diff options
author | Igor Babaev <igor@askmonty.org> | 2019-02-03 18:41:18 -0800 |
---|---|---|
committer | Igor Babaev <igor@askmonty.org> | 2019-02-03 18:41:18 -0800 |
commit | 37deed3f37561f264f65e162146bbc2ad35fb1a2 (patch) | |
tree | c1cfb6c0995bfcc4ac3fb335f518a8b404413e32 /mysql-test/lib/generate-ssl-certs.sh | |
parent | 658128af43b4d7c6db445164f8ed25ed4d1e3109 (diff) | |
parent | 5b996782be6b752ce50a0ecaa222b0688aa9e75d (diff) | |
download | mariadb-git-37deed3f37561f264f65e162146bbc2ad35fb1a2.tar.gz |
Merge branch '10.4' into bb-10.4-mdev16188
Diffstat (limited to 'mysql-test/lib/generate-ssl-certs.sh')
-rwxr-xr-x | mysql-test/lib/generate-ssl-certs.sh | 37 |
1 files changed, 28 insertions, 9 deletions
diff --git a/mysql-test/lib/generate-ssl-certs.sh b/mysql-test/lib/generate-ssl-certs.sh index 8f15ba9d521..0894be3a299 100755 --- a/mysql-test/lib/generate-ssl-certs.sh +++ b/mysql-test/lib/generate-ssl-certs.sh @@ -10,30 +10,49 @@ rm -rf demoCA mkdir demoCA demoCA/newcerts touch demoCA/index.txt echo 01 > demoCA/serial +echo 01 > demoCA/crlnumber # CA certificate, self-signed openssl req -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem -days 7300 -nodes -subj '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' -text # server certificate signing request and private key. Note the very long subject (for MDEV-7859) -openssl req -newkey rsa:1024 -keyout server-key.pem -out demoCA/server-req.pem -days 7300 -nodes -subj '/CN=localhost/C=FI/ST=state or province within country, in other certificates in this file it is the same as L/L=location, usually an address but often ambiguously used/OU=organizational unit name, a division name within an organization/O=organization name, typically a company name' +openssl req -newkey rsa:2048 -keyout server-key.pem -out demoCA/server-req.pem -days 7300 -nodes -subj '/CN=localhost/C=FI/ST=state or province within country, in other certificates in this file it is the same as L/L=location, usually an address but often ambiguously used/OU=organizational unit name, a division name within an organization/O=organization name, typically a company name' # convert the key to yassl compatible format openssl rsa -in server-key.pem -out server-key.pem # sign the server certificate with CA certificate -openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server-cert.pem -infiles demoCA/server-req.pem +openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server-cert.pem -in demoCA/server-req.pem +# server certificate with different validity period (MDEV-7598) +openssl req -newkey rsa:2048 -keyout server-new-key.pem -out demoCA/server-new-req.pem -days 7301 -nodes -subj '/CN=server-new/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' +openssl rsa -in server-new-key.pem -out server-new-key.pem +openssl ca -keyfile cakey.pem -days 7301 -batch -cert cacert.pem -policy policy_anything -out server-new-cert.pem -in demoCA/server-new-req.pem + +# 8K cert openssl req -newkey rsa:8192 -keyout server8k-key.pem -out demoCA/server8k-req.pem -days 7300 -nodes -subj '/CN=server8k/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' openssl rsa -in server8k-key.pem -out server8k-key.pem -openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server8k-cert.pem -infiles demoCA/server8k-req.pem - -openssl req -newkey rsa:1024 -keyout client-key.pem -out demoCA/client-req.pem -days 7300 -nodes -subj '/CN=client/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' -openssl rsa -in client-key.pem -out client-key.pem -openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out client-cert.pem -infiles demoCA/client-req.pem +openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server8k-cert.pem -in demoCA/server8k-req.pem # with SubjectAltName, only for OpenSSL 1.0.2+ cat > demoCA/sanext.conf <<EOF subjectAltName=DNS:localhost EOF -openssl req -newkey rsa:1024 -keyout serversan-key.pem -out demoCA/serversan-req.pem -days 7300 -nodes -subj '/CN=server/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' -openssl ca -keyfile cakey.pem -extfile demoCA/sanext.conf -days 7300 -batch -cert cacert.pem -policy policy_anything -out serversan-cert.pem -infiles demoCA/serversan-req.pem +openssl req -newkey rsa:2048 -keyout serversan-key.pem -out demoCA/serversan-req.pem -days 7300 -nodes -subj '/CN=server/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' +openssl ca -keyfile cakey.pem -extfile demoCA/sanext.conf -days 7300 -batch -cert cacert.pem -policy policy_anything -out serversan-cert.pem -in demoCA/serversan-req.pem + +# client cert +openssl req -newkey rsa:2048 -keyout client-key.pem -out demoCA/client-req.pem -days 7300 -nodes -subj '/CN=client/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' +openssl rsa -in client-key.pem -out client-key.pem +openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out client-cert.pem -in demoCA/client-req.pem + +# generate crls +openssl ca -revoke server-cert.pem -keyfile cakey.pem -batch -cert cacert.pem +openssl ca -gencrl -keyfile cakey.pem -crldays 7300 -batch -cert cacert.pem -out server-cert.crl +# we only want to have one certificate per CRL. Un-revoke server-cert.crl +cp demoCA/index.txt.old demoCA/index.txt +openssl ca -revoke client-cert.pem -keyfile cakey.pem -batch -cert cacert.pem +openssl ca -gencrl -keyfile cakey.pem -crldays 7300 -batch -cert cacert.pem -out client-cert.crl + +rm -fv crldir/* +cp -v client-cert.crl crldir/`openssl x509 -in client-cert.pem -noout -issuer_hash`.r0 rm -rf demoCA |