diff options
Diffstat (limited to 'testenv/certs')
| -rw-r--r-- | testenv/certs/README | 87 | ||||
| -rw-r--r-- | testenv/certs/ca-cert.pem | 19 | ||||
| -rw-r--r-- | testenv/certs/ca-key.pem | 144 | ||||
| -rw-r--r-- | testenv/certs/ca-template.cfg | 246 | ||||
| -rwxr-xr-x | testenv/certs/make_ca.sh | 23 | ||||
| -rw-r--r-- | testenv/certs/server-cert.pem | 21 | ||||
| -rw-r--r-- | testenv/certs/server-crl.pem | 12 | ||||
| -rw-r--r-- | testenv/certs/server-key.pem | 144 | ||||
| -rw-r--r-- | testenv/certs/server-pubkey-sha256.base64 | 1 | ||||
| -rw-r--r-- | testenv/certs/server-pubkey.der | bin | 0 -> 294 bytes | |||
| -rw-r--r-- | testenv/certs/server-pubkey.pem | 9 | ||||
| -rw-r--r-- | testenv/certs/server-template.cfg | 245 |
12 files changed, 951 insertions, 0 deletions
diff --git a/testenv/certs/README b/testenv/certs/README new file mode 100644 index 0000000..2aabd3f --- /dev/null +++ b/testenv/certs/README @@ -0,0 +1,87 @@ +To create the server RSA private key: +$ certtool --generate-privkey --outfile server-key.pem --rsa + + +To create a self signed CA certificate: +$ certtool --generate-privkey --outfile ca-key.pem +$ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem +Common name: GNU Wget +UID: +Organizational unit name: Wget +Organization name: GNU +Locality name: +State or province name: +Country name (2 chars): +Enter the subject's domain component (DC): +This field should not be used in new certificates. +E-mail: +Enter the certificate's serial number in decimal (default: 6080487640893163573): + +Activation/Expiration time. +The certificate will expire in (days): -1 + +Extensions. +Does the certificate belong to an authority? (y/N): y +Path length constraint (decimal, -1 for no constraint): +Is this a TLS web client certificate? (y/N): +Will the certificate be used for IPsec IKE operations? (y/N): +Is this a TLS web server certificate? (y/N): +Enter a dnsName of the subject of the certificate: +Enter a URI of the subject of the certificate: +Enter the IP address of the subject of the certificate: +Enter the e-mail of the subject of the certificate: +Will the certificate be used to sign OCSP requests? (y/N): +Will the certificate be used to sign code? (y/N): +Will the certificate be used for time stamping? (y/N): +Will the certificate be used to sign other certificates? (y/N): y +Will the certificate be used to sign CRLs? (y/N): y +Enter the URI of the CRL distribution point: + + +To generate a server certificate using the private key only: +$ certtool --generate-certificate --load-privkey server-key.pem --outfile server-cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem +Common name: 127.0.0.1 +UID: +Organizational unit name: Wget +Organization name: GNU +Locality name: +State or province name: +Country name (2 chars): +Enter the subject's domain component (DC): +This field should not be used in new certificates. +E-mail: +Enter the certificate's serial number in decimal (default: 6080488276853553635): + +Activation/Expiration time. +The certificate will expire in (days): -1 + +Extensions. +Does the certificate belong to an authority? (y/N): +Is this a TLS web client certificate? (y/N): +Will the certificate be used for IPsec IKE operations? (y/N): +Is this a TLS web server certificate? (y/N): y +Enter a dnsName of the subject of the certificate: 127.0.0.1 +Enter a dnsName of the subject of the certificate: localhost +Enter a dnsName of the subject of the certificate: +Enter a URI of the subject of the certificate: +Enter the IP address of the subject of the certificate: +Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n): +Will the certificate be used for encryption (RSA ciphersuites)? (Y/n): + + +To create a CRL for the server certificate: +$ certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca-cert.pem --load-certificate server-cert.pem --outfile server-crl.pem +Generating a signed CRL... +Update times. +The certificate will expire in (days): -1 +CRL Number (default: 6080006793650397145): + +To generate a public key in PEM format: +$ openssl x509 -noout -pubkey < server-cert.pem > server-pubkey.pem + +To generate a public key in DER format: +$ openssl x509 -noout -pubkey < server-cert.pem | openssl asn1parse -noout -inform pem -out server-pubkey.der + +To generate a sha256 hash of the public key: +$ openssl x509 -noout -pubkey < server-cert.pem | openssl asn1parse -noout -inform pem -out /dev/stdout | openssl dgst -sha256 -binary | openssl base64 +mHiEhWHvusnzP7COZk+SzSJ+Gl7nZT+ADx0PUnDD7mM= diff --git a/testenv/certs/ca-cert.pem b/testenv/certs/ca-cert.pem new file mode 100644 index 0000000..2c06476 --- /dev/null +++ b/testenv/certs/ca-cert.