From 8daa83a594a2e98f39d764422bfbdbc62c9efd44 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 19:20:00 +0200 Subject: Adding upstream version 2:4.20.0+dfsg. Signed-off-by: Daniel Baumann --- ...inistrator@addom.samba.example.com-S03-cert.cer | Bin 0 -> 2335 bytes ...inistrator@addom.samba.example.com-S03-cert.pem | 169 ++++++++++++++ ...ministrator@addom.samba.example.com-S03-key.pem | 30 +++ ...strator@addom.samba.example.com-S03-openssl.cnf | 242 +++++++++++++++++++++ ...tor@addom.samba.example.com-S03-private-key.pem | 27 +++ ...strator@addom.samba.example.com-S03-private.p12 | Bin 0 -> 3933 bytes ...ministrator@addom.samba.example.com-S03-req.pem | 19 ++ ...-administrator@addom.samba.example.com-cert.pem | 1 + ...strator@addom.samba.example.com-private-key.pem | 1 + ...nistrator@addom2.samba.example.com-S07-cert.cer | Bin 0 -> 2340 bytes ...nistrator@addom2.samba.example.com-S07-cert.pem | 169 ++++++++++++++ ...inistrator@addom2.samba.example.com-S07-key.pem | 30 +++ ...trator@addom2.samba.example.com-S07-openssl.cnf | 242 +++++++++++++++++++++ ...or@addom2.samba.example.com-S07-private-key.pem | 27 +++ ...trator@addom2.samba.example.com-S07-private.p12 | Bin 0 -> 3941 bytes ...inistrator@addom2.samba.example.com-S07-req.pem | 19 ++ ...administrator@addom2.samba.example.com-cert.pem | 1 + ...trator@addom2.samba.example.com-private-key.pem | 1 + ...ER-administrator@samba.example.com-S01-cert.cer | Bin 0 -> 2305 bytes ...ER-administrator@samba.example.com-S01-cert.pem | 169 ++++++++++++++ ...SER-administrator@samba.example.com-S01-key.pem | 30 +++ ...administrator@samba.example.com-S01-openssl.cnf | 242 +++++++++++++++++++++ ...nistrator@samba.example.com-S01-private-key.pem | 27 +++ ...administrator@samba.example.com-S01-private.p12 | Bin 0 -> 3909 bytes ...SER-administrator@samba.example.com-S01-req.pem | 19 ++ .../USER-administrator@samba.example.com-cert.pem | 1 + ...administrator@samba.example.com-private-key.pem | 1 + ...SER-pkinit@addom.samba.example.com-S05-cert.cer | Bin 0 -> 2300 bytes ...SER-pkinit@addom.samba.example.com-S05-cert.pem | 168 ++++++++++++++ ...USER-pkinit@addom.samba.example.com-S05-key.pem | 30 +++ ...-pkinit@addom.samba.example.com-S05-openssl.cnf | 242 +++++++++++++++++++++ ...nit@addom.samba.example.com-S05-private-key.pem | 27 +++ ...-pkinit@addom.samba.example.com-S05-private.p12 | Bin 0 -> 3901 bytes ...USER-pkinit@addom.samba.example.com-S05-req.pem | 19 ++ .../USER-pkinit@addom.samba.example.com-cert.pem | 1 + ...-pkinit@addom.samba.example.com-private-key.pem | 1 + ...ER-pkinit@addom2.samba.example.com-S08-cert.cer | Bin 0 -> 2305 bytes ...ER-pkinit@addom2.samba.example.com-S08-cert.pem | 169 ++++++++++++++ ...SER-pkinit@addom2.samba.example.com-S08-key.pem | 30 +++ ...pkinit@addom2.samba.example.com-S08-openssl.cnf | 242 +++++++++++++++++++++ ...it@addom2.samba.example.com-S08-private-key.pem | 27 +++ ...pkinit@addom2.samba.example.com-S08-private.p12 | Bin 0 -> 3909 bytes ...SER-pkinit@addom2.samba.example.com-S08-req.pem | 19 ++ .../USER-pkinit@addom2.samba.example.com-cert.pem | 1 + ...pkinit@addom2.samba.example.com-private-key.pem | 1 + .../USER-pkinit@samba.example.com-S04-cert.cer | Bin 0 -> 2270 bytes .../USER-pkinit@samba.example.com-S04-cert.pem | 168 ++++++++++++++ .../USER-pkinit@samba.example.com-S04-key.pem | 30 +++ .../USER-pkinit@samba.example.com-S04-openssl.cnf | 242 +++++++++++++++++++++ ...ER-pkinit@samba.example.com-S04-private-key.pem | 27 +++ .../USER-pkinit@samba.example.com-S04-private.p12 | Bin 0 -> 3869 bytes .../USER-pkinit@samba.example.com-S04-req.pem | 18 ++ .../USER-pkinit@samba.example.com-cert.pem | 1 + .../USER-pkinit@samba.example.com-private-key.pem | 1 + 54 files changed, 2931 insertions(+) create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-cert.cer create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-cert.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-key.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-openssl.cnf create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-private-key.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-private.p12 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-req.pem create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-cert.pem create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-private-key.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.cer create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-key.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-openssl.cnf create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private-key.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private.p12 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-req.pem create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-cert.pem create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-private-key.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-cert.cer create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-cert.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-key.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-openssl.cnf create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-private-key.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-private.p12 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-req.pem create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-cert.pem create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-private-key.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.cer create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-key.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-openssl.cnf create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private-key.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private.p12 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-req.pem create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-cert.pem create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-private-key.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-cert.cer create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-cert.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-key.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-openssl.cnf create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-private-key.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-private.p12 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-req.pem create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-cert.pem create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-private-key.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.cer create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-key.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-openssl.cnf create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private-key.pem create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private.p12 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-req.pem create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-cert.pem create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-private-key.pem (limited to 'selftest/manage-ca/CA-samba.example.com/Users') diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-cert.cer b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-cert.cer new file mode 100644 index 0000000..9119678 Binary files /dev/null and b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-cert.cer differ diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-cert.pem new file mode 100644 index 0000000..7486a63 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-cert.pem @@ -0,0 +1,169 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com + Validity + Not Before: Mar 16 23:29:41 2016 GMT + Not After : Mar 11 23:29:41 2036 GMT + Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=administrator@addom.samba.example.com/emailAddress=administrator@addom.samba.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:be:91:64:f2:1b:2b:ed:9b:40:bc:0d:46:23:49: + 77:32:74:fe:cb:9a:46:86:33:1e:56:bd:c8:da:dd: + e6:2a:07:34:61:1c:f0:b8:71:29:24:2b:90:f3:43: + 99:6f:69:f6:ff:8d:b9:b7:3f:f3:36:6a:99:90:90: + d6:95:63:4e:88:5a:d7:41:89:7f:73:13:64:49:c7: + de:42:65:08:5d:ca:04:b2:68:3a:40:7f:6a:05:df: + 56:30:2f:ac:1b:8b:0f:c3:15:3c:38:0f:90:50:44: + 00:bb:59:40:f6:d2:e8:5b:73:03:0d:f6:7d:38:5d: + 2f:99:c3:0d:13:0f:74:d0:9e:ef:1e:92:42:c4:46: + 7c:dc:85:7e:e9:af:91:4e:9d:5f:82:af:58:60:18: + a5:ac:91:6e:dd:cf:a7:32:3c:d2:f4:e9:81:be:80: + 9e:0c:ca:1f:1a:be:98:c4:fe:e6:25:c1:89:fe:16: + 0a:30:90:d3:d4:e5:af:89:24:64:12:d0:4f:19:e2: + 1b:86:fb:06:a9:63:d1:47:10:89:dc:2b:52:24:dc: + 66:a9:56:c2:cb:f4:ec:35:12:f4:ad:5e:fc:ff:86: + e9:b1:f9:1f:b3:ce:44:fb:be:04:af:8d:42:9b:56: + a5:02:7f:c5:cf:5f:23:41:1c:69:ee:33:97:7a:81: + 50:8b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 CRL Distribution Points: + + Full Name: + URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl + + Netscape Cert Type: + SSL Client, S/MIME + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Netscape Comment: + Smart Card Login Certificate for administrator@addom.samba.example.com + X509v3 Subject Key Identifier: + 30:10:6E:1F:7E:52:33:8C:C8:85:E5:92:74:5D:76:7E:E9:33:5B:36 + X509v3 Authority Key Identifier: + keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E + + X509v3 Subject Alternative Name: + email:administrator@addom.samba.example.com, othername: + X509v3 Issuer Alternative Name: + email:ca-samba.example.com@samba.example.com + Netscape CA Revocation Url: + http://www.samba.example.com/crls/CA-samba.example.com-crl.crl + X509v3 Extended Key Usage: + TLS Web Client Authentication, scardLogin + Signature Algorithm: sha256WithRSAEncryption + 53:3e:51:d2:5d:2c:69:23:5b:dd:05:1a:23:ff:39:5d:54:63: + e5:da:e1:4b:60:8c:09:7c:4e:8e:da:8a:bb:63:5d:bc:2d:a0: + d4:ce:9e:d2:ce:38:d7:32:67:ba:4a:a6:d1:1d:c4:c7:50:e8: + 9a:9e:44:56:1a:9c:f4:8f:b9:8e:39:84:21:db:0f:60:8a:60: + b4:0f:4f:3c:35:a0:d2:37:3d:88:e8:0a:18:a7:a7:2d:19:e3: + aa:d3:8e:18:8f:35:ef:3e:4a:95:c4:d3:9b:f4:cf:89:c2:70: + b9:8c:5c:ef:8a:9e:7a:56:73:13:eb:8b:b7:d9:e1:88:5b:c4: + 62:47:42:45:8d:7b:2d:cf:71:83:1b:48:9d:84:8f:65:66:97: + 61:fc:f6:30:34:e8:88:2a:34:91:48:dc:7a:b7:65:bc:9c:98: + 00:4c:e7:49:fe:4d:a9:56:ea:87:d6:6c:46:39:f2:98:5b:56: + 14:82:f2:9e:b8:ad:fd:89:36:48:87:4e:5c:ef:3f:e0:35:ff: + 72:5f:5b:e1:c2:fd:d9:6e:40:2b:35:ad:50:08:74:94:87:89: + c4:cd:c7:ab:a7:19:4e:ba:f2:1d:83:0f:b0:cf:9c:e6:df:73: + 36:88:cf:42:9c:a3:72:27:0f:f7:bf:5b:cc:6b:e5:20:03:b5: + 4a:1c:f3:7d:ae:92:43:aa:bb:13:07:a4:3a:77:3d:34:01:00: + f1:89:aa:e8:1b:09:7b:b8:b0:e1:54:03:ff:3d:8d:be:35:b9: + 13:b2:59:58:32:48:93:f8:e7:d7:3d:49:70:01:44:e6:2b:21: + b3:75:49:ae:44:7a:50:15:b8:65:f3:c3:48:96:df:c8:d9:2a: + f7:c5:2a:7e:2c:68:77:af:2d:78:1b:fc:1a:d8:f4:8b:a6:86: + 35:d2:f0:87:e9:d6:30:0a:76:65:f8:71:e9:80:0d:1f:16:86: + 89:92:81:34:d9:be:9b:41:25:ec:65:a9:0a:56:b2:03:91:54: + 02:21:97:99:74:61:8c:4a:2e:f4:d0:b1:8b:f1:e6:26:52:bc: + f6:f2:e0:bd:96:66:22:c3:4e:51:2f:c3:c4:65:65:c7:97:b5: + 1b:29:23:7a:c0:7b:fb:49:33:a0:a9:6a:b7:2f:f3:44:6b:5b: + 0c:2c:0d:75:f2:50:d5:82:ba:9a:ab:e0:89:0a:b6:b5:8a:5e: + 1a:67:ab:d9:a7:21:22:75:61:1e:d7:21:36:15:6a:da:a8:39: + 4d:95:50:2b:e6:ac:c4:f6:38:74:c9:c5:ac:ce:2f:b3:c8:d4: + ad:18:a7:93:d4:1a:be:c2:be:9e:39:e6:a7:b1:0e:93:d0:9e: + cf:b0:ac:53:7d:08:1f:9d:a5:98:2b:4e:f6:80:e4:df:ea:43: + a2:f9:64:bf:84:b2:ff:1c:93:36:60:74:08:4e:5b:d6:24:9a: + f8:ac:c7:81:f9:2a:a9:00:28:44:15:6a:31:b9:b5:08:89:c8: + 31:15:1e:8f:9d:2c:d0:e3:a8:32:2c:68:42:41:19:6c:43:8e: + 69:c0:44:01:ba:1c:c4:ea:f4:ff:c8:57:03:ba:df:3f:5e:a5: + 03:da:75:31:2e:07:67:a7:5c:02:55:c3:6f:8f:11:f5:8c:56: + a1:f7:4b:bb:46:d0:e5:ff:68:c1:77:3d:0d:35:12:f5:40:af: + cd:05:5c:53:74:ff:54:e0:c0:c6:10:5c:e8:33:06:0a:50:47: + 7e:71:3a:36:66:aa:f8:de:97:2a:ae:bf:8d:6d:d4:39:c4:fd: + b3:03:1d:a5:9c:47:39:8c:c0:b3:73:f8:3a:d6:34:ac:49:4f: + b3:87:74:11:20:8f:c0:aa:24:a7:30:20:0c:c0:d9:1c:44:ee: + ae:c8:b8:13:63:e5:f8:5e:8f:b0:5a:46:c5:83:3d:41:62:06: + e4:62:a6:0a:40:cc:8e:59:ad:8a:36:4e:20:e6:f2:32:04:6e: + ee:4e:7d:97:88:dc:ea:74:90:c4:ab:a8:b5:bc:6c:81:b1:64: + 77:a6:93:34:44:e4:60:38:b1:0c:2b:29:3a:4a:f7:17:d7:3a: + c8:42:7e:db:4d:5f:09:92:ae:6c:90:e1:7d:9f:96:9c:1a:82: + bd:45:02:76:29:62:e5:b9:14:53:01:53:c0:5a:d5:34:53:7a: + 25:49:3e:3d:db:19:7e:29:57:80:78:67:ea:21:3e:3d:59:36: + e0:8b:da:75:57:9b:c8:9d:a1:18:18:e2:5c:35:35:9e:62:2c: + f5:0f:c0:8f:55:16:a5:d4:9e:cd:0e:78:87:9d:53:d3:01:e1: + 18:61:36:1c:06:c3:3a:43:f3:8a:13:e6:4e:52:32:fd:46:21: + cd:62:18:1f:ae:f5:f2:1a:ea:7a:01:3b:a1:3f:1d:16:00:91: + 5e:94:78:f4:60:33:54:a9:fc:1c:0a:75:f9:17:aa:dd:12:91: + 66:4b:f0:d1:60:25:d4:06:d1:99:9c:c5:64:01:4b:ba:d9:66: + ba:9c:f7:68:75:fd:11:3a:eb:6e:fb:8f:a6:17:8a:cd:bc:1a: + 59:f9:a9:cd:33:db:7d:71:26:7d:c7:be:de:eb:2e:c0:7e:db: + 29:08:0e:82:63:1e:8c:8f:e6:21:1c:b1:49:13:9e:df:78:3b: + 68:01:17:0f:df:97:96:58:32:48:1e:5c:ff:fa:db:90:b5:05: + 84:68:fd:7c:c0:a5:35:d9:75:1e:ea:cc:25:25:3f:6e +-----BEGIN CERTIFICATE----- +MIIJGzCCBQOgAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx +EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE +CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x +IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB +FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0xNjAz +MTYyMzI5NDFaFw0zNjAzMTEyMzI5NDFaMIGzMQswCQYDVQQGEwJVUzETMBEGA1UE +CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE +CwwFVXNlcnMxLjAsBgNVBAMMJWFkbWluaXN0cmF0b3JAYWRkb20uc2FtYmEuZXhh +bXBsZS5jb20xNDAyBgkqhkiG9w0BCQEWJWFkbWluaXN0cmF0b3JAYWRkb20uc2Ft +YmEuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+ +kWTyGyvtm0C8DUYjSXcydP7LmkaGMx5Wvcja3eYqBzRhHPC4cSkkK5DzQ5lvafb/ +jbm3P/M2apmQkNaVY06IWtdBiX9zE2RJx95CZQhdygSyaDpAf2oF31YwL6wbiw/D +FTw4D5BQRAC7WUD20uhbcwMN9n04XS+Zww0TD3TQnu8ekkLERnzchX7pr5FOnV+C +r1hgGKWskW7dz6cyPNL06YG+gJ4Myh8avpjE/uYlwYn+FgowkNPU5a+JJGQS0E8Z +4huG+wapY9FHEIncK1Ik3GapVsLL9Ow1EvStXvz/humx+R+zzkT7vgSvjUKbVqUC +f8XPXyNBHGnuM5d6gVCLAgMBAAGjggIjMIICHzAJBgNVHRMEAjAAME8GA1UdHwRI +MEYwRKBCoECGPmh0dHA6Ly93d3cuc2FtYmEuZXhhbXBsZS5jb20vY3Jscy9DQS1z +YW1iYS5leGFtcGxlLmNvbS1jcmwuY3JsMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNV +HQ8EBAMCBeAwVQYJYIZIAYb4QgENBEgWRlNtYXJ0IENhcmQgTG9naW4gQ2VydGlm +aWNhdGUgZm9yIGFkbWluaXN0cmF0b3JAYWRkb20uc2FtYmEuZXhhbXBsZS5jb20w +HQYDVR0OBBYEFDAQbh9+UjOMyIXlknRddn7pM1s2MB8GA1UdIwQYMBaAFKI+Aiqj +p005tAhNmcwMdTbqJ8M+MGcGA1UdEQRgMF6BJWFkbWluaXN0cmF0b3JAYWRkb20u +c2FtYmEuZXhhbXBsZS5jb22gNQYKKwYBBAGCNxQCA6AnDCVhZG1pbmlzdHJhdG9y +QGFkZG9tLnNhbWJhLmV4YW1wbGUuY29tMDEGA1UdEgQqMCiBJmNhLXNhbWJhLmV4 +YW1wbGUuY29tQHNhbWJhLmV4YW1wbGUuY29tME0GCWCGSAGG+EIBBARAFj5odHRw +Oi8vd3d3LnNhbWJhLmV4YW1wbGUuY29tL2NybHMvQ0Etc2FtYmEuZXhhbXBsZS5j +b20tY3JsLmNybDAfBgNVHSUEGDAWBggrBgEFBQcDAgYKKwYBBAGCNxQCAjANBgkq +hkiG9w0BAQsFAAOCBAEAUz5R0l0saSNb3QUaI/85XVRj5drhS2CMCXxOjtqKu2Nd +vC2g1M6e0s441zJnukqm0R3Ex1Domp5EVhqc9I+5jjmEIdsPYIpgtA9PPDWg0jc9 +iOgKGKenLRnjqtOOGI817z5KlcTTm/TPicJwuYxc74qeelZzE+uLt9nhiFvEYkdC +RY17Lc9xgxtInYSPZWaXYfz2MDToiCo0kUjcerdlvJyYAEznSf5NqVbqh9ZsRjny +mFtWFILynrit/Yk2SIdOXO8/4DX/cl9b4cL92W5AKzWtUAh0lIeJxM3Hq6cZTrry +HYMPsM+c5t9zNojPQpyjcicP979bzGvlIAO1Shzzfa6SQ6q7EwekOnc9NAEA8Ymq +6BsJe7iw4VQD/z2NvjW5E7JZWDJIk/jn1z1JcAFE5ishs3VJrkR6UBW4ZfPDSJbf +yNkq98Uqfixod68teBv8Gtj0i6aGNdLwh+nWMAp2Zfhx6YANHxaGiZKBNNm+m0El +7GWpClayA5FUAiGXmXRhjEou9NCxi/HmJlK89vLgvZZmIsNOUS/DxGVlx5e1Gykj +esB7+0kzoKlqty/zRGtbDCwNdfJQ1YK6mqvgiQq2tYpeGmer2achInVhHtchNhVq +2qg5TZVQK+asxPY4dMnFrM4vs8jUrRink9QavsK+njnmp7EOk9Cez7CsU30IH52l +mCtO9oDk3+pDovlkv4Sy/xyTNmB0CE5b1iSa+KzHgfkqqQAoRBVqMbm1CInIMRUe +j50s0OOoMixoQkEZbEOOacBEAbocxOr0/8hXA7rfP16lA9p1MS4HZ6dcAlXDb48R +9YxWofdLu0bQ5f9owXc9DTUS9UCvzQVcU3T/VODAxhBc6DMGClBHfnE6Nmaq+N6X +Kq6/jW3UOcT9swMdpZxHOYzAs3P4OtY0rElPs4d0ESCPwKokpzAgDMDZHETursi4 +E2Pl+F6PsFpGxYM9QWIG5GKmCkDMjlmtijZOIObyMgRu7k59l4jc6nSQxKuotbxs +gbFkd6aTNETkYDixDCspOkr3F9c6yEJ+201fCZKubJDhfZ+WnBqCvUUCdili5bkU +UwFTwFrVNFN6JUk+PdsZfilXgHhn6iE+PVk24IvadVebyJ2hGBjiXDU1nmIs9Q/A +j1UWpdSezQ54h51T0wHhGGE2HAbDOkPzihPmTlIy/UYhzWIYH6718hrqegE7oT8d +FgCRXpR49GAzVKn8HAp1+Req3RKRZkvw0WAl1AbRmZzFZAFLutlmupz3aHX9ETrr +bvuPpheKzbwaWfmpzTPbfXEmfce+3usuwH7bKQgOgmMejI/mIRyxSROe33g7aAEX +D9+XllgySB5c//rbkLUFhGj9fMClNdl1HurMJSU/bg== +-----END CERTIFICATE----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-key.pem new file mode 100644 index 0000000..0d33211 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-key.pem @@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI06+E0Qn55PYCAggA +MBQGCCqGSIb3DQMHBAgRIdE1BfEflgSCBMgjWcKNk0gmS+OepxYA2tMjMir2YwFb +ht/PFx0llj4Zt2U2TgvSFhm7JcsNPXqqqElIvEeNrY5BTB6Jbkd5pt1EpKcBlgHQ +cPtjslAxo5C5FgvLuzaFd1tRhHm7UWygTRcI+79zRmypOm0v57ZdS6Z218sJc0gk +re7tBT+lF+S5uCRAUmWBgdVjEFjW+1r0dhVJWYftB8JoE4zW+B0wEz6PIv0cTt7K +cnjHVMFKWPJStAbJ98RWchF0KWeu+cuWAWt/rJ2QrM+q1bBP4Mgn6XfRnKbcJofk +BG5v4oo8B/TSe3woBMtf2BheaeXDa96D7lxF7gELTkdodNfJd9s66GLSRKCk6amk +eJKO8fLZbXpiT0/TGeFvrihWa/ZpVG4I94KDn2a+U8Agq+B1WA6MqCt6txK6GFIN +okCRyRUYb6TFDI2JA+jeEX+0tStVGp+qNyk4PT4tZOG2BJ2dq5F6+KF0VzE8I7V0 +zIFWQvvwO8N+osvmJgQgxI6JOq0ubiHEEiSrd4lKVO7NJ223I9GXao/z+0l5ywYn +SL0LEsw2adblRDgzBnsLCqWEeC3Oczg790AaNkqWPolGKBEpOXlCPCjILJfG/7Ii +GGvuAQaXOOM3fnxb2oTOpFMn6BQDmX77hiCKGTB4VCgTIhwBOpwLDeDxjyUjCp2C +PPtped8Dne+kK9iGuHyu45sXrVtxfigfKh9+ncCsFVQfpmcYXDiUhn/RUP4qezco +jkKeC+S4lM9mG/KzWeDUtMlYkEqFA6yxs05VzpxR3h7sizV0YAE2evSxn3w4aYWY +GGKtVG4h30f7YbxI1N9+2iBTToAejF5gF5/WDPn8N+voohQCIQ6iAZ48vUDuQGme +mzi73xu774u7M/BnmgtTr1ZG9gvT+F6q6rnJFAqj3k8j+mv2w4XCqytZJ4OGTijo +j/s/eZDWmo4t/WXUMjePDzXl96hjBq4bZOpqNwKDLsqbVwQrhFzXTkGLhGQAyKb4 +wZywUkYfTdWa9f+A2NmWqry9Ef5KcOJTSHt6FeY5kwcY56iZT+cD4V2pgxTqQBGt +YUy/j0V35l41OTKZ6x5P3ZSk45w6RPY3/BqcnfvhSFxON3jFivg1DKIcB8WaWjss +40vP+TthOR2X4FQ/OHKwjs+tC6JpwDuSNCVwj9VBGSgjeXK/aV9BG1A0m4R7qxTV +aT4tjSSfPfkOf16hTW2ncHTr9rvY3XcYm8eC5E/IEQ7gxpG/JI0+xK2tel0bochs +aSBP+qGP85Sib3pcnepG6Zhkx4KgTvhbWRAfNS5rB1jLGSpeWQkMZmun91tTuVLK +fRyfQZ2gkr2ixX/zlPb1bhIXHUBgnoUyUHwZ2lNCDp/dm+nGYqXeeg9lZfD3dYpQ +Yd1zdR7Faj8aOsC9T4DRUDzgUIUCdvd2wdmnXF1YB43VgXjsAkfZkEVve1ltv4iG +OAtp0n9aUz+4yS4kBLWEQfNsK7Tz5zjN2BJmm5qQWARxVbR/shhYKqXuY9HbmB95 +sGc1d37pK+n4HvXqQ701zEuvtwyP/P4gg7HjBI2pauuKfT+eVK+xpTBx4W8imY7j +8IhJ4IBBUWzoMoADD132fVW7f3vpp1XGjvbq5fgDlU6beVsWS9KXBD2Wsl7FDkJ5 +49U= +-----END ENCRYPTED PRIVATE KEY----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-openssl.cnf b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-openssl.cnf new file mode 100644 index 0000000..da136b8 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-openssl.cnf @@ -0,0 +1,242 @@ +# +# Based on the OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl] +CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl + +# Extra OBJECT IDENTIFIER info: +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] +# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential +scardLogin=1.3.6.1.4.1.311.20.2.2 +# Used in a smart card login certificate's subject alternative name +msUPN=1.3.6.1.4.1.311.20.2.3 +# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller +msKDC=1.3.6.1.5.2.3.5 +# Identifies the AD GUID +msADGUID=1.3.6.1.4.1.311.25.1 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = CA-samba.example.com # Where everything is kept +certs = $dir/_none_certs # Where the issued certs are kept +crl_dir = $dir/_none_crl # Where the issued crl are kept +database = $dir/Private/CA-samba.example.com-index.txt # database index file. +unique_subject = yes # Set to 'no' to allow creation of + # several certificates with same subject. +new_certs_dir = $dir/NewCerts # default place for new certs. + +certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate +serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number +crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number + # must be commented out to leave a V1 CRL + +#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL +crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL +private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key +RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file + +#x509_extensions = # The extensions to add to the cert +x509_extensions = template_x509_extensions + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +crl_extensions = crl_ext + +default_days = 7300 # how long to certify for +default_crl_days= 7300 # how long before next CRL +default_md = sha256 # use public key default MD +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = match +stateOrProvinceName = match +localityName = match +organizationName = match +organizationalUnitName = match +commonName = supplied +emailAddress = supplied + +#################################################################### +[ req ] +default_bits = 2048 +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString (PKIX recommendation before 2004) +# utf8only: only UTF8Strings (PKIX recommendation after 2004). +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. +string_mask = utf8only + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = US +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = SambaState + +localityName = Locality Name (eg, city) +localityName_default = SambaCity + +organizationName = Organization Name (eg, company) +organizationName_default = SambaSelfTesting + +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = Users + +commonName = Common Name (eg, YOUR name) +commonName_default = administrator@addom.samba.example.com +commonName_max = 64 + +emailAddress = Email Address +emailAddress_default = administrator@addom.samba.example.com +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +#challengePassword = A challenge password +#challengePassword_min = 4 +#challengePassword_max = 20 +# +#unstructuredName = An optional company name + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] +# Extensions for a typical CA +# PKIX recommendation. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. +keyUsage = cRLSign, keyCertSign + +crlDistributionPoints=URI:$CRLDISTPT + +# Some might want this also +nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +subjectAltName=email:copy +# Copy issuer details +issuerAltName=issuer:copy + +[ crl_ext ] +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always + +#[ usr_cert_scarduser ] +[ template_x509_extensions ] + +# These extensions are added when 'ca' signs a request for a certificate that will be used to login from a smart card + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE +crlDistributionPoints=URI:$CRLDISTPT + +# For normal client use this is typical +nsCertType = client, email + +# This is typical in keyUsage for a client certificate. +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "Smart Card Login Certificate for administrator@addom.samba.example.com" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. + +subjectAltName=email:copy,otherName:msUPN;UTF8:administrator@addom.samba.example.com + +# Copy subject details +issuerAltName=issuer:copy + +nsCaRevocationUrl = $CRLDISTPT +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +#Extended Key requirements for client certs +extendedKeyUsage = clientAuth,scardLogin + diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-private-key.pem new file mode 100644 index 0000000..1510760 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-private-key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAvpFk8hsr7ZtAvA1GI0l3MnT+y5pGhjMeVr3I2t3mKgc0YRzw +uHEpJCuQ80OZb2n2/425tz/zNmqZkJDWlWNOiFrXQYl/cxNkScfeQmUIXcoEsmg6 +QH9qBd9WMC+sG4sPwxU8OA+QUEQAu1lA9tLoW3MDDfZ9OF0vmcMNEw900J7vHpJC +xEZ83IV+6a+RTp1fgq9YYBilrJFu3c+nMjzS9OmBvoCeDMofGr6YxP7mJcGJ/hYK +MJDT1OWviSRkEtBPGeIbhvsGqWPRRxCJ3CtSJNxmqVbCy/TsNRL0rV78/4bpsfkf +s85E+74Er41Cm1alAn/Fz18jQRxp7jOXeoFQiwIDAQABAoIBADkGUvmrrdJ1IcLk +CffnNPbxUYllifMAevSj5+WufwBWlZL10QawPgpnywEwWkqfn9zK8SbnyQSgk4FS +BhQ/2jEtVbpzxaKOy/TUDSs7BmziVdN5Iu1H81b8hNL4gPzg+P98bD+uUJXkM3/c +bnctl4A+A0z7VG84W1Ucq93nQyJl18E64i57JMb3tI+423FM3sJBk2FUj64Mwg8r +0p88gccSieB3GusffHazlJDKrlHdFyClLBnW3OQHegv42JOKZErIMHwlaV8fhF21 +GAARx/pDgnvIYUaGhLrf2pCyIkOZIdUedA84rLwAZT9akOtxpNCAxlVUn4xcpAC1 +EAKzGbECgYEA99Hzh3vDNGINYJjqsw01E71DelNTeUmBOuJKqdOG0YLHiG0tERcx +9KLv+7Uo/qtuRzpkMHao7+zC4spQBk1yYkjVtPkXhWdgVUOztkkza72jlwtVu0eK +VYfB7eubOMnSsPtVeYyyM6DFKBRUxo0VKsvvjD/84WdCGsgy+jDRDUkCgYEAxNur +XMStYOnxdebOGFs5U8jc+/HNNuaCpSkk98uQ0/VfWp8TXA508FYnT6/BcoH+3hHy +7W/7aMv//0IWgNQk8m1w33svDdq7jRJXrIpyb7QaX2OW8IfTfIMKVXOgxPvD/4IK +lvmvf8T7K0W7rDYdcfy9bsDb0RQcH0Z3cp4lUzMCgYEAmLjmX6RB1FJo9BLI8Lc+ +8n88ynH3i1NlNKioYqhc+VijJsxBbbrhqmWPh4tJTEjRmUu+2q8FxXYfVCxhzMCF +sVQ5f2HSwP/IOkOSyM+rxMYFvtvZZaTc94DGXp1H92NJWJBLSLEQUQjO97gv1nyz +gsBTTBdS/IXqEx81a0ISUyECgYA80saClj4fmIjDbfm1qtHuojwtGAvY76XkE+9Z +JKtt4f2BSW843TqiW2wwAdTaZXHy+Ua+t//M5GMHYksDqQh1Yv0h/7SNKk0SjF1M +cUZkXxha6rFjRgRBD1ftCRneYw+u7WYKOcFQz/Lu7s/KqLm2U2nQQ4RneDgsLaCQ +aG6N4wKBgArI0d3MlNFXLU7bT+q/2BaZ5VBwaF/6DlI4m1hDT8dKtOTja+y6vAm/ +aH82uJyoom8R/w2H/ICe3NuwYgTo/7Vy6xMt1TnskGOc0yjTZBMMU1nN8zrxlgD1 +1Xr8TzGOf//mK4H54B/POSq6WZ0PSXDVGToVWMdif+2Rq16+CcKp +-----END RSA PRIVATE KEY----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-private.p12 b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-private.p12 new file mode 100644 index 0000000..94d39b5 Binary files /dev/null and b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-private.p12 differ diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-req.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-req.pem new file mode 100644 index 0000000..fbaf0fc --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-req.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIDDTCCAfUCAQAwgccxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTYW1iYVN0YXRl +MRIwEAYDVQQHDAlTYW1iYUNpdHkxGTAXBgNVBAoMEFNhbWJhU2VsZlRlc3Rpbmcx +DjAMBgNVBAsMBVVzZXJzMS4wLAYDVQQDDCVhZG1pbmlzdHJhdG9yQGFkZG9tLnNh +bWJhLmV4YW1wbGUuY29tMTQwMgYJKoZIhvcNAQkBFiVhZG1pbmlzdHJhdG9yQGFk +ZG9tLnNhbWJhLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAvpFk8hsr7ZtAvA1GI0l3MnT+y5pGhjMeVr3I2t3mKgc0YRzwuHEpJCuQ +80OZb2n2/425tz/zNmqZkJDWlWNOiFrXQYl/cxNkScfeQmUIXcoEsmg6QH9qBd9W +MC+sG4sPwxU8OA+QUEQAu1lA9tLoW3MDDfZ9OF0vmcMNEw900J7vHpJCxEZ83IV+ +6a+RTp1fgq9YYBilrJFu3c+nMjzS9OmBvoCeDMofGr6YxP7mJcGJ/hYKMJDT1OWv +iSRkEtBPGeIbhvsGqWPRRxCJ3CtSJNxmqVbCy/TsNRL0rV78/4bpsfkfs85E+74E +r41Cm1alAn/Fz18jQRxp7jOXeoFQiwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEB +ALQr9rGYIkhd/AXeVoFHs/66rwaq3GccdnJpi023/5LhOlRmMa2BWTuQm3jW/3Oc +HgQOx9G0GTDpaBtAjOCGDCygw/k23oekVTQtDPiGigMnpuY2vnrjAeUFJo3us5pA +9eVPzKTzJf5ftc/aoVC39t/1Uks103M8t5vJCcexBTYQONe56XC1krY50PHZNI/u +stjOmleHZclLBU/BplId43nRlvvdkXihPiEbdV4XvhHRs/6w52DkQst6NH6jzeWk +anYEP2Oo1ROX5v201414ZaWm7oDxtNuL8NzDt+DUGISwC/9ZcqadzlaoI9XVhOb2 +AfbQMY1Q/3OeR8uRROpnHjE= +-----END CERTIFICATE REQUEST----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-cert.pem new file mode 120000 index 0000000..a2eb210 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-cert.pem @@ -0,0 +1 @@ +USER-administrator@addom.samba.example.com-S03-cert.pem \ No newline at end of file diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-private-key.pem new file mode 120000 index 0000000..afbf12e --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-private-key.pem @@ -0,0 +1 @@ +USER-administrator@addom.samba.example.com-S03-private-key.pem \ No newline at end of file diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.cer b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.cer new file mode 100644 index 0000000..918ddc1 Binary files /dev/null and b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.cer differ diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.pem new file mode 100644 index 0000000..2d0735a --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.pem @@ -0,0 +1,169 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7 (0x7) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com + Validity + Not Before: Feb 28 13:31:01 2020 GMT + Not After : Feb 23 13:31:01 2040 GMT + Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=administrator@addom2.samba.example.com/emailAddress=administrator@addom2.samba.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:eb:0e:b0:1d:53:4f:3c:0f:f8:90:d6:33:64:68: + 7e:ed:7c:46:96:c6:77:9c:0a:07:ed:8c:13:da:e7: + bb:b3:79:63:4b:ec:5a:2a:59:57:7c:38:69:50:c0: + a1:b4:ba:f8:1d:56:78:77:95:b3:44:13:12:83:df: + 20:95:12:01:e5:1e:1a:5b:38:69:48:86:e8:a6:0a: + 32:f4:38:36:f8:84:bd:5b:a9:70:48:c5:49:25:79: + 70:98:23:a7:58:3e:09:97:6d:67:b1:95:fa:08:86: + 2d:d6:b7:c5:d2:06:aa:5b:b8:f5:93:e6:c5:20:9a: + 9b:0c:90:2b:c7:2e:20:2f:e8:07:45:03:f3:4d:2c: + d9:eb:9c:91:d2:68:cc:fe:57:78:5c:2e:57:5b:a6: + 0e:10:6a:b8:05:ce:ab:12:31:49:e8:34:7c:3f:91: + 63:ce:3e:a6:ff:c0:7b:1b:95:b7:9b:99:a9:c7:ec: + d6:45:b7:9e:24:ee:c0:2b:a3:4c:a2:f9:04:5b:18: + 2f:0e:8b:2b:16:89:5d:cc:92:fa:49:dd:09:92:72: + 14:ba:8f:48:bd:6e:9b:88:14:98:6f:bc:0c:e3:bb: + a9:d1:0a:a8:93:6b:75:70:98:f9:a8:d8:0f:c5:e6: + a9:a4:e5:b3:72:81:76:07:73:c9:3e:d2:43:62:fe: + 1a:3b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 CRL Distribution Points: + + Full Name: + URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl + + Netscape Cert Type: + SSL Client, S/MIME + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Netscape Comment: + Smart Card Login Certificate for administrator@addom2.samba.example.com + X509v3 Subject Key Identifier: + 54:FB:DA:B4:F9:26:58:9A:8F:C2:D2:0A:95:B0:95:F6:D2:F6:1B:AE + X509v3 Authority Key Identifier: + keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E + + X509v3 Subject Alternative Name: + email:administrator@addom2.samba.example.com, othername: + X509v3 Issuer Alternative Name: + email:ca-samba.example.com@samba.example.com + Netscape CA Revocation Url: + http://www.samba.example.com/crls/CA-samba.example.com-crl.crl + X509v3 Extended Key Usage: + TLS Web Client Authentication, scardLogin + Signature Algorithm: sha256WithRSAEncryption + a3:8d:f9:4e:77:ba:67:28:63:6e:3e:70:91:64:3f:51:b3:69: + ab:ff:10:04:e4:39:d1:98:bf:7e:c7:da:d3:4e:d5:29:f7:ae: + ca:e2:b1:f7:ea:67:38:7e:bb:a8:55:33:c1:de:79:6a:49:56: + 6a:48:8c:3b:43:8b:03:f4:30:11:ac:ee:88:28:ed:11:6c:37: + 33:13:7f:25:aa:d6:71:99:d2:f8:fb:4f:7a:44:c7:20:78:b2: + 22:44:17:d8:56:10:a2:4c:48:1c:3a:ad:bf:82:d7:e5:e0:66: + e9:ac:a1:11:23:b3:f8:f7:a7:84:5f:b7:d2:30:89:b7:bc:3f: + 9c:61:d8:12:bb:a4:fe:af:53:f9:f7:26:8e:be:9a:79:53:47: + b6:2b:d3:31:60:e1:39:11:11:c3:32:b8:32:d2:e2:6d:8a:05: + ae:f5:7e:f7:03:33:1c:6c:07:8e:81:a4:26:f2:0d:22:af:fe: + 48:12:48:a8:09:e2:98:4e:b9:c5:07:16:5d:a3:b2:73:7c:4c: + a7:3e:24:e9:d8:cc:72:a3:87:dd:c7:69:8d:58:dd:2e:27:69: + 72:b4:fb:62:cf:66:c4:7a:8b:8b:c4:03:16:b6:9d:7f:7b:f5: + 44:c2:04:a7:17:80:9c:f7:32:ba:3a:05:e1:71:28:16:88:6a: + 9c:f8:0e:5e:c9:0b:81:eb:2c:05:3c:4c:ff:ba:72:10:da:99: + 95:e1:ef:d2:dd:95:7d:d0:24:f6:8f:e0:1c:75:25:64:80:0e: + 16:9f:c1:d7:76:7e:45:85:27:a8:85:80:c3:62:40:58:1b:75: + c3:8e:40:0c:d9:f1:5b:a0:6b:1e:47:99:4f:00:11:68:19:93: + 77:4b:1b:56:94:79:95:f6:b8:92:49:14:e0:8f:2b:40:4c:82: + 4c:5b:a0:e2:0f:d4:f3:d1:3c:f3:e6:4c:c4:3d:2a:4c:e8:ca: + 10:c0:39:81:64:db:68:80:12:07:3f:92:7c:e0:09:aa:42:77: + 51:1e:ee:ad:33:c8:8f:f4:f2:35:2b:c7:b7:57:7c:2e:c8:27: + 71:c8:5b:1a:f2:83:fa:4f:85:13:ea:ce:0b:2f:b7:76:86:77: + 00:82:46:2f:bf:1c:b2:de:5d:52:40:64:41:54:0b:9f:8c:84: + d9:dd:08:02:51:d0:06:d0:07:6f:a1:ef:74:f4:d9:f5:30:9c: + 15:c3:d6:89:b7:f5:81:5a:c0:44:3d:99:54:e8:25:56:1f:63: + be:5c:f7:be:f1:9c:24:e0:55:46:c4:a5:7e:3f:82:20:b9:4a: + d6:14:82:45:14:d8:91:75:33:c5:df:86:9c:19:17:a4:31:4a: + 37:a2:9e:b9:11:84:ab:df:bc:21:2b:9b:96:83:b7:1b:13:78: + 07:b2:c5:5f:97:48:3b:7e:43:10:34:68:e8:25:bd:51:a0:ae: + 17:52:62:47:3c:c9:f0:b5:55:95:cd:68:d3:5f:aa:85:be:ea: + fb:2a:8a:e4:50:3d:96:5b:b3:a9:e5:45:e4:2d:da:da:8d:f0: + ae:c0:98:47:8e:ca:46:c2:21:68:a6:f9:17:41:a2:c6:21:b9: + bc:73:a7:c3:84:a9:31:b7:54:04:33:2a:fb:57:32:47:93:e1: + b2:ff:58:5b:f3:19:66:bc:65:8e:00:29:9d:56:60:7d:28:b2: + 6d:a5:a9:eb:04:7c:d3:e7:d7:af:2d:fe:df:1e:9c:3b:a9:bb: + a0:14:e4:02:7f:e6:e7:0a:b2:37:bd:fd:67:32:82:4f:c0:41: + 89:96:9a:f2:9a:04:eb:82:ee:81:8a:00:15:5e:b2:d0:e1:72: + 74:47:2f:97:fb:33:f1:8c:b9:25:8f:02:71:75:b7:21:10:74: + 4f:5f:5f:61:51:4a:69:d1:03:6b:7a:51:e4:08:03:1f:c2:a7: + 2c:c2:10:b8:27:9f:aa:01:15:61:71:72:d6:ca:23:7f:d7:60: + b8:65:51:ca:65:8e:ef:74:2e:fc:89:23:0b:55:b5:83:d7:0b: + 8c:16:ab:1a:be:3a:79:62:b3:6e:64:d1:c2:48:af:81:0e:d4: + 1f:2e:2f:c7:47:16:79:a9:b9:cc:08:29:2e:da:d5:75:96:53: + b1:be:2c:5a:5a:9c:6b:40:16:e5:92:63:49:64:99:44:c1:bc: + 2a:40:fc:3c:50:c3:dd:07:31:ee:1d:46:38:1b:c8:12:a0:16: + 9d:1c:f6:0e:a7:66:8a:b0:2f:11:19:03:1d:66:6f:fe:cc:3a: + 6c:99:ce:60:b7:f1:e9:56:40:4d:fc:ac:eb:a5:04:de:85:7c: + 19:c7:16:c1:e1:26:43:03:da:f3:50:25:16:99:e0:fa:cd:59: + c7:8b:52:cf:fc:20:d0:68:50:b9:83:36:bb:44:7b:1f:92:5f: + f6:19:5b:91:de:33:2c:f9:80:25:b9:30:4c:fa:92:5b:6d:c2: + 65:10:98:1c:c6:61:51:9e:d0:c9:49:1b:c5:c5:8a:89:72:d0: + b7:ff:db:03:f9:95:f2:a0:de:d9:dc:32:c6:20:02:e1:7c:89: + 2d:6e:72:12:12:c3:97:56:eb:7c:58:88:1f:9d:ad:4c:b4:6a: + 97:4b:0c:87:f3:41:bb:2a:ff:a6:bf:90:70:91:9b:b7:b1:e1: + cc:0f:c6:33:a5:05:03:db:f9:fb:79:5c:20:78:f9:1c:88:d4: + 84:bd:2f:9b:12:30:02:36:cd:8a:f3:42:4a:9c:dc:c3 +-----BEGIN CERTIFICATE----- +MIIJIDCCBQigAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx +EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE +CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x +IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB +FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0yMDAy +MjgxMzMxMDFaFw00MDAyMjMxMzMxMDFaMIG1MQswCQYDVQQGEwJVUzETMBEGA1UE +CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE +CwwFVXNlcnMxLzAtBgNVBAMMJmFkbWluaXN0cmF0b3JAYWRkb20yLnNhbWJhLmV4 +YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkBFiZhZG1pbmlzdHJhdG9yQGFkZG9tMi5z +YW1iYS5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AOsOsB1TTzwP+JDWM2Rofu18RpbGd5wKB+2ME9rnu7N5Y0vsWipZV3w4aVDAobS6 ++B1WeHeVs0QTEoPfIJUSAeUeGls4aUiG6KYKMvQ4NviEvVupcEjFSSV5cJgjp1g+ +CZdtZ7GV+giGLda3xdIGqlu49ZPmxSCamwyQK8cuIC/oB0UD800s2euckdJozP5X +eFwuV1umDhBquAXOqxIxSeg0fD+RY84+pv/AexuVt5uZqcfs1kW3niTuwCujTKL5 +BFsYLw6LKxaJXcyS+kndCZJyFLqPSL1um4gUmG+8DOO7qdEKqJNrdXCY+ajYD8Xm +qaTls3KBdgdzyT7SQ2L+GjsCAwEAAaOCAiYwggIiMAkGA1UdEwQCMAAwTwYDVR0f +BEgwRjBEoEKgQIY+aHR0cDovL3d3dy5zYW1iYS5leGFtcGxlLmNvbS9jcmxzL0NB +LXNhbWJhLmV4YW1wbGUuY29tLWNybC5jcmwwEQYJYIZIAYb4QgEBBAQDAgWgMAsG +A1UdDwQEAwIF4DBWBglghkgBhvhCAQ0ESRZHU21hcnQgQ2FyZCBMb2dpbiBDZXJ0 +aWZpY2F0ZSBmb3IgYWRtaW5pc3RyYXRvckBhZGRvbTIuc2FtYmEuZXhhbXBsZS5j +b20wHQYDVR0OBBYEFFT72rT5Jliaj8LSCpWwlfbS9huuMB8GA1UdIwQYMBaAFKI+ +Aiqjp005tAhNmcwMdTbqJ8M+MGkGA1UdEQRiMGCBJmFkbWluaXN0cmF0b3JAYWRk +b20yLnNhbWJhLmV4YW1wbGUuY29toDYGCisGAQQBgjcUAgOgKAwmYWRtaW5pc3Ry +YXRvckBhZGRvbTIuc2FtYmEuZXhhbXBsZS5jb20wMQYDVR0SBCowKIEmY2Etc2Ft +YmEuZXhhbXBsZS5jb21Ac2FtYmEuZXhhbXBsZS5jb20wTQYJYIZIAYb4QgEEBEAW +Pmh0dHA6Ly93d3cuc2FtYmEuZXhhbXBsZS5jb20vY3Jscy9DQS1zYW1iYS5leGFt +cGxlLmNvbS1jcmwuY3JsMB8GA1UdJQQYMBYGCCsGAQUFBwMCBgorBgEEAYI3FAIC +MA0GCSqGSIb3DQEBCwUAA4IEAQCjjflOd7pnKGNuPnCRZD9Rs2mr/xAE5DnRmL9+ +x9rTTtUp967K4rH36mc4fruoVTPB3nlqSVZqSIw7Q4sD9DARrO6IKO0RbDczE38l +qtZxmdL4+096RMcgeLIiRBfYVhCiTEgcOq2/gtfl4GbprKERI7P496eEX7fSMIm3 +vD+cYdgSu6T+r1P59yaOvpp5U0e2K9MxYOE5ERHDMrgy0uJtigWu9X73AzMcbAeO +gaQm8g0ir/5IEkioCeKYTrnFBxZdo7JzfEynPiTp2Mxyo4fdx2mNWN0uJ2lytPti +z2bEeouLxAMWtp1/e/VEwgSnF4Cc9zK6OgXhcSgWiGqc+A5eyQuB6ywFPEz/unIQ +2pmV4e/S3ZV90CT2j+AcdSVkgA4Wn8HXdn5FhSeohYDDYkBYG3XDjkAM2fFboGse +R5lPABFoGZN3SxtWlHmV9riSSRTgjytATIJMW6DiD9Tz0Tzz5kzEPSpM6MoQwDmB +ZNtogBIHP5J84AmqQndRHu6tM8iP9PI1K8e3V3wuyCdxyFsa8oP6T4UT6s4LL7d2 +hncAgkYvvxyy3l1SQGRBVAufjITZ3QgCUdAG0Advoe909Nn1MJwVw9aJt/WBWsBE +PZlU6CVWH2O+XPe+8Zwk4FVGxKV+P4IguUrWFIJFFNiRdTPF34acGRekMUo3op65 +EYSr37whK5uWg7cbE3gHssVfl0g7fkMQNGjoJb1RoK4XUmJHPMnwtVWVzWjTX6qF +vur7KorkUD2WW7Op5UXkLdrajfCuwJhHjspGwiFopvkXQaLGIbm8c6fDhKkxt1QE +Myr7VzJHk+Gy/1hb8xlmvGWOACmdVmB9KLJtpanrBHzT59evLf7fHpw7qbugFOQC +f+bnCrI3vf1nMoJPwEGJlprymgTrgu6BigAVXrLQ4XJ0Ry+X+zPxjLkljwJxdbch +EHRPX19hUUpp0QNrelHkCAMfwqcswhC4J5+qARVhcXLWyiN/12C4ZVHKZY7vdC78 +iSMLVbWD1wuMFqsavjp5YrNuZNHCSK+BDtQfLi/HRxZ5qbnMCCku2tV1llOxvixa +WpxrQBblkmNJZJlEwbwqQPw8UMPdBzHuHUY4G8gSoBadHPYOp2aKsC8RGQMdZm/+ +zDpsmc5gt/HpVkBN/KzrpQTehXwZxxbB4SZDA9rzUCUWmeD6zVnHi1LP/CDQaFC5 +gza7RHsfkl/2GVuR3jMs+YAluTBM+pJbbcJlEJgcxmFRntDJSRvFxYqJctC3/9sD ++ZXyoN7Z3DLGIALhfIktbnISEsOXVut8WIgfna1MtGqXSwyH80G7Kv+mv5BwkZu3 +seHMD8YzpQUD2/n7eVwgePkciNSEvS+bEjACNs2K80JKnNzD +-----END CERTIFICATE----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-key.pem new file mode 100644 index 0000000..a02f6ed --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-key.pem @@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIxaygDRmw72ICAggA +MBQGCCqGSIb3DQMHBAgu9NwWonUgGwSCBMjCCAaRQSglNmeXddY1GpRd9s7mCp0a +vUHtfHk4qSiPpw/qURTJfeMtZU0XTFeMd9ZSIDIuV9CVUPaaCqASlUwbmJRaGPdS +1O3xP+0V3VaB3k1c6rCdpERXf/moNSwEnnL2i6twOkW7I9+N7jIqFpeh8RHG1iEJ +ys8jm6ojtvGRQpF0aT5eboydb5f4d3vq59HXvm/h55LlzC5uao7Kuk03oU5uUeZm +CDWBwHkgBvsbD/fVaIjHrdMqsCeXQ7AMd8caJsm3GZqorCw/IzrVWXRz30Ianv/u +WzajtVtYBA69gRHPiiZ9jHbf7DR2TDRA8azpCWFpBBcp37je5RkigBAsZQDhLuN0 +oe9rk/RkIEYEhteSFnkr6AaG/44ln3EEEM3QUKuGQMi5yTQ1qHXcqHRaivR6mO9A +IOTxQ2dFdz+lbZwqas6TIEVarm1uBbeJUWtC3XRd1T1zOKmBHShUcOAyPC01Tbwc +qjFDlx1DC3c+mCNHrBgKZ71KDld6GGOPjIbAuEn6Clvo618bFlofgRa9qHTJ08KG +dxNpjpVkRCBmanTrZj5V0DFW2iEpNCoAi/eCirm82hvet4zofoS46wdoN2DBabCy +WqqrP6VHq1YRC8K6z9jimhoNmamuVYsLDBr6uDcNqX8dkgMU/AGZH0iefuJgN9iZ +sDaOU9RLTdFOlUGJ1VD5+VJVaikTQacEfsmgfz+sh8hshXGU5y1yHLC3wzXZ0ESc +ZStyFbI/a+Loul7eTulnAnDLkmHJIBXQZ/ARiY1G07iydHGLY0NZjPfPEJ42d2aM +C3DBN6AvZvZx9dAFMVLxIIfsdSiHRfiDLARO5N/frkSp8+5TFswBNLcz+1J/mVdw +VGubugfKyqJLYPhCNhk46c77Fj/OaCOOaJZBW7hmyUZY67p/K/XUFK0zsrrnGRp8 +igPM8KEOHsdcZsgDXI1gXOc33lBcOa0u9gIT7Ec8TtBo/5sqOBdPKuYniOKiO9Oy +dPeyPUqIikzgp5n/SbdHA5V35hvE1Nf8RwiR1xrFkeHOnLHlmDXNOuw/oKr2P6jw +KsvooGxZT4yT8g8D58jVs2yIn/dFjfk380hxB7aMaxyYf+4MjCYT/zYnP2/bEdcz +/k86GfmHUqT322n6SiHw4QH1blJRkOPNUehMBt3Sr5G1Mq0cCWsFuaBfmy3CcCqW +jx7DSYLaHRZxnELFceXWrJe8qCyLoFKETIMKw8g6lsvKMmAePD6DN284tJPxzXs9 +1FfRTeDgpBsbx19/vv5CgIzvcUqcFkGHHtlo2LYYYLYzflWcYtdYrfsHeNGjjk6Z +SfQcHDuQ4NeS8cgt8AyOyj5pWaD4Xiz0anrM1sry1NT82aQzEU+bIiMSnBxHGVhX +1hHDR4JATfbU7PDGpy648MIN6Ox7cHW+maRLH/MyLtavnrkFSnvf6aFt58IfKga3 +GwsCzUoXWLdSEicGPPcgW0+S9NL/C8xu67n//oijIe/9eHuw9R9J7u6hhjmWTk/S +Osq7ilvRc6ueKkFjysR+HBtQgfwXoTHXb2X5tpCBUKVJkOlin6JJW0CIfdeBKgjQ +R4hEhQ4aXHCG+IZ29IAXRvAPyrdw5Zv7lBZl5hKXk+KKMshAkR0nLBkiRJw45fR5 +SJk= +-----END ENCRYPTED PRIVATE KEY----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-openssl.cnf b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-openssl.cnf new file mode 100644 index 0000000..35a120e --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-openssl.cnf @@ -0,0 +1,242 @@ +# +# Based on the OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl] +CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl + +# Extra OBJECT IDENTIFIER info: +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] +# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential +scardLogin=1.3.6.1.4.1.311.20.2.2 +# Used in a smart card login certificate's subject alternative name +msUPN=1.3.6.1.4.1.311.20.2.3 +# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller +msKDC=1.3.6.1.5.2.3.5 +# Identifies the AD GUID +msADGUID=1.3.6.1.4.1.311.25.1 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = CA-samba.example.com # Where everything is kept +certs = $dir/_none_certs # Where the issued certs are kept +crl_dir = $dir/_none_crl # Where the issued crl are kept +database = $dir/Private/CA-samba.example.com-index.txt # database index file. +unique_subject = yes # Set to 'no' to allow creation of + # several certificates with same subject. +new_certs_dir = $dir/NewCerts # default place for new certs. + +certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate +serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number +crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number + # must be commented out to leave a V1 CRL + +#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL +crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL +private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key +RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file + +#x509_extensions = # The extensions to add to the cert +x509_extensions = template_x509_extensions + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +crl_extensions = crl_ext + +default_days = 7300 # how long to certify for +default_crl_days= 7300 # how long before next CRL +default_md = sha256 # use public key default MD +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = match +stateOrProvinceName = match +localityName = match +organizationName = match +organizationalUnitName = match +commonName = supplied +emailAddress = supplied + +#################################################################### +[ req ] +default_bits = 2048 +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString (PKIX recommendation before 2004) +# utf8only: only UTF8Strings (PKIX recommendation after 2004). +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. +string_mask = utf8only + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = US +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = SambaState + +localityName = Locality Name (eg, city) +localityName_default = SambaCity + +organizationName = Organization Name (eg, company) +organizationName_default = SambaSelfTesting + +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = Users + +commonName = Common Name (eg, YOUR name) +commonName_default = administrator@addom2.samba.example.com +commonName_max = 64 + +emailAddress = Email Address +emailAddress_default = administrator@addom2.samba.example.com +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +#challengePassword = A challenge password +#challengePassword_min = 4 +#challengePassword_max = 20 +# +#unstructuredName = An optional company name + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] +# Extensions for a typical CA +# PKIX recommendation. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. +keyUsage = cRLSign, keyCertSign + +crlDistributionPoints=URI:$CRLDISTPT + +# Some might want this also +nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +subjectAltName=email:copy +# Copy issuer details +issuerAltName=issuer:copy + +[ crl_ext ] +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always + +#[ usr_cert_scarduser ] +[ template_x509_extensions ] + +# These extensions are added when 'ca' signs a request for a certificate that will be used to login from a smart card + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE +crlDistributionPoints=URI:$CRLDISTPT + +# For normal client use this is typical +nsCertType = client, email + +# This is typical in keyUsage for a client certificate. +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "Smart Card Login Certificate for administrator@addom2.samba.example.com" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. + +subjectAltName=email:copy,otherName:msUPN;UTF8:administrator@addom2.samba.example.com + +# Copy subject details +issuerAltName=issuer:copy + +nsCaRevocationUrl = $CRLDISTPT +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +#Extended Key requirements for client certs +extendedKeyUsage = clientAuth,scardLogin + diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private-key.pem new file mode 100644 index 0000000..bfd9bf6 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private-key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA6w6wHVNPPA/4kNYzZGh+7XxGlsZ3nAoH7YwT2ue7s3ljS+xa +KllXfDhpUMChtLr4HVZ4d5WzRBMSg98glRIB5R4aWzhpSIbopgoy9Dg2+IS9W6lw +SMVJJXlwmCOnWD4Jl21nsZX6CIYt1rfF0gaqW7j1k+bFIJqbDJArxy4gL+gHRQPz +TSzZ65yR0mjM/ld4XC5XW6YOEGq4Bc6rEjFJ6DR8P5Fjzj6m/8B7G5W3m5mpx+zW +RbeeJO7AK6NMovkEWxgvDosrFoldzJL6Sd0JknIUuo9IvW6biBSYb7wM47up0Qqo +k2t1cJj5qNgPxeappOWzcoF2B3PJPtJDYv4aOwIDAQABAoIBAGEgSJVVf0AKOWNf +nwy2QPxQhbp3d6T6YBw/7VRevKiEWAtfNkKZeBTUGnBLqIXNXAiDWnPPX6uZVeU3 +pXbzYeUSc0GOJbLaS/eP704KjGxULQpbERKAsqDRdTzoPpWvzLbNdjNjDVXIW9iF +RzBpoKsV2iOrD3lRaQ/f4rcC0Dn6k3ViM14twahAZI9TU/LcUQhmjI4xkmEOZtxi +yocK+aibj4NYiOPfDFOVmNUJnKzsBiMFH++1YlzC1BlWL+ILwA/paBxGMz7/dMPO +3kHJttV9IAZ9EoxDCRxREXOFjKEIdo/mVAIoh+IlELo9z5SDsgL/5ny/8+X3+cK+ +a9BCQcECgYEA/NHSgTC/Bf/REb+nqYhF2QLe0EUIbJAaVy9QZEkWouwdjpV4GFZ+ +cnDYP2V2NP0D3jrWr9Nfhr3vb2liraFZaMcHLJ11Ke+vUEsSLut5qTpp+L66OhDO +m7kHk1ilH2Y5GbgfV4w7QgWKXymk+OT+1G5M22Ssc79vGo+qfd/A+oUCgYEA7gOq +EJ+Ok4FKqSRNGDW1BGspqr1khsefow+6VdFyX7WhejDxUsMTnvENx0udt39ExNRM +C3o8Fu2kLQXq7F8QpryWy3t2gpPOS31ihhZkDRXR6F8VVMTF6eIDSPXl/r8usgz/ +2a7P6Etl2c3KZz+2PCeuKCzuCRuDNc4pONuDvb8CgYA70xrQ30wUi1hZrtRp1YlR +tNAs0GkR53eUMeoAERt+KglEeDIW8ECzq+g/+C5kk4qax6mNqaLtK3zBDFsBYzDZ +Dl+wOwJCjikaAummmKoNVXlGFzvSCbAaQUp9n3hTWckhQOSJvvE2ykDYC+6xxt5W +PlOJhuUX7rDHxD8/0fbEUQKBgQChZDyyTu8n2DjfHm1kaC6Zk2zKiOgceEooEKci +QAaVHZ0kNQG+Q+cPFJdqNzz3y0W/TdFOyxDp3zQ/D08v/npVBXYe/lXqzvzItXnU +QGSRduVB8w+Mzm0BXa8qjwroxYyNUUE/w0jZVB75JJEFl+8jNSjjtyulY1GCb4wG +MNtREwKBgCxPG7IYC5YTubvUE6AH9ZVm1e1QxEKF8v8YYlVwLTlmZQYVBNEQw0+M +WPScm27j3qUJG7AHG9R+nSSj3A9IeUY0trD5KCMTNuQQcXK1e0kdOlR2uGd2YUL5 +hZ9g7PjNolIpCV5Ifi6Lb8JbAOyvbcgEljGse9hN1gppmbnNndU1 +-----END RSA PRIVATE KEY----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private.p12 b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private.p12 new file mode 100644 index 0000000..8c5f769 Binary files /dev/null and b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private.p12 differ diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-req.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-req.pem new file mode 100644 index 0000000..db7f078 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-req.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIDDzCCAfcCAQAwgckxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTYW1iYVN0YXRl +MRIwEAYDVQQHDAlTYW1iYUNpdHkxGTAXBgNVBAoMEFNhbWJhU2VsZlRlc3Rpbmcx +DjAMBgNVBAsMBVVzZXJzMS8wLQYDVQQDDCZhZG1pbmlzdHJhdG9yQGFkZG9tMi5z +YW1iYS5leGFtcGxlLmNvbTE1MDMGCSqGSIb3DQEJARYmYWRtaW5pc3RyYXRvckBh +ZGRvbTIuc2FtYmEuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQDrDrAdU088D/iQ1jNkaH7tfEaWxnecCgftjBPa57uzeWNL7FoqWVd8 +OGlQwKG0uvgdVnh3lbNEExKD3yCVEgHlHhpbOGlIhuimCjL0ODb4hL1bqXBIxUkl +eXCYI6dYPgmXbWexlfoIhi3Wt8XSBqpbuPWT5sUgmpsMkCvHLiAv6AdFA/NNLNnr +nJHSaMz+V3hcLldbpg4QargFzqsSMUnoNHw/kWPOPqb/wHsblbebmanH7NZFt54k +7sAro0yi+QRbGC8OiysWiV3MkvpJ3QmSchS6j0i9bpuIFJhvvAzju6nRCqiTa3Vw +mPmo2A/F5qmk5bNygXYHc8k+0kNi/ho7AgMBAAGgADANBgkqhkiG9w0BAQsFAAOC +AQEAJndP6nZGzsmKplQ/4elWObJD5ye2mN64G9+Tcd+A1Y1j9XpizETi+IrikScJ +T1BDqUhCVT5fjCy3qgKBD5zeHmakZltcRki8HJT7eWWZFXhEB+buQ9KBgrrS/dX+ +6wflVgrSfe3x+506Dx6y8UDWDVy2P1r/X64uqcxOLUdrG+p8T8OYalNYcO5qQ4Dn +b5ei4bIAeE9UebUvPxfdN5UT/S/fL33fVCr8OTT60/QL4ez0KjFCLeeEv94qVaqW +Hxe9ykS7S446RhANWvH6VAeSY2Bhm+WPu9urtRe4m8qR6JC27cOAubHID9szA0ID +eHTbyblfQdALQ08lUDpNuJDVCQ== +-----END CERTIFICATE REQUEST----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-cert.pem new file mode 120000 index 0000000..0e23e5b --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-cert.pem @@ -0,0 +1 @@ +USER-administrator@addom2.samba.example.com-S07-cert.pem \ No newline at end of file diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-private-key.pem new file mode 120000 index 0000000..5a874f3 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-private-key.pem @@ -0,0 +1 @@ +USER-administrator@addom2.samba.example.com-S07-private-key.pem \ No newline at end of file diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-cert.cer b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-cert.cer new file mode 100644 index 0000000..8f6b393 Binary files /dev/null and b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-cert.cer differ diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-cert.pem new file mode 100644 index 0000000..4ab5d5a --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-cert.pem @@ -0,0 +1,169 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com + Validity + Not Before: Mar 16 23:29:04 2016 GMT + Not After : Mar 11 23:29:04 2036 GMT + Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=administrator@samba.example.com/emailAddress=administrator@samba.