Add Test CA and simple certs for testing
This commit is contained in:
parent
190f0ed36b
commit
c4cd54e020
20
files/ssl/certs/ca.crt
Normal file
20
files/ssl/certs/ca.crt
Normal file
@ -0,0 +1,20 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDVDCCAjygAwIBAgIUInouaHzfe4GFGlCYFmIi0AvWHEowDQYJKoZIhvcNAQEL
|
||||
BQAwGTEXMBUGA1UEAwwOVmVpbGlkIFRlc3QgQ0EwHhcNMjExMTIyMTM0OTE5WhcN
|
||||
MzExMTIwMTM0OTE5WjAZMRcwFQYDVQQDDA5WZWlsaWQgVGVzdCBDQTCCASIwDQYJ
|
||||
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMqKTFn4FCcKWysW8NbQZwysKUlwI9kc
|
||||
S4CYy1+4eQC7Tn0eILG3+WfGCjAgRx72co+852NjsNnVwPVh8Xr7RdjyPscp4HTJ
|
||||
jObVC93GofiAKFld2038A3/rsA5DoXyiUj2/nhBdw+aO1yiBXdEw7tIUZLUJ46Ku
|
||||
QapuGXtL4xYXPAxhPhn5PY6xAWkar+6E9tv3g1BknxWlGmfulYaf1dAg2ra0Lswu
|
||||
fiZfepPq9iwhiUlOSo3sWy7ObF+3TxWlQxMpGC1LiAmA4XEyWp2tDOV90B98yLQK
|
||||
2pBhEexGaAJYy7DgZUNOV/WpjzLdDccXrQV9NoKXMOqsYC8MgDV2KjUCAwEAAaOB
|
||||
kzCBkDAdBgNVHQ4EFgQUXX+NrxpW0/TKPdNt71AR92SZbwIwVAYDVR0jBE0wS4AU
|
||||
XX+NrxpW0/TKPdNt71AR92SZbwKhHaQbMBkxFzAVBgNVBAMMDlZlaWxpZCBUZXN0
|
||||
IENBghQiei5ofN97gYUaUJgWYiLQC9YcSjAMBgNVHRMEBTADAQH/MAsGA1UdDwQE
|
||||
AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAfL9k5ZrsnFTXrcBsCNhgqll0dwutbn36
|
||||
RzpE6bKZwGAYU3irdFFM3+D2zxaN/H665yL07uLn+XxrgIEplHAao5NSSxeYDUJo
|
||||
5BV5rmnOy+bSDrSfEGvV0OA/WWhPVFAtq2SQnC6GW5YbmzaHIoOunEv2EQrg8yKP
|
||||
pgff16xi+XFuAsR7Z4Cpbkb687Z878a4UaSWP/knnJM8Tjjl2wwxxTbWOvK9hbG3
|
||||
3+L4G6xxXbgvXw2VR8rIUMK44u0xXb3Vwq4dHU6HZZwTNaEs41vNVrCZV45hu8NX
|
||||
ZmcNEdDTPZQ67n+R4pJnbxDFLbTFEU/NZiCjug0jtjzHeRxnAntDFw==
|
||||
-----END CERTIFICATE-----
|
88
files/ssl/certs/test.crt
Normal file
88
files/ssl/certs/test.crt
Normal file
@ -0,0 +1,88 @@
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number:
|
||||
12:ce:63:bd:90:f5:ab:de:6d:7f:d7:3e:f3:e6:bb
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
Issuer: CN=Veilid Test CA
|
||||
Validity
|
||||
Not Before: Nov 22 13:52:16 2021 GMT
|
||||
Not After : Feb 25 13:52:16 2024 GMT
|
||||
Subject: CN=Veilid Test Certificate
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
RSA Public-Key: (2048 bit)
|
||||
Modulus:
|
||||
00:cb:2e:7a:47:81:be:6f:6b:53:37:51:c1:50:68:
|
||||
5a:44:3d:ba:b9:9b:78:40:84:35:d4:0e:e8:41:a6:
|
||||
0e:0a:b9:34:ae:97:a3:37:3e:81:ed:6c:0f:f8:8a:
|
||||
8b:0b:1a:ed:06:97:57:6d:49:a5:ec:b4:c4:d8:6d:
|
||||
d2:57:c3:87:89:99:ee:b0:d7:c5:82:a1:dc:d5:98:
|
||||
b3:ef:10:da:c0:5c:38:a2:bb:15:3e:0e:5e:bc:a0:
|
||||
cd:a1:f0:07:67:bb:57:3f:89:cc:72:4f:bb:c0:a7:
|
||||
ed:ad:15:07:61:c2:b4:21:73:39:00:9b:8f:aa:04:
|
||||
1b:c4:9d:d4:00:44:87:b1:79:b4:e1:4e:01:3c:ee:
