blob: 277734aa174562efb11980251a2cc5d903eb6ae0 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
|
all: agent1-cert.pem agent2-cert.pem agent3-cert.pem agent4-cert.pem agent5-cert.pem ca2-crl.pem ec-cert.pem dh512.pem dh1024.pem dh2048.pem dsa1025.pem dsa_private_1025.pem dsa_public_1025.pem rsa_private_1024.pem rsa_private_2048.pem rsa_private_4096.pem rsa_public_1024.pem rsa_public_2048.pem rsa_public_4096.pem
#
# Create Certificate Authority: ca1
# ('password' is used for the CA password.)
#
ca1-cert.pem: ca1.cnf
openssl req -new -x509 -days 9999 -config ca1.cnf -keyout ca1-key.pem -out ca1-cert.pem
#
# Create Certificate Authority: ca2
# ('password' is used for the CA password.)
#
ca2-cert.pem: ca2.cnf
openssl req -new -x509 -days 9999 -config ca2.cnf -keyout ca2-key.pem -out ca2-cert.pem
echo '01' > ca2-serial
touch ca2-database.txt
#
# Create Subordinate Certificate Authority: ca3
# ('password' is used for the CA password.)
#
ca3-key.pem:
openssl genrsa -out ca3-key.pem 1024
ca3-csr.pem: ca3.cnf ca3-key.pem
openssl req -new \
-extensions v3_ca \
-config ca3.cnf \
-key ca3-key.pem \
-out ca3-csr.pem
ca3-cert.pem: ca3-csr.pem ca3-key.pem ca3.cnf ca1-cert.pem ca1-key.pem
openssl x509 -req \
-extfile ca3.cnf \
-extensions v3_ca \
-days 9999 \
-passin "pass:password" \
-in ca3-csr.pem \
-CA ca1-cert.pem \
-CAkey ca1-key.pem \
-CAcreateserial \
-out ca3-cert.pem
#
# Create Fake CNNIC Root Certificate Authority: fake-cnnic-root
#
fake-cnnic-root-key.pem:
openssl genrsa -out fake-cnnic-root-key.pem 2048
fake-cnnic-root-cert.pem: fake-cnnic-root.cnf fake-cnnic-root-key.pem
openssl req -x509 -new \
-key fake-cnnic-root-key.pem \
-days 1024 \
-out fake-cnnic-root-cert.pem \
-config fake-cnnic-root.cnf
#
# agent1 is signed by ca1.
#
agent1-key.pem:
openssl genrsa -out agent1-key.pem 1024
agent1-csr.pem: agent1.cnf agent1-key.pem
openssl req -new -config agent1.cnf -key agent1-key.pem -out agent1-csr.pem
agent1-cert.pem: agent1-csr.pem ca1-cert.pem ca1-key.pem
openssl x509 -req \
-extfile agent1.cnf \
-extensions v3_ca \
-days 9999 \
-passin "pass:password" \
-in agent1-csr.pem \
-CA ca1-cert.pem \
-CAkey ca1-key.pem \
-CAcreateserial \
-out agent1-cert.pem
agent1-pfx.pem: agent1-cert.pem agent1-key.pem ca1-cert.pem
openssl pkcs12 -export \
-descert \
-in agent1-cert.pem \
-inkey agent1-key.pem \
-certfile ca1-cert.pem \
-out agent1-pfx.pem \
-password pass:sample
agent1-verify: agent1-cert.pem ca1-cert.pem
openssl verify -CAfile ca1-cert.pem agent1-cert.pem
#
# agent2 has a self signed cert
#
# Generate new private key
agent2-key.pem:
