  • 命令行证书生成

    google.golang.org\grpc@v1.43.0\testdata\x509

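    #!/bin/bash
    #
    # Regenerates the X.509 test fixtures: two self-signed CAs, the server and
    # client leaf certificates they issue, and two self-signed SPIFFE certs.
    #
    # TEST DATA ONLY. Every private key is written unencrypted (-nodes, or
    # genrsa without a cipher) into the current directory, including the CA
    # keys. Do not reuse these keys or certificates outside of tests.
    #
    # Requires ./openssl.cnf (sections test_ca, test_server, test_client) in
    # the working directory.

    # Stop at the first failing command. Without this, a failed CA or CSR step
    # is followed by later steps that reuse stale files from a previous run,
    # and a failing `openssl verify` goes unnoticed.
    set -euo pipefail

    # Create the server CA: a self-signed RSA-4096 root valid for 3650 days,
    # with its extensions taken from [test_ca] in ./openssl.cnf.
    openssl req -x509 \
      -newkey rsa:4096 \
      -nodes \
      -days 3650 \
      -keyout server_ca_key.pem \
      -out server_ca_cert.pem \
      -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-server_ca/ \
      -config ./openssl.cnf \
      -extensions test_ca

    # Create the client CA. It is a separate root with its own key, so server
    # and client certificates chain to different trust anchors.
    openssl req -x509 \
      -newkey rsa:4096 \
      -nodes \
      -days 3650 \
      -keyout client_ca_key.pem \
      -out client_ca_cert.pem \
      -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client_ca/ \
      -config ./openssl.cnf \
      -extensions test_ca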
    
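    # Generate two server certs, both issued by the server CA.
    #
    # For each: create an unencrypted RSA-4096 key, build a CSR, sign it with
    # the CA, then check that the result chains to the CA certificate.
    #
    # `openssl x509 -req` does not copy the extensions requested in the CSR by
    # default; the issued certificate gets its extensions from the section
    # named by -extfile/-extensions, so that section is what must be reviewed.
    #
    # -days is not passed to `openssl req -new`: it only applies together with
    # -x509 and is ignored for a CSR. The validity period is set at signing.
    openssl genrsa -out server1_key.pem 4096
    openssl req -new \
      -key server1_key.pem \
      -out server1_csr.pem \
      -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-server1/ \
      -config ./openssl.cnf \
      -reqexts test_server
    openssl x509 -req \
      -in server1_csr.pem \
      -CAkey server_ca_key.pem \
      -CA server_ca_cert.pem \
      -days 3650 \
      -set_serial 1000 \
      -out server1_cert.pem \
      -extfile ./openssl.cnf \
      -extensions test_server
    openssl verify -verbose -CAfile server_ca_cert.pem server1_cert.pem

    openssl genrsa -out server2_key.pem 4096
    openssl req -new \
      -key server2_key.pem \
      -out server2_csr.pem \
      -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-server2/ \
      -config ./openssl.cnf \
      -reqexts test_server
    # Serial 1001, not 1000: a serial number must be unique per issuing CA
    # (RFC 5280), and revocation entries identify a certificate by its
    # issuer and serial number.
    openssl x509 -req \
      -in server2_csr.pem \
      -CAkey server_ca_key.pem \
      -CA server_ca_cert.pem \
      -days 3650 \
      -set_serial 1001 \
      -out server2_cert.pem \
      -extfile ./openssl.cnf \
      -extensions test_server
    openssl verify -verbose -CAfile server_ca_cert.pem server2_cert.pem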
    
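    # Generate two client certs, both issued by the client CA.
    #
    # Same flow as for the server certs: unencrypted RSA-4096 key, CSR,
    # CA-signed certificate with extensions from [test_client], then a chain
    # check against the client CA certificate.
    #
    # -days is not passed to `openssl req -new`: it only applies together with
    # -x509 and is ignored for a CSR. The validity period is set at signing.
    openssl genrsa -out client1_key.pem 4096
    openssl req -new \
      -key client1_key.pem \
      -out client1_csr.pem \
      -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client1/ \
      -config ./openssl.cnf \
      -reqexts test_client
    openssl x509 -req \
      -in client1_csr.pem \
      -CAkey client_ca_key.pem \
      -CA client_ca_cert.pem \
      -days 3650 \
      -set_serial 1000 \
      -out client1_cert.pem \
      -extfile ./openssl.cnf \
      -extensions test_client
    openssl verify -verbose -CAfile client_ca_cert.pem client1_cert.pem

    openssl genrsa -out client2_key.pem 4096
    openssl req -new \
      -key client2_key.pem \
      -out client2_csr.pem \
      -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client2/ \
      -config ./openssl.cnf \
      -reqexts test_client
    # Serial 1001, not 1000: a serial number must be unique per issuing CA
    # (RFC 5280), and revocation entries identify a certificate by its
    # issuer and serial number.
    openssl x509 -req \
      -in client2_csr.pem \
      -CAkey client_ca_key.pem \
      -CA client_ca_cert.pem \
      -days 3650 \
      -set_serial 1001 \
      -out client2_cert.pem \
      -extfile ./openssl.cnf \
      -extensions test_client
    openssl verify -verbose -CAfile client_ca_cert.pem client2_cert.pem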
    
    # Self-signed certificate whose only SAN is a SPIFFE ID (a URI SAN).
    # The key is written unencrypted (-nodes). No -config is given, so the
    # system default OpenSSL configuration supplies every extension other
    # than the SAN added with -addext.
    openssl req -x509 -nodes -days 3650 \
      -newkey rsa:4096 \
      -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client1/ \
      -addext "subjectAltName = URI:spiffe://foo.bar.com/client/workload/1" \
      -keyout spiffe_key.pem \
      -out spiffe_cert.pem

    # Self-signed certificate carrying the SPIFFE ID plus a second URI SAN.
    # Two URI SANs do not meet the SPIFFE specs, so this fixture is for the
    # case where SPIFFE ID parsing must reject the certificate.
    openssl req -x509 -nodes -days 3650 \
      -newkey rsa:4096 \
      -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client1/ \
      -addext "subjectAltName = URI:spiffe://foo.bar.com/client/workload/1, URI:https://bar.baz.com/client" \
      -keyout multiple_uri_key.pem \
      -out multiple_uri_cert.pem
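    # Clean up the CSRs; only the keys and certificates are kept as fixtures.
    # The ./ prefix and -- keep a file name that starts with '-' from being
    # parsed as an option to rm.
    rm -- ./*_csr.pem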
    

    google.golang.org\grpc@v1.43.0\testdata\x509\openssl.cnf 

    # OpenSSL configuration for the test certificates. It only names the
    # extension sections selected with -extensions / -reqexts / -extfile.
    [req]
    distinguished_name = req_distinguished_name
    attributes = req_attributes

    # Left empty: every request passes its subject on the command line (-subj).
    [req_distinguished_name]

    # Left empty: no CSR attributes are requested.
    [req_attributes]

    # Extensions for the two self-signed test CAs.
    [test_ca]
    # Critical CA:TRUE with no pathlen, so the depth of the chain below these
    # roots is not limited.
    basicConstraints = critical,CA:TRUE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    # NOTE(review): only keyCertSign is asserted. cRLSign is absent, so these
    # CAs are not marked as CRL issuers. Confirm no test needs CRLs signed by
    # them.
    keyUsage = critical,keyCertSign

    # Extensions for the server leaf certificates.
    [test_server]
    basicConstraints = critical,CA:FALSE
    subjectKeyIdentifier = hash
    # NOTE(review): no extendedKeyUsage is set here, unlike [test_client], so
    # the server certificates are not restricted to serverAuth. Confirm this
    # is intended for the tests.
    keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
    subjectAltName = @server_alt_names

    [server_alt_names]
    # Wildcard SAN: matches a single label directly under test.example.com.
    DNS.1 = *.test.example.com

    # Extensions for the client leaf certificates.
    [test_client]
    basicConstraints = critical,CA:FALSE
    subjectKeyIdentifier = hash
    keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment
    # Critical EKU limited to clientAuth: a verifier that checks EKU will
    # reject this certificate when it is presented as a TLS server certificate.
    extendedKeyUsage = critical,clientAuth
  • 原文地址:https://www.cnblogs.com/rsapaper/p/15714586.html