|
||||
a4:bb:f9:ad:5d:88:41:03:b4:bf:df:bf:71:24:ee:
|
||||
0b:69:59:55:dd:43:d1:91:04:de:98:9c:54:f2:ee:
|
||||
63:78:fe:76:19:bf:e6:5d:d6:58:81:3c:1b:02:3d:
|
||||
5d:cc:70:4a:c1:84:06:f6:1a:db:16:b0:e0:30:b0:
|
||||
3a:85:41:48:a1:88:c5:38:04:7b:03:c4:86:f0:da:
|
||||
1a:ff:bc:d1:ac:7f:cd:0c:e8:5a:42:5e:43:7f:0d:
|
||||
61:5d:41:67:0f:b8:07:47:21:93:44:b2:ab:fa:d8:
|
||||
69:bb:b9:6d:a1:56:6d:23:54:aa:49:67:e7:57:c6:
|
||||
e9:c7
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints:
|
||||
CA:FALSE
|
||||
X509v3 Subject Key Identifier:
|
||||
70:ED:B0:96:71:33:43:16:EF:32:FF:69:11:C9:F0:02:3F:6C:81:88
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:5D:7F:8D:AF:1A:56:D3:F4:CA:3D:D3:6D:EF:50:11:F7:64:99:6F:02
|
||||
DirName:/CN=Veilid Test CA
|
||||
serial:22:7A:2E:68:7C:DF:7B:81:85:1A:50:98:16:62:22:D0:0B:D6:1C:4A
|
||||
|
||||
X509v3 Extended Key Usage:
|
||||
TLS Web Server Authentication
|
||||
X509v3 Key Usage:
|
||||
Digital Signature, Key Encipherment
|
||||
X509v3 Subject Alternative Name:
|
||||
DNS:Veilid Test Certificate
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
b8:fc:ac:62:d6:95:af:09:db:24:7d:82:2c:02:e1:d0:7b:f5:
|
||||
69:03:a4:42:55:c6:0d:2a:f1:9d:0e:c4:9b:78:40:7d:0d:7d:
|
||||
ec:66:f6:c4:6d:06:d0:5b:58:de:ba:e6:67:ea:af:41:a3:87:
|
||||
b4:37:8b:a8:1f:51:ae:70:e0:0d:f5:51:0a:7a:b3:b3:1d:d1:
|
||||
77:92:63:35:ae:50:9e:04:3d:04:6e:f1:60:c8:e3:8f:1f:75:
|
||||
47:05:27:a0:ff:c5:1b:30:68:b2:f9:5b:e6:f2:81:0f:9b:f2:
|
||||
e8:8c:9d:b6:57:b2:c1:29:e7:d0:d0:88:b3:ba:8e:78:2e:ef:
|
||||
ce:03:a3:12:fa:b4:e9:4e:1f:de:1a:cb:77:72:6b:71:98:02:
|
||||
37:d2:b4:02:f0:2c:08:67:ca:75:0d:af:81:bf:f8:57:f8:d9:
|
||||
4a:93:4f:db:3c:e1:af:3e:ab:9c:fe:87:f0:3a:01:21:6a:5c:
|
||||
99:83:e3:03:47:98:15:23:24:b3:ee:29:27:f4:f1:34:c1:e4:
|
||||
f8:39:5a:92:da:c7:08:dc:71:87:1c:ff:67:e7:ef:24:bc:34:
|
||||
e3:4e:e0:16:12:84:60:d4:7f:a2:c0:5b:85:a9:c5:ef:78:0b:
|
||||
c3:64:cb:b4:05:eb:51:e5:c1:0f:60:da:5c:98:08:bf:5d:b9:
|
||||
1d:33:a7:26
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDjjCCAnagAwIBAgIPEs5jvZD1q95tf9c+8+a7MA0GCSqGSIb3DQEBCwUAMBkx
|
||||
FzAVBgNVBAMMDlZlaWxpZCBUZXN0IENBMB4XDTIxMTEyMjEzNTIxNloXDTI0MDIy
|
||||
NTEzNTIxNlowIjEgMB4GA1UEAwwXVmVpbGlkIFRlc3QgQ2VydGlmaWNhdGUwggEi
|
||||
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLLnpHgb5va1M3UcFQaFpEPbq5
|
||||
m3hAhDXUDuhBpg4KuTSul6M3PoHtbA/4iosLGu0Gl1dtSaXstMTYbdJXw4eJme6w
|
||||
18WCodzVmLPvENrAXDiiuxU+Dl68oM2h8Adnu1c/icxyT7vAp+2tFQdhwrQhczkA
|
||||
m4+qBBvEndQARIexebThTgE87qS7+a1diEEDtL/fv3Ek7gtpWVXdQ9GRBN6YnFTy
|
||||
7mN4/nYZv+Zd1liBPBsCPV3McErBhAb2GtsWsOAwsDqFQUihiMU4BHsDxIbw2hr/
