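#!/bin/bash
# Generates the self-signed test CA/server certificate and two client
# certificates (a plain one and a "v3" one carrying the SAN/keyUsage
# extensions), then smoke-tests them with s_server/s_client.
# Outputs in the current folder: server.{crt,key,pem,p12}, CA.pem,
# client.{key,crt,pem,p12}, client_v3.{key,crt}. my.cfg and the *.csr
# files are temporary and removed at the end.
# tested with git bash on Windows (hence the winpty wrapper around the
# interactive openssl calls)
# probably needs a bit of tweaking for other environments
# re the "//SKIP=this" in sub see at https://stackoverflow.com/a/54924640/499466

# Abort on the first failed step instead of producing a half-written key set,
# and refuse unset variables.
set -eu

# Subject shared by the CA/server certificate and both client requests.
subj='//SKIP=this/CN=localhost/emailAddress=dev@thrift.apache.org/OU=Apache Thrift/O=The Apache Software Foundation/L=Forest Hill/ST=Maryland/C=US'
# Validity of every certificate issued below.
days=3000

echo init folder
# -f: no error (and no stderr noise) when a glob matches nothing;
# --: a file whose name starts with "-" cannot be parsed as an option.
rm -f -- *.p12 *.pem *.crt *.key *.cfg *.csr
#cp ../*.key .

echo writing config
# Quoted delimiter: nothing inside is expanded, the file is written verbatim.
cat > my.cfg <<'EOF'
[ req ]
default_bits= 4096
distinguished_name=req
x509_extensions = v3_ca
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=@alternate_names

[ alternate_names ]
IP.1=127.0.0.1
IP.2=::1
IP.3=::ffff:127.0.0.1
DNS.1=localhost

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, cRLSign, keyCertSign, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@alternate_names

EOF

echo
echo step 1a
# Self-signed CA that doubles as the server certificate (v3_ca section).
# -nodes leaves server.key unencrypted: this is a test fixture, not a
# production key.
winpty openssl req \
  -new \
  -x509 \
  -nodes \
  -days "$days" \
  -out server.crt \
  -keyout server.key \
  -subj "$subj" \
  -extensions v3_ca \
  -config my.cfg
echo
echo step 1b
# Human-readable dump followed by the PEM block; CA.pem is what the client
# certificates below are signed against.
openssl x509 -in server.crt -text > CA.pem
echo
echo step 1c
cat server.crt server.key > server.pem
echo
echo step 2
echo 'Use "thrift" as password (without the quotes)'
winpty openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12
echo
echo step 3
winpty openssl genrsa -out client.key
echo
echo step 4
winpty openssl req \
  -new \
  -subj "$subj" \
  -key client.key \
  -out client.csr
echo
echo step 5
winpty openssl x509 -req -days "$days" -in client.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client.crt
echo
echo step 6
winpty openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
echo
echo step 7
winpty openssl pkcs12 -in client.p12 -out client.pem -clcerts
echo
echo step 8a
openssl genrsa -out client_v3.key
echo
echo step 8b
# v3_req adds the SAN / keyUsage extensions from my.cfg to the request.
winpty openssl req \
  -new \
  -subj "$subj" \
  -key client_v3.key \
  -out client_v3.csr \
  -extensions v3_req \
  -config my.cfg
echo
echo step 9
# Serial 02: client.crt already carries serial 01 from the same issuer, and
# issuer + serial must be unique per CA (RFC 5280 s4.1.2.2); two live
# certificates sharing 01 can be rejected or confused by TLS stacks.
winpty openssl x509 -req -days "$days" -in client_v3.csr -CA CA.pem -CAkey server.key -set_serial 02 -out client_v3.crt -extensions v3_req -extfile my.cfg
echo
echo cleanup
rm -f -- *.cfg *.csr
echo
echo test
# NOTE(review): the client is started before the server listens, so the
# connect may race the server start-up; kept as in the original flow.
openssl s_client -connect localhost:9090 &
openssl s_server -accept 9090 -www
echo
echo done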