Generate CA cert in 'gen_certs.sh'.
parent
af48d1f2e6
commit
b24e53454a
|
@ -1,5 +1,5 @@
|
||||||
# The certificate/private key pairs used here was generated via openssl using the
|
# The certificate/private key pairs used here where generated via openssl using
|
||||||
# scripts 'gen_ca.sh' and 'gen_certs.sh' located in the `private/` subdirectory.
|
# the 'gen_certs.sh' script located in the `private/` subdirectory.
|
||||||
#
|
#
|
||||||
# The certificates are self-signed. As such, you will need to trust them directly
|
# The certificates are self-signed. As such, you will need to trust them directly
|
||||||
# for your browser to refer to the connection as secure. You should NEVER use
|
# for your browser to refer to the connection as secure. You should NEVER use
|
||||||
|
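Review bot: The rewritten first comment line reads `where generated`, which should be `were generated`; the old line had the subject/verb agreement wrong the other way (`pairs ... was generated`), so the commit fixes the number but introduces a spelling slip. Suggested line: `# The certificate/private key pairs used here were generated via openssl using`. The rest of the hunk, dropping the reference to `gen_ca.sh`, is consistent with that script being deleted in this commit.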
@ -11,6 +11,7 @@ key = "private/rsa_sha256_key.pem"
|
||||||
[rsa_sha256.tls]
|
[rsa_sha256.tls]
|
||||||
certs = "private/rsa_sha256_cert.pem"
|
certs = "private/rsa_sha256_cert.pem"
|
||||||
key = "private/rsa_sha256_key.pem"
|
key = "private/rsa_sha256_key.pem"
|
||||||
|
|
||||||
[ecdsa_nistp256_sha256.tls]
|
[ecdsa_nistp256_sha256.tls]
|
||||||
certs = "private/ecdsa_nistp256_sha256_cert.pem"
|
certs = "private/ecdsa_nistp256_sha256_cert.pem"
|
||||||
key = "private/ecdsa_nistp256_sha256_key_pkcs8.pem"
|
key = "private/ecdsa_nistp256_sha256_key_pkcs8.pem"
|
||||||
|
|
|
@ -1,6 +0,0 @@
|
||||||
#! /bin/bash
|
|
||||||
|
|
||||||
CA_SUBJECT="/C=US/ST=CA/O=Rocket CA/CN=Rocket Root CA"
|
|
||||||
|
|
||||||
openssl genrsa -out ca_key.pem 4096
|
|
||||||
openssl req -new -x509 -days 3650 -key ca_key.pem -subj "${CA_SUBJECT}" -out ca_cert.pem
|
|
|
@ -1,12 +1,20 @@
|
||||||
#! /bin/bash
|
#! /bin/bash
|
||||||
|
|
||||||
# Should use gen_ca.sh first to generate the CA.
|
# Usage:
|
||||||
|
# ./gen_certs.sh [cert-kind]
|
||||||
# To generate certificates of specific private key type, pass any of the following arguements:
|
|
||||||
# 'ed25519', 'rsa_sha256', 'ecdsa_nistp256_sha256' or 'ecdsa_nistp384_sha384'
|
|
||||||
#
|
#
|
||||||
# If no argument is passed all supported certificates types will be generated.
|
# [cert-kind]:
|
||||||
|
# ed25519
|
||||||
|
# rsa_sha256
|
||||||
|
# ecdsa_nistp256_sha256
|
||||||
|
# ecdsa_nistp384_sha384
|
||||||
#
|
#
|
||||||
|
# Generate a certificate of the [cert-kind] key type, or if no cert-kind is
|
||||||
|
# specified, all of the certificates.
|
||||||
|
#
|
||||||
|
# Examples:
|
||||||
|
# ./gen_certs.sh ed25519
|
||||||
|
# ./gen_certs.sh rsa_sha256
|
||||||
|
|
||||||
# TODO: `rustls` (really, `webpki`) doesn't currently use the CN in the subject
|
# TODO: `rustls` (really, `webpki`) doesn't currently use the CN in the subject
|
||||||
# to check if a certificate is valid for a server name sent via SNI. It's not
|
# to check if a certificate is valid for a server name sent via SNI. It's not
|
||||||
|
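Review bot: The new usage header drops the old "Should use gen_ca.sh first" note but does not say what replaces it: the CA is now produced on demand by `gen_ca_if_non_existent` (in a later hunk of this file), lands as `ca_cert.pem`/`ca_key.pem` in the working directory, and an existing `ca_cert.pem` is reused rather than regenerated. Since a user who wants a fresh CA has to delete that file first, the header should say so, for example `# The CA (ca_cert.pem, ca_key.pem) is generated automatically when ca_cert.pem is missing; delete it to force a new CA.`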
@ -14,11 +22,26 @@
|
||||||
# with a DNS name, or if it simply hasn't been implemented yet. See
|
# with a DNS name, or if it simply hasn't been implemented yet. See
|
||||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=552346 for a bit more info.
|
# https://bugzilla.mozilla.org/show_bug.cgi?id=552346 for a bit more info.
|
||||||
|
|
||||||
|
CA_SUBJECT="/C=US/ST=CA/O=Rocket CA/CN=Rocket Root CA"
|
||||||
SUBJECT="/C=US/ST=CA/O=Rocket/CN=localhost"
|
SUBJECT="/C=US/ST=CA/O=Rocket/CN=localhost"
|
||||||
ALT="DNS:localhost"
|
ALT="DNS:localhost"
|
||||||
|
|
||||||
|
function gen_ca() {
|
||||||
|
openssl genrsa -out ca_key.pem 4096
|
||||||
|
openssl req -new -x509 -days 3650 -key ca_key.pem \
|
||||||
|
-subj "${CA_SUBJECT}" -out ca_cert.pem
|
||||||
|
}
|
||||||
|
|
||||||
|
function gen_ca_if_non_existent() {
|
||||||
|
if ! [ -f ./ca_cert.pem ]; then gen_ca; fi
|
||||||
|
}
|
||||||
|
|
||||||
function gen_rsa_sha256() {
|
function gen_rsa_sha256() {
|
||||||
openssl req -newkey rsa:4096 -nodes -sha256 -keyout rsa_sha256_key.pem -subj "${SUBJECT}" -out server.csr
|
gen_ca_if_non_existent
|
||||||
|
|
||||||
|
openssl req -newkey rsa:4096 -nodes -sha256 -keyout rsa_sha256_key.pem \
|
||||||
|
-subj "${SUBJECT}" -out server.csr
|
||||||
|
|
||||||
openssl x509 -req -sha256 -extfile <(printf "subjectAltName=${ALT}") -days 3650 \
|
openssl x509 -req -sha256 -extfile <(printf "subjectAltName=${ALT}") -days 3650 \
|
||||||
-CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
|
-CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
|
||||||
-in server.csr -out rsa_sha256_cert.pem
|
-in server.csr -out rsa_sha256_cert.pem
|
||||||
|
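Review bot: `gen_ca_if_non_existent` tests only `./ca_cert.pem`, so a directory holding the certificate without its key (or a `ca_key.pem` left over from a different CA) skips `gen_ca`, and the `-CA ca_cert.pem -CAkey ca_key.pem` signing step then fails because openssl x509 rejects a missing or mismatched CA key. Checking both files is a one-line change: `if ! [ -f ./ca_cert.pem ] || ! [ -f ./ca_key.pem ]; then gen_ca; fi`. Nothing visible in these hunks enables `set -e`, so a failure inside `gen_ca` is not fatal and the later steps run against missing files; if the script is meant to stay without strict mode, an explicit `|| return 1` on the two openssl calls in `gen_ca` would surface that. The same helper is called from the gen_ed25519, gen_ecdsa_nistp256_sha256 and gen_ecdsa_nistp384_sha384 hunks, so one fix in the helper covers all of them.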
@ -27,6 +50,8 @@ function gen_rsa_sha256() {
|
||||||
}
|
}
|
||||||
|
|
||||||
function gen_ed25519() {
|
function gen_ed25519() {
|
||||||
|
gen_ca_if_non_existent
|
||||||
|
|
||||||
openssl genpkey -algorithm ED25519 > ed25519_key.pem
|
openssl genpkey -algorithm ED25519 > ed25519_key.pem
|
||||||
|
|
||||||
openssl req -new -key ed25519_key.pem -subj "${SUBJECT}" -out server.csr
|
openssl req -new -key ed25519_key.pem -subj "${SUBJECT}" -out server.csr
|
||||||
|
@ -38,12 +63,17 @@ function gen_ed25519() {
|
||||||
}
|
}
|
||||||
|
|
||||||
function gen_ecdsa_nistp256_sha256() {
|
function gen_ecdsa_nistp256_sha256() {
|
||||||
|
gen_ca_if_non_existent
|
||||||
|
|
||||||
openssl ecparam -out ecdsa_nistp256_sha256_key.pem -name prime256v1 -genkey
|
openssl ecparam -out ecdsa_nistp256_sha256_key.pem -name prime256v1 -genkey
|
||||||
|
|
||||||
# Convert to pkcs8 format supported by rustls
|
# Convert to pkcs8 format supported by rustls
|
||||||
openssl pkcs8 -topk8 -nocrypt -in ecdsa_nistp256_sha256_key.pem -out ecdsa_nistp256_sha256_key_pkcs8.pem
|
openssl pkcs8 -topk8 -nocrypt -in ecdsa_nistp256_sha256_key.pem \
|
||||||
|
-out ecdsa_nistp256_sha256_key_pkcs8.pem
|
||||||
|
|
||||||
|
openssl req -new -nodes -sha256 -key ecdsa_nistp256_sha256_key_pkcs8.pem \
|
||||||
|
-subj "${SUBJECT}" -out server.csr
|
||||||
|
|
||||||
openssl req -new -nodes -sha256 -key ecdsa_nistp256_sha256_key_pkcs8.pem -subj "${SUBJECT}" -out server.csr
|
|
||||||
openssl x509 -req -sha256 -extfile <(printf "subjectAltName=${ALT}") -days 3650 \
|
openssl x509 -req -sha256 -extfile <(printf "subjectAltName=${ALT}") -days 3650 \
|
||||||
-CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
|
-CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
|
||||||
-in server.csr -out ecdsa_nistp256_sha256_cert.pem
|
-in server.csr -out ecdsa_nistp256_sha256_cert.pem
|
||||||
|
@ -51,14 +81,18 @@ function gen_ecdsa_nistp256_sha256() {
|
||||||
rm ca_cert.srl server.csr ecdsa_nistp256_sha256_key.pem
|
rm ca_cert.srl server.csr ecdsa_nistp256_sha256_key.pem
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
function gen_ecdsa_nistp384_sha384() {
|
function gen_ecdsa_nistp384_sha384() {
|
||||||
|
gen_ca_if_non_existent
|
||||||
|
|
||||||
openssl ecparam -out ecdsa_nistp384_sha384_key.pem -name secp384r1 -genkey
|
openssl ecparam -out ecdsa_nistp384_sha384_key.pem -name secp384r1 -genkey
|
||||||
|
|
||||||
# Convert to pkcs8 format supported by rustls
|
# Convert to pkcs8 format supported by rustls
|
||||||
openssl pkcs8 -topk8 -nocrypt -in ecdsa_nistp384_sha384_key.pem -out ecdsa_nistp384_sha384_key_pkcs8.pem
|
openssl pkcs8 -topk8 -nocrypt -in ecdsa_nistp384_sha384_key.pem \
|
||||||
|
-out ecdsa_nistp384_sha384_key_pkcs8.pem
|
||||||
|
|
||||||
|
openssl req -new -nodes -sha384 -key ecdsa_nistp384_sha384_key_pkcs8.pem \
|
||||||
|
-subj "${SUBJECT}" -out server.csr
|
||||||
|
|
||||||
openssl req -new -nodes -sha384 -key ecdsa_nistp384_sha384_key_pkcs8.pem -subj "${SUBJECT}" -out server.csr
|
|
||||||
openssl x509 -req -sha384 -extfile <(printf "subjectAltName=${ALT}") -days 3650 \
|
openssl x509 -req -sha384 -extfile <(printf "subjectAltName=${ALT}") -days 3650 \
|
||||||
-CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
|
-CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
|
||||||
-in server.csr -out ecdsa_nistp384_sha384_cert.pem
|
-in server.csr -out ecdsa_nistp384_sha384_cert.pem
|
||||||
|
|