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:af:87:9e:1e:7f:c0:ab:da:47:22:74:d0:df:01: + f1:67:6c:ac:c4:b7:d9:18:97:e5:7a:62:76:33:b6: + 52:f2:92:90:75:ac:a3:94:7e:0c:29:75:c9:83:2f: + 19:66:60:84:45:ff:d5:a9:bd:c5:3a:a2:d8:25:cf: + 15:8a:23:3e:09:73:2f:99:1d:24:1f:e6:96:7e:7b: + c4:1e:8d:55:5b:c1:18:69:cd:1d:b4:22:d5:7b:db: + 5e:7c:91:f2:8e:c1:03:30:ee:63:46:5a:54:d5:40: + ac:79:55:00:71:07:8d:3e:0e:ed:ff:93:6c:f1:2d: + 84:c1:51:a3:7c:49:cf:ff:85:7b:c0:64:c1:ba:c8: + 66:7a:ff:17:2a:74:ea:16:6a:1d:97:c0:27:57:10: + be:76:f5:9a:63:56:c7:25:c6:fc:a7:5e:00:a6:1a: + 3d:21:bd:7a:f9:e3:03:60:ce:df:16:06:fc:05:bc: + d1:c8:5d:e7:33:ed:52:8b:60:5b:60:c5:70:13:1d: + c1:b3:08:13:09:3b:05:e8:02:40:12:45:89:af:87: + 1f:6a:8f:62:ce:1e:17:13:34:82:81:86:e9:bb:85: + 5b:75:1d:f4:3a:02:b4:a6:58:23:fe:c3:3a:35:09: + 95:bb:f7:79:bc:e3:97:e6:6d:77:24:aa:2d:51:50: + 37:69 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 CRL Distribution Points: + + Full Name: + URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl + + Netscape Cert Type: + SSL Client, S/MIME + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Netscape Comment: + Smart Card Login Certificate for administrator@samba.example.com + X509v3 Subject Key Identifier: + 45:DA:4B:8D:05:9C:62:4E:62:C3:D7:5C:5F:D3:D9:85:B4:9B:F2:2C + X509v3 Authority Key Identifier: + keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E + + X509v3 Subject Alternative Name: + email:administrator@samba.example.com, othername: + X509v3 Issuer Alternative Name: + email:ca-samba.example.com@samba.example.com + Netscape CA Revocation Url: + http://www.samba.example.com/crls/CA-samba.example.com-crl.crl + X509v3 Extended Key Usage: + TLS Web Client Authentication, scardLogin + Signature Algorithm: sha256WithRSAEncryption + a2:bb:e6:97:67:3c:b6:6e:6e:dd:34:99:16:c6:80:91:08:bf: + 91:ba:51:62:5d:76:2f:e5:53:91:3d:99:03:18:a9:84:69:73: + 76:66:c3:eb:56:d7:c5:40:91:15:da:de:b2:76:48:7d:8a:8c: + 80:79:3c:e6:da:0e:a6:c3:53:d6:74:ee:5f:29:b7:03:46:de: + 89:32:14:22:03:30:68:2e:7e:06:d4:ac:9e:82:c0:02:16:7f: + 81:ba:ee:7a:e7:8b:f7:fb:99:7f:8c:eb:78:54:97:4e:28:44: + da:f4:e2:1b:f8:3e:ac:ca:cc:e3:e3:71:90:91:47:9c:78:ed: + 6f:bc:b7:98:12:ea:75:e5:15:f7:26:56:a7:5c:d6:74:a8:13: + 7b:23:35:4e:6a:01:f6:a9:f5:5b:9b:d0:ea:ba:0f:c3:c4:1a: + e0:b9:a3:ed:5d:28:cb:7f:1d:3e:8a:9a:af:4c:88:00:3c:10: + f0:49:85:24:60:e6:cb:d6:9e:00:46:78:4d:90:22:68:4f:10: + 39:84:3b:e2:7c:3d:ed:23:41:19:7e:6f:45:59:89:a9:9f:26: + c1:f9:7d:4d:0a:b4:10:f9:31:7d:cc:87:d0:4b:62:14:70:86: + c8:7d:14:ff:e4:68:e2:de:42:ca:01:c7:aa:2d:5a:a5:72:64: + f1:4c:fa:6e:60:15:22:08:68:e6:c6:6a:75:63:24:b5:54:76: + d1:97:4f:e0:e8:bc:eb:d0:62:84:4a:b4:3a:07:38:5f:b9:a6: + 6a:31:14:47:33:81:bd:d0:a4:a2:da:2b:92:0d:dc:42:c4:0f: + 28:0d:b6:1b:33:b5:88:df:1b:a8:d8:90:9a:11:ce:df:d4:14: + e9:ac:94:94:95:bb:bc:6e:f1:be:85:29:3f:17:ab:41:14:d8: + 20:ba:e0:a2:a3:d3:d4:8b:1e:4b:32:22:8d:0d:c1:e6:39:1a: + ce:cd:f3:1d:f1:82:85:d5:e7:80:34:90:a4:0e:d4:af:32:c8: + 79:4e:25:32:b6:1e:06:3a:26:42:38:47:1a:32:96:71:5b:fe: + 5b:b0:ef:7d:fe:58:ca:eb:b5:c9:4b:2f:12:cb:89:36:22:7c: + a6:39:ab:20:c1:2d:cd:6b:34:e1:cd:bc:ed:45:45:12:4a:65: + 4b:ab:45:f2:6d:7a:9d:f8:b5:52:78:1b:da:2f:e0:ce:f7:e2: + b0:fa:6f:40:3d:dd:e9:39:c3:63:68:ab:77:53:be:3b:dd:9a: + bc:d7:d7:fa:6a:bf:bf:74:f7:11:80:87:f9:d3:45:eb:1e:8e: + d1:a9:a0:2e:66:e7:20:67:1c:4c:22:43:77:85:ff:1a:23:37: + cc:49:de:51:ee:f2:04:2f:a8:98:88:0f:b6:18:53:eb:e2:49: + 15:5e:02:8b:1e:7b:e6:c5:d1:0c:df:84:4e:d9:bd:fe:21:48: + d4:a4:11:01:27:57:51:d6:c1:b2:a1:1c:11:9a:a7:d1:ab:f0: + 99:16:b2:c8:3f:74:25:68:0b:1a:cf:58:0d:cd:cc:1a:6d:8b: + ec:1f:70:82:02:40:97:0f:75:2c:53:87:c1:42:5c:d1:7e:19: + 78:2c:2c:88:73:33:81:63:38:84:07:0f:16:bb:7c:54:59:03: + 94:e7:b8:85:d7:f8:5e:53:35:65:2e:e5:27:65:be:f0:89:65: + f6:ab:3f:6e:a5:bd:c1:1a:9e:31:30:68:6e:50:af:54:4c:33: + f8:73:2f:41:60:4f:4c:85:1b:ad:7d:db:62:42:dc:87:96:b4: + cf:ce:12:50:ed:6c:01:5f:e2:f9:03:f5:f7:4c:6c:8f:2b:5b: + 7a:64:7d:19:e8:20:f2:e9:10:58:f3:71:0e:1e:58:68:f2:59: + 3c:06:53:7a:f3:60:62:5b:c7:b7:83:58:1d:3d:a6:17:db:33: + cc:91:14:af:d6:b9:08:bf:60:af:ac:3e:fe:8b:74:71:20:c7: + e7:31:5e:26:6c:28:52:67:12:1e:c3:9b:89:23:5d:88:ee:b0: + 6b:db:cc:94:8b:9b:1b:40:b7:66:bc:7d:1d:e1:08:00:20:ba: + 41:cd:17:d6:4c:7b:c4:5a:fd:cf:6b:20:e2:b8:86:9c:31:17: + c2:d7:7f:1c:3a:d0:fc:1d:f5:7f:c9:96:04:27:de:b8:ef:8d: + 38:9a:b3:56:60:ac:c2:07:38:64:19:39:9e:73:6f:ba:59:15: + ac:45:42:4d:bb:79:60:7f:ae:c3:8d:63:4a:27:16:0a:ca:92: + 7f:f7:a2:02:76:f5:e6:7c:ec:ba:ea:18:cd:9c:3b:ee:37:2c: + 9d:78:4e:c9:40:6d:94:cc:ce:ca:f4:33:fc:a4:dd:05:62:d6: + 0f:1e:19:63:af:10:c3:ff:02:1a:0a:48:fd:af:f2:a4:0e:64: + dd:90:f4:4f:14:1b:90:1f:9e:29:b0:0b:94:a4:d1:2a:87:b9: + 3a:76:c2:b6:af:c3:d4:84:6e:85:1c:64:73:46:d0:df:72:c0: + 3c:42:91:c4:30:10:11:18:36:bc:e5:17:36:22:5f:c2:3f:ac: + 1d:2e:9d:87:11:be:a7:ac:b2:62:35:74:b9:27:27:95:bc:c1: + 11:44:f8:64:36:60:74:06:a2:e7:e9:76:be:a7:86:5e:18:1e: + bd:dc:b0:aa:ae:92:d6:dd:d6:25:80:d6:c1:be:c1:21:1c:01: + 6f:83:20:ae:b7:54:4f:3d:2d:12:fc:a2:cc:49:fd:59 +-----BEGIN CERTIFICATE----- +MIII/TCCBOWgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx +EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE +CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x +IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB +FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0xNjAz +MTYyMzI5MDRaFw0zNjAzMTEyMzI5MDRaMIGnMQswCQYDVQQGEwJVUzETMBEGA1UE +CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE +CwwFVXNlcnMxKDAmBgNVBAMMH2FkbWluaXN0cmF0b3JAc2FtYmEuZXhhbXBsZS5j +b20xLjAsBgkqhkiG9w0BCQEWH2FkbWluaXN0cmF0b3JAc2FtYmEuZXhhbXBsZS5j +b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvh54ef8Cr2kcidNDf +AfFnbKzEt9kYl+V6YnYztlLykpB1rKOUfgwpdcmDLxlmYIRF/9WpvcU6otglzxWK +Iz4Jcy+ZHSQf5pZ+e8QejVVbwRhpzR20ItV72158kfKOwQMw7mNGWlTVQKx5VQBx +B40+Du3/k2zxLYTBUaN8Sc//hXvAZMG6yGZ6/xcqdOoWah2XwCdXEL529ZpjVscl +xvynXgCmGj0hvXr54wNgzt8WBvwFvNHIXecz7VKLYFtgxXATHcGzCBMJOwXoAkAS +RYmvhx9qj2LOHhcTNIKBhum7hVt1HfQ6ArSmWCP+wzo1CZW793m845fmbXckqi1R +UDdpAgMBAAGjggIRMIICDTAJBgNVHRMEAjAAME8GA1UdHwRIMEYwRKBCoECGPmh0 +dHA6Ly93d3cuc2FtYmEuZXhhbXBsZS5jb20vY3Jscy9DQS1zYW1iYS5leGFtcGxl +LmNvbS1jcmwuY3JsMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMCBeAwTwYJ +YIZIAYb4QgENBEIWQFNtYXJ0IENhcmQgTG9naW4gQ2VydGlmaWNhdGUgZm9yIGFk +bWluaXN0cmF0b3JAc2FtYmEuZXhhbXBsZS5jb20wHQYDVR0OBBYEFEXaS40FnGJO +YsPXXF/T2YW0m/IsMB8GA1UdIwQYMBaAFKI+Aiqjp005tAhNmcwMdTbqJ8M+MFsG +A1UdEQRUMFKBH2FkbWluaXN0cmF0b3JAc2FtYmEuZXhhbXBsZS5jb22gLwYKKwYB +BAGCNxQCA6AhDB9hZG1pbmlzdHJhdG9yQHNhbWJhLmV4YW1wbGUuY29tMDEGA1Ud +EgQqMCiBJmNhLXNhbWJhLmV4YW1wbGUuY29tQHNhbWJhLmV4YW1wbGUuY29tME0G +CWCGSAGG+EIBBARAFj5odHRwOi8vd3d3LnNhbWJhLmV4YW1wbGUuY29tL2NybHMv +Q0Etc2FtYmEuZXhhbXBsZS5jb20tY3JsLmNybDAfBgNVHSUEGDAWBggrBgEFBQcD +AgYKKwYBBAGCNxQCAjANBgkqhkiG9w0BAQsFAAOCBAEAorvml2c8tm5u3TSZFsaA +kQi/kbpRYl12L+VTkT2ZAxiphGlzdmbD61bXxUCRFdresnZIfYqMgHk85toOpsNT +1nTuXym3A0beiTIUIgMwaC5+BtSsnoLAAhZ/gbrueueL9/uZf4zreFSXTihE2vTi +G/g+rMrM4+NxkJFHnHjtb7y3mBLqdeUV9yZWp1zWdKgTeyM1TmoB9qn1W5vQ6roP +w8Qa4Lmj7V0oy38dPoqar0yIADwQ8EmFJGDmy9aeAEZ4TZAiaE8QOYQ74nw97SNB +GX5vRVmJqZ8mwfl9TQq0EPkxfcyH0EtiFHCGyH0U/+Ro4t5CygHHqi1apXJk8Uz6 +bmAVIgho5sZqdWMktVR20ZdP4Oi869BihEq0Ogc4X7mmajEURzOBvdCkotorkg3c +QsQPKA22GzO1iN8bqNiQmhHO39QU6ayUlJW7vG7xvoUpPxerQRTYILrgoqPT1Ise +SzIijQ3B5jkazs3zHfGChdXngDSQpA7UrzLIeU4lMrYeBjomQjhHGjKWcVv+W7Dv +ff5Yyuu1yUsvEsuJNiJ8pjmrIMEtzWs04c287UVFEkplS6tF8m16nfi1Ungb2i/g +zvfisPpvQD3d6TnDY2ird1O+O92avNfX+mq/v3T3EYCH+dNF6x6O0amgLmbnIGcc +TCJDd4X/GiM3zEneUe7yBC+omIgPthhT6+JJFV4Cix575sXRDN+ETtm9/iFI1KQR +ASdXUdbBsqEcEZqn0avwmRayyD90JWgLGs9YDc3MGm2L7B9wggJAlw91LFOHwUJc +0X4ZeCwsiHMzgWM4hAcPFrt8VFkDlOe4hdf4XlM1ZS7lJ2W+8Ill9qs/bqW9wRqe +MTBoblCvVEwz+HMvQWBPTIUbrX3bYkLch5a0z84SUO1sAV/i+QP190xsjytbemR9 +Gegg8ukQWPNxDh5YaPJZPAZTevNgYlvHt4NYHT2mF9szzJEUr9a5CL9gr6w+/ot0 +cSDH5zFeJmwoUmcSHsObiSNdiO6wa9vMlIubG0C3Zrx9HeEIACC6Qc0X1kx7xFr9 +z2sg4riGnDEXwtd/HDrQ/B31f8mWBCfeuO+NOJqzVmCswgc4ZBk5nnNvulkVrEVC +Tbt5YH+uw41jSicWCsqSf/eiAnb15nzsuuoYzZw77jcsnXhOyUBtlMzOyvQz/KTd +BWLWDx4ZY68Qw/8CGgpI/a/ypA5k3ZD0TxQbkB+eKbALlKTRKoe5OnbCtq/D1IRu +hRxkc0bQ33LAPEKRxDAQERg2vOUXNiJfwj+sHS6dhxG+p6yyYjV0uScnlbzBEUT4 +ZDZgdAai5+l2vqeGXhgevdywqq6S1t3WJYDWwb7BIRwBb4MgrrdUTz0tEvyizEn9 +WQ== +-----END CERTIFICATE----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-key.pem new file mode 100644 index 0000000..652e3bd --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-key.pem @@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI7Afo/WihRO4CAggA +MBQGCCqGSIb3DQMHBAiyzMez8ikVKgSCBMikJkx4Qhm0cLRQXJfIPsHX0YQfinoJ +qLGWMQ5KWTpwFZHoeqarmCVLJwReF75E8nD5tJdKt5J+lN0gBQMbppAzlSOJvMne +1E5sDoBHY3jYUViF3p+ZZt4YoDxaGFYxcGL9M6Uo/Yb1791riMisQjgn7inpRe0i +JuHngJH9Dblg0+vGM3JkMKdizWHSW4RyeYXa8d3rh62Y5RD7exUHKkz3pPucSsyy +dnkhvbhdXSYzPxcUarrjx3pNMzWhamLWP3V6UwupCB8dygLm4QV+Fc3Jw7wR3Efj +cewWjmXHuHzAGfDhr1r6yeWaAQCYezSp18UwMRv9AWgiTAayxDI+IroBigvU3PfA +KE0RlWBnvoy2ggNEsCvk2QXYpQiIJMTS9u1oi2aOdvXaaVxuKBPJGgzAFGSnM44k +gE1Pe+snVxzRuzHCNXnWoCxSa9xAvRt/dnQ9n1p2m3lwlt+kP0kO4ieMhT+SnBNh +QY/WRfJ8E5ldYyfJ0y2eRd1hCu+42tj72rAuQkhPEUJzWuU6N1xzChXPwXVnhIh4 +HS4bpd9uL1wA5sNw2zfXdanagmSrXC5EFVdj4rJzHWzkalg0GTMhYd4QsbqI5d8O +lO5ECnZUJwIcYa5Hy7OVDymRh3BxPMDGYqiO1+6QHUrqRm/XiSDUSaBfLat9ckHY +0JT5nbBMg0TJ3VIhUbsZaQ4fwZNr9zgeS+yoFuLcPYPCHBz2fDNq6MFb0BqbHcYY +qmf++nxF/jW21UKTryBeiLdkq1TjExOEXdmjSL4vwmUjyx+ycM4w8GvdU4xkdkQl +1jNlx20WSocZ0hzreCMXglUb1q7tzZvaVJrSS9TX2PV38Fcz6jpmOeKtnkRBMUis +Ge20QO7D8zCJM0jL+mNAnuZCA7zHc8aenbR6hK8i3Kd8G0XhWLNVWI5KfFtgrRaW +UCM8mSdEIvWZfPrdvxo/kYEXBBA8i+3oO0nSUTyHpqmsIH3nYvaWnVmibnKMigO3 ++3d+6Db5R117EbXDdRWm85jiN7PQ1SdNVxtKN4Wu188r/KfchXAeBQcBy9Kh1vVY +qYTqP4Mp7dbm864iiZQZwTLJeq346+xUze5NY7nFHWl0ps7ujk+i9WA9I+M2TAj9 +Zmywy4Xvjwpj7PO5zA9O5TRxnnBbz7VrTcxBLK+6T/2yZZceJ29Bv7wy61eK9LNk +AYy+MFXlY64L6HauTk9Ne/VnNnTvYYqrqPNy6CehQc0+LKvmYLCHUZabhWi7P1rj +gUkkypfBH0j8k1lDnjnYu5bml32GK7eBix9C+5kNDadnvCEVDiYFT59SDyKCUHMZ +19EKywqkWVPu5ez+60zSEJACpvIqDxlamusN3O9tQZD/t2c2lJiBeBPszXgj8Gin +++tuCwkz/3KNy+u3SCZg9SUk5+XVZDOQOMh9EmUT5oqoPUTm9pblU2B8lRZaw/wl +B97E4q4TUOtXZXHJdCkU8Sxr8/l8fOFYqIeiFx8PhSHaFgpEKgs89G9AefIb+l1u +Z36bqMs0y4rIiSHR++0ZO5NJIi33zhPHvifmPzBTDXRn9cWdfqwetq1ts9ZD27oE +4UhJyRU0gprmtpQWoVnd6ghiM1zk7lZmRQEDDXy4+puztzgZNLKJbSeXbufe49nX +DcU= +-----END ENCRYPTED PRIVATE KEY----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-openssl.cnf b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-openssl.cnf new file mode 100644 index 0000000..db72360 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-openssl.cnf @@ -0,0 +1,242 @@ +# +# Based on the OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl] +CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl + +# Extra OBJECT IDENTIFIER info: +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] +# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential +scardLogin=1.3.6.1.4.1.311.20.2.2 +# Used in a smart card login certificate's subject alternative name +msUPN=1.3.6.1.4.1.311.20.2.3 +# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller +msKDC=1.3.6.1.5.2.3.5 +# Identifies the AD GUID +msADGUID=1.3.6.1.4.1.311.25.1 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = CA-samba.example.com # Where everything is kept +certs = $dir/_none_certs # Where the issued certs are kept +crl_dir = $dir/_none_crl # Where the issued crl are kept +database = $dir/Private/CA-samba.example.com-index.txt # database index file. +unique_subject = yes # Set to 'no' to allow creation of + # several certificates with same subject. +new_certs_dir = $dir/NewCerts # default place for new certs. + +certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate +serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number +crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number + # must be commented out to leave a V1 CRL + +#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL +crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL +private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key +RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file + +#x509_extensions = # The extensions to add to the cert +x509_extensions = template_x509_extensions + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +crl_extensions = crl_ext + +default_days = 7300 # how long to certify for +default_crl_days= 7300 # how long before next CRL +default_md = sha256 # use public key default MD +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = match +stateOrProvinceName = match +localityName = match +organizationName = match +organizationalUnitName = match +commonName = supplied +emailAddress = supplied + +#################################################################### +[ req ] +default_bits = 2048 +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString (PKIX recommendation before 2004) +# utf8only: only UTF8Strings (PKIX recommendation after 2004). +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. +string_mask = utf8only + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = US +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = SambaState + +localityName = Locality Name (eg, city) +localityName_default = SambaCity + +organizationName = Organization Name (eg, company) +organizationName_default = SambaSelfTesting + +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = Users + +commonName = Common Name (eg, YOUR name) +commonName_default = administrator@samba.example.com +commonName_max = 64 + +emailAddress = Email Address +emailAddress_default = administrator@samba.example.com +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +#challengePassword = A challenge password +#challengePassword_min = 4 +#challengePassword_max = 20 +# +#unstructuredName = An optional company name + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] +# Extensions for a typical CA +# PKIX recommendation. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. +keyUsage = cRLSign, keyCertSign + +crlDistributionPoints=URI:$CRLDISTPT + +# Some might want this also +nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +subjectAltName=email:copy +# Copy issuer details +issuerAltName=issuer:copy + +[ crl_ext ] +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always + +#[ usr_cert_scarduser ] +[ template_x509_extensions ] + +# These extensions are added when 'ca' signs a request for a certificate that will be used to login from a smart card + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE +crlDistributionPoints=URI:$CRLDISTPT + +# For normal client use this is typical +nsCertType = client, email + +# This is typical in keyUsage for a client certificate. +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "Smart Card Login Certificate for administrator@samba.example.com" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. + +subjectAltName=email:copy,otherName:msUPN;UTF8:administrator@samba.example.com + +# Copy subject details +issuerAltName=issuer:copy + +nsCaRevocationUrl = $CRLDISTPT +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +#Extended Key requirements for client certs +extendedKeyUsage = clientAuth,scardLogin + diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-private-key.pem new file mode 100644 index 0000000..cc8f150 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-private-key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAr4eeHn/Aq9pHInTQ3wHxZ2ysxLfZGJflemJ2M7ZS8pKQdayj +lH4MKXXJgy8ZZmCERf/Vqb3FOqLYJc8ViiM+CXMvmR0kH+aWfnvEHo1VW8EYac0d +tCLVe9tefJHyjsEDMO5jRlpU1UCseVUAcQeNPg7t/5Ns8S2EwVGjfEnP/4V7wGTB +ushmev8XKnTqFmodl8AnVxC+dvWaY1bHJcb8p14Apho9Ib16+eMDYM7fFgb8BbzR +yF3nM+1Si2BbYMVwEx3BswgTCTsF6AJAEkWJr4cfao9izh4XEzSCgYbpu4VbdR30 +OgK0plgj/sM6NQmVu/d5vOOX5m13JKotUVA3aQIDAQABAoIBAQCEj7E0a1rA7ooG +VZ5grQD5ELOxpP7Jef2OXcnS6ADgvRtoI0cun7rjnNbgwbM3A/EhRELCfFT1IYKH +m0szFcaGMH1j7wQXK3fAcgv83tP2BXBAhu3F2wDLFzLWdQpwEQgt7fr/aLzkiIE4 +6J76va9HjNLkzxvZUH0P2m3TMZNp7s2NLjxNQwivNXSgKXcT9fPX7IaBd063W41I +iYQZ7M8Q3C1vk34uC9V1LxjFxOAe42G/ITkjt3CJbg0CjMXG3P3TKIXG94ufpFQO +mkEzUSGxTCkwlqHKcxsa+7f72TocuhLuwpFBSeRmiIsa5ZHxJiC6XOkz2CAboNkI +UMSVjoxZAoGBAOlOGjiF7ChheDLhtj3/VcxfyHkcNoUFAtKuoT/FD8JMQiEUTifr +V7eA8pfAQubVVRNLmZEA40gsJsTPbCRQymwcYDFRATlTd6nZ1s53z99E/v/1QjIa +ZpQXRD+Nt1xmID/MuX34qpIA6ZEE2zTFoMo1STeNf4eC9mESW9DkA05rAoGBAMCa +wrvLa5whtXbhdoWfCMYKtSQuGTEKslb4Ec97sKIdZXloGnH0eyiwnynCDhX2wPJt +gnQtVxNXb9+MFxh+6bnX5rMyB+myXszpPNBCbLO0FU3+vfIEmOoULqU1Xn7Eu97m +LGoR6G9cN7p8RuX7zp5ROKGfDg77oW8XhVah2x57AoGAY1BmBQ2tW/sx6ab/pyCc +a2WSt0t1QebCLuE7ryO586H2vJIiOwgJzQnNOyAS2qSRlKcn9fwExGJXFoydok/p ++1+Q6y1qcfbAB8O9lyKVkJuUWW0UArQOWpgU62DuXxzyOXZyt9c09PYCd0Mz9SDz +s2A/jLBlS1BKhUQFZcTKS4UCgYBaT7cD66x3t26pYar7mMi6ZAbwAhWZ41QgZ42i +ZnM6cOJF/UR5LpQZTkgzgmSsc9mhUywaYbA0x4kTn1KtD8V0eQIaAFmpgRPmrW7w +kFT8JnLe8ZYLR5CUIgaFPPMkKgeVywQEcIU2wlz3OpLcACiwH5GYZ0ZmTCM0Pikt +qBNgxQKBgEVgpIHZi2xdfvwtCrEfomnlImj94HySKIFenCRoc/d34+KO4jKho1zN +dqbSDqz/lB/7GWFjRszTMZMVJkl8TbE050UEe8EDPt93BSeGHNCUXUesZQVddGhn +iH8OLIkoW3xIlNgflwi4+7gLjWrAHHPwEG3Iys83DVCA5D/4C02m +-----END RSA PRIVATE KEY----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-private.p12 b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-private.p12 new file mode 100644 index 0000000..c2c70e3 Binary files /dev/null and b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-private.p12 differ diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-req.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-req.pem new file mode 100644 index 0000000..72cd979 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-req.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIDATCCAekCAQAwgbsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTYW1iYVN0YXRl +MRIwEAYDVQQHDAlTYW1iYUNpdHkxGTAXBgNVBAoMEFNhbWJhU2VsZlRlc3Rpbmcx +DjAMBgNVBAsMBVVzZXJzMSgwJgYDVQQDDB9hZG1pbmlzdHJhdG9yQHNhbWJhLmV4 +YW1wbGUuY29tMS4wLAYJKoZIhvcNAQkBFh9hZG1pbmlzdHJhdG9yQHNhbWJhLmV4 +YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr4eeHn/A +q9pHInTQ3wHxZ2ysxLfZGJflemJ2M7ZS8pKQdayjlH4MKXXJgy8ZZmCERf/Vqb3F +OqLYJc8ViiM+CXMvmR0kH+aWfnvEHo1VW8EYac0dtCLVe9tefJHyjsEDMO5jRlpU +1UCseVUAcQeNPg7t/5Ns8S2EwVGjfEnP/4V7wGTBushmev8XKnTqFmodl8AnVxC+ +dvWaY1bHJcb8p14Apho9Ib16+eMDYM7fFgb8BbzRyF3nM+1Si2BbYMVwEx3BswgT +CTsF6AJAEkWJr4cfao9izh4XEzSCgYbpu4VbdR30OgK0plgj/sM6NQmVu/d5vOOX +5m13JKotUVA3aQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAGrgBV0TkeQ3fHEJ +vTabQG/aKSgzkkzaiBdY5GBX3FGtmKl0E9DNImc3bcw4QBC8GDObGoqct31QpHnT +H51MN/Vix3YAUsKbGtvopGygn22sLtm21Iy1lOS2QsEikPxrDedmKjGzsyi8fWFF +fWOEW1+mhS7L6oiNDm18MbAaYN6wdgkPVW0Uc+P/ftRZ1y2T2mli+99IgNQQW9Rb +7ZrHBTyCq9IK73UniVCA3yEN2ibHxaZQsvl3DpUfkKdPV1FOsvj33nTMtcubY7/P +c4n3w2M0HVSu6Ch+cJj0dy3FzYU76eInzT6B+hs2lGCIm6H4pUH8Vjx9dNMjcC4d +vctx/Mw= +-----END CERTIFICATE REQUEST----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-cert.pem new file mode 120000 index 0000000..3b134b6 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-cert.pem @@ -0,0 +1 @@ +USER-administrator@samba.example.com-S01-cert.pem \ No newline at end of file diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-private-key.pem new file mode 120000 index 0000000..964892e --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-private-key.pem @@ -0,0 +1 @@ +USER-administrator@samba.example.com-S01-private-key.pem \ No newline at end of file diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.cer b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.cer new file mode 100644 index 0000000..85773b0 Binary files /dev/null and b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.cer differ diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.pem new file mode 100644 index 0000000..997dfd3 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.pem @@ -0,0 +1,168 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 5 (0x5) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com + Validity + Not Before: Jun 3 19:30:47 2016 GMT + Not After : May 29 19:30:47 2036 GMT + Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=pkinit@addom.samba.example.com/emailAddress=pkinit@addom.samba.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:b3:a4:e8:bd:c8:4f:6a:71:c6:15:a8:dd:00:d6: + 61:74:00:e4:8f:b5:c4:0e:98:d9:51:aa:aa:4f:c7: + 8c:f9:6c:37:5c:60:55:da:7c:55:9c:d3:cd:e2:f1: + ed:51:39:25:d5:fa:69:7e:a7:67:9c:a9:61:1b:5c: + 73:50:d0:6f:ba:ce:3a:df:fe:ae:95:95:8e:97:ab: + c6:bb:6a:c3:60:0b:ca:c2:9c:31:ff:c6:2f:52:bb: + cb:2f:f6:2c:4d:be:20:e1:16:49:d3:22:36:66:4f: + 5c:c4:30:12:07:34:8b:00:4e:5b:51:7d:40:35:81: + dc:5c:0e:af:be:78:63:80:69:67:87:53:97:d0:3f: + d7:66:8d:26:8a:0a:24:95:f9:db:dd:93:0e:48:54: + c8:30:e4:77:0d:65:ef:a4:6a:de:29:91:77:97:40: + 5c:2e:ed:35:5e:b9:0f:37:ad:d9:70:76:99:77:45: + 8c:4a:65:63:13:72:d5:c4:53:37:57:85:0a:6d:74: + 30:8c:69:7f:83:f0:7f:f5:67:05:79:80:27:d4:38: + 6d:49:2f:8d:2a:97:2e:33:1f:d0:e0:c1:76:1b:bf: + bf:b1:75:8a:c9:b1:3f:3f:f2:4e:c5:b0:68:5e:76: + 8a:7e:9c:57:b2:ec:3d:18:83:e2:65:d5:30:5e:b5: + f4:c7 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 CRL Distribution Points: + + Full Name: + URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl + + Netscape Cert Type: + SSL Client, S/MIME + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Netscape Comment: + Smart Card Login Certificate for pkinit@addom.samba.example.com + X509v3 Subject Key Identifier: + 3E:81:65:A1:E3:7E:18:BE:80:FE:15:93:CC:20:15:FD:08:D4:A4:3D + X509v3 Authority Key Identifier: + keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E + + X509v3 Subject Alternative Name: + email:pkinit@addom.samba.example.com, othername: + X509v3 Issuer Alternative Name: + email:ca-samba.example.com@samba.example.com + Netscape CA Revocation Url: + http://www.samba.example.com/crls/CA-samba.example.com-crl.crl + X509v3 Extended Key Usage: + TLS Web Client Authentication, scardLogin + Signature Algorithm: sha256WithRSAEncryption + 7b:47:4c:55:7c:77:8b:8f:ca:23:3e:51:6a:51:c1:49:44:0d: + 72:56:27:79:f7:54:48:ef:74:37:5e:2a:33:68:dc:04:8a:de: + b2:8e:7b:26:6f:67:f5:bc:0a:e1:ec:74:12:86:5a:6b:56:7d: + 75:24:d0:df:c7:1e:c4:28:e8:a5:c0:e5:3a:a0:74:f8:95:70: + 61:44:a1:9c:e3:54:d8:cf:1b:e2:2f:35:d3:ca:1a:5f:07:e9: + ce:fe:79:e1:20:ac:9e:94:74:a5:80:2e:38:75:bc:bc:d7:2d: + e0:54:c1:17:9a:8e:07:42:7e:5f:2e:17:93:63:ab:ae:ed:c6: + 29:0f:91:c8:8a:99:ad:21:5b:52:a7:dd:0c:2f:32:dc:0d:36: + 9c:98:02:aa:eb:8f:2d:3a:86:1a:cf:f8:f5:da:0b:70:7e:14: + 9c:79:bc:8a:6c:c7:06:8d:3e:3b:26:2a:50:a1:05:ca:47:79: + d1:ba:55:06:cd:d2:3a:10:27:8d:cb:ee:b4:f7:90:ff:f2:fb: + 67:f0:73:0b:4f:51:5e:0b:8d:e4:94:cb:da:56:2d:18:91:b8: + 51:0f:ee:48:99:cc:ae:8b:6b:ac:d8:38:1e:5e:5e:d9:1a:29: + 52:04:52:49:49:30:60:3b:fa:4e:c9:0c:a0:67:20:e1:4a:9f: + 84:44:c8:ca:35:d5:28:a6:06:7e:dc:c3:81:8d:40:12:3d:ae: + 0d:51:42:5a:16:92:78:2e:70:0b:ba:7f:8e:52:b7:2e:a8:f1: + 72:32:ba:6f:30:92:1e:40:0f:bf:09:14:5b:63:c6:1d:b3:ac: + eb:e7:69:f0:1b:3c:b8:4a:ec:a2:22:e2:58:ad:ef:22:77:9c: + e2:51:ec:38:bf:47:d8:1e:43:77:61:3d:60:54:c7:ba:6a:be: + 87:ea:f7:9e:46:74:90:70:c3:d9:74:21:be:90:78:12:2f:30: + d2:56:3b:9a:24:27:17:1b:d0:8c:49:e7:65:a8:d2:d9:0f:f8: + e9:5e:51:8c:97:cf:90:37:e5:ad:dc:88:ac:c1:54:57:7a:9a: + f4:5a:80:25:85:7c:d0:b7:17:03:8c:b3:43:20:59:c7:f3:68: + 72:f5:53:75:df:a0:00:12:f0:28:d5:dc:70:ec:9e:c2:33:bd: + 73:e9:8c:62:b8:2f:0d:55:a3:3d:d2:21:59:4f:3a:d7:50:aa: + 43:72:25:05:a0:2f:e0:f1:79:59:2a:57:e6:b9:91:21:b9:9f: + 07:f9:49:fc:d7:97:f7:be:a7:81:69:ac:6c:9a:7c:25:5e:6b: + 48:37:90:89:ac:37:02:b5:be:41:01:56:93:71:f4:e9:75:3c: + aa:0a:9b:d6:a3:09:64:51:30:d7:2c:1a:dd:bc:83:2e:45:b5: + 90:a5:ad:16:ba:18:56:1c:88:73:b5:ee:77:6d:65:3e:11:dc: + 36:45:6a:08:99:5d:24:86:93:da:45:95:2a:de:80:96:2e:db: + d7:87:b3:f1:70:3c:b5:56:eb:ca:62:dc:3c:49:84:3c:f8:6d: + d9:44:e0:81:33:5e:f7:22:27:8b:09:05:12:a6:c1:79:56:c7: + 7f:e2:80:d6:ab:4d:e5:1a:ff:ae:9a:fd:3b:7b:aa:15:ca:10: + c2:6a:98:c4:70:63:6e:7d:94:8e:87:0a:24:bd:b1:59:85:67: + 5b:e8:2e:ff:d7:43:8c:46:06:1a:a8:ba:72:e7:0d:ef:5f:6c: + 2d:5c:14:56:ad:5d:56:a5:21:09:7b:16:44:4a:74:9d:1a:03: + aa:1a:41:29:e5:78:e4:7c:9e:53:18:61:d8:5a:d1:e8:a8:0e: + f4:d3:40:d6:6b:cd:c9:e4:a3:3d:51:54:c3:d6:09:4c:48:9e: + 34:2a:23:ad:83:ab:9a:99:c2:bf:7b:85:98:d7:b6:21:fc:c4: + 17:6c:56:46:95:98:da:e8:6c:f3:67:4e:33:fc:68:b8:af:86: + 07:8b:8e:f3:16:2c:ec:82:e7:b8:47:64:5c:f5:bd:37:75:b5: + 94:d3:09:3c:3d:6a:6d:47:81:e0:1b:df:5e:d7:6c:92:7d:23: + 91:3e:29:06:21:5b:52:62:47:87:e8:7e:20:ab:fa:cb:3f:9e: + ab:7e:55:7e:d2:76:7d:3e:ce:49:f5:ad:a1:f8:13:ba:9a:d6: + 54:bb:e9:f0:e0:a6:77:27:95:33:84:48:ff:29:87:fc:65:94: + d4:56:44:88:fc:40:0a:64:32:15:13:36:bf:fb:10:65:35:94: + 66:ad:d7:e4:16:08:c5:8b:2f:c7:a1:14:99:60:69:66:39:3f: + 8d:f3:d3:46:ae:c9:ad:85:94:9b:06:6f:7e:f9:84:b4:e7:fb: + 7c:79:1b:75:00:f7:10:19:86:57:48:ea:d5:24:eb:f5:d6:42: + 43:73:36:db:9a:15:73:01:75:db:e5:4f:d0:68:3a:3b:35:ce: + 19:ab:08:e8:75:c4:7d:b0:d8:c9:64:f9:de:e4:ae:df:a5:24: + 19:dd:b8:d1:88:40:48:2a:13:6c:ad:72:23:46:45:2c:78:0c: + d4:68:15:11:7f:e2:47:2d:ce:d0:ce:ae:43:8b:08:af:42:12: + 85:6f:4d:8b:39:e0:a1:d9:65:08:b1:dc:00:e2:e8:f0:e1:f6: + 8f:21:8e:81:cd:de:8a:d0:92:58:22:d0:b0:29:fa:f8:98:6f: + c6:e0:68:37:b4:57:90:c2:c4:7c:38:64:51:d7:61:5a +-----BEGIN CERTIFICATE----- +MIII+DCCBOCgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx +EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE +CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x +IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB +FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0xNjA2 +MDMxOTMwNDdaFw0zNjA1MjkxOTMwNDdaMIGlMQswCQYDVQQGEwJVUzETMBEGA1UE +CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE +CwwFVXNlcnMxJzAlBgNVBAMMHnBraW5pdEBhZGRvbS5zYW1iYS5leGFtcGxlLmNv +bTEtMCsGCSqGSIb3DQEJARYecGtpbml0QGFkZG9tLnNhbWJhLmV4YW1wbGUuY29t +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs6TovchPanHGFajdANZh +dADkj7XEDpjZUaqqT8eM+Ww3XGBV2nxVnNPN4vHtUTkl1fppfqdnnKlhG1xzUNBv +us463/6ulZWOl6vGu2rDYAvKwpwx/8YvUrvLL/YsTb4g4RZJ0yI2Zk9cxDASBzSL +AE5bUX1ANYHcXA6vvnhjgGlnh1OX0D/XZo0migoklfnb3ZMOSFTIMOR3DWXvpGre +KZF3l0BcLu01XrkPN63ZcHaZd0WMSmVjE3LVxFM3V4UKbXQwjGl/g/B/9WcFeYAn +1DhtSS+NKpcuMx/Q4MF2G7+/sXWKybE/P/JOxbBoXnaKfpxXsuw9GIPiZdUwXrX0 +xwIDAQABo4ICDjCCAgowCQYDVR0TBAIwADBPBgNVHR8ESDBGMESgQqBAhj5odHRw +Oi8vd3d3LnNhbWJhLmV4YW1wbGUuY29tL2NybHMvQ0Etc2FtYmEuZXhhbXBsZS5j +b20tY3JsLmNybDARBglghkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgXgME4GCWCG +SAGG+EIBDQRBFj9TbWFydCBDYXJkIExvZ2luIENlcnRpZmljYXRlIGZvciBwa2lu +aXRAYWRkb20uc2FtYmEuZXhhbXBsZS5jb20wHQYDVR0OBBYEFD6BZaHjfhi+gP4V +k8wgFf0I1KQ9MB8GA1UdIwQYMBaAFKI+Aiqjp005tAhNmcwMdTbqJ8M+MFkGA1Ud +EQRSMFCBHnBraW5pdEBhZGRvbS5zYW1iYS5leGFtcGxlLmNvbaAuBgorBgEEAYI3 +FAIDoCAMHnBraW5pdEBhZGRvbS5zYW1iYS5leGFtcGxlLmNvbTAxBgNVHRIEKjAo +gSZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTBNBglghkgB +hvhCAQQEQBY+aHR0cDovL3d3dy5zYW1iYS5leGFtcGxlLmNvbS9jcmxzL0NBLXNh +bWJhLmV4YW1wbGUuY29tLWNybC5jcmwwHwYDVR0lBBgwFgYIKwYBBQUHAwIGCisG +AQQBgjcUAgIwDQYJKoZIhvcNAQELBQADggQBAHtHTFV8d4uPyiM+UWpRwUlEDXJW +J3n3VEjvdDdeKjNo3ASK3rKOeyZvZ/W8CuHsdBKGWmtWfXUk0N/HHsQo6KXA5Tqg +dPiVcGFEoZzjVNjPG+IvNdPKGl8H6c7+eeEgrJ6UdKWALjh1vLzXLeBUwReajgdC +fl8uF5Njq67txikPkciKma0hW1Kn3QwvMtwNNpyYAqrrjy06hhrP+PXaC3B+FJx5 +vIpsxwaNPjsmKlChBcpHedG6VQbN0joQJ43L7rT3kP/y+2fwcwtPUV4LjeSUy9pW +LRiRuFEP7kiZzK6La6zYOB5eXtkaKVIEUklJMGA7+k7JDKBnIOFKn4REyMo11Sim +Bn7cw4GNQBI9rg1RQloWkngucAu6f45Sty6o8XIyum8wkh5AD78JFFtjxh2zrOvn +afAbPLhK7KIi4lit7yJ3nOJR7Di/R9geQ3dhPWBUx7pqvofq955GdJBww9l0Ib6Q +eBIvMNJWO5okJxcb0IxJ52Wo0tkP+OleUYyXz5A35a3ciKzBVFd6mvRagCWFfNC3 +FwOMs0MgWcfzaHL1U3XfoAAS8CjV3HDsnsIzvXPpjGK4Lw1Voz3SIVlPOtdQqkNy +JQWgL+DxeVkqV+a5kSG5nwf5SfzXl/e+p4FprGyafCVea0g3kImsNwK1vkEBVpNx +9Ol1PKoKm9ajCWRRMNcsGt28gy5FtZClrRa6GFYciHO17ndtZT4R3DZFagiZXSSG +k9pFlSregJYu29eHs/FwPLVW68pi3DxJhDz4bdlE4IEzXvciJ4sJBRKmwXlWx3/i +gNarTeUa/66a/Tt7qhXKEMJqmMRwY259lI6HCiS9sVmFZ1voLv/XQ4xGBhqounLn +De9fbC1cFFatXValIQl7FkRKdJ0aA6oaQSnleOR8nlMYYdha0eioDvTTQNZrzcnk +oz1RVMPWCUxInjQqI62Dq5qZwr97hZjXtiH8xBdsVkaVmNrobPNnTjP8aLivhgeL +jvMWLOyC57hHZFz1vTd1tZTTCTw9am1HgeAb317XbJJ9I5E+KQYhW1JiR4fofiCr ++ss/nqt+VX7Sdn0+zkn1raH4E7qa1lS76fDgpncnlTOESP8ph/xllNRWRIj8QApk +MhUTNr/7EGU1lGat1+QWCMWLL8ehFJlgaWY5P43z00auya2FlJsGb375hLTn+3x5 +G3UA9xAZhldI6tUk6/XWQkNzNtuaFXMBddvlT9BoOjs1zhmrCOh1xH2w2Mlk+d7k +rt+lJBnduNGIQEgqE2ytciNGRSx4DNRoFRF/4kctztDOrkOLCK9CEoVvTYs54KHZ +ZQix3ADi6PDh9o8hjoHN3orQklgi0LAp+viYb8bgaDe0V5DCxHw4ZFHXYVo= +-----END CERTIFICATE----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-key.pem new file mode 100644 index 0000000..542cd3d --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-key.pem @@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIEaGZ7BvOYu4CAggA +MBQGCCqGSIb3DQMHBAhSIfRjeKrXNgSCBMh+g3dZyu/ZZ1DgB1U3qiUMIIA/hurX +2FjSuDIrn5+g7uPIxtBjQgz2+2f4kUsiqx/UBOodAwtSzjpP3HX91zyRoMke4jA1 +cx3PlsaSCwXXBmbLhI8+IAiQZ7zo4r5C91nNXVBUC+Z4bDydjXRnZHBAiGo674mB +ZbpixlAjDQWiJCZJvqDy7uqjIK9un12fU/hBWc6mLJZ8MSTWaJ9/ONGTImhbI7f7 +jtM04HihoDsh8ExeVSSWYt+vM3VIjXlbZqTi0d2ijgb4MnGsIuVVZtnvLbMSe7Ow +lGLNsbkUq3y8JsF2rkZWHE+7J33Ko9fgUr9kVaIVJpChWnOSsxVUuRydrCUS4g3L +1wmVPEW59t0jFwMt7qcQS7K1ivkjmNplyld5pBssLX4BuzKMxEsGG6c8MwSLGqcJ +g70xbraCWzn0ggKCROGvbFmIn9o7GXCnYLj3e4LfHbV0XgINiw7ufCUgRTTHEn+L +PAaGd13BxdYlquIzbSLhdijDzU+41tXI/g1bw4tAlxcKHPh9XmKRYf8DusVWRKB1 +uyouHQxEVYyJw5atQJZLlzTUWpZ0V4q2UVckN2LSFMtwTu8ZL9iNSL4l75iRaMdI ++V9a+QaAifd7qF8eujvfVgpzuiMuEonQ9iRJOErJ6/BaCO9WaZ+jE0ojZtllWjLQ +rXGRcxkROFcE36GC7YSWzKDq9WlgQKne9EDp0WevcSNTc698cz09D1/z8N1pkk1K +Ako3BKs9FUSmynSuTz52CEJ+XOd9FESsJkcu8FqUfmXM5Ubq9jhSU91skmuJHG8r +BlzkuO2va91T1Muu/RHaFhBYmaomkw2kvJ57oay7wZ/9Fm+j6PjdgAH81w3RfS+G +m+Vivp6wRmE438yy2QDgywjvk7anjZMX1R2PhXWgmKTSL1EosAFx6AZytd+xTDFa +tEIkfwVkr6fKLI1FFq2artDZAYqSpkFCmRFOMNoqc6UAzuET88y5oPDjY9RS3Ikd +Ru9VvuT2LcaWjCj3ofqV0ATYgkbGSsj6n66kZFoPBEv7dpD33mN9A0R7U8nzeXUT +0ImG4xsXv4vfumrfgG6sr17Ylsm/ntmUtcFy+ZbJCLypL2UnZya1+EC6a20kVt7X +DDpFH/qct3iBeRJnTdoTxWGbQKHRQ5Ro/GnZ02fCN0DBEyb4WHbP6T+Gy3DHF6TA +rBlC5nVNQD49d5brbPyBnBG4585mzPZI57npo3MpgEHv9+LC48LfJZaX5w7uevg+ +RnkjjIwrEIUZMrUvFxeNYKtdp9IggRGjDCPz8Y8TNBnvWuet0xRODhZTVs6zFeQw +s+NZirzyN6XSu9Wpc+CGbFx55eMOGog8t2e2HjBbeNCvri9wKP1t1CdCD+CTqJ6E +BaoP0Wippj8VGOB87djnT+7X2bJLjnYkmspk/Mhlz1EKh+j6SXh5VFCSoO3o1JbW +iyAI2vpT3+Bt4RXrUDTYV9OHpWSQXM/TYhHnVBdeq53h5UkBYsK+vSjHyjF9Jspt +ORWsCUBiaVBy3X9AMEubsITKCVAjlCacFDOraO6h7Y6LkOyuNvJ2aDo02L3sfDPY +sa43P1ERP5C4OOUzhLmavkwhJnzAHVAVCfNMCDzYe7UsSrweQ+OVfcp70uAdKfK5 +jzQ= +-----END ENCRYPTED PRIVATE KEY----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-openssl.cnf b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-openssl.cnf new file mode 100644 index 0000000..8bb8714 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-openssl.cnf @@ -0,0 +1,242 @@ +# +# Based on the OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl] +CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl + +# Extra OBJECT IDENTIFIER info: +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] +# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential +scardLogin=1.3.6.1.4.1.311.20.2.2 +# Used in a smart card login certificate's subject alternative name +msUPN=1.3.6.1.4.1.311.20.2.3 +# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller +msKDC=1.3.6.1.5.2.3.5 +# Identifies the AD GUID +msADGUID=1.3.6.1.4.1.311.25.1 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = CA-samba.example.com # Where everything is kept +certs = $dir/_none_certs # Where the issued certs are kept +crl_dir = $dir/_none_crl # Where the issued crl are kept +database = $dir/Private/CA-samba.example.com-index.txt # database index file. +unique_subject = yes # Set to 'no' to