openssl genrsa -out agent2-key.pem 1024
# Create a Certificate Signing Request for the key
agent2-csr.pem: agent2-key.pem agent2.cnf
openssl req -new -config agent2.cnf -key agent2-key.pem -out agent2-csr.pem
# Create a Certificate for the agent.
agent2-cert.pem: agent2-csr.pem agent2-key.pem
openssl x509 -req \
-days 9999 \
-in agent2-csr.pem \
-signkey agent2-key.pem \
-out agent2-cert.pem
agent2-verify: agent2-cert.pem
openssl verify -CAfile agent2-cert.pem agent2-cert.pem
#
# agent3 is signed by ca2.
#
agent3-key.pem:
openssl genrsa -out agent3-key.pem 1024
agent3-csr.pem: agent3.cnf agent3-key.pem
openssl req -new -config agent3.cnf -key agent3-key.pem -out agent3-csr.pem
agent3-cert.pem: agent3-csr.pem ca2-cert.pem ca2-key.pem
openssl x509 -req \
-days 9999 \
-passin "pass:password" \
-in agent3-csr.pem \
-CA ca2-cert.pem \
-CAkey ca2-key.pem \
-CAcreateserial \
-out agent3-cert.pem
agent3-verify: agent3-cert.pem ca2-cert.pem
openssl verify -CAfile ca2-cert.pem agent3-cert.pem
#
# agent4 is signed by ca2 (client cert)
#
agent4-key.pem:
openssl genrsa -out agent4-key.pem 1024
agent4-csr.pem: agent4.cnf agent4-key.pem
openssl req -new -config agent4.cnf -key agent4-key.pem -out agent4-csr.pem
agent4-cert.pem: agent4-csr.pem ca2-cert.pem ca2-key.pem
openssl x509 -req \
-days 9999 \
-passin "pass:password" \
-in agent4-csr.pem \
-CA ca2-cert.pem \
-CAkey ca2-key.pem \
-CAcreateserial \
-extfile agent4.cnf \
-extensions ext_key_usage \
-out agent4-cert.pem
agent4-verify: agent4-cert.pem ca2-cert.pem
openssl verify -CAfile ca2-cert.pem agent4-cert.pem
#
# Make CRL with agent4 being rejected
#
ca2-crl.pem: ca2-key.pem ca2-cert.pem ca2.cnf
openssl ca -revoke agent4-cert.pem \
-keyfile ca2-key.pem \
-cert ca2-cert.pem \
-config ca2.cnf \
-passin 'pass:password'
openssl ca \
-keyfile ca2-key.pem \
-cert ca2-cert.pem \
-config ca2.cnf \
-gencrl \
-out ca2-crl.pem \
-passin 'pass:password'
#
# agent5 is signed by ca2 (client cert)
#
agent5-key.pem:
openssl genrsa -out agent5-key.pem 1024
agent5-csr.pem: agent5.cnf agent5-key.pem
openssl req -new -config agent5.cnf -key agent5-key.pem -out agent5-csr.pem
agent5-cert.pem: agent5-csr.pem ca2-cert.pem ca2-key.pem
openssl x509 -req \
-days 9999 \
-passin "pass:password" \
-in agent5-csr.pem \
-CA ca2-cert.pem \
-CAkey ca2-key.pem \
-CAcreateserial \
-extfile agent5.cnf \
-extensions ext_key_usage \
-out agent5-cert.pem
agent5-verify: agent5-cert.pem ca2-cert.pem
openssl verify -CAfile ca2-cert.pem agent5-cert.pem
#
# agent6 is signed by ca3
#
agent6-key.pem:
openssl genrsa -out agent6-key.pem 1024
agent6-csr.pem: agent6.cnf agent6-key.pem
openssl req -new -config agent6.cnf -key agent6-key.pem -out agent6-csr.pem
agent6-cert.pem: agent6-csr.pem ca3-cert.pem ca3-key.pem
openssl x509 -req \
-days 9999 \
-passin "pass:password" \
-in agent6-csr.pem \
-CA ca3-cert.pem \
-CAkey ca3-key.pem \
-CAcreateserial \
-extfile agent6.cnf \
-out agent6-cert.pem
cat ca3-cert.pem >> agent6-cert.pem
agent6-verify: agent6-cert.pem ca3-cert.pem
openssl verify -CAfile ca3-cert.pem agent6-cert.pem
#
# agent7 is signed by fake-cnnic-root.
#
agent7-key.pem:
openssl genrsa -out agent7-key.pem 2048
agent7-csr.pem: agent1.cnf agent7-key.pem
openssl req -new -config agent7.cnf -key agent7-key.pem -out agent7-csr.pem
agent7-cert.pem: agent7-csr.pem fake-cnnic-root-cert.pem fake-cnnic-root-key.pem
openssl x509 -req \
-extfile agent7.cnf \
-days 9999 \
-passin "pass:password" \
-in agent7-csr.pem \
-CA fake-cnnic-root-cert.pem \
-CAkey fake-cnnic-root-key.pem \
-CAcreateserial \
-out agent7-cert.pem
agent7-verify: agent7-cert.pem fake-cnnic-root-cert.pem
openssl verify -CAfile fake-cnnic-root-cert.pem agent7-cert.pem
ec-key.pem:
openssl ecparam -genkey -out ec-key.pem -name prime256v1
ec-csr.pem: ec-key.pem
openssl req -new -config ec.cnf -key ec-key.pem -out ec-csr.pem
ec-cert.pem: ec-csr.pem ec-key.pem
openssl x509 -req \
-days 9999 \
-in ec-csr.pem \
-signkey ec-key.pem \
-out ec-cert.pem
dh512.pem:
openssl dhparam -out dh512.pem 512
dh1024.pem:
openssl dhparam -out dh1024.pem 1024
dh2048.pem:
openssl dhparam -out dh2048.pem 2048
dsa1025.pem:
openssl dsaparam -out dsa1025.pem 1025
dsa_private_1025.pem:
openssl gendsa -out dsa_private_1025.pem dsa1025.pem
dsa_public_1025.pem:
openssl dsa -in dsa_private_1025.pem -pubout -out dsa_public_1025.pem
rsa_private_1024.pem:
openssl genrsa -out rsa_private_1024.pem 1024
rsa_private_2048.pem:
openssl genrsa -out rsa_private_2048.pem 2048
rsa_private_4096.pem:
openssl genrsa -out rsa_private_4096.pem 4096
rsa_public_1024.pem: rsa_private_1024.pem
openssl rsa -in rsa_private_1024.pem -out rsa_public_1024.pem
rsa_public_2048.pem: rsa_private_2048.pem
openssl rsa -in rsa_private_2048.pem -out rsa_public_2048.pem
rsa_public_4096.pem: rsa_private_4096.pem
openssl rsa -in rsa_private_4096.pem -out rsa_public_4096.pem
clean:
rm -f *.pem *.srl ca2-database.txt ca2-serial
test: agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify
.PHONY: all clean test agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify
|