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDJzCCAg+gAwIBAgIIWRQ9uws3g5owDQYJKoZIhvcNAQELBQAwMDERMA8GA1UE +AxMIR05VIFdnZXQxDTALBgNVBAsTBFdnZXQxDDAKBgNVBAoTA0dOVTAgFw0xNzA1 +MTExMDMyMzdaGA85OTk5MTIzMTIzNTk1OVowMDERMA8GA1UEAxMIR05VIFdnZXQx +DTALBgNVBAsTBFdnZXQxDDAKBgNVBAoTA0dOVTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAL9iEdf4LGibJ/noLVRWzDDG4ryvnlcz2PMBF29n5aXvWipM +M/NuJ0kq1n0YoEJn/zg5DZStsfdZKaXz5lpApVEREAdyOHf7BxZ86gpBSpjcLVU+ +A7C+O1bpoGRemY0qk2EA9zAx91YRY9Yiq0TDP2gmV8J7Q/uu7CsOlD13xW31DkXn +KW+3wmT2RVRWErcYHBe3Mh/gwAy1+UAhI4i2B9XrOhV63cPsqYMAZfh7i5EP+IBN +CS0CuTwCkmHi8tCRAVD6L5DF0/q/Wj5EARf/Vg+rlD4mtBER2zCE9DMvOIQaxvXe +buYFz5x9WcSiK/IiTmAsnVY2J3Z9tc7NiBMcC+sCAwEAAaNDMEEwDwYDVR0TAQH/ +BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBTzPk44hEqpvsFvx2Gj +UNpuKYvrVDANBgkqhkiG9w0BAQsFAAOCAQEAAsAugT64gwFMMtwDJo5r3/f9sMPA +lWi1N7Nz8LjBa6Vqrk/3No3Fxxidb3IMO5RGecgZdGV/CL5lG7yjzgVB2ADx+68K +TmcNEO4CDja5vDyRpG7NPGmhtc48iiOsnEhhWCw084S2rUKf7hAX3+yKg63Uwuik +C0xHT6HwbrWcmWFQAQOqucPWEwzGRMjqn++3cHAG8XlNSL8tWIr7NmTKr7yufLPC +HcDAVgJsBHTOWgs/Casq4EovO83hgustD6rAWJOf89DP6bB2yOPEHKVq6cBsuGDM +F+V2Cr2ytyGPHrOCfH3IzCpQ45cxZX4TaJ7tgV9x7WlMLoNaZgo1ijsKOw== +-----END CERTIFICATE----- diff --git a/testenv/certs/ca-key.pem b/testenv/certs/ca-key.pem new file mode 100644 index 0000000..ac51f60 --- /dev/null +++ b/testenv/certs/ca-key.pem @@ -0,0 +1,144 @@ +Public Key Info: + Public Key Algorithm: RSA + Key Security Level: Medium (2048 bits) + +modulus: + 00:bf:62:11:d7:f8:2c:68:9b:27:f9:e8:2d:54:56: + cc:30:c6:e2:bc:af:9e:57:33:d8:f3:01:17:6f:67: + e5:a5:ef:5a:2a:4c:33:f3:6e:27:49:2a:d6:7d:18: + a0:42:67:ff:38:39:0d:94:ad:b1:f7:59:29:a5:f3: + e6:5a:40:a5:51:11:10:07:72:38:77:fb:07:16:7c: + ea:0a:41:4a:98:dc:2d:55:3e:03:b0:be:3b:56:e9: + a0:64:5e:99:8d:2a:93:61:00:f7:30:31:f7:56:11: + 63:d6:22:ab:44:c3:3f:68:26:57:c2:7b:43:fb:ae: + ec:2b:0e:94:3d:77:c5:6d:f5:0e:45:e7:29:6f:b7: + c2:64:f6:45:54:56:12:b7:18:1c:17:b7:32:1f:e0: + c0:0c:b5:f9:40:21:23:88:b6:07:d5:eb:3a:15:7a: + dd:c3:ec:a9:83:00:65:f8:7b:8b:91:0f:f8:80:4d: + 09:2d:02:b9:3c:02:92:61:e2:f2:d0:91:01:50:fa: + 2f:90:c5:d3:fa:bf:5a:3e:44:01:17:ff:56:0f:ab: + 94:3e:26:b4:11:11:db:30:84:f4:33:2f:38:84:1a: + c6:f5:de:6e:e6:05:cf:9c:7d:59:c4:a2:2b:f2:22: + 4e:60:2c:9d:56:36:27:76:7d:b5:ce:cd:88:13:1c: + 0b:eb: + +public exponent: + 01:00:01: + +private exponent: + 45:0c:7f:fd:98:a7:85:12:3d:a9:17:90:8b:36:49: + b3:6b:7e:50:af:58:04:84:4b:48:d9:62:f8:29:d7: + 1c:38:30:22:c4:9d:95:bd:6f:65:21:94:83:4b:c8: + 3e:4d:41:32:aa:ba:f0:a2:7e:6c:0c:7a:4f:4a:a1: + 18:7c:ec:68:44:2c:b1:53:0f:76:92:56:2b:51:e4: + 2a:d1:05:b6:02:f2:44:27:fc:b2:de:df:8f:ea:f8: + 98:5d:dd:2e:a6:66:c7:ff:ce:2f:50:47:b9:80:ca: + b1:6e:8e:b6:5f:6f:58:07:45:70:80:82:b5:a2:95: + c8:af:18:e2:d8:7c:9d:bf:c5:a9:da:4f:af:08:37: + 92:27:94:12:c0:94:70:90:ff:e4:05:8b:ed:18:a9: + 19:3c:47:3a:7c:fe:4f:9c:15:ab:f6:7e:48:2a:58: + d7:14:67:96:bd:e6:fa:9f:3a:51:0c:63:49:14:d5: + 9d:e9:a8:24:19:2a:83:e4:fe:e2:ec:db:f9:13:33: + a6:d3:62:d2:6b:7e:a9:5b:93:73:f5:c9:d0:ad:58: + 11:cb:77:d3:13:3c:bf:37:f9:64:95:c7:4c:69:f2: + 6e:b8:36:69:57:93:4a:03:06:58:8a:51:3d:d6:97: + 61:2f:7c:76:33:14:88:51:45:68:4e:29:fe:12:43: + 69: + +prime1: + 00:e0:e6:81:38:18:3e:c8:98:51:71:2d:5f:22:8c: + 93:95:37:17:47:00:4f:6a:87:98:73:8d:f3:c3:02: + f7:e1:9d:a0:5c:a5:10:a6:0d:88:5d:e0:72:10:93: + 24:af:6e:a4:0e:55:5c:03:37:5f:1d:90:41:c2:d6: + e3:a6:ba:20:08:0b:01:31:eb:fc:7e:97:66:3c:fe: + b5:ab:4c:0b:2f:18:16:f3:28:47:70:41:dc:cf:04: + 9c:7e:28:78:3b:3f:31:cf:b1:77:2c:6d:c9:bf:ad: + 19:ff:03:1f:c6:98:9a:60:47:a5:1d:c4:52:c5:9e: + 77:5a:cc:a4:e3:96:81:d4:4d: + +prime2: + 00:d9:d9:0c:6e:81:bb:0e:5d:c6:92:cc:48:70:b8: + da:60:e8:56:e7:2a:20:da:29:0f:c9:f0:9f:b8:9f: + df:d9:a1:68:7e:ce:3e:7c:f2:00:66:68:79:c4:01: + fa:b9:71:3e:73:06:3f:85:5c:83:33:ee:58:77:50: + 89:aa:90:33:d0:6c:aa:6f:34:b2:30:8b:e9:a9:82: + df:e2:7f:04:09:9f:14:9a:db:c7:cb:e5:85:46:b2: + 42:d0:a7:fe:7a:e3:ff:1e:84:9c:36:50:e3:de:fb: + 11:1c:34:09:fe:46:db:45:c3:50:19:f1:25:c0:e3: + 5c:d5:0d:88:13:e1:9a:5d:17: + +coefficient: + 00:ca:79:cb:79:87:91:9f:9a:99:0b:5d:c5:78:21: + a7:60:c6:8a:2d:a5:b5:87:a2:d6:df:b0:17:5f:bf: + e1:ce:f0:ca:89:18:0e:e0:4a:7f:00:e5:41:2d:04: + 5b:05:51:e5:08:89:dd:80:82:c7:94:94:1c:f4:0f: + 1b:9a:d0:72:83:bb:e9:ca:d5:09:0d:4b:c0:b7:6a: + a7:b4:c3:df:4e:f1:7f:0f:57:ad:25:ff:e4:d3:ef: + 05:95:31:ca:00:54:97:4b:2d:56:aa:1a:89:d8:a0: + d6:dc:64:88:88:36:26:92:39:57:8b:da:18:23:77: + c3:e3:39:0e:95:f7:3c:77:fe: + +exp1: + 00:99:f2:8f:4f:93:a1:1e:74:cd:82:f8:78:df:d0: + 74:91:b6:a5:53:6f:cd:ec:f1:26:95:2a:fd:4a:67: + 34:c1:16:c2:17:c8:d1:ed:a8:e3:c8:c7:03:ad:7e: + db:a4:ce:ca:b4:19:10:24:0f:7a:27:65:80:ee:5b: + 64:77:d3:7e:6b:a3:04:cd:64:69:71:4a:37:ac:d6: + fa:0a:68:c2:5b:19:55:54:5b:25:13:9d:b2:05:6f: + 75:a4:12:15:c3:10:8e:0b:4a:c2:76:02:2d:10:ec: + f0:17:94:ce:e2:85:c1:5e:d8:8c:19:25:33:37:9d: + 32:bc:4f:cb:2b:12:f2:8a:1d: + +exp2: + 3e:53:68:c9:1c:f8:a5:6d:92:e8:60:e5:c0:ca:42: + 40:43:78:c9:7e:36:13:f4:77:7d:f1:07:e1:4c:6c: + 40:d9:7b:09:fc:7b:c8:47:7c:71:d0:26:36:3b:d2: + bd:c7:76:74:76:2f:2a:3a:83:97:11:f3:e1:7e:fb: + 43:ff:29:b3:d1:c3:19:39:dc:59:23:4e:60:9e:fe: + ea:d0:28:19:90:97:d6:8e:56:a5:31:2f:66:40:8d: + f9:20:77:20:35:a6:c1:d6:72:d2:df:65:b2:5f:e6: + 4f:49:5c:2a:91:9f:1e:60:78:c4:53:47:d7:dd:b4: + ab:87:c9:8c:d6:98:d1:55: + + +Public Key ID: F3:3E:4E:38:84:4A:A9:BE:C1:6F:C7:61:A3:50:DA:6E:29:8B:EB:54 +Public key's random art: ++--[ RSA 2048]----+ +| | +| | +| | +| .. . | +| Eo . S | +| .