blob: 378bd10cf24fd3ea9d2956482ea7fcb3fa593f31 [file] [log] [blame]
#!/bin/bash
# Create the server CA certs.
openssl req -x509 \
-newkey rsa:4096 \
-nodes \
-days 3650 \
-keyout server_ca_key.pem \
-out server_ca_cert.pem \
-subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-server_ca/ \
-config ./openssl.cnf \
-extensions test_ca \
-sha256
# Create the client CA certs.
openssl req -x509 \
-newkey rsa:4096 \
-nodes \
-days 3650 \
-keyout client_ca_key.pem \
-out client_ca_cert.pem \
-subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client_ca/ \
-config ./openssl.cnf \
-extensions test_ca \
-sha256
# Generate two server certs.
openssl genrsa -out server1_key.pem 4096
openssl req -new \
-key server1_key.pem \
-days 3650 \
-out server1_csr.pem \
-subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-server1/ \
-config ./openssl.cnf \
-reqexts test_server
openssl x509 -req \
-in server1_csr.pem \
-CAkey server_ca_key.pem \
-CA server_ca_cert.pem \
-days 3650 \
-set_serial 1000 \
-out server1_cert.pem \
-extfile ./openssl.cnf \
-extensions test_server \
-sha256
openssl verify -verbose -CAfile server_ca_cert.pem server1_cert.pem
openssl genrsa -out server2_key.pem 4096
openssl req -new \
-key server2_key.pem \
-days 3650 \
-out server2_csr.pem \
-subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-server2/ \
-config ./openssl.cnf \
-reqexts test_server
openssl x509 -req \
-in server2_csr.pem \
-CAkey server_ca_key.pem \
-CA server_ca_cert.pem \
-days 3650 \
-set_serial 1000 \
-out server2_cert.pem \
-extfile ./openssl.cnf \
-extensions test_server \
-sha256
openssl verify -verbose -CAfile server_ca_cert.pem server2_cert.pem
# Generate two client certs.
openssl genrsa -out client1_key.pem 4096
openssl req -new \
-key client1_key.pem \
-days 3650 \
-out client1_csr.pem \
-subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client1/ \
-config ./openssl.cnf \
-reqexts test_client
openssl x509 -req \
-in client1_csr.pem \
-CAkey client_ca_key.pem \
-CA client_ca_cert.pem \
-days 3650 \
-set_serial 1000 \
-out client1_cert.pem \
-extfile ./openssl.cnf \
-extensions test_client \
-sha256
openssl verify -verbose -CAfile client_ca_cert.pem client1_cert.pem
openssl genrsa -out client2_key.pem 4096
openssl req -new \
-key client2_key.pem \
-days 3650 \
-out client2_csr.pem \
-subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client2/ \
-config ./openssl.cnf \
-reqexts test_client
openssl x509 -req \
-in client2_csr.pem \
-CAkey client_ca_key.pem \
-CA client_ca_cert.pem \
-days 3650 \
-set_serial 1000 \
-out client2_cert.pem \
-extfile ./openssl.cnf \
-extensions test_client \
-sha256
openssl verify -verbose -CAfile client_ca_cert.pem client2_cert.pem
# Generate a cert with SPIFFE ID.
openssl req -x509 \
-newkey rsa:4096 \
-keyout spiffe_key.pem \
-out spiffe_cert.pem \
-nodes \
-days 3650 \
-subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client1/ \
-addext "subjectAltName = URI:spiffe://foo.bar.com/client/workload/1" \
-sha256
# Generate a cert with SPIFFE ID and another SAN URI field(which doesn't meet SPIFFE specs).
openssl req -x509 \
-newkey rsa:4096 \
-keyout multiple_uri_key.pem \
-out multiple_uri_cert.pem \
-nodes \
-days 3650 \
-subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client1/ \
-addext "subjectAltName = URI:spiffe://foo.bar.com/client/workload/1, URI:https://bar.baz.com/client" \
-sha256
# Generate a cert with SPIFFE ID using client_with_spiffe_openssl.cnf
openssl req -new \
-key client_with_spiffe_key.pem \
-out client_with_spiffe_csr.pem \
-subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client1/ \
-config ./client_with_spiffe_openssl.cnf \
-reqexts test_client
openssl x509 -req \
-in client_with_spiffe_csr.pem \
-CAkey client_ca_key.pem \
-CA client_ca_cert.pem \
-days 3650 \
-set_serial 1000 \
-out client_with_spiffe_cert.pem \
-extfile ./client_with_spiffe_openssl.cnf \
-extensions test_client \
-sha256
openssl verify -verbose -CAfile client_with_spiffe_cert.pem
# Cleanup the CSRs.
rm *_csr.pem