Posted to commits@qpid.apache.org by gm...@apache.org on 2016/06/27 13:12:52 UTC

qpid-dispatch git commit: NO-JIRA - Modified gencerts_openssl.sh to include creation of an intermediate CA and create the certs from it

Repository: qpid-dispatch
Updated Branches:
  refs/heads/master 7e6a9156b -> 7ff381269


NO-JIRA - Modified gencerts_openssl.sh to include creation of an intermediate CA and create the certs from it


Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/7ff38126
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/7ff38126
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/7ff38126

Branch: refs/heads/master
Commit: 7ff38126966b34ca7c2170047d65afc0279e40aa
Parents: 7e6a915
Author: Ganesh Murthy <gm...@redhat.com>
Authored: Mon Jun 27 09:12:34 2016 -0400
Committer: Ganesh Murthy <gm...@redhat.com>
Committed: Mon Jun 27 09:12:34 2016 -0400

----------------------------------------------------------------------
 tests/ssl_certs/gencerts_openssl.sh | 40 ++++++++++++++++++++++++++------
 tests/ssl_certs/v3_ca.ext           |  1 +
 2 files changed, 34 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/7ff38126/tests/ssl_certs/gencerts_openssl.sh
----------------------------------------------------------------------
diff --git a/tests/ssl_certs/gencerts_openssl.sh b/tests/ssl_certs/gencerts_openssl.sh
index 2b20c93..e45d141 100755
--- a/tests/ssl_certs/gencerts_openssl.sh
+++ b/tests/ssl_certs/gencerts_openssl.sh
@@ -1,6 +1,6 @@
 #!/bin/bash -ex
 
-# Creates a root CA and creates password protected server and client certificates using openssl commands
+# Creates a root CA and intermediate CA and creates password protected server and client certificates using openssl commands
 
 ##### Create root CA #####
 # Create a password protected private key for root CA
@@ -9,16 +9,36 @@ openssl genrsa -aes256 -passout pass:ca-password -out ca-private-key.pem 4096
 # Use the private key to create a root CA cert
 openssl req -key ca-private-key.pem -new -x509 -days 99999 -sha256 -out ca-certificate.pem -passin pass:ca-password -subj "/C=US/ST=New York/L=Brooklyn/O=Trust Me Inc./CN=Trusted.CA.com"
 
-##### Create a server certificate signed by the root CA #####
+
+
+##### Create an intermediate CA #####
+# Create a password protected private key for the intermediate CA
+openssl genrsa -aes256 -passout pass:intermediate-ca-password -out intermediate-ca-private-key.pem 4096
+
+# Create a CSR using the private key created from the previous step
+openssl req -new -key intermediate-ca-private-key.pem -passin pass:intermediate-ca-password -out intermediate.csr -subj "/C=US/ST=FL/L=Miami/O=Server/CN=Trusted.IntermediateCA.com"
+
+# Create the intermediate signed certificate signed by the root CA
+# Note here that the v3_ca.ext file sets basicConstraints=critical, CA:true which means that the issued certificate is for a Certificate Authority, in this case an intermediate CA
+# and this certificate must not be used to create further CA certificates
+openssl x509 -req -in intermediate.csr -CA ca-certificate.pem -CAkey ca-private-key.pem -CAcreateserial -days 9999 -out intermediate-ca-certificate.pem -passin pass:ca-password -extfile v3_ca.ext
+
+# Concatenate the intermediate-ca-certificate.pem and ca-certificate.pem to form the ca-chain-cert.pem
+cat ca-certificate.pem intermediate-ca-certificate.pem > ca-chain-cert.pem
+
+
+
+##### Create a server certificate signed by the intermediate CA #####
 # Create a password protected server private key which will be used to create the server certificate
 openssl genrsa -aes256 -passout pass:server-password -out server-private-key.pem 4096
 
 # Create a CSR using the private key created from the previous step
-openssl req -new -key server-private-key.pem -passin pass:server-password -out server.csr -subj "/C=US/ST=CA/L=San Francisco/O=Server/CN=127.0.0.1"
+openssl req -new -key server-private-key.pem -passin pass:server-password -out server.csr -subj "/C=US/ST=CA/L=San Francisco/O=Server/CN=server.com"
 
 # Now the CSR has been created and must be sent to the CA.
-# The root CA receives the CSR and runs this command to create a server certificate (server-certificate.pem)
-openssl x509 -req -in server.csr -CA ca-certificate.pem -CAkey ca-private-key.pem -CAcreateserial -days 9999 -out server-certificate.pem -passin pass:ca-password
+# The intermediate CA receives the CSR and runs this command to create a server certificate (server-certificate.pem)
+openssl x509 -req -in server.csr -CA intermediate-ca-certificate.pem -CAkey intermediate-ca-private-key.pem -CAcreateserial -days 9999 -out server-certificate.pem -passin pass:intermediate-ca-password
+
 
 
 ##### Create a client certificate signed by the root CA #####
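Review bot: The comment above the intermediate signing command (`-extfile v3_ca.ext`) says this certificate must not be used to create further CA certificates, but the new v3_ca.ext only sets `basicConstraints=critical, CA:true` with no path-length limit, so nothing in the issued certificate enforces that — a sub-CA signed by this intermediate would still verify against ca-chain-cert.pem. Either constrain it in the v3_ca.ext hunk, `basicConstraints=critical, CA:true, pathlen:0` (a `keyUsage=critical, keyCertSign, cRLSign` line would also be conventional for a CA certificate), or soften the comment to say the restriction is by convention only. Separately, the server `openssl x509 -req` invocation passes no `-extfile`, so the leaf certificate carries no extensions (no subjectAltName); since the CN also changed from 127.0.0.1 to server.com, tests that verify the peer hostname or connect to 127.0.0.1 may be affected — worth confirming against the consumers of these fixtures. The client-certificate section header at the end of this hunk still says `signed by the root CA` even though the client certificate is now signed by the intermediate (see the next hunk).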
@@ -26,8 +46,14 @@ openssl x509 -req -in server.csr -CA ca-certificate.pem -CAkey ca-private-key.pe
 openssl genrsa -aes256 -passout pass:client-password -out client-private-key.pem 4096
 
 # Create a CSR using the client private key created from the previous step
-openssl req -new -key client-private-key.pem -passin pass:client-password -out client.csr -subj "/C=US/ST=CA/L=San Francisco/O=Client/CN=127.0.0.1"
+openssl req -new -key client-private-key.pem -passin pass:client-password -out client.csr -subj "/C=US/ST=CA/L=San Francisco/O=Client/CN=client.com"
 
 # Now the CSR has been created and must be sent to the CA.
 # The root CA receives the CSR and runs this command to create a client certificate (client_certificate.pem)
-openssl x509 -req -in client.csr -CA ca-certificate.pem -CAkey ca-private-key.pem -CAcreateserial -days 9999 -out client-certificate.pem -passin pass:ca-password
\ No newline at end of file
+openssl x509 -req -in client.csr -CA intermediate-ca-certificate.pem -CAkey intermediate-ca-private-key.pem -CAcreateserial -days 9999 -out client-certificate.pem -passin pass:intermediate-ca-password
+
+
+# Verify the certs with the cert chain
+openssl verify -verbose -CAfile ca-chain-cert.pem server-certificate.pem
+openssl verify -verbose -CAfile ca-chain-cert.pem client-certificate.pem
+openssl verify -verbose -CAfile ca-chain-cert.pem intermediate-ca-certificate.pem
\ No newline at end of file
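Review bot: The context comment `# The root CA receives the CSR and runs this command to create a client certificate (client_certificate.pem)` is now stale: the command below it signs with `-CA intermediate-ca-certificate.pem -CAkey intermediate-ca-private-key.pem`, so it should read `# The intermediate CA receives the CSR and runs this command to create a client certificate (client-certificate.pem)` (the output file is client-certificate.pem, not client_certificate.pem). The same applies to the section header `##### Create a client certificate signed by the root CA #####` immediately before this hunk. The added `openssl verify -CAfile ca-chain-cert.pem` checks do confirm the chain builds and will abort the script under `-ex` if it does not, but they cannot detect a missing path-length constraint on the intermediate. The file still ends without a trailing newline; adding one avoids the `\ No newline at end of file` marker on every future change.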

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/7ff38126/tests/ssl_certs/v3_ca.ext
----------------------------------------------------------------------
diff --git a/tests/ssl_certs/v3_ca.ext b/tests/ssl_certs/v3_ca.ext
new file mode 100644
index 0000000..616de37
--- /dev/null
+++ b/tests/ssl_certs/v3_ca.ext
@@ -0,0 +1 @@
+basicConstraints=critical, CA:true
\ No newline at end of file