+o..+. + | +| .+o.= oo o | +|.o.o* o +. | +|+o+*.. .o. | ++-----------------+ + +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAv2IR1/gsaJsn+egtVFbMMMbivK+eVzPY8wEXb2flpe9aKkwz +824nSSrWfRigQmf/ODkNlK2x91kppfPmWkClUREQB3I4d/sHFnzqCkFKmNwtVT4D +sL47VumgZF6ZjSqTYQD3MDH3VhFj1iKrRMM/aCZXwntD+67sKw6UPXfFbfUORecp +b7fCZPZFVFYStxgcF7cyH+DADLX5QCEjiLYH1es6FXrdw+ypgwBl+HuLkQ/4gE0J +LQK5PAKSYeLy0JEBUPovkMXT+r9aPkQBF/9WD6uUPia0ERHbMIT0My84hBrG9d5u +5gXPnH1ZxKIr8iJOYCydVjYndn21zs2IExwL6wIDAQABAoIBAEUMf/2Yp4USPakX +kIs2SbNrflCvWASES0jZYvgp1xw4MCLEnZW9b2UhlINLyD5NQTKquvCifmwMek9K +oRh87GhELLFTD3aSVitR5CrRBbYC8kQn/LLe34/q+Jhd3S6mZsf/zi9QR7mAyrFu +jrZfb1gHRXCAgrWilcivGOLYfJ2/xanaT68IN5InlBLAlHCQ/+QFi+0YqRk8Rzp8 +/k+cFav2fkgqWNcUZ5a95vqfOlEMY0kU1Z3pqCQZKoPk/uLs2/kTM6bTYtJrfqlb +k3P1ydCtWBHLd9MTPL83+WSVx0xp8m64NmlXk0oDBliKUT3Wl2EvfHYzFIhRRWhO +Kf4SQ2kCgYEA4OaBOBg+yJhRcS1fIoyTlTcXRwBPaoeYc43zwwL34Z2gXKUQpg2I +XeByEJMkr26kDlVcAzdfHZBBwtbjprogCAsBMev8fpdmPP61q0wLLxgW8yhHcEHc +zwScfih4Oz8xz7F3LG3Jv60Z/wMfxpiaYEelHcRSxZ53Wsyk45aB1E0CgYEA2dkM +boG7Dl3GksxIcLjaYOhW5yog2ikPyfCfuJ/f2aFofs4+fPIAZmh5xAH6uXE+cwY/ +hVyDM+5Yd1CJqpAz0GyqbzSyMIvpqYLf4n8ECZ8UmtvHy+WFRrJC0Kf+euP/HoSc +NlDj3vsRHDQJ/kbbRcNQGfElwONc1Q2IE+GaXRcCgYEAmfKPT5OhHnTNgvh439B0 +kbalU2/N7PEmlSr9Smc0wRbCF8jR7ajjyMcDrX7bpM7KtBkQJA96J2WA7ltkd9N+ +a6MEzWRpcUo3rNb6CmjCWxlVVFslE52yBW91pBIVwxCOC0rCdgItEOzwF5TO4oXB +XtiMGSUzN50yvE/LKxLyih0CgYA+U2jJHPilbZLoYOXAykJAQ3jJfjYT9Hd98Qfh +TGxA2XsJ/HvIR3xx0CY2O9K9x3Z0di8qOoOXEfPhfvtD/ymz0cMZOdxZI05gnv7q +0CgZkJfWjlalMS9mQI35IHcgNabB1nLS32WyX+ZPSVwqkZ8eYHjEU0fX3bSrh8mM +1pjRVQKBgQDKect5h5GfmpkLXcV4IadgxootpbWHotbfsBdfv+HO8MqJGA7gSn8A +5UEtBFsFUeUIid2AgseUlBz0Dxua0HKDu+nK1QkNS8C3aqe0w99O8X8PV60l/+TT +7wWVMcoAVJdLLVaqGonYoNbcZIiINiaSOVeL2hgjd8PjOQ6V9zx3/g== +-----END RSA PRIVATE KEY----- diff --git a/testenv/certs/ca-template.cfg b/testenv/certs/ca-template.cfg new file mode 100644 index 0000000..087cd70 --- /dev/null +++ b/testenv/certs/ca-template.cfg @@ -0,0 +1,246 @@ +# X.509 Certificate options +# +# DN options + +# The organization of the subject. +organization = "GNU" + +# The organizational unit of the subject. +unit = "Wget" + +# The locality of the subject. +# locality = + +# The state of the certificate owner. +# state = "" + +# The country of the subject. Two letter code. +# country = GR + +# The common name of the certificate owner. +cn = "GNU Wget" + +# A user id of the certificate owner. +#uid = "" + +# Set domain components +#dc = "name" +#dc = "domain" + +# If the supported DN OIDs are not adequate you can set +# any OID here. +# For example set the X.520 Title and the X.520 Pseudonym +# by using OID and string pairs. +#dn_oid = 2.5.4.12 Dr. +#dn_oid = 2.5.4.65 jackal + +# This is deprecated and should not be used in new +# certificates. +# pkcs9_email = "bug-wget@gnu.org" + +# An alternative way to set the certificate's distinguished name directly +# is with the "dn" option. The attribute names allowed are: +# C (country), street, O (organization), OU (unit), title, CN (common name), +# L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship, +# countryOfResidence, serialNumber, telephoneNumber, surName, initials, +# generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name, +# businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName, +# jurisdictionOfIncorporationStateOrProvinceName, +# jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs. + +#dn = "cn = Nikos,st = New Something,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias" + +# The serial number of the certificate +# Comment the field for a time-based serial number. +# serial = 007 + +# In how many days, counting from today, this certificate will expire. +# Use -1 if there is no expiration date. +expiration_days = -1 + +# Alternatively you may set concrete dates and time. The GNU date string +# formats are accepted. See: +# http://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html + +#activation_date = "2004-02-29 16:21:42" +#expiration_date = "2025-02-29 16:24:41" + +# X.509 v3 extensions + +# A dnsname in case