Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / packaging / sources / thrift / b18964e1352bf0e051f6a3d3b8a34e5f34b42543 / . / test / keys / keygen / make-serverkey.sh
blob: 618b0f45cd09f574d71fc1eb7ef437ab3a266fb9 [file] [log] [blame]
Jens Geyerb18964e2022-06-28 22:54:38 +0200[diff] [blame^]1#!/bin/bash
2
3# tested with git bash on Windows
4# probably needs a bit of tweaking for other environments
5
6# re the "//SKIP=this" in sub see at https://stackoverflow.com/a/54924640/499466
7
8echo init folder
9rm *.p12 2> /dev/null
10rm *.pem 2> /dev/null
11rm *.crt 2> /dev/null
12rm *.key 2> /dev/null
13rm *.cfg 2> /dev/null
14rm *.csr 2> /dev/null
15
16#cp ../*.key .
17
18echo writing config
19echo '[ req ]' > my.cfg
20echo 'default_bits= 4096' >> my.cfg
21echo 'distinguished_name=req' >> my.cfg
22echo 'x509_extensions = v3_ca' >> my.cfg
23echo 'req_extensions = v3_req' >> my.cfg
24echo '' >> my.cfg
25echo '[ v3_req ]' >> my.cfg
26echo 'basicConstraints = CA:FALSE' >> my.cfg
27echo 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment' >> my.cfg
28echo 'subjectAltName=@alternate_names' >> my.cfg
29echo '' >> my.cfg
30echo '[ alternate_names ]' >> my.cfg
31echo 'IP.1=127.0.0.1' >> my.cfg
32echo 'IP.2=::1' >> my.cfg
33echo 'IP.3=::ffff:127.0.0.1' >> my.cfg
34echo 'DNS.1=localhost' >> my.cfg
35echo '' >> my.cfg
36echo '[ v3_ca ]' >> my.cfg
37echo 'subjectKeyIdentifier=hash' >> my.cfg
38echo 'authorityKeyIdentifier=keyid:always,issuer' >> my.cfg
39echo 'basicConstraints = critical, CA:TRUE, pathlen:0' >> my.cfg
40echo 'keyUsage = critical, cRLSign, keyCertSign, nonRepudiation, digitalSignature, keyEncipherment' >> my.cfg
41echo 'extendedKeyUsage = serverAuth, clientAuth' >> my.cfg
42echo 'subjectAltName=@alternate_names' >> my.cfg
43echo '' >> my.cfg
44
45echo
46echo step 1a
47winpty openssl req \
48 -new \
49 -x509 \
50 -nodes \
51 -days 3000 \
52 -out server.crt \
53 -keyout server.key \
54 -subj '//SKIP=this/CN=localhost/emailAddress=dev@thrift.apache.org/OU=Apache Thrift/O=The Apache Software Foundation/L=Forest Hill/ST=Maryland/C=US' \
55 -extensions v3_ca \
56 -config my.cfg
57
58echo
59echo step 1b
60openssl x509 -in server.crt -text > CA.pem
61
62echo
63echo step 1c
64cat server.crt server.key > server.pem
65
66echo
67echo step 2
68echo 'Use "thrift" as password (without the quotes)'
69winpty openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12
70
71echo
72echo step 3
73winpty openssl genrsa -out client.key
74
75
76echo
77echo step 4
78winpty openssl req \
79 -new \
80 -subj '//SKIP=this/CN=localhost/emailAddress=dev@thrift.apache.org/OU=Apache Thrift/O=The Apache Software Foundation/L=Forest Hill/ST=Maryland/C=US' \
81 -key client.key \
82 -out client.csr
83
84echo
85echo step 5
86winpty openssl x509 -req -days 3000 -in client.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client.crt
87
88
89echo
90echo step 6
91winpty openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
92
93
94echo
95echo step 7
96winpty openssl pkcs12 -in client.p12 -out client.pem -clcerts
97
98
99echo
100echo step 8a
101openssl genrsa -out client_v3.key
102
103echo
104echo step 8b
105winpty openssl req \
106 -new \
107 -subj '//SKIP=this/CN=localhost/emailAddress=dev@thrift.apache.org/OU=Apache Thrift/O=The Apache Software Foundation/L=Forest Hill/ST=Maryland/C=US' \
108 -key client_v3.key \
109 -out client_v3.csr \
110 -extensions v3_req \
111 -config my.cfg
112
113
114echo
115echo step 9
116winpty openssl x509 -req -days 3000 -in client_v3.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client_v3.crt -extensions v3_req -extfile my.cfg
117
118echo
119echo cleanup
120rm *.cfg 2> /dev/null
121rm *.csr 2> /dev/null
122
123echo
124echo test
125openssl s_client -connect localhost:9090 &
126openssl s_server -accept 9090 -www
127
128echo
129echo done
130
131