allow creation of + # several certificates with same subject. +new_certs_dir = $dir/NewCerts # default place for new certs. + +certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate +serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number +crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number + # must be commented out to leave a V1 CRL + +#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL +crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL +private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key +RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file + +#x509_extensions = # The extensions to add to the cert +x509_extensions = template_x509_extensions + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +crl_extensions = crl_ext + +default_days = 7300 # how long to certify for +default_crl_days= 7300 # how long before next CRL +default_md = sha256 # use public key default MD +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = match +stateOrProvinceName = match +localityName = match +organizationName = match +organizationalUnitName = match +commonName = supplied +emailAddress = supplied + +#################################################################### +[ req ] +default_bits = 2048 +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString (PKIX recommendation before 2004) +# utf8only: only UTF8Strings (PKIX recommendation after 2004). +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. +string_mask = utf8only + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = US +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = SambaState + +localityName = Locality Name (eg, city) +localityName_default = SambaCity + +organizationName = Organization Name (eg, company) +organizationName_default = SambaSelfTesting + +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = Users + +commonName = Common Name (eg, YOUR name) +commonName_default = pkinit@addom.samba.example.com +commonName_max = 64 + +emailAddress = Email Address +emailAddress_default = pkinit@addom.samba.example.com +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +#challengePassword = A challenge password +#challengePassword_min = 4 +#challengePassword_max = 20 +# +#unstructuredName = An optional company name + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] +# Extensions for a typical CA +# PKIX recommendation. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. +keyUsage = cRLSign, keyCertSign + +crlDistributionPoints=URI:$CRLDISTPT + +# Some might want this also +nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +subjectAltName=email:copy +# Copy issuer details +issuerAltName=issuer:copy + +[ crl_ext ] +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always + +#[ usr_cert_scarduser ] +[ template_x509_extensions ] + +# These extensions are added when 'ca' signs a request for a certificate that will be used to login from a smart card + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE +crlDistributionPoints=URI:$CRLDISTPT + +# For normal client use this is typical +nsCertType = client, email + +# This is typical in keyUsage for a client certificate. +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "Smart Card Login Certificate for pkinit@addom.samba.example.com" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. + +subjectAltName=email:copy,otherName:msUPN;UTF8:pkinit@addom.samba.example.com + +# Copy subject details +issuerAltName=issuer:copy + +nsCaRevocationUrl = $CRLDISTPT +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +#Extended Key requirements for client certs +extendedKeyUsage = clientAuth,scardLogin + diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private-key.pem new file mode 100644 index 0000000..8ab8683 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private-key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAs6TovchPanHGFajdANZhdADkj7XEDpjZUaqqT8eM+Ww3XGBV +2nxVnNPN4vHtUTkl1fppfqdnnKlhG1xzUNBvus463/6ulZWOl6vGu2rDYAvKwpwx +/8YvUrvLL/YsTb4g4RZJ0yI2Zk9cxDASBzSLAE5bUX1ANYHcXA6vvnhjgGlnh1OX +0D/XZo0migoklfnb3ZMOSFTIMOR3DWXvpGreKZF3l0BcLu01XrkPN63ZcHaZd0WM +SmVjE3LVxFM3V4UKbXQwjGl/g/B/9WcFeYAn1DhtSS+NKpcuMx/Q4MF2G7+/sXWK +ybE/P/JOxbBoXnaKfpxXsuw9GIPiZdUwXrX0xwIDAQABAoIBAB3OjPeAVvz4Z7+M +Ry8uYvkWdNYLeL5bSiOsx5l5KMDx3bWsHlKkMqhU1GKFdbT2YHrCk+J58E0kJYKe +sluEWiWKtmYYIeub5w7vZ4gNTOGQ01G7DOi9f3igxDPvCqbTly0Bv7oSgSg0ntXG +jBc59p5UYf6BY7f9Fg0IOszFuOzDSSHoX8Ld/8rO+2d7k0cvS2xG3FViqMifqAN+ +b1GVm9MtPB5B4iM9dAsgy7NK8kKoY3xUFeYwC8yzBCeG35F+Bq6x+vTUoNfESwwg +/qvJwRNgChlJgLVbrcR/F0wDuvINwELUeDipP1Ca8dmaQgYLlYqrbYJlJEfsHX9w +IkuW1CECgYEA5Sn1mTKK4RnHGWE84kqAayiCEifap/FcPpA5M5AZ8t0HxDUGZ/aO +glhFOsA0bKpmK+U7Hv+uZtD7YDI2syzwk3RnLn3sHaNSMKYkogGOds4U8wYalLYe +AhTGPhukip+6SAZEJicRZDYxy4xczOLmwmGeTMFPQ7mWljbYTVvo7dkCgYEAyK5p +ZZu8Jor0VKuUjQwtzsr0P7AP8h84uf38+Llfn51/sDGihR7oHA7ER0HgaOwL238f +a990+QpShlH1LLik8LeWXNEl6A9MvWJH1OCahGh48ui8T1ptI6OgcNfIDOt0ZE2e +RoV90FpzABR057SvSog6iuCZqYl7ddEoEd3oM58CgYBqrJSJ4rApRqGam9wGjp2m +xC2AHBM5uC2zZdlqujqKBf+2guRfgrMl08cuKQh+SPfUmRljPavGaqOJTPaPg2zd +hwL87lr6FOuOf9hvnX/ep+GymvXGodvoJhl+EcoPSXkiS+BvTiJXXq7hTI5qRXkb +pOtWWWn3Ya3KcO9RW2ZbSQKBgFnRVfLYJPnLL1fGA5KtZMMtKuxmTHy9ZJI6D0Lz +FM1HnKKrVGXoU1JbeZW68kmDfDsdRl7tgFkGObFMdUMy0P+761xXb3PRhTMuDaBF +dmLUr21opP+PJVHSJjjbGvpNV6ac5r4BeTILiXT7sucRg3METc9ifuPWWJ9+oUR9 +4TNZAoGBAMH9sFqsXKXgLjnPEtdy2GJV51oytQRBxWtB/E2minj+U1b8F336vnUp +JEmY08KXj8weSSs+BUXKqxRWxLo2aWKXcvtpyHttdvJvHroG4Rb5xuvZWNtOFyhV +IHA/pdwvhgvUWoM12U2DZfznKHTDrUNpo6bs7lkPqVOSemlDucpU +-----END RSA PRIVATE KEY----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private.p12 b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private.p12 new file mode 100644 index 0000000..4b77b58 Binary files /dev/null and b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private.p12 differ diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-req.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-req.pem new file mode 100644 index 0000000..dc60d63 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-req.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIC/zCCAecCAQAwgbkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTYW1iYVN0YXRl +MRIwEAYDVQQHDAlTYW1iYUNpdHkxGTAXBgNVBAoMEFNhbWJhU2VsZlRlc3Rpbmcx +DjAMBgNVBAsMBVVzZXJzMScwJQYDVQQDDB5wa2luaXRAYWRkb20uc2FtYmEuZXhh +bXBsZS5jb20xLTArBgkqhkiG9w0BCQEWHnBraW5pdEBhZGRvbS5zYW1iYS5leGFt +cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALOk6L3IT2px +xhWo3QDWYXQA5I+1xA6Y2VGqqk/HjPlsN1xgVdp8VZzTzeLx7VE5JdX6aX6nZ5yp +YRtcc1DQb7rOOt/+rpWVjperxrtqw2ALysKcMf/GL1K7yy/2LE2+IOEWSdMiNmZP +XMQwEgc0iwBOW1F9QDWB3FwOr754Y4BpZ4dTl9A/12aNJooKJJX5292TDkhUyDDk +dw1l76Rq3imRd5dAXC7tNV65Dzet2XB2mXdFjEplYxNy1cRTN1eFCm10MIxpf4Pw +f/VnBXmAJ9Q4bUkvjSqXLjMf0ODBdhu/v7F1ismxPz/yTsWwaF52in6cV7LsPRiD +4mXVMF619McCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBQjwN3+bsWLHsr7k9K +bfranU8U1dKD05siA3w+Dop43G1eLzBjBrQvSUB4AMzd8a0KKD8dt0xm2s504wxU +SAyGgUcE+a1nPazZUPw5tJVRt41S808Gzd7zU+12UZiUjpE0Y8NayAyn+n/IhNPN +UHOFnZfgBJqWUOEO6+JyJXxYuqaXzmrYg5Kr4vr2tr9d6+hLsp3g3nJKoefPR1RS +2PMk1zubbbjsi9VF/yK6W4QNkfcZN74tMm+kNPAhid422L4FdZSupmfGts45uFWw +zHOOyKOGLkZ4pxNlMRKIL1aYtoyR4UetudX2CUkQsBs/w04DLehk6rjbtQPO4nTI +QYxm +-----END CERTIFICATE REQUEST----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-cert.pem new file mode 120000 index 0000000..e8d6f50 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-cert.pem @@ -0,0 +1 @@ +USER-pkinit@addom.samba.example.com-S05-cert.pem \ No newline at end of file diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-private-key.pem new file mode 120000 index 0000000..aac9cfc --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-private-key.pem @@ -0,0 +1 @@ +USER-pkinit@addom.samba.example.com-S05-private-key.pem \ No newline at end of file diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-cert.cer b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-cert.cer new file mode 100644 index 0000000..857f73d Binary files /dev/null and b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-cert.cer differ diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-cert.pem new file mode 100644 index 0000000..794f9c2 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-cert.pem @@ -0,0 +1,169 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8 (0x8) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com + Validity + Not Before: Feb 28 13:31:30 2020 GMT + Not After : Feb 23 13:31:30 2040 GMT + Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=pkinit@addom2.samba.example.com/emailAddress=pkinit@addom2.samba.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:dc:33:db:43:5e:d5:91:27:95:35:d2:86:b2:e5: + 70:ac:b8:cf:74:01:2c:60:4d:67:b2:2c:2d:ef:c4: + 04:53:4d:08:9b:ce:55:ca:7a:ab:02:29:5d:3d:27: + ee:3e:a3:23:2e:3e:36:8d:f1:ca:8f:a7:4b:8b:a9: + 39:d3:33:39:d0:b9:f4:9b:c4:14:2c:41:67:be:6a: + 32:b6:86:0d:70:0e:eb:6c:b1:d1:ef:92:70:ec:70: + 70:2d:5f:4f:ea:6c:3e:9f:ee:9a:11:32:93:5f:b0: + e3:51:24:e2:33:08:22:ee:69:07:c6:10:a2:3f:43: + 67:3c:0b:48:b6:d1:92:99:22:de:fe:da:28:e9:12: + ba:a7:d6:54:76:c4:3c:56:a7:c9:e4:28:18:fd:89: + 8a:eb:02:42:88:27:59:61:f5:bd:5f:0d:eb:ce:80: + 4a:84:29:e5:38:93:1d:d9:0a:50:e3:eb:72:ec:b2: + 73:16:ab:75:33:3a:74:fd:6c:b8:a9:b9:09:c0:30: + 0a:74:d4:01:3e:00:0e:89:cf:87:aa:19:f5:7b:c4: + 0d:4f:b1:f1:40:59:54:67:28:aa:ca:18:75:7d:96: + d4:4d:99:e3:b1:84:bc:e7:65:80:ea:f6:dd:30:ce: + cf:14:67:b5:27:09:5f:83:a5:8c:87:62:8f:5a:22: + d5:75 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 CRL Distribution Points: + + Full Name: + URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl + + Netscape Cert Type: + SSL Client, S/MIME + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Netscape Comment: + Smart Card Login Certificate for pkinit@addom2.samba.example.com + X509v3 Subject Key Identifier: + 6A:36:04:8E:C5:C3:2C:C9:17:BA:52:66:D3:AB:0D:C3:F2:25:1A:CD + X509v3 Authority Key Identifier: + keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E + + X509v3 Subject Alternative Name: + email:pkinit@addom2.samba.example.com, othername: + X509v3 Issuer Alternative Name: + email:ca-samba.example.com@samba.example.com + Netscape CA Revocation Url: + http://www.samba.example.com/crls/CA-samba.example.com-crl.crl + X509v3 Extended Key Usage: + TLS Web Client Authentication, scardLogin + Signature Algorithm: sha256WithRSAEncryption + 4d:5b:aa:28:b6:e0:a4:61:63:ed:09:7a:0e:2b:b2:c9:83:73: + f5:28:17:2b:d5:4e:c7:7b:01:99:5d:b9:c5:93:b3:a5:e2:64: + 33:96:38:55:c4:a4:84:9a:d1:dc:40:56:ec:da:a7:a5:3b:7c: + 91:c7:8d:03:44:44:9d:a5:0a:9e:de:6a:9d:c2:80:49:93:db: + 4d:74:fa:3c:fd:54:de:99:9c:f8:82:63:ba:5e:81:9e:4d:ae: + a2:a1:09:dd:81:5a:3e:81:31:8b:ff:85:32:ae:30:9e:1a:d6: + 04:d9:1c:bd:a5:0e:83:29:86:f4:be:0f:81:9a:84:f4:42:42: + 6d:20:18:16:ef:21:ac:51:b3:34:bd:0f:b5:2c:7e:c5:21:3d: + f7:77:95:1e:8f:45:3e:f8:79:93:ad:35:dd:cd:97:95:fe:b6: + 5f:88:e7:b8:38:54:15:29:61:2f:17:91:99:74:0c:66:9a:55: + 5c:dd:22:19:a1:8e:c1:a5:23:45:a4:85:f2:b2:98:3b:2c:85: + d8:2a:8e:9c:4d:6c:9e:9e:ef:80:24:2f:57:f3:a1:1f:09:c4: + 44:4d:11:d2:84:87:2a:57:f0:cc:9e:38:2c:3a:68:ee:0b:be: + e9:48:67:ff:87:2b:29:03:25:22:8e:00:33:f8:2a:7c:11:91: + 17:42:fc:6c:d1:94:c6:f0:7f:ad:c3:97:cf:9f:cc:a5:be:25: + 33:af:d4:c4:06:17:a7:be:11:bf:51:5e:6e:b8:26:56:1e:d5: + d6:ce:85:05:62:02:62:92:63:48:d9:d2:0b:e4:f9:2c:a2:53: + 4f:5e:3d:31:07:4d:5b:c4:48:bc:d5:f0:66:98:fd:85:45:26: + 4b:98:4f:a2:ac:05:a0:df:ee:4e:c9:9c:2f:3c:ee:74:9d:54: + 83:03:d8:42:a1:ba:57:a1:d4:43:93:a0:94:e3:0c:3b:cb:eb: + e6:05:73:60:18:32:81:25:21:55:14:99:2b:9d:0e:b2:72:31: + 63:73:5a:94:b2:30:e7:16:16:4c:33:68:cb:e6:87:aa:20:c6: + 9c:f1:26:3b:f5:76:7a:9b:07:f7:d9:c0:6c:50:04:d6:14:06: + 37:e5:fc:58:18:d5:a7:c8:29:56:9e:3c:fd:03:96:e8:4e:1a: + 7e:6e:e3:c9:aa:e6:3f:5d:1a:cd:86:f3:17:82:3b:ff:4c:8e: + 6b:d2:11:84:ce:36:cc:c8:fe:31:80:43:23:fa:fe:3c:8c:57: + a0:a1:1e:b9:08:c1:03:af:8f:3b:6b:cb:12:e4:6a:31:94:86: + 7a:17:c5:9f:80:bc:bc:e0:42:7b:5a:57:ef:b7:d3:0c:5f:98: + 71:aa:4e:cf:b4:c7:25:33:96:54:7b:ca:90:79:6f:f8:f0:c3: + e7:9d:e7:d0:67:4d:7b:20:7b:9d:d0:91:4f:ab:a3:a2:99:fa: + 9a:74:37:33:64:0c:bf:b6:94:3f:62:5f:a5:76:1e:60:54:e6: + bf:3a:11:5b:f0:ba:62:12:2e:9b:99:a2:37:9f:4c:b9:e8:8e: + d2:81:1f:0f:26:23:3b:9a:3b:69:70:09:e4:ae:05:65:04:3e: + 55:06:43:1f:5e:fb:2d:e6:03:b6:c4:ca:47:66:f0:d3:2b:a0: + 79:e8:45:a4:df:8f:31:fd:7e:67:ca:50:e0:b0:99:9d:2c:6a: + 16:f0:39:01:da:7f:d7:66:15:d1:99:3b:d7:7c:8a:bf:b7:d4: + b1:d3:fb:e2:fc:75:82:47:fc:96:42:57:ce:4a:d5:12:07:99: + 5b:ae:1a:c2:98:f1:fa:3d:a7:19:88:75:c8:fa:81:60:1f:19: + 21:0c:25:84:a1:c3:88:30:a7:80:da:85:85:e1:42:98:76:37: + ab:48:75:60:2d:1d:f9:05:6e:04:e2:2b:ce:37:75:17:27:0d: + 87:11:d6:2b:fa:37:bf:b7:e3:d2:96:b9:d8:92:18:4a:00:45: + 6d:9d:c6:20:d0:6b:2c:ed:33:06:08:d7:0f:56:44:5e:68:9f: + 9f:20:fc:57:a8:27:68:c9:f5:f5:2e:4d:0b:3c:a9:2e:92:2b: + d3:88:a9:18:27:24:0f:33:90:23:b3:41:99:5b:ec:bd:ef:ba: + 5b:4a:b6:a9:6c:b5:a5:d4:47:1e:9c:e7:32:0c:72:98:e7:8c: + a4:aa:72:8f:2b:90:5f:2d:23:bf:99:62:75:47:2f:9a:79:5e: + 4b:8a:8c:f2:28:df:30:59:6b:62:45:4b:b6:e5:39:ab:77:f0: + 51:4b:b7:6f:42:0a:81:a7:c0:c9:8a:c6:09:2a:e8:35:36:53: + c9:5b:93:dc:a5:1e:17:b1:cc:b4:13:b5:bb:b0:df:b8:cd:68: + 8a:10:18:8c:de:07:33:31:68:6b:f4:6a:dc:d0:17:10:c4:2d: + ec:66:51:c3:01:b3:2a:f0:0e:b9:c2:4d:7c:8d:d8:ab:c0:76: + 79:ca:e6:ff:a4:36:da:c1:8d:2e:13:7d:15:21:72:86:ad:4b: + 1b:73:4f:46:2f:fa:1e:ae:e8:8f:dd:79:6c:46:57:0a:05:ef: + 11:04:ae:a0:c5:13:86:6a:a3:cc:9c:b7:80:ef:18:5f:67:f7: + 43:ef:e2:94:4f:85:06:2f:d1:7a:97:07:ed:89:7d:aa:1e:e0: + cf:52:63:b9:28:95:aa:6d:ca:f2:20:c2:f3:07:83:c5:f4:a2: + ee:20:61:88:34:12:62:05:67:8d:f2:83:25:0b:9a:89 +-----BEGIN CERTIFICATE----- +MIII/TCCBOWgAwIBAgIBCDANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx +EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE +CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x +IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB +FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0yMDAy +MjgxMzMxMzBaFw00MDAyMjMxMzMxMzBaMIGnMQswCQYDVQQGEwJVUzETMBEGA1UE +CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE +CwwFVXNlcnMxKDAmBgNVBAMMH3BraW5pdEBhZGRvbTIuc2FtYmEuZXhhbXBsZS5j +b20xLjAsBgkqhkiG9w0BCQEWH3BraW5pdEBhZGRvbTIuc2FtYmEuZXhhbXBsZS5j +b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcM9tDXtWRJ5U10oay +5XCsuM90ASxgTWeyLC3vxARTTQibzlXKeqsCKV09J+4+oyMuPjaN8cqPp0uLqTnT +MznQufSbxBQsQWe+ajK2hg1wDutssdHvknDscHAtX0/qbD6f7poRMpNfsONRJOIz +CCLuaQfGEKI/Q2c8C0i20ZKZIt7+2ijpErqn1lR2xDxWp8nkKBj9iYrrAkKIJ1lh +9b1fDevOgEqEKeU4kx3ZClDj63LssnMWq3UzOnT9bLipuQnAMAp01AE+AA6Jz4eq +GfV7xA1PsfFAWVRnKKrKGHV9ltRNmeOxhLznZYDq9t0wzs8UZ7UnCV+DpYyHYo9a +ItV1AgMBAAGjggIRMIICDTAJBgNVHRMEAjAAME8GA1UdHwRIMEYwRKBCoECGPmh0 +dHA6Ly93d3cuc2FtYmEuZXhhbXBsZS5jb20vY3Jscy9DQS1zYW1iYS5leGFtcGxl +LmNvbS1jcmwuY3JsMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMCBeAwTwYJ +YIZIAYb4QgENBEIWQFNtYXJ0IENhcmQgTG9naW4gQ2VydGlmaWNhdGUgZm9yIHBr +aW5pdEBhZGRvbTIuc2FtYmEuZXhhbXBsZS5jb20wHQYDVR0OBBYEFGo2BI7FwyzJ +F7pSZtOrDcPyJRrNMB8GA1UdIwQYMBaAFKI+Aiqjp005tAhNmcwMdTbqJ8M+MFsG +A1UdEQRUMFKBH3BraW5pdEBhZGRvbTIuc2FtYmEuZXhhbXBsZS5jb22gLwYKKwYB +BAGCNxQCA6AhDB9wa2luaXRAYWRkb20yLnNhbWJhLmV4YW1wbGUuY29tMDEGA1Ud +EgQqMCiBJmNhLXNhbWJhLmV4YW1wbGUuY29tQHNhbWJhLmV4YW1wbGUuY29tME0G +CWCGSAGG+EIBBARAFj5odHRwOi8vd3d3LnNhbWJhLmV4YW1wbGUuY29tL2NybHMv +Q0Etc2FtYmEuZXhhbXBsZS5jb20tY3JsLmNybDAfBgNVHSUEGDAWBggrBgEFBQcD +AgYKKwYBBAGCNxQCAjANBgkqhkiG9w0BAQsFAAOCBAEATVuqKLbgpGFj7Ql6Diuy +yYNz9SgXK9VOx3sBmV25xZOzpeJkM5Y4VcSkhJrR3EBW7NqnpTt8kceNA0REnaUK +nt5qncKASZPbTXT6PP1U3pmc+IJjul6Bnk2uoqEJ3YFaPoExi/+FMq4wnhrWBNkc +vaUOgymG9L4PgZqE9EJCbSAYFu8hrFGzNL0PtSx+xSE993eVHo9FPvh5k6013c2X +lf62X4jnuDhUFSlhLxeRmXQMZppVXN0iGaGOwaUjRaSF8rKYOyyF2CqOnE1snp7v +gCQvV/OhHwnERE0R0oSHKlfwzJ44LDpo7gu+6Uhn/4crKQMlIo4AM/gqfBGRF0L8 +bNGUxvB/rcOXz5/Mpb4lM6/UxAYXp74Rv1FebrgmVh7V1s6FBWICYpJjSNnSC+T5 +LKJTT149MQdNW8RIvNXwZpj9hUUmS5hPoqwFoN/uTsmcLzzudJ1UgwPYQqG6V6HU +Q5OglOMMO8vr5gVzYBgygSUhVRSZK50OsnIxY3NalLIw5xYWTDNoy+aHqiDGnPEm +O/V2epsH99nAbFAE1hQGN+X8WBjVp8gpVp48/QOW6E4afm7jyarmP10azYbzF4I7 +/0yOa9IRhM42zMj+MYBDI/r+PIxXoKEeuQjBA6+PO2vLEuRqMZSGehfFn4C8vOBC +e1pX77fTDF+YcapOz7THJTOWVHvKkHlv+PDD553n0GdNeyB7ndCRT6ujopn6mnQ3 +M2QMv7aUP2JfpXYeYFTmvzoRW/C6YhIum5miN59MueiO0oEfDyYjO5o7aXAJ5K4F +ZQQ+VQZDH177LeYDtsTKR2bw0yugeehFpN+PMf1+Z8pQ4LCZnSxqFvA5Adp/12YV +0Zk713yKv7fUsdP74vx1gkf8lkJXzkrVEgeZW64awpjx+j2nGYh1yPqBYB8ZIQwl +hKHDiDCngNqFheFCmHY3q0h1YC0d+QVuBOIrzjd1FycNhxHWK/o3v7fj0pa52JIY +SgBFbZ3GINBrLO0zBgjXD1ZEXmifnyD8V6gnaMn19S5NCzypLpIr04ipGCckDzOQ +I7NBmVvsve+6W0q2qWy1pdRHHpznMgxymOeMpKpyjyuQXy0jv5lidUcvmnleS4qM +8ijfMFlrYkVLtuU5q3fwUUu3b0IKgafAyYrGCSroNTZTyVuT3KUeF7HMtBO1u7Df +uM1oihAYjN4HMzFoa/Rq3NAXEMQt7GZRwwGzKvAOucJNfI3Yq8B2ecrm/6Q22sGN +LhN9FSFyhq1LG3NPRi/6Hq7oj915bEZXCgXvEQSuoMUThmqjzJy3gO8YX2f3Q+/i +lE+FBi/RepcH7Yl9qh7gz1JjuSiVqm3K8iDC8weDxfSi7iBhiDQSYgVnjfKDJQua +iQ== +-----END CERTIFICATE----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-key.pem new file mode 100644 index 0000000..1e61500 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-key.pem @@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIV6+MM3EXFiACAggA +MBQGCCqGSIb3DQMHBAjsohDWEPj6zgSCBMgedcAX42Jx6DI9zhBX9GTM5t734KMA +5QsAoALazfaMdUZ2oULJJeFon4s497Wc8amj661+TkvhIJNi1zRZA1ZC1xphQDsr +yjJx8elNBHUvaJDKEE9aN+EEJ2+TkExTX6BAYeewNN0VgjV9Kpwy0ejD8gZZKBa0 +oGtmqCQTMrGdmKTuPa2H463oexgr+6futCbR/qxp9k/lRBGy6z7+sM7FvS9NVLN5 +gRrXjwFGA01Rb4Ch4ZmbU04EyJh+0EvjXC5e2t76GLp3EtjVpOuNuaZOiHQ7t/ah +xaU5fHwoBWwuXjZc2diFvcuNNnJ0e7K9AMkfIuk/Bn4wEyo8jSAZPzEzatZf6gxg +DoGkXaoB7Yf2+Mb0qg8IiMf/1IICHF046liDxNmnbAHOsREXJtwtV2H6gUuh+zX1 ++B/jwhAXt62FUwnd4WdCHyo4NjOBwQADibiTTcgvdnkn+XKYzyNii6RGjA95mpbp +loA71aV2QoBZH4bQ18YrCNshAf1tanZvxByjB/61IeMxz4m0BlwZbIT06rrpNLqh +k6w7wmW2sdgN9kWb772+zUJFahNmJU4qfr8Kg/NIvqj63HMXwgCfuGLI7vUFmmhp +dkqfadcu32XxitWYHZkvJPtCFb3AKcIR7OzWc117VuHu+kWSVhfst70LROSOXiwa +TajBA0P83LccmR6z67/JWRvQwDc9uF+6xVM3tZga+odi/Fee/N0c2yYqxlrebmqU +Qlp6xzjIrpTpwCBEBXgJQsv+kcIQIpDPhG8+y44OHBcHoGaDFVYX8KNcO98b1EYC +EW6cy6PrmaE5AkC+jlPPQqcTRJvCVeq3MIUmJg2M3ivsTdlSqbCVfnJgYTnGD9sS +pAtc1I+7OqOfp5jqHgCmnK0pdbmFLDuKJNuzNb356nNFA+CUejWzZGPth6pVFGyq +9234oSwUCjP3kKG89JVSEflvTAEsySWHO3Vs4lyu0/1Dd1k1Bfc6YYgGH0JiXvtf +y2Ys7u51m9NL4BgpbMvLpNmKvZlztJhGqw9Og1g/GdcURhqgajK8HGNJz1hpgzq5 +frlMKP8NnCwhID7IZzaQbcBMA9OUQds6XrB6Fd60vmTx4UMg6fIBCzLOR1lSmxcn +64QUkepM9+jBKlWla9MlMECB2csxdlRCpSYIdguyd+i0ftEmq1ZG77+c5/9LNFSh +SMDUJ5qg6UsFBVCmJezG0yrkPcTEmTQxAAcWN+C37cMq/3htAw3njfOGaiJliYUn +vKc4+yZH9PQxaZB+l2pVOjJYmetcmEDnfrrUVst+xzusVzT/IyYEyC+DTi3U2Suh +AOUoAZP2QnAEYRWsN4dcClKJt/fSBcQIIqYeljAxzi+DmxOBALHkuUd7AhozpV7P +3F0hHD2lD3/9ncIHjHZ+DshiWVmxgvPcKFi2spbeb/CBpJ7YmkFww7C9YOctP5eq +vIsesf2ZsGaKNbogfBRKuQP1o0FkWGqUnzVe0Ww56uGerz5EU+I/LecLAmS0e5jt +FtAlVXcRKo7UtXMJHekQRnF70xk9gYV3qZIP7bXDh01gX/TVEL7PHeBZBkej5Mrk +debSOuvlVxnnAYyreZl1MtnneT8L7nwi+lKRkq5aps82iUa2sKPgoFQODZrLBAyM +HOE= +-----END ENCRYPTED PRIVATE KEY----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-openssl.cnf b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-openssl.cnf new file mode 100644 index 0000000..effde23 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-openssl.cnf @@ -0,0 +1,242 @@ +# +# Based on the OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl] +CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl + +# Extra OBJECT IDENTIFIER info: +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] +# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential +scardLogin=1.3.6.1.4.1.311.20.2.2 +# Used in a smart card login certificate's subject alternative name +msUPN=1.3.6.1.4.1.311.20.2.3 +# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller +msKDC=1.3.6.1.5.2.3.5 +# Identifies the AD GUID +msADGUID=1.3.6.1.4.1.311.25.1 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = CA-samba.example.com # Where everything is kept +certs = $dir/_none_certs # Where the issued certs are kept +crl_dir = $dir/_none_crl # Where the issued crl are kept +database = $dir/Private/CA-samba.example.com-index.txt # database index file. +unique_subject = yes # Set to 'no' to allow creation of + # several certificates with same subject. +new_certs_dir = $dir/NewCerts # default place for new certs. + +certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate +serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number +crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number + # must be commented out to leave a V1 CRL + +#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL +crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL +private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key +RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file + +#x509_extensions = # The extensions to add to the cert +x509_extensions = template_x509_extensions + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +crl_extensions = crl_ext + +default_days = 7300 # how long to certify for +default_crl_days= 7300 # how long before next CRL +default_md = sha256 # use public key default MD +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = match +stateOrProvinceName = match +localityName = match +organizationName = match +organizationalUnitName = match +commonName = supplied +emailAddress = supplied + +#################################################################### +[ req ] +default_bits = 2048 +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString (PKIX recommendation before 2004) +# utf8only: only UTF8Strings (PKIX recommendation after 2004). +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. +string_mask = utf8only + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = US +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = SambaState + +localityName = Locality Name (eg, city) +localityName_default = SambaCity + +organizationName = Organization Name (eg, company) +organizationName_default = SambaSelfTesting + +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = Users + +commonName = Common Name (eg, YOUR name) +commonName_default = pkinit@addom2.samba.example.com +commonName_max = 64 + +emailAddress = Email Address +emailAddress_default = pkinit@addom2.samba.example.com +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +#challengePassword = A challenge password +#challengePassword_min = 4 +#challengePassword_max = 20 +# +#unstructuredName = An optional company name + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] +# Extensions for a typical CA +# PKIX recommendation. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. +keyUsage = cRLSign, keyCertSign + +crlDistributionPoints=URI:$CRLDISTPT + +# Some might want this also +nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +subjectAltName=email:copy +# Copy issuer details +issuerAltName=issuer:copy + +[ crl_ext ] +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always + +#[ usr_cert_scarduser ] +[ template_x509_extensions ] + +# These extensions are added when 'ca' signs a request for a certificate that will be used to login from a smart card + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE +crlDistributionPoints=URI:$CRLDISTPT + +# For normal client use this is typical +nsCertType = client, email + +# This is typical in keyUsage for a client certificate. +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "Smart Card Login Certificate for pkinit@addom2.samba.example.com" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. + +subjectAltName=email:copy,otherName:msUPN;UTF8:pkinit@addom2.samba.example.com + +# Copy subject details +issuerAltName=issuer:copy + +nsCaRevocationUrl = $CRLDISTPT +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +#Extended Key requirements for client certs +extendedKeyUsage = clientAuth,scardLogin + diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-private-key.pem new file mode 100644 index 0000000..a0b894c --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-private-key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA3DPbQ17VkSeVNdKGsuVwrLjPdAEsYE1nsiwt78QEU00Im85V +ynqrAildPSfuPqMjLj42jfHKj6dLi6k50zM50Ln0m8QULEFnvmoytoYNcA7rbLHR +75Jw7HBwLV9P6mw+n+6aETKTX7DjUSTiMwgi7mkHxhCiP0NnPAtIttGSmSLe/too +6RK6p9ZUdsQ8VqfJ5CgY/YmK6wJCiCdZYfW9Xw3rzoBKhCnlOJMd2QpQ4+ty7LJz +Fqt1Mzp0/Wy4qbkJwDAKdNQBPgAOic+Hqhn1e8QNT7HxQFlUZyiqyhh1fZbUTZnj +sYS852WA6vbdMM7PFGe1Jwlfg6WMh2KPWiLVdQIDAQABAoIBAHKz6HEtgx37enPw +2A10Cr9N/XI18kGv0GY1MTCF8KLbq7JNRs8UGuQjW9gxZp7mJ7s82PoTiypNQMLd +QavMMT+SveItvzxWTY4Yj5YYOgO3IdcawXqD06K15xkbXuuDuxNgHIz8xVvBLofk +KJfgkyGRQGVh4MIHgEz8q8HfZPezBGIxxfjXPkZ7NEJGcVUKyhSaEn0uJ2wcWkzf +eCx4ZNNp82MHR9OO7sMc87oJDKm38JbZPKnONU75L8Kjk+qBljCLNT71pqIFQfVD +QFUsGDLs2aBqsP/AZjeUX6+AinBV7CQ43EB4Y8t1U62k+AaNqocg+QjdspUGsTVd +V3XRxoECgYEA/6JFdxUnOtV0DRi/TGCN27nfASsa7JkVZLY+mJMBrPOKqK1IfXmC +isqykMY0NLKK5pgjQqWuoiri9uuzPNwK8OfNOvJUZAsElr4OlH15yz3vjG4Jr9Hx +EPIL1J95Nuo4mCtNx/DUHiDCWR5qvTXteKRa5Zb0FpT7BwSnzhC9KaUCgYEA3ISY +HOiXzWiEbG5cnklPGsnkfl5br77jFbFwu1HSO+pcDTRs4yRt9CSRvtv/f82yPVw1 +p7ZU4kqos2sSgdyqr/LYzRBXpcfK8yKZB0S1irNgS5G7FRgRj4MhnIfB8zwAmWAJ +TdIkiZHpP1LRs/A4EAveE3HbVkKR8CkgrMabE5ECgYEA9ONA5IkxIZ1mJT211LcS +bpGq3nWqv0kPQ4GKiaMakdJk3J3Tuc/zjH4Nfb9CN9FqWukXrjsGBnhLIPw+omix +WoLVCkknKwebB8VeNkXVrSvSFZc8VGAsLW2Sg8eZ2U+bk7q4Mne03H/JbpJC8qt8 +qHvaT+LCRffGWrzM/AzxCbkCgYEAu2wCsQdLBi0f59zA4VNjZVxU1Maz3KI79VMT +glHfgkcFJ7/4D/IFdeyi5vmqpWAZbqdxfvKsIIzd52hImZEIjXS0qU2LgP5XUuCD ++bZ/KbydSn046YvEWRpVtel4gZfs1m7WWYsSvM4D1Ws5ilrP+2tqu1IY3q7DxL/f +4pkGctECgYBa4TCPS3pxG6trEA5J2U4GaL5poK1MXXSd1CAkdij3npxYP2siRNz5 +SMA/TvJEA6wzhsbA6kqpESmPFim6IfywGdE6WbNu/dEA00EmLW+YeBGVBGVaUro4 +gz3ruHdztghRJFNrN4sjYGiPjKTG74U/aUNIGZXsxTJA8R8U0Y8KPw== +-----END RSA PRIVATE KEY----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-private.p12 b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-private.p12 new file mode 100644 index 0000000..ea4d241 Binary files /dev/null and b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-private.p12 differ diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-req.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-req.pem new file mode 100644 index 0000000..7c0934a --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-req.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIDATCCAekCAQAwgbsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTYW1iYVN0YXRl +MRIwEAYDVQQHDAlTYW1iYUNpdHkxGTAXBgNVBAoMEFNhbWJhU2VsZlRlc3Rpbmcx +DjAMBgNVBAsMBVVzZXJzMSgwJgYDVQQDDB9wa2luaXRAYWRkb20yLnNhbWJhLmV4 +YW1wbGUuY29tMS4wLAYJKoZIhvcNAQkBFh9wa2luaXRAYWRkb20yLnNhbWJhLmV4 +YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3DPbQ17V +kSeVNdKGsuVwrLjPdAEsYE1nsiwt78QEU00Im85VynqrAildPSfuPqMjLj42jfHK +j6dLi6k50zM50Ln0m8QULEFnvmoytoYNcA7rbLHR75Jw7HBwLV9P6mw+n+6aETKT +X7DjUSTiMwgi7mkHxhCiP0NnPAtIttGSmSLe/too6RK6p9ZUdsQ8VqfJ5CgY/YmK +6wJCiCdZYfW9Xw3rzoBKhCnlOJMd2QpQ4+ty7LJzFqt1Mzp0/Wy4qbkJwDAKdNQB +PgAOic+Hqhn1e8QNT7HxQFlUZyiqyhh1fZbUTZnjsYS852WA6vbdMM7PFGe1Jwlf +g6WMh2KPWiLVdQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAFdpb3Rsn94pfog0 +u423+MP/Y3Kt/mjLUV++hmGzIi8rAFLAjQTSlM+uGF3895+kIzH9k+y0d8nYiN2n +GPhsj4KKKurtiAsykKdE3+da0sQ/DdL7FXq7AvjzQOcoUpU3tRncNApW8mD91Yuk +YpOMysX1PhNbUK8+E+jzP8lngs6cu5yKbeK8JF/0GI74XoCB4+oVKO23SgjXOrmw +4lDKMYD7L9+N8/a6g29JEhwjxx+BTKjwjehQlkO0zT2ZRzEGk9LPoJY8CWiS31l0 +FHlUhO+drJygaFDqSd82hmo6oBSO81evk3Vow7po/E9UGVJY2X9nfGXS9+HlV/kW +IYOVlmQ= +-----END CERTIFICATE REQUEST----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-cert.pem new file mode 120000 index 0000000..aa6521d --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-cert.pem @@ -0,0 +1 @@ +USER-pkinit@addom2.samba.example.com-S08-cert.pem \ No newline at end of file diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-private-key.pem new file mode 120000 index 0000000..3784f3f --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-private-key.pem @@ -0,0 +1 @@ +USER-pkinit@addom2.samba.example.com-S08-private-key.pem \ No newline at end of file diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.cer b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.cer new file mode 100644 index 0000000..9a8d7ae Binary files /dev/null and b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.cer differ diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.pem new file mode 100644 index 0000000..730b824 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.pem @@ -0,0 +1,168 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4 (0x4) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com + Validity + Not Before: Jun 3 19:30:29 2016 GMT + Not After : May 29 19:30:29 2036 GMT + Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=pkinit@samba.example.com/emailAddress=pkinit@samba.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:dd:c4:48:44:a5:e9:6b:b4:41:03:6a:dc:34:1f: + d6:41:ce:f7:cb:b2:44:a7:a3:0e:89:16:ff:0d:62: + 23:e0:8b:24:db:82:82:68:29:22:1b:57:44:12:c6: + ea:10:2d:6f:3a:4b:75:b1:2e:76:62:01:62:ff:ba: + 3d:67:e1:39:0d:12:38:b0:fc:b3:e5:0e:dd:77:73: + 2b:99:25:86:d5:15:84:08:be:b0:8b:38:d7:64:9d: + d6:e7:dc:4d:9a:fb:ea:17:41:bb:d1:cf:1a:b9:5b: + 0b:8a:e5:8c:5a:b7:2d:ab:bd:f7:c3:91:ae:26:c2: + e3:97:27:ea:3f:be:c9:22:af:d6:76:35:45:b0:72: + 86:f2:bd:bf:e2:d3:e3:e3:68:52:26:db:f0:a6:6a: + 0e:63:05:9b:17:6d:13:ee:c4:15:41:96:27:06:90: + fd:10:b5:f9:6c:74:be:b0:a8:bb:70:f7:a2:25:da: + f7:f1:91:c2:69:6c:40:c4:63:e8:06:83:e0:1d:b7: + 2b:29:d3:75:d1:df:c1:d2:90:af:b9:81:47:78:f3: + f1:1a:c9:20:e3:1b:6f:e4:fd:2e:0b:65:a7:6f:b1: + b2:a0:d3:e3:d2:2f:2b:ef:fd:01:5b:27:e7:1b:c1: + 0e:bc:bd:f0:7b:b2:34:a9:9b:4d:2c:c8:65:33:c8: + 33:17 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 CRL Distribution Points: + + Full Name: + URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl + + Netscape Cert Type: + SSL Client, S/MIME + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Netscape Comment: + Smart Card Login Certificate for pkinit@samba.example.com + X509v3 Subject Key Identifier: + E9:67:66:B8:3D:F1:39:AB:1A:4D:00:9D:EC:CE:FF:4B:50:D8:5D:A2 + X509v3 Authority Key Identifier: + keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E + + X509v3 Subject Alternative Name: + email:pkinit@samba.example.com, othername: + X509v3 Issuer Alternative Name: + email:ca-samba.example.com@samba.example.com + Netscape CA Revocation Url: + http://www.samba.example.com/crls/CA-samba.example.com-crl.crl + X509v3 Extended Key Usage: + TLS Web Client Authentication, scardLogin + Signature Algorithm: sha256WithRSAEncryption + 88:3e:f3:98:08:ef:cd:53:3a:07:d5:1c:fd:26:7c:f1:96:2e: + b9:06:87:f2:5b:e2:be:d1:04:6e:38:59:14:49:9d:46:ef:7e: + 6c:08:02:3e:18:09:09:61:a8:1d:a9:da:59:40:58:5f:d2:ca: + 4f:76:0e:7e:01:db:05:03:fb:78:c7:89:86:aa:1b:dc:02:bb: + 86:a5:02:7c:01:54:dd:ad:e0:43:c5:d9:ec:86:c2:47:b5:5a: + 1c:8c:06:0e:fe:11:ad:a5:57:37:f5:0a:35:65:a4:f2:27:14: + 2f:bf:53:48:66:e1:da:b9:58:95:a2:d1:95:9c:ae:0a:ca:29: + a6:ef:7a:58:74:86:40:ea:2a:c6:18:9f:1a:d9:70:e2:a8:aa: + 8d:f1:22:bf:b6:e4:61:d4:21:ee:bf:17:e1:aa:d1:cf:0b:35: + 82:c7:3f:a1:be:d1:a5:bd:4e:04:0d:cf:11:2d:d6:0c:7e:47: + 5c:5e:84:d2:10:60:7e:97:d7:52:be:a1:cd:2d:85:da:b2:dd: + 68:88:12:a4:88:5f:16:0c:ae:6f:60:7f:da:58:5f:91:bd:8d: + 15:20:c2:74:94:0b:93:65:80:7c:77:15:a2:70:bb:98:be:41: + 1a:2e:c5:78:52:64:e7:44:03:3f:64:97:10:a9:1b:17:f3:79: + f9:51:0c:4c:58:e7:03:e7:bb:fd:34:ff:c0:4a:ad:b1:7a:ba: + 97:3c:f8:e0:9e:30:3d:e7:5f:be:ac:6a:b3:c1:1e:50:7c:cd: + ce:18:bd:96:73:fb:9c:90:e7:ae:e0:be:c5:65:29:9a:1c:da: + c3:64:2a:99:dc:93:61:32:9a:70:1a:45:83:72:38:0f:57:de: + 0d:f5:64:71:97:de:b5:64:99:43:30:6d:3f:25:82:b5:3e:a1: + ba:39:d2:fc:b8:df:7e:57:da:fc:be:c2:84:2e:99:41:52:a2: + 18:f4:99:c7:e2:b9:af:2a:84:32:5c:cb:ba:26:86:6b:8e:58: + 30:d8:4f:5b:60:34:fd:30:de:c5:a0:7a:8c:e7:34:2b:bc:81: + 6d:4c:a8:b5:ba:b5:52:b9:42:e5:d8:7e:be:31:a3:8e:b0:c3: + f6:16:28:92:e7:9d:3f:c8:cf:a0:4a:b0:3a:ae:75:59:ab:19: + 91:e4:2e:76:57:3f:58:88:5f:2e:7b:c5:8f:11:25:0f:cd:8f: + e3:91:80:2f:d4:7b:5a:80:c3:c9:7c:0a:aa:01:bf:5c:8c:0e: + 57:84:bf:72:ad:7b:0a:b9:95:27:0f:aa:9b:96:08:8e:bb:63: + 56:5a:1d:ad:0c:5b:1c:04:38:ae:2b:88:d4:d1:68:20:f2:a0: + 9b:77:9c:95:db:17:cb:cf:79:4a:13:66:c9:34:36:f6:c6:f9: + 8b:4b:92:5e:59:a3:5d:75:4e:fa:f2:fa:d5:d9:66:80:82:a4: + 8d:e2:d8:b6:ed:c5:a3:ca:a2:70:64:9c:b9:1c:49:b2:2f:46: + b3:13:3b:88:a7:5a:8e:22:b7:90:f5:74:27:21:06:a4:94:bb: + b1:cb:e7:e4:92:f0:e9:80:15:94:82:1a:97:34:d0:cf:aa:37: + b1:27:a5:38:39:7c:8d:ba:a1:12:dd:30:48:44:90:0c:35:0f: + cc:e6:13:e7:c9:06:36:1d:b0:c9:be:28:0f:47:1c:b0:47:a3: + 20:d1:bb:a1:85:1a:80:c2:9b:70:61:9f:a7:82:46:3c:80:28: + 0c:17:f6:fc:75:83:be:ff:5c:da:bc:be:2c:65:a6:c0:fc:c1: + 32:ae:9a:bf:d1:7c:fb:b3:26:3b:77:03:fe:a9:e9:ae:4c:72: + 58:a9:6e:ce:ad:c0:1f:30:b2:06:32:65:af:5f:db:3d:2b:ab: + c5:46:5c:0a:df:50:b5:7e:31:c8:b0:7e:50:e2:aa:d8:01:8e: + ea:e7:3c:8b:90:73:de:77:9f:47:ea:af:16:0d:a5:c0:89:6f: + 86:a4:84:f7:1f:03:fd:7d:f8:a8:7d:9c:9a:f1:13:c8:d5:5b: + 9c:2f:71:c1:c0:c2:17:89:39:6d:28:2d:20:31:ca:60:cf:7f: + 78:42:5c:a3:28:76:19:a8:ca:e6:07:22:6d:7f:04:b1:20:ab: + 70:40:33:e9:a3:fa:da:b5:7c:ee:70:0b:c6:a2:6a:90:1a:10: + fe:8a:9b:56:5c:44:85:f1:b4:41:67:0b:c1:a3:68:2f:ff:b1: + 48:f3:38:4b:28:4e:52:36:0c:9b:37:aa:7e:82:63:c3:61:33: + a9:05:b3:af:13:07:b3:9e:4d:4c:3c:c4:47:34:ce:f3:6e:55: + 69:d7:af:dc:e4:82:34:9b:fe:cc:d9:db:1f:08:3e:3c:3a:9b: + ac:a7:7e:61:3f:5f:01:0c:d8:f3:63:31:31:07:e2:05:84:30: + 65:f4:b0:a6:cc:ad:63:fe:06:db:d7:e9:2f:9d:db:2c:64:af: + d6:d1:cc:9e:c3:11:09:ad:7d:e2:06:6d:21:ad:a5:4f:a6:87: + 9b:ee:db:6c:e9:69:a7:6a:eb:93:67:e2:e9:6f:23:f8:2e:95: + 78:5f:a8:66:ae:7e:2c:5e:6b:07:3e:02:ad:20:af:61:9c:0e: + 1d:c6:7a:31:5a:33:bd:61:1a:67:5b:a9:42:3c:17:67:f8:dd: + 80:e3:ab:62:a0:42:53:33:1f:f7:79:ea:32:d1:26:dd:bb:c6: + 26:aa:2c:ac:16:7e:24:b4:ae:7d:ce:77:e8:5f:2d:97 +-----BEGIN CERTIFICATE----- +MIII2jCCBMKgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx +EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE +CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x +IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB +FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0xNjA2 +MDMxOTMwMjlaFw0zNjA1MjkxOTMwMjlaMIGZMQswCQYDVQQGEwJVUzETMBEGA1UE +CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE +CwwFVXNlcnMxITAfBgNVBAMMGHBraW5pdEBzYW1iYS5leGFtcGxlLmNvbTEnMCUG +CSqGSIb3DQEJARYYcGtpbml0QHNhbWJhLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3cRIRKXpa7RBA2rcNB/WQc73y7JEp6MOiRb/ +DWIj4Isk24KCaCkiG1dEEsbqEC1vOkt1sS52YgFi/7o9Z+E5DRI4sPyz5Q7dd3Mr +mSWG1RWECL6wizjXZJ3W59xNmvvqF0G70c8auVsLiuWMWrctq733w5GuJsLjlyfq +P77JIq/WdjVFsHKG8r2/4tPj42hSJtvwpmoOYwWbF20T7sQVQZYnBpD9ELX5bHS+ +sKi7cPeiJdr38ZHCaWxAxGPoBoPgHbcrKdN10d/B0pCvuYFHePPxGskg4xtv5P0u +C2Wnb7GyoNPj0i8r7/0BWyfnG8EOvL3we7I0qZtNLMhlM8gzFwIDAQABo4IB/DCC +AfgwCQYDVR0TBAIwADBPBgNVHR8ESDBGMESgQqBAhj5odHRwOi8vd3d3LnNhbWJh +LmV4YW1wbGUuY29tL2NybHMvQ0Etc2FtYmEuZXhhbXBsZS5jb20tY3JsLmNybDAR +BglghkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgXgMEgGCWCGSAGG+EIBDQQ7FjlT +bWFydCBDYXJkIExvZ2luIENlcnRpZmljYXRlIGZvciBwa2luaXRAc2FtYmEuZXhh +bXBsZS5jb20wHQYDVR0OBBYEFOlnZrg98TmrGk0AnezO/0tQ2F2iMB8GA1UdIwQY +MBaAFKI+Aiqjp005tAhNmcwMdTbqJ8M+ME0GA1UdEQRGMESBGHBraW5pdEBzYW1i +YS5leGFtcGxlLmNvbaAoBgorBgEEAYI3FAIDoBoMGHBraW5pdEBzYW1iYS5leGFt +cGxlLmNvbTAxBgNVHRIEKjAogSZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5l +eGFtcGxlLmNvbTBNBglghkgBhvhCAQQEQBY+aHR0cDovL3d3dy5zYW1iYS5leGFt +cGxlLmNvbS9jcmxzL0NBLXNhbWJhLmV4YW1wbGUuY29tLWNybC5jcmwwHwYDVR0l +BBgwFgYIKwYBBQUHAwIGCisGAQQBgjcUAgIwDQYJKoZIhvcNAQELBQADggQBAIg+ +85gI781TOgfVHP0mfPGWLrkGh/Jb4r7RBG44WRRJnUbvfmwIAj4YCQlhqB2p2llA +WF/Syk92Dn4B2wUD+3jHiYaqG9wCu4alAnwBVN2t4EPF2eyGwke1WhyMBg7+Ea2l +Vzf1CjVlpPInFC+/U0hm4dq5WJWi0ZWcrgrKKabvelh0hkDqKsYYnxrZcOKoqo3x +Ir+25GHUIe6/F+Gq0c8LNYLHP6G+0aW9TgQNzxEt1gx+R1xehNIQYH6X11K+oc0t +hdqy3WiIEqSIXxYMrm9gf9pYX5G9jRUgwnSUC5NlgHx3FaJwu5i+QRouxXhSZOdE +Az9klxCpGxfzeflRDExY5wPnu/00/8BKrbF6upc8+OCeMD3nX76sarPBHlB8zc4Y +vZZz+5yQ567gvsVlKZoc2sNkKpnck2EymnAaRYNyOA9X3g31ZHGX3rVkmUMwbT8l +grU+obo50vy4335X2vy+woQumUFSohj0mcfiua8qhDJcy7omhmuOWDDYT1tgNP0w +3sWgeoznNCu8gW1MqLW6tVK5QuXYfr4xo46ww/YWKJLnnT/Iz6BKsDqudVmrGZHk +LnZXP1iIXy57xY8RJQ/Nj+ORgC/Ue1qAw8l8CqoBv1yMDleEv3Ktewq5lScPqpuW +CI67Y1ZaHa0MWxwEOK4riNTRaCDyoJt3nJXbF8vPeUoTZsk0NvbG+YtLkl5Zo111 +Tvry+tXZZoCCpI3i2LbtxaPKonBknLkcSbIvRrMTO4inWo4it5D1dCchBqSUu7HL +5+SS8OmAFZSCGpc00M+qN7EnpTg5fI26oRLdMEhEkAw1D8zmE+fJBjYdsMm+KA9H +HLBHoyDRu6GFGoDCm3Bhn6eCRjyAKAwX9vx1g77/XNq8vixlpsD8wTKumr/RfPuz +Jjt3A/6p6a5Mclipbs6twB8wsgYyZa9f2z0rq8VGXArfULV+MciwflDiqtgBjurn +PIuQc953n0fqrxYNpcCJb4akhPcfA/19+Kh9nJrxE8jVW5wvccHAwheJOW0oLSAx +ymDPf3hCXKModhmoyuYHIm1/BLEgq3BAM+mj+tq1fO5wC8aiapAaEP6Km1ZcRIXx +tEFnC8GjaC//sUjzOEsoTlI2DJs3qn6CY8NhM6kFs68TB7OeTUw8xEc0zvNuVWnX +r9zkgjSb/szZ2x8IPjw6m6ynfmE/XwEM2PNjMTEH4gWEMGX0sKbMrWP+BtvX6S+d +2yxkr9bRzJ7DEQmtfeIGbSGtpU+mh5vu22zpaadq65Nn4ulvI/gulXhfqGaufixe +awc+Aq0gr2GcDh3GejFaM71hGmdbqUI8F2f43YDjq2KgQlMzH/d56jLRJt27xiaq +LKwWfiS0rn3Od+hfLZc= +-----END CERTIFICATE----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-key.pem new file mode 100644 index 0000000..44f2dca --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-key.pem @@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI3lMKoRxwFl4CAggA +MBQGCCqGSIb3DQMHBAh3N+m1jtZvYgSCBMjc0ubJOkfSna22cqDmoGRkN/3T/nfk +zjaeXgq95J/FKJjrDL8t+ywAM/Xrs5CIRraaiJQ2ddYy6ViaKsoK00lVxx1zelFA +7HZke3gXQnmJEXxnb2cCJhYwX5ElT/QoSgxh9cLuLnw/4HVp4K0wCAjmCkYtCc32 +HvqCJJU2Gj97rVMr43jz/GISBKdFtzBSP059SRNgutczONs4zBV3YZNYMOO+GZWF +Gt46vy0rzEgEku9PdNSBG48j2VCidj6VzJSDzrS8gMcNVd65quzCoCLoaUZ+Xgf0 +T28rwElhRe0Khji1fW2KyeyMNwtivKZPVOzOkS4gdmRZq64WdZBSC0yL4VepXXML +wUtPORgYZ0VkkLZHJ5exLQJESQz68CX9kiryoZgDbZMcYzDBI4lkFwtqRTKRbmM+ +K4VPVxqWREAmnMPBfdDBRKi0yml2Y53Eq5PAhCqkhbFe5JiZ5OGlwGY+zPiFZ+65 +EYHTcjCW1NIY1GTKYp7AYQ0JX4tNqFQon+9GLmowODQeW0DkcCKabHNTNUnCwW0d +qxyzC+gUEMCas1ZjVlkxeTEzYm7820DierzEc2pdvWRm6p8EHlFOboD65HpxpG4h +wYbe2ctNoB0gpaFDgaEsECxJ6ZxkMk2x39UPlAawkVshGs9W8StIxHgSUv4H9T/S +9SAiQKQOGOpyj0V+zfq6IW/XXK+lbV5CRSYwSAmC1JuEeR8Hy6guPmjNC4Otp/5j +NjiYDHWtQKvnYJDZOZraW1QqHlrwB6SNt3EAWYHR+d/OOPedeUh/WvtT7brnPu1Z +fQPkQLJtKyvG6rkNvAJl3Zl67cz3D3G1J/MSpFXc4dUcTKfldR5uSQSpVqFEWqmw +hgBxsv7OI0c/NMFt1JmUpQTMxhFqLKCjwVI9LZgJfl+EFPI5PCJY7mHBMfhDgZek +epAS7V+zaVOXZw41unk8HGgTx+u64g5cM8QEfs23RSu8t2122p7q4n1qgZ9pWtQZ +hwxhqvI4I4fnFVqgBRih9xQ3Vg/jCCtRLEPtrtlYYHGhejZ+6oSNN11aacOoVoBj +15rdwA45ch/W62ktHwvjoE8welXUOmjLLYh3zZH0tqdwOMDv0MRAjC0k4tACYClC +TqHipCjqead5vZRM40hCzE70AB4pLm6utAseJb8C/EweqlbhBaYqqPFZo/GdqD8s +9hQ3NU29ynrtIeuj359y9gLQU4Tc+dU8f6bxTE5IKrTwk552695lODKb5R4J1rN9 +weY1fcXWCHPiVJhmFnWo11nNPt7vS+m0eUCVdAAOdPoZwBLswTD6wCxquXXLi7wR +1a4vA8inf/nV+8kHebyhrQdS3uekqQZbPbfE545csLXnJdb+N418q/Vxw9lIH+N0 +90GeOdWGM34fXRzrPFlDSW5IhKDSR8+4tU71Fq4kwI1Z1AFN4oJUgcRRNm/fdd3w +V1PLnYYpTIFpunuerCDqYtHiIh2uwtWUWzPgIK7mm/UV5VSDsWTYktPlkTxEAwzm +ktuharKIvzLA13p5PXBHpjv27wJjgs6kPuWgBpG1IosC4nDq2355lBLqFSgK1pUt +Px6tls4RkaOTk8+t6J6W2ZeaF4Nu7kG6qnTqUuBkshcqcS3A53i2m0O/ug7n3vfU +QHM= +-----END ENCRYPTED PRIVATE KEY----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-openssl.cnf b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-openssl.cnf new file mode 100644 index 0000000..3ece25f --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-openssl.cnf @@ -0,0 +1,242 @@ +# +# Based on the OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl] +CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl + +# Extra OBJECT IDENTIFIER info: +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] +# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential +scardLogin=1.3.6.1.4.1.311.20.2.2 +# Used in a smart card login certificate's subject alternative name +msUPN=1.3.6.1.4.1.311.20.2.3 +# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller +msKDC=1.3.6.1.5.2.3.5 +# Identifies the AD GUID +msADGUID=1.3.6.1.4.1.311.25.1 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = CA-samba.example.com # Where everything is kept +certs = $dir/_none_certs # Where the issued certs are kept +crl_dir = $dir/_none_crl # Where the issued crl are kept +database = $dir/Private/CA-samba.example.com-index.txt # database index file. +unique_subject = yes # Set to 'no' to allow creation of + # several certificates with same subject. +new_certs_dir = $dir/NewCerts # default place for new certs. + +certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate +serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number +crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number + # must be commented out to leave a V1 CRL + +#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL +crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL +private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key +RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file + +#x509_extensions = # The extensions to add to the cert +x509_extensions = template_x509_extensions + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +crl_extensions = crl_ext + +default_days = 7300 # how long to certify for +default_crl_days= 7300 # how long before next CRL +default_md = sha256 # use public key default MD +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = match +stateOrProvinceName = match +localityName = match +organizationName = match +organizationalUnitName = match +commonName = supplied +emailAddress = supplied + +#################################################################### +[ req ] +default_bits = 2048 +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString (PKIX recommendation before 2004) +# utf8only: only UTF8Strings (PKIX recommendation after 2004). +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. +string_mask = utf8only + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = US +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = SambaState + +localityName = Locality Name (eg, city) +localityName_default = SambaCity + +organizationName = Organization Name (eg, company) +organizationName_default = SambaSelfTesting + +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = Users + +commonName = Common Name (eg, YOUR name) +commonName_default = pkinit@samba.example.com +commonName_max = 64 + +emailAddress = Email Address +emailAddress_default = pkinit@samba.example.com +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +#challengePassword = A challenge password +#challengePassword_min = 4 +#challengePassword_max = 20 +# +#unstructuredName = An optional company name + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] +# Extensions for a typical CA +# PKIX recommendation. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. +keyUsage = cRLSign, keyCertSign + +crlDistributionPoints=URI:$CRLDISTPT + +# Some might want this also +nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +subjectAltName=email:copy +# Copy issuer details +issuerAltName=issuer:copy + +[ crl_ext ] +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always + +#[ usr_cert_scarduser ] +[ template_x509_extensions ] + +# These extensions are added when 'ca' signs a request for a certificate that will be used to login from a smart card + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE +crlDistributionPoints=URI:$CRLDISTPT + +# For normal client use this is typical +nsCertType = client, email + +# This is typical in keyUsage for a client certificate. +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "Smart Card Login Certificate for pkinit@samba.example.com" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. + +subjectAltName=email:copy,otherName:msUPN;UTF8:pkinit@samba.example.com + +# Copy subject details +issuerAltName=issuer:copy + +nsCaRevocationUrl = $CRLDISTPT +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +#Extended Key requirements for client certs +extendedKeyUsage = clientAuth,scardLogin + diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private-key.pem new file mode 100644 index 0000000..5492ba3 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private-key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA3cRIRKXpa7RBA2rcNB/WQc73y7JEp6MOiRb/DWIj4Isk24KC +aCkiG1dEEsbqEC1vOkt1sS52YgFi/7o9Z+E5DRI4sPyz5Q7dd3MrmSWG1RWECL6w +izjXZJ3W59xNmvvqF0G70c8auVsLiuWMWrctq733w5GuJsLjlyfqP77JIq/WdjVF +sHKG8r2/4tPj42hSJtvwpmoOYwWbF20T7sQVQZYnBpD9ELX5bHS+sKi7cPeiJdr3 +8ZHCaWxAxGPoBoPgHbcrKdN10d/B0pCvuYFHePPxGskg4xtv5P0uC2Wnb7GyoNPj +0i8r7/0BWyfnG8EOvL3we7I0qZtNLMhlM8gzFwIDAQABAoIBAQCgUBQuDAIBafzV +i5pD0//+8q8PAX+/74/Cam1WL2vgFrY+OMosog+V1C/RoxnxN+cALSyXOQ87KeV3 +GBrrzVSArnts9kDVhTlz8D3EJ+ygfT1FVRQqkJykj7WbRxaSwykmRs6PjTe0Zqyh +a+9aZLEPRfSl29oZCymbS697BWBBQaKT/KKbVct9ViJhr8LjXjRYu1HGJuBY/kl4 +NFJFnmgL9KDlbkh9kNxVdLU1P4Ln9Yur13aV2OnVKkbgeTxFSsQrQbnyRjjtEtpE +ePTimmtbE8Epvd8BM8Pq1geD7NlBH1+Nmi+1mD3r0YNqnvRcqCpEWDS9dL/Mgs4B +/OgjX90BAoGBAP1VQLWZBgy1aSu7AIUtdAFsxmU6ecjh4ISczoHOe7b6xITEWYtB +S3ai7gA0+g/iPiKzIAVmyI5/pWBa/h8UnMFm5UoZYSBtI2o8nRAxMnlXJ3Ny7OM5 +QBluT0uEKtj7N/KEpbe61hNH7sVoyq+RJgGCGq9bbxZjAdlqgdkN0w7ZAoGBAOAZ +9N+Aru0f1vU0b9U6Dh/XTvtgOFd9AJbrXyQZRqbYQguYgWB0aZfDH3TarGDRbIf/ +/Alhoo7gatIstDgjDxk8GuhOFvlimNrf8RC6oTXDvPLnwekdAL7/fMOyFsTegxWL +1J305SNa8FL3G0Fr2HxCUa0UoCk/wVau78atpvtvAoGAEYmqXigG1DBm5IEgqxeX +dVXLckyXC8IfYe7dGP1rcSJxImPZcxuFFuR2p4sDWMAn3w0ZhWY1MjBCCaai+xHZ +PEZcT0HsiGslzX/+u5U8UkwnTgXBwoU/G8OYN7khoj3aBK8MLekAUvti20XC6l6Z +C/eu0z74NMuL4DpQXO9pEhkCgYBNtfKKRo9iPvZFlWdqY3VeaUVEOjuPaxN3Qit9 +0x4C4V8Vsk666eNr8wfHd8Tq1fRyvLvjbO336a5hL4tXJCEqOQODpwCkfiJPU/S+ +PlmE0VmGSgOeGKaXlPToz6rBnf+KyzBxjeifd/t6aaIT75fkjwLPqCVZ6Hfc3VDc +bn9HFQKBgF8+kghkOG15fchOAaqRq+nqmfJNKQPf9VxGBF+LPaXJdK1XOjnfUIxd +wVkPpic5HfAbZfYCChSPYWV07s3V7Muqz5mJ/TxijMVjLwRZQqcXNqA9rufoaz7i +3lHgGTaPLBVnz06lPMHTuyXid+QK3xHsFeT+NQ2NSfRucTCTnSJ3 +-----END RSA PRIVATE KEY----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private.p12 b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private.p12 new file mode 100644 index 0000000..f83f831 Binary files /dev/null and b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private.p12 differ diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-req.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-req.pem new file mode 100644 index 0000000..72e7383 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-req.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIC8zCCAdsCAQAwga0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTYW1iYVN0YXRl +MRIwEAYDVQQHDAlTYW1iYUNpdHkxGTAXBgNVBAoMEFNhbWJhU2VsZlRlc3Rpbmcx +DjAMBgNVBAsMBVVzZXJzMSEwHwYDVQQDDBhwa2luaXRAc2FtYmEuZXhhbXBsZS5j +b20xJzAlBgkqhkiG9w0BCQEWGHBraW5pdEBzYW1iYS5leGFtcGxlLmNvbTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3ESESl6Wu0QQNq3DQf1kHO98uy +RKejDokW/w1iI+CLJNuCgmgpIhtXRBLG6hAtbzpLdbEudmIBYv+6PWfhOQ0SOLD8 +s+UO3XdzK5klhtUVhAi+sIs412Sd1ufcTZr76hdBu9HPGrlbC4rljFq3Lau998OR +ribC45cn6j++ySKv1nY1RbByhvK9v+LT4+NoUibb8KZqDmMFmxdtE+7EFUGWJwaQ +/RC1+Wx0vrCou3D3oiXa9/GRwmlsQMRj6AaD4B23KynTddHfwdKQr7mBR3jz8RrJ +IOMbb+T9Lgtlp2+xsqDT49IvK+/9AVsn5xvBDry98HuyNKmbTSzIZTPIMxcCAwEA +AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAS1xXnu2962UGX+uGRd546a81d3UBr6fbe +0fFemBBdXqLcOS7dIksjrn0Nuf+L9RFBFX8J+j5W769GvbctoVriuyC6BUU6UmKd +WMUgg6DpqhqOUW9Ze7bnHJc7JKwsgUQCmK1lEveS2ZyA9eUMOB4Wt6w+Fa4aJ51u +vm590qbs5gmeWHMTE7svG0oxwoT0bhT95sKSlfbuMM5v9XS72ZNkkcmmg/i0/Kpw +XXevmng9bVtZS4ajyGyFMQ45u5OauJwYJDFOjOqzo+YyglCyyrj5XJBYy7aajRPz +Bre7Pub8WwLFJyw6Chc++8VSgqBXN57RS64eSY58ChNyQYcj8vB2 +-----END CERTIFICATE REQUEST----- diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-cert.pem new file mode 120000 index 0000000..e8fe413 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-cert.pem @@ -0,0 +1 @@ +USER-pkinit@samba.example.com-S04-cert.pem \ No newline at end of file diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-private-key.pem new file mode 120000 index 0000000..53e9e41 --- /dev/null +++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-private-key.pem @@ -0,0 +1 @@ +USER-pkinit@samba.example.com-S04-private-key.pem \ No newline at end of file -- cgit v1.2.3