of a WWW server. +#dns_name = "www.none.org" +#dns_name = "www.morethanone.org" + +# A subject alternative name URI +#uri = "http://www.example.com" + +# An IP address in case of a server. +#ip_address = "192.168.1.1" + +# An email in case of a person +# email = "none@none.org" + +# Challenge password used in certificate requests +challenge_password = 123456 + +# Password when encrypting a private key +#password = secret + +# An URL that has CRLs (certificate revocation lists) +# available. Needed in CA certificates. +#crl_dist_points = "http://www.getcrl.crl/getcrl/" + +# Whether this is a CA certificate or not +ca + +# Subject Unique ID (in hex) +#subject_unique_id = 00153224 + +# Issuer Unique ID (in hex) +#issuer_unique_id = 00153225 + +#### Key usage + +# The following key usage flags are used by CAs and end certificates + +# Whether this certificate will be used to sign data (needed +# in TLS DHE ciphersuites). This is the digitalSignature flag +# in RFC5280 terminology. +# signing_key + +# Whether this certificate will be used to encrypt data (needed +# in TLS RSA ciphersuites). Note that it is preferred to use different +# keys for encryption and signing. This is the keyEncipherment flag +# in RFC5280 terminology. +# encryption_key + +# Whether this key will be used to sign other certificates. The +# keyCertSign flag in RFC5280 terminology. +cert_signing_key + +# Whether this key will be used to sign CRLs. The +# cRLSign flag in RFC5280 terminology. +crl_signing_key + +# The keyAgreement flag of RFC5280. It's purpose is loosely +# defined. Not use it unless required by a protocol. +#key_agreement + +# The dataEncipherment flag of RFC5280. It's purpose is loosely +# defined. Not use it unless required by a protocol. +#data_encipherment + +# The nonRepudiation flag of RFC5280. It's purpose is loosely +# defined. Not use it unless required by a protocol. +#non_repudiation + +#### Extended key usage (key purposes) + +# The following extensions are used in an end certificate +# to clarify its purpose. Some CAs also use it to indicate +# the types of certificates they are purposed to sign. + +# Whether this certificate will be used for a TLS client; +# this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of +# extended key usage. +#tls_www_client + +# Whether this certificate will be used for a TLS server; +# This sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of +# extended key usage. +#tls_www_server + +# Whether this key will be used to sign code. This sets the +# id-kp-codeSigning (1.3.6.1.5.5.7.3.3) of extended key usage +# extension. +#code_signing_key + +# Whether this key will be used to sign OCSP data. This sets the +# id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) of extended key usage extension. +#ocsp_signing_key + +# Whether this key will be used for time stamping. This sets the +# id-kp-timeStamping (1.3.6.1.5.5.7.3.8) of extended key usage extension. +#time_stamping_key + +# Whether this key will be used for email protection. This sets the +# id-kp-emailProtection (1.3.6.1.5.5.7.3.4) of extended key usage extension. +#email_protection_key + +# Whether this key will be used for IPsec IKE operations (1.3.6.1.5.5.7.3.17). +#ipsec_ike_key + +## adding custom key purpose OIDs + +# for microsoft smart card logon +# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2 + +# for email protection +# key_purpose_oid = 1.3.6.1.5.5.7.3.4 + +# for any purpose (must not be used in intermediate CA certificates) +# key_purpose_oid = 2.5.29.37.0 + +### end of key purpose OIDs + +# When generating a certificate from a certificate +# request, then honor the extensions stored in the request +# and store them in the real certificate. +honor_crq_extensions + +# Path length constraint. Sets the maximum number of +# certificates that can be used to certify this certificate. +# (i.e. the certificate chain length) +#path_len = -1 +#path_len = 2 + +# OCSP URI +# ocsp_uri = http://my.ocsp.server/ocsp + +# CA issuers URI +# ca_issuers_uri = http://my.ca.issuer + +# Certificate policies +#policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0 +#policy1_txt = "This is a long policy to summarize" +#policy1_url = http://www.example.com/a-policy-to-read + +#policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1 +#policy2_txt = "This is a short policy" +#policy2_url = http://www.example.com/another-policy-to-read + +# Name constraints + +# DNS +#nc_permit_dns = example.com +#nc_exclude_dns = test.example.com + +# EMAIL +#nc_permit_email = "nmav@ex.net" + +# Exclude subdomains of example.com +#nc_exclude_email = .example.com + +# Exclude all e-mail addresses of example.com +#nc_exclude_email = example.com + +# Options for proxy certificates +#proxy_policy_language = 1.3.6.1.5.5.7.21.1 + +# Options for generating a CRL + +# The number of days the next CRL update will be due. +# next CRL update will be in 43 days +#crl_next_update = 43 + +# this is the 5th CRL by this CA +# Comment the field for a time-based number. +#crl_number = 5 + +# Specify the update dates more precisely. +#crl_this_update_date = "2004-02-29 16:21:42" +#crl_next_update_date = "2025-02-29 16:24:41" + +# The date that the certificates will be made seen as +# being revoked. +#crl_revocation_date = "2025-02-29 16:24:41" diff --git a/testenv/certs/make_ca.sh b/testenv/certs/make_ca.sh new file mode 100755 index 0000000..f9b5676 --- /dev/null +++ b/testenv/certs/make_ca.sh @@ -0,0 +1,23 @@ +#!/bin/sh -e + +# create a self signed CA certificate +certtool --generate-privkey --outfile ca-key.pem +certtool --generate-self-signed --load-privkey ca-key.pem --template=ca-template.cfg --outfile ca-cert.pem + +# create the server RSA private key +certtool --generate-privkey --outfile server-key.pem --rsa + +# generate a server certificate using the private key only +certtool --generate-certificate --load-privkey server-key.pem --template=server-template.cfg --outfile server-cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem + +# create a CRL for the server certificate +certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca-cert.pem --load-certificate server-cert.pem --outfile server-crl.pem --template=server-template.cfg + +# generate a public key in PEM format +openssl x509 -noout -pubkey < server-cert.pem > server-pubkey.pem + +# generate a public key in DER format +openssl x509 -noout -pubkey < server-cert.pem | openssl asn1parse -noout -inform pem -out server-pubkey.der + +# generate a sha256 hash of the public key +openssl x509 -noout -pubkey < server-cert.pem | openssl asn1parse -noout -inform pem -out /dev/stdout | openssl dgst -sha256 -binary | openssl base64 > server-pubkey-sha256.base64 diff --git a/testenv/certs/server-cert.pem b/testenv/certs/server-cert.pem new file mode 100644 index 0000000..c9f474a --- /dev/null +++ b/testenv/certs/server-cert.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDdzCCAl+gAwIBAgIMWWD1GB1UFkEICdQvMA0GCSqGSIb3DQEBCwUAMDAxETAP +BgNVBAMTCEdOVSBXZ2V0MQ0wCwYDVQQLEwRXZ2V0MQwwCgYDVQQKEwNHTlUwIBcN +MTcwNzA4MTUwNzA0WhgPOTk5OTEyMzEyMzU5NTlaMDExEjAQBgNVBAMTCTEyNy4w +LjAuMTENMAsGA1UECxMEV2dldDEMMAoGA1UEChMDR05VMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAyMLca3nkR9K2XqYTfvX6kPf9ylHkwvGR1sGyzkyU +g/ZMOGI84i0teaXyjGzgGNSbfB+fcZX2IkuZvNshYv7SRtGRDYsI8pR/4KWffPZk +T6tfB1aVPyBV+/nU6l+SnaUsNVSot80pEZCCK+NIKYupjYup4HRJpU2+5oPcSmpn +IgfQTlJmCOoEeBFG28aRzLSs6anlIjY0BIu6BSKhdr04taOlgPCh2x3cRGUvQMnV +olbxMLxOqLHiLSixbNqv4tcEiKfRC9qv3+5Ec3SnWSrenReA0cqpamJNPnj5ZjHs +96a/ipFfPXWzCInNQv4/DUO6tD2yZvMOACzPtXYUmdR4JwIDAQABo4GNMIGKMAwG +A1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0OBBYEFJfm323LJbKTM/tMKSt0 +qlUqewbnMB8GA1UdIwQYMBaAFPM+TjiESqm+wW/HYaNQ2m4pi+tUMA0GCSqGSIb3 +DQEBCwUAA4IBAQC1a0NQfmqT8Ky/BFo5H+G+GoQTlqi3J83ujAMdLUD57zYCEyDL +XzAhMPfrOSLPDcQb0ooD1Ie+Rz8Xs1h00cD2OGKwH479+nisF5ksqJVJ4fn/aNFE +6W2Xb3MCB+4FRdmy0UeDDA6N2OpVskCM30s9tmovlBLVK46HogdLvy/O1o7z/gbx +vV8luevxobnevZ3NdWLyVE3BJZiThBHmZUvL1XNy4KAR4wDAkbCwoTN/JkehTu0i +WR6DaG7N7M6psc7rctfzRqimlAkxnoAUwc8LwNLTB3v613xXX8iSUsLKsh6pQfZR +e5wnYQIS4MzowvDx8WevTPMRKlN72d8HHuv9 +-----END CERTIFICATE----- diff --git a/testenv/certs/server-crl.pem b/testenv/certs/server-crl.pem new file mode 100644 index 0000000..ca70479 --- /dev/null +++ b/testenv/certs/server-crl.pem @@ -0,0 +1,12 @@ +-----BEGIN X509 CRL----- +MIIB1jCBvwIBATANBgkqhkiG9w0BAQsFADAwMREwDwYDVQQDEwhHTlUgV2dldDEN +MAsGA1UECxMEV2dldDEMMAoGA1UEChMDR05VFw0xNzA3MDgxNTA3MDRaFw0xODA3 +MDgxNTA3MDRaMB8wHQIMWWD1GB1UFkEICdQvFw0xNzA3MDgxNTA3MDRaoDowODAf +BgNVHSMEGDAWgBTzPk44hEqpvsFvx2GjUNpuKYvrVDAVBgNVHRQEDgIMWWD1GB4C +YfERSnyEMA0GCSqGSIb3DQEBCwUAA4IBAQAAKu+Lum1l/XtcCJ43WveouPK97iOE +bjUZWaGYx8Ys/iBdhTa1GXG+E+JuyqgyHTW0HrWJi1D+GiYmsjPJXoEgVgtxXEQ7 +8b3NyIQ8OCsSTTlVCmLECN9R0xlsitzH+HXOaIEs5sbmIxCnxu+brqno9gQocmCv +LHYvoSxsSsOCkkmodbYtKssl2dBonvQPSijN/z3NhZ259e2U3Yv4V7/MrEoTvOxg +M0GC0u0Nx86EWbq0sWeiUu270Qk9En5YGNtRhkeq0bXerJswmMAmvrtuKdyfouny +4WMvtn30xsO3WwWSV2oyrDSN/IQdDbcmul/bg8ewqlnN77cVf2m70c/W +-----END X509 CRL----- diff --git a/testenv/certs/server-key.pem b/testenv/certs/server-key.pem new file mode 100644 index 0000000..80d61cc --- /dev/null +++ b/testenv/certs/server-key.pem @@ -0,0 +1,144 @@ +Public Key Info: + Public Key Algorithm: RSA + Key Security Level: Medium (2048 bits) + +modulus: + 00:c8:c2:dc:6b:79:e4:47:d2:b6:5e:a6:13:7e:f5: + fa:90:f7:fd:ca:51:e4:c2:f1:91:d6:c1:b2:ce:4c: + 94:83:f6:4c:38:62:3c:e2:2d:2d:79:a5:f2:8c:6c: + e0:18:d4:9b:7c:1f:9f:71:95:f6:22:4b:99:bc:db: + 21:62:fe:d2:46:d1:91:0d:8b:08:f2:94:7f:e0:a5: + 9f:7c:f6:64:4f:ab:5f:07:56:95:3f:20:55:fb:f9: + d4:ea:5f:92:9d:a5:2c:35:54:a8:b7:cd:29:11:90: + 82:2b:e3:48:29:8b:a9:8d:8b:a9:e0:74:49:a5:4d: + be:e6:83:dc:4a:6a:67:22:07:d0:4e:52:66:08:ea: + 04:78:11:46:db:c6:91:cc:b4:ac:e9:a9:e5:22:36: + 34:04:8b:ba:05:22:a1:76:bd:38:b5:a3:a5:80:f0: + a1:db:1d:dc:44:65:2f:40:c9:d5:a2:56:f1:30:bc: + 4e:a8:b1:e2:2d:28:b1:6c:da:af:e2:d7:04:88:a7: + d1:0b:da:af:df:ee:44:73:74:a7:59:2a:de:9d:17: + 80:d1:ca:a9:6a:62:4d:3e:78:f9:66:31:ec:f7:a6: + bf:8a:91:5f:3d:75:b3:08:89:cd:42:fe:3f:0d:43: + ba:b4:3d:b2:66:f3:0e:00:2c:cf:b5:76:14:99:d4: + 78:27: + +public exponent: + 01:00:01: + +private exponent: + 00:92:80:1f:f9:0d:e9:d7:bf:9b:f5:55:9b:c4:7a: + 1b:6e:ce:89:14:aa:ce:14:b3:d3:88:b3:b0:97:7a: + aa:a5:e1:85:9d:5f:92:ae:39:e9:85:6b:e3:a3:35: + 90:12:8e:93:27:f0:ab:99:67:a5:45:41:85:de:9a: + c9:b2:43:e1:8e:6c:3f:3d:72:c8:04:bc:f8:d4:26: + 08:4c:58:40:bb:22:83:26:07:b8:c1:68:07:56:e8: + e8:c6:5f:17:ce:92:49:c0:61:16:fd:89:68:fe:b8: + 45:45:61:85:b7:4b:83:5f:17:1b:cf:ff:0b:fe:e4: + cc:f9:ca:1f:66:ee:5e:74:25:94:7a:27:0e:0f:43: + 50:14:48:ad:c6:8a:e1:ac:ff:8e:10:ed:e6:92:48: + c8:94:c1:3a:2c:db:86:71:66:8e:19:93:13:ed:f9: + 47:06:5e:8b:e2:2e:cb:3a:c2:b3:5e:8d:31:e4:c5: + a7:cd:3f:09:70:e4:02:5d:34:2a:4d:b7:f5:06:e2: + f5:3b:8f:b6:ad:4a:22:b8:fe:43:a7:4d:67:ef:c3: + e1:ed:83:e2:d5:f2:d0:37:0f:56:ab:5b:47:69:0a: + 14:03:2c:43:a3:73:e9:05:72:5e:df:68:9c:67:4b: + 08:64:2d:c2:67:23:aa:e5:35:88:56:99:95:17:60: + 20:01: + +prime1: + 00:ea:ca:12:86:c0:25:b8:ab:fd:44:2c:1a:3f:1b: + 19:68:d4:26:6e:9c:ad:6d:35:12:29:9f:40:c2:4c: + 96:ef:8b:08:61:39:08:b7:8a:1f:81:97:71:ff:af: + 5a:5b:db:9a:2f:2f:29:ab:92:bb:c5:51:a2:84:c5: + f4:88:79:ac:a2:b8:17:1e:4a:66:62:be:e5:ab:fd: + 01:42:6b:16:f9:73:7b:cd:3e:f7:5c:5c:95:dd:79: + 73:c4:60:a8:cf:95:80:ba:7d:02:14:9c:7e:58:4f: + 8c:08:2c:b8:46:31:23:b2:1a:c3:38:78:5c:ea:50: + 9d:42:23:31:30:9a:0f:3f:27: + +prime2: + 00:da:e5:d3:66:0f:34:53:8c:e8:bf:5f:1e:46:93: + 47:df:30:57:be:1f:30:6a:7e:e9:f0:6b:3f:61:89: + 51:e2:0b:da:51:09:65:f6:23:3a:61:86:02:46:0a: + cf:11:73:7c:2d:65:bd:64:b8:0e:24:d2:b7:51:8f: + 39:b4:a2:1b:e4:9a:bc:66:31:e2:00:eb:3e:20:06: + 97:0a:a0:bb:82:da:bf:d5:e9:20:77:a7:55:86:69: + ce:eb:38:d3:f4:ad:82:9e:ce:02:05:c5:11:aa:c0: + b9:66:6f:e7:f4:26:57:72:fa:50:0b:ad:76:44:86: + e0:3e:f7:c0:3e:f3:94:9f:01: + +coefficient: + 00:94:f2:42:a9:1a:62:1c:7a:bf:34:1b:a7:87:ae: + bd:3a:d9:f1:8c:4e:f6:f5:27:5a:ae:f1:1e:15:06: + a6:d0:e4:e0:ec:3a:40:02:13:b9:31:9a:cd:3a:c6: + 34:7d:c6:9d:9e:60:5b:ca:03:88:87:56:f0:e1:ea: + 37:96:2b:53:40:b2:78:4e:80:e2:e0:24:8c:83:0e: + f8:77:a4:64:d5:cc:09:6c:d6:52:49:f9:55:61:16: + 72:b5:d2:ea:e1:61:fb:31:24:f0:30:8c:fe:5c:29: + 71:06:09:11:4d:ef:51:a6:33:62:54:d2:c7:de:ba: + 78:17:b1:27:50:f4:ef:c4:3a: + +exp1: + 1f:36:0d:90:6c:2a:97:8a:05:78:f2:83:ea:af:a7: + 89:0f:ea:ab:f9:97:f4:54:81:bd:96:b5:fd:1e:41: + 52:46:a1:2e:8b:6e:65:37:af:48:82:e1:5c:a3:ea: + d7:1b:32:3b:e3:81:1e:95:ba:f0:58:11:ca:a4:a6: + 05:1e:67:9c:99:ec:38:d2:9b:19:b5:56:c2:ae:37: + 64:a4:e7:c0:f1:61:1b:bf:ab:12:54:1c:77:fc:95: + 2f:1d:ca:53:0e:04:b6:c5:b7:69:16:04:95:a8:bd: + 6c:b8:c5:26:4f:91:f7:33:27:90:72:2f:a7:d6:5f: + 91:53:2c:4e:d1:ac:05:31: + +exp2: + 00:83:a4:55:a6:fa:1b:d8:e7:54:0d:ca:f1:55:36: + 3b:b1:f0:cb:c3:cd:d3:fb:27:ca:1e:c9:10:bb:e2: + ae:78:c7:f2:0a:6c:21:82:8e:1b:0d:0d:5f:8e:a9: + ef:6f:aa:49:12:b0:2d:df:45:85:54:05:d9:33:56: + 74:38:ba:89:15:c9:2c:e6:34:b7:9b:1f:de:23:ba: + 72:d9:74:62:70:46:87:b9:e8:52:9b:42:e9:ff:44: + e0:a8:bb:6b:54:a9:88:75:62:a4:fa:bd:52:6b:a3: + 2d:9c:7a:4e:3f:99:53:5c:15:47:50:4e:88:62:9b: + ce:7e:6f:d6:90:c5:42:2b:01: + + +Public Key ID: 97:E6:DF:6D:CB:25:B2:93:33:FB:4C:29:2B:74:AA:55:2A:7B:06:E7 +Public key's random art: ++--[ RSA 2048]----+ +| | +| | +| | +| . | +| S + . | +| .+oo. . | +| .=+oo.+ .| +| +E.=O.oo| +| o+ .=*++o| ++-----------------+ + +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAyMLca3nkR9K2XqYTfvX6kPf9ylHkwvGR1sGyzkyUg/ZMOGI8 +4i0teaXyjGzgGNSbfB+fcZX2IkuZvNshYv7SRtGRDYsI8pR/4KWffPZkT6tfB1aV +PyBV+/nU6l+SnaUsNVSot80pEZCCK+NIKYupjYup4HRJpU2+5oPcSmpnIgfQTlJm +COoEeBFG28aRzLSs6anlIjY0BIu6BSKhdr04taOlgPCh2x3cRGUvQMnVolbxMLxO +qLHiLSixbNqv4tcEiKfRC9qv3+5Ec3SnWSrenReA0cqpamJNPnj5ZjHs96a/ipFf +PXWzCInNQv4/DUO6tD2yZvMOACzPtXYUmdR4JwIDAQABAoIBAQCSgB/5DenXv5v1 +VZvEehtuzokUqs4Us9OIs7CXeqql4YWdX5KuOemFa+OjNZASjpMn8KuZZ6VFQYXe +msmyQ+GObD89csgEvPjUJghMWEC7IoMmB7jBaAdW6OjGXxfOkknAYRb9iWj+uEVF +YYW3S4NfFxvP/wv+5Mz5yh9m7l50JZR6Jw4PQ1AUSK3GiuGs/44Q7eaSSMiUwTos +24ZxZo4ZkxPt+UcGXoviLss6wrNejTHkxafNPwlw5AJdNCpNt/UG4vU7j7atSiK4 +/kOnTWfvw+Htg+LV8tA3D1arW0dpChQDLEOjc+kFcl7faJxnSwhkLcJnI6rlNYhW +mZUXYCABAoGBAOrKEobAJbir/UQsGj8bGWjUJm6crW01EimfQMJMlu+LCGE5CLeK +H4GXcf+vWlvbmi8vKauSu8VRooTF9Ih5rKK4Fx5KZmK+5av9AUJrFvlze80+91xc +ld15c8RgqM+VgLp9AhScflhPjAgsuEYxI7Iawzh4XOpQnUIjMTCaDz8nAoGBANrl +02YPNFOM6L9fHkaTR98wV74fMGp+6fBrP2GJUeIL2lEJZfYjOmGGAkYKzxFzfC1l +vWS4DiTSt1GPObSiG+SavGYx4gDrPiAGlwqgu4Lav9XpIHenVYZpzus40/Stgp7O +AgXFEarAuWZv5/QmV3L6UAutdkSG4D73wD7zlJ8BAoGAHzYNkGwql4oFePKD6q+n +iQ/qq/mX9FSBvZa1/R5BUkahLotuZTevSILhXKPq1xsyO+OBHpW68FgRyqSmBR5n +nJnsONKbGbVWwq43ZKTnwPFhG7+rElQcd/yVLx3KUw4EtsW3aRYElai9bLjFJk+R +9zMnkHIvp9ZfkVMsTtGsBTECgYEAg6RVpvob2OdUDcrxVTY7sfDLw83T+yfKHskQ +u+KueMfyCmwhgo4bDQ1fjqnvb6pJErAt30WFVAXZM1Z0OLqJFcks5jS3mx/eI7py +2XRicEaHuehSm0Lp/0TgqLtrVKmIdWKk+r1Sa6MtnHpOP5lTXBVHUE6IYpvOfm/W +kMVCKwECgYEAlPJCqRpiHHq/NBunh669OtnxjE729SdarvEeFQam0OTg7DpAAhO5 +MZrNOsY0fcadnmBbygOIh1bw4eo3litTQLJ4ToDi4CSMgw74d6Rk1cwJbNZSSflV +YRZytdLq4WH7MSTwMIz+XClxBgkRTe9RpjNiVNLH3rp4F7EnUPTvxDo= +-----END RSA PRIVATE KEY----- diff --git a/testenv/certs/server-pubkey-sha256.base64 b/testenv/certs/server-pubkey-sha256.base64 new file mode 100644 index 0000000..6c24e4f --- /dev/null +++ b/testenv/certs/server-pubkey-sha256.base64 @@ -0,0 +1 @@ +mHiEhWHvusnzP7COZk+SzSJ+Gl7nZT+ADx0PUnDD7mM= diff --git a/testenv/certs/server-pubkey.der b/testenv/certs/server-pubkey.der Binary files differnew file mode 100644 index 0000000..6db082a --- /dev/null +++ b/testenv/certs/server-pubkey.der diff --git a/testenv/certs/server-pubkey.pem b/testenv/certs/server-pubkey.pem new file mode 100644 index 0000000..44a3628 --- /dev/null +++ b/testenv/certs/server-pubkey.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMLca3nkR9K2XqYTfvX6 +kPf9ylHkwvGR1sGyzkyUg/ZMOGI84i0teaXyjGzgGNSbfB+fcZX2IkuZvNshYv7S +RtGRDYsI8pR/4KWffPZkT6tfB1aVPyBV+/nU6l+SnaUsNVSot80pEZCCK+NIKYup +jYup4HRJpU2+5oPcSmpnIgfQTlJmCOoEeBFG28aRzLSs6anlIjY0BIu6BSKhdr04 +taOlgPCh2x3cRGUvQMnVolbxMLxOqLHiLSixbNqv4tcEiKfRC9qv3+5Ec3SnWSre +nReA0cqpamJNPnj5ZjHs96a/ipFfPXWzCInNQv4/DUO6tD2yZvMOACzPtXYUmdR4 +JwIDAQAB +-----END PUBLIC KEY----- diff --git a/testenv/certs/server-template.cfg b/testenv/certs/server-template.cfg new file mode 100644 index 0000000..00389aa --- /dev/null +++ b/testenv/certs/server-template.cfg @@ -0,0 +1,245 @@ +# X.509 Certificate options +# +# DN options + +# The organization of the subject. +organization = "GNU" + +# The organizational unit of the subject. +unit = "Wget" + +# The locality of the subject. +# locality = + +# The state of the certificate owner. +# state = "" + +# The country of the subject. Two letter code. +# country = GR + +# The common name of the certificate owner. +cn = "127.0.0.1" + +# A user id of the certificate owner. +#uid = "" + +# Set domain components +#dc = "name" +#dc = "domain" + +# If the supported DN OIDs are not adequate you can set +# any OID here. +# For example set the X.520 Title and the X.520 Pseudonym +# by using OID and string pairs. +#dn_oid = 2.5.4.12 Dr. +#dn_oid = 2.5.4.65 jackal + +# This is deprecated and should not be used in new +# certificates. +# pkcs9_email = "bug-wget@gnu.org" + +# An alternative way to set the certificate's distinguished name directly +# is with the "dn" option. The attribute names allowed are: +# C (country), street, O (organization), OU (unit), title, CN (common name), +# L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship, +# countryOfResidence, serialNumber, telephoneNumber, surName, initials, +# generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name, +# businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName, +# jurisdictionOfIncorporationStateOrProvinceName, +# jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs. + +#dn = "cn = Nikos,st = New Something,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias" + +# The serial number of the certificate +# Comment the field for a time-based serial number. +# serial = 007 + +# In how many days, counting from today, this certificate will expire. +# Use -1 if there is no expiration date. +expiration_days = -1 + +# Alternatively you may set concrete dates and time. The GNU date string +# formats are accepted. See: +# http://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html + +#activation_date = "2004-02-29 16:21:42" +#expiration_date = "2025-02-29 16:24:41" + +# X.509 v3 extensions + +# A dnsname in case of a WWW server. +dns_name = "localhost" + +# A subject alternative name URI +#uri = "http://www.example.com" + +# An IP address in case of a server. +# ip_address = "127.0.0.1" + +# An email in case of a person +# email = "none@none.org" + +# Challenge password used in certificate requests +challenge_password = 123456 + +# Password when encrypting a private key +#password = secret + +# An URL that has CRLs (certificate revocation lists) +# available. Needed in CA certificates. +#crl_dist_points = "http://www.getcrl.crl/getcrl/" + +# Whether this is a CA certificate or not +# ca + +# Subject Unique ID (in hex) +#subject_unique_id = 00153224 + +# Issuer Unique ID (in hex) +#issuer_unique_id = 00153225 + +#### Key usage + +# The following key usage flags are used by CAs and end certificates + +# Whether this certificate will be used to sign data (needed +# in TLS DHE ciphersuites). This is the digitalSignature flag +# in RFC5280 terminology. +signing_key + +# Whether this certificate will be used to encrypt data (needed +# in TLS RSA ciphersuites). Note that it is preferred to use different +# keys for encryption and signing. This is the keyEncipherment flag +# in RFC5280 terminology. +encryption_key + +# Whether this key will be used to sign other certificates. The +# keyCertSign flag in RFC5280 terminology. +# cert_signing_key + +# Whether this key will be used to sign CRLs. The +# cRLSign flag in RFC5280 terminology. +# crl_signing_key + +# The keyAgreement flag of RFC5280. It's purpose is loosely +# defined. Not use it unless required by a protocol. +#key_agreement + +# The dataEncipherment flag of RFC5280. It's purpose is loosely +# defined. Not use it unless required by a protocol. +#data_encipherment + +# The nonRepudiation flag of RFC5280. It's purpose is loosely +# defined. Not use it unless required by a protocol. +#non_repudiation + +#### Extended key usage (key purposes) + +# The following extensions are used in an end certificate +# to clarify its purpose. Some CAs also use it to indicate +# the types of certificates they are purposed to sign. + +# Whether this certificate will be used for a TLS client; +# this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of +# extended key usage. +#tls_www_client + +# Whether this certificate will be used for a TLS server; +# This sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of +# extended key usage. +tls_www_server + +# Whether this key will be used to sign code. This sets the +# id-kp-codeSigning (1.3.6.1.5.5.7.3.3) of extended key usage +# extension. +#code_signing_key + +# Whether this key will be used to sign OCSP data. This sets the +# id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) of extended key usage extension. +#ocsp_signing_key + +# Whether this key will be used for time stamping. This sets the +# id-kp-timeStamping (1.3.6.1.5.5.7.3.8) of extended key usage extension. +#time_stamping_key + +# Whether this key will be used for email protection. This sets the +# id-kp-emailProtection (1.3.6.1.5.5.7.3.4) of extended key usage extension. +#email_protection_key + +# Whether this key will be used for IPsec IKE operations (1.3.6.1.5.5.7.3.17). +#ipsec_ike_key + +## adding custom key purpose OIDs + +# for microsoft smart card logon +# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2 + +# for email protection +# key_purpose_oid = 1.3.6.1.5.5.7.3.4 + +# for any purpose (must not be used in intermediate CA certificates) +# key_purpose_oid = 2.5.29.37.0 + +### end of key purpose OIDs + +# When generating a certificate from a certificate +# request, then honor the extensions stored in the request +# and store them in the real certificate. +honor_crq_extensions + +# Path length constraint. Sets the maximum number of +# certificates that can be used to certify this certificate. +# (i.e. the certificate chain length) +#path_len = -1 +#path_len = 2 + +# OCSP URI +# ocsp_uri = http://my.ocsp.server/ocsp + +# CA issuers URI +# ca_issuers_uri = http://my.ca.issuer + +# Certificate policies +#policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0 +#policy1_txt = "This is a long policy to summarize" +#policy1_url = http://www.example.com/a-policy-to-read + +#policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1 +#policy2_txt = "This is a short policy" +#policy2_url = http://www.example.com/another-policy-to-read + +# Name constraints + +# DNS +#nc_permit_dns = example.com +#nc_exclude_dns = test.example.com + +# EMAIL +#nc_permit_email = "nmav@ex.net" + +# Exclude subdomains of example.com +#nc_exclude_email = .example.com + +# Exclude all e-mail addresses of example.com +#nc_exclude_email = example.com + +# Options for proxy certificates +#proxy_policy_language = 1.3.6.1.5.5.7.21.1 + +# Options for generating a CRL + +# The number of days the next CRL update will be due. +# next CRL update will be in 43 days +#crl_next_update = 43 + +# this is the 5th CRL by this CA +# Comment the field for a time-based number. +#crl_number = 5 + +# Specify the update dates more precisely. +#crl_this_update_date = "2004-02-29 16:21:42" +#crl_next_update_date = "2025-02-29 16:24:41" + +# The date that the certificates will be made seen as +# being revoked. +#crl_revocation_date = "2025-02-29 16:24:41" |