx \
510
+ -password pass:sample
511
+
512
+
513
+ #
514
+ # ec is a self-signed EC cert for CN "agent2"
515
+ #
324
516
ec-key.pem :
325
517
openssl ecparam -genkey -out ec-key.pem -name prime256v1
326
518
@@ -379,10 +571,12 @@ rsa_public_4096.pem: rsa_private_4096.pem
379
571
openssl rsa -in rsa_private_4096.pem -pubout -out rsa_public_4096.pem
380
572
381
573
clean :
382
- rm -f * .pem * .srl ca2-database.txt ca2-serial fake-startcom-root-serial
574
+ rm -f * .pfx * . pem * .srl ca2-database.txt ca2-serial fake-startcom-root-serial * .print * .old fake-startcom-root-issued-certs/ * .pem
383
575
@> fake-startcom-root-database.txt
384
576
385
- test : agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify
577
+ test : agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify agent6-verify agent7-verify agent8-verify agent10-verify ec10-verify
386
578
579
+ % -cert.pem.print : % -cert.pem
580
+ openssl x509 -in $< -text -noout > $@
387
581
388
- .PHONY : all clean test agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify
582
+ .PHONY : all clean test agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify agent6-verify agent7-verify agent8-verify agent10-verify ec10-verify
0 commit comments