s2a/src/test/resources/README.md

Generating certificates and keys for testing mTLS-S2A

Content from: https://github.com/google/s2a-go/blob/main/testdata/README.md

Create root CA

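# Root CA: a self-signed RSA-2048 certificate with a SHA-256 signature, valid for
# 7305 days (~20 years). As shown on the page the command was wrapped after "-out",
# which leaves "-out" without an argument and runs "root_cert.pem" as a separate
# command; the continuation below makes it one command again.
# No -nodes is given, so openssl req prompts for a passphrase and writes
# root_key.pem encrypted. These are test-only fixtures: do not add root_cert.pem
# to any trust store outside the test environment.
openssl req -x509 -sha256 -days 7305 -newkey rsa:2048 -keyout root_key.pem \
  -out root_cert.pem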

Generate private keys for server and client

# RSA-2048 private keys for the two endpoints. No encryption option is passed,
# so both keys are written unencrypted; acceptable only because they are test
# fixtures that never leave the test tree.
for role in server client; do
  openssl genrsa -out "${role}_key.pem" 2048
done

Generate CSRs for server and client (set Common Name to localhost, leave all other fields blank)

# One CSR per endpoint, using the shared config.cnf for the request fields.
# The subject fields come from the interactive prompts (CN=localhost per the
# text above); what config.cnf itself contributes is not visible here.
for role in server client; do
  openssl req -new -key "${role}_key.pem" -config config.cnf -out "${role}.csr"
done

Sign CSRs for server and client

# Sign both CSRs with the RSA root. Only the server certificate receives the
# req_ext extension section from config.cnf (presumably the SAN for localhost —
# confirm in config.cnf); the client certificate is issued with no extensions.
# Unlike the ECDSA chain below, no -CAcreateserial is passed, so if
# root_cert.srl does not exist this step may fail depending on the openssl
# version in use.
ca_sign=(openssl x509 -req -CA root_cert.pem -CAkey root_key.pem -days 7305)
"${ca_sign[@]}" -in server.csr -out server_cert.pem -extfile config.cnf -extensions req_ext
"${ca_sign[@]}" -in client.csr -out client_cert.pem

Generate self-signed ECDSA root cert

# Self-signed ECDSA root on P-256. The key is generated by ecparam, re-encoded
# as PKCS#8 by pkcs8 -topk8, and the ecparam-format copy is removed.
# -nocrypt and -nodes leave the key unencrypted: test fixture only.
openssl ecparam -genkey -noout -name prime256v1 -out temp.pem
openssl pkcs8 -topk8 -nocrypt -in temp.pem -out root_key_ec.pem
rm temp.pem
# The certificate fields and its v3_req extensions (presumably basicConstraints
# CA:TRUE — confirm in root_ec.cnf) come from root_ec.cnf; no digest is given,
# so openssl's default signing digest applies.
openssl req -new -x509 -nodes -days 7305 -key root_key_ec.pem \
  -config root_ec.cnf -extensions v3_req -out root_cert_ec.pem

Generate a chain of ECDSA certs

# Intermediate CA #2, issued directly by the ECDSA root. P-256 key, PKCS#8,
# unencrypted (test fixture).
openssl ecparam -genkey -noout -name prime256v1 -out temp.pem
openssl pkcs8 -topk8 -nocrypt -in temp.pem -out int_key2_ec.pem
rm temp.pem
# CSR from int_cert2.cnf, signed by the root with the v3_req section of the
# same file as the certificate extensions. -CAcreateserial creates
# root_cert_ec.srl (the issuer's serial counter) if it is not present yet.
# temp.csr is not removed afterwards.
openssl req -new -key int_key2_ec.pem -config int_cert2.cnf -out temp.csr
openssl x509 -req -days 7305 -CA root_cert_ec.pem -CAkey root_key_ec.pem -CAcreateserial \
  -extfile int_cert2.cnf -extensions v3_req -in temp.csr -out int_cert2_ec.pem


# Intermediate CA #1, issued by intermediate #2. P-256 key, PKCS#8,
# unencrypted (test fixture).
openssl ecparam -genkey -noout -name prime256v1 -out temp.pem
openssl pkcs8 -topk8 -nocrypt -in temp.pem -out int_key1_ec.pem
rm temp.pem
# NOTE(review): the checked-in config file appears to be named int_cert1_.cnf
# (trailing underscore) rather than int_cert1.cnf; confirm which name is
# correct before running this. The CSR is signed by int_cert2, which needs the
# CA:TRUE/pathlen settings in int_cert2.cnf to allow a subordinate CA — confirm
# there. -CAcreateserial creates int_cert2_ec.srl if absent; temp.csr is
# overwritten in place and never removed.
openssl req -new -key int_key1_ec.pem -config int_cert1.cnf -out temp.csr
openssl x509 -req -days 7305 -CA int_cert2_ec.pem -CAkey int_key2_ec.pem -CAcreateserial \
  -extfile int_cert1.cnf -extensions v3_req -in temp.csr -out int_cert1_ec.pem


# Leaf (end-entity) certificate, issued by intermediate #1. P-256 key, PKCS#8,
# unencrypted (test fixture).
openssl ecparam -genkey -noout -name prime256v1 -out temp.pem
openssl pkcs8 -topk8 -nocrypt -in temp.pem -out leaf_key_ec.pem
rm temp.pem
# CSR and extensions both come from leaf.cnf (presumably a SAN and no CA:TRUE —
# confirm there). -CAcreateserial creates int_cert1_ec.srl if absent.
openssl req -new -key leaf_key_ec.pem -config leaf.cnf -out temp.csr
openssl x509 -req -days 7305 -CA int_cert1_ec.pem -CAkey int_key1_ec.pem -CAcreateserial \
  -extfile leaf.cnf -extensions v3_req -in temp.csr -out leaf_cert_ec.pem
# Chain file in the order a TLS peer sends it: leaf first, then the
# intermediates toward the root. The root certificate itself is deliberately
# not part of the chain; the verifier must hold root_cert_ec.pem separately.
cat -- leaf_cert_ec.pem int_cert1_ec.pem int_cert2_ec.pem > cert_chain_ec.pem