|
||||
vNGsf80M6FpCXkN/DWFdQWcPuAdHIZNEsqv62Gm7uW2hVm0jVKpJZ+dXxunHAgMB
|
||||
AAGjgckwgcYwCQYDVR0TBAIwADAdBgNVHQ4EFgQUcO2wlnEzQxbvMv9pEcnwAj9s
|
||||
gYgwVAYDVR0jBE0wS4AUXX+NrxpW0/TKPdNt71AR92SZbwKhHaQbMBkxFzAVBgNV
|
||||
BAMMDlZlaWxpZCBUZXN0IENBghQiei5ofN97gYUaUJgWYiLQC9YcSjATBgNVHSUE
|
||||
DDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBaAwIgYDVR0RBBswGYIXVmVpbGlkIFRl
|
||||
c3QgQ2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggEBALj8rGLWla8J2yR9giwC
|
||||
4dB79WkDpEJVxg0q8Z0OxJt4QH0Nfexm9sRtBtBbWN665mfqr0Gjh7Q3i6gfUa5w
|
||||
4A31UQp6s7Md0XeSYzWuUJ4EPQRu8WDI448fdUcFJ6D/xRswaLL5W+bygQ+b8uiM
|
||||
nbZXssEp59DQiLO6jngu784DoxL6tOlOH94ay3dya3GYAjfStALwLAhnynUNr4G/
|
||||
+Ff42UqTT9s84a8+q5z+h/A6ASFqXJmD4wNHmBUjJLPuKSf08TTB5Pg5WpLaxwjc
|
||||
cYcc/2fn7yS8NONO4BYShGDUf6LAW4Wpxe94C8Nky7QF61HlwQ9g2lyYCL9duR0z
|
||||
pyY=
|
||||
-----END CERTIFICATE-----
|
27
files/ssl/keys-decrypted/test.key
Normal file
27
files/ssl/keys-decrypted/test.key
Normal file
@ -0,0 +1,27 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEpAIBAAKCAQEAyy56R4G+b2tTN1HBUGhaRD26uZt4QIQ11A7oQaYOCrk0rpej
|
||||
Nz6B7WwP+IqLCxrtBpdXbUml7LTE2G3SV8OHiZnusNfFgqHc1Ziz7xDawFw4orsV
|
||||
Pg5evKDNofAHZ7tXP4nMck+7wKftrRUHYcK0IXM5AJuPqgQbxJ3UAESHsXm04U4B
|
||||
PO6ku/mtXYhBA7S/379xJO4LaVlV3UPRkQTemJxU8u5jeP52Gb/mXdZYgTwbAj1d
|
||||
zHBKwYQG9hrbFrDgMLA6hUFIoYjFOAR7A8SG8Noa/7zRrH/NDOhaQl5Dfw1hXUFn
|
||||
D7gHRyGTRLKr+thpu7ltoVZtI1SqSWfnV8bpxwIDAQABAoIBAQCae5MjbUWC56JU
|
||||
7EdEQKNpQVoIp2mt/BgFTPRQfdYtVxX0LX0+krss7r3R5lzDq8xN96HUiWur5uHI
|
||||
APAuJI+YEr8GHHii0zjZ+onMmg8ItNWm/QGwtjJXzxeqKZsnxqwWtkoJHBCP8d5n
|
||||
fBapwOU+jaHokV6RESCfxLSdI33cdGcOgDAn4/lvcXZ4Pq0qbitFuZwBPpobHbp4
|
||||
Mo94K7oh4KCt3FDMfZshkSF0wlquRIeUsI2uZUofybDa/j1RgEsqBZIrHqM6xXV1
|
||||
/r13+mMZC4otE0qhBV9jTYffaxooOnae8/Ve0FgaPWpNm7AD6p7l4a3csIkcggMS
|
||||
xx7cntR5AoGBAOvPgDDLJ7h+AgY7jAd13/eZ75NtuEWbSq4c4Kwwy1K17L+3isX/
|
||||
RRkQ5qGTNsT6j1dddfwzX6Rhsi+JywczEdJdWgGNpFCIa8Ly2+47YLDpv0ZIISIZ
|
||||
V0Ngg6dyuuQo7gFlLz9Dhe/If32/93gEW6HZOjn+GmQu53ZSDdHvukpjAoGBANyT
|
||||
0GZzaP2ulV3Pk+9nJhC6eK2BZWF4ODXHsAgNUEyWZ4qDM71oDxyFbaWS2IDg7jz7
|
||||
T2wVffRFDcx8oNXWbhWbejSBGHWI8HRk0Ki83K0r7Cj8Uhy53rQjGOsdLf3K9T9h
|
||||
GGVcwMHlBGIvswqTnJKysvgcoh1Ir+6RqbfCmG5NAoGAaVa8UQ+vor7HcLlRCFQj
|
||||
xJvDZfxxgMaqSbUkuEbjzQLvy4TWPTSXTWc7X5o/sSasub5KYmsgonHyA0Juq7yo
|
||||
jWyeNGttp3wJh4CttnJX8y+3/lFiW7UuQi7vIPIjgqC2EXF99ajYQBE0wpvqlHZ9
|
||||
6IL9e8KDT5WUWEq3WbzZXzkCgYB/0Md6FnZISdoTui0nFMZh+yvinpB4ookv4L6I
|
||||
a+6T8rOc99oLbzkSdd7LiwQZ6j0i6R1krC+IVFtimvU39EFmE+oEcqoRsYBkcebX
|
||||
YFkfn8wBE/Ug4DPEfnH6C7aS0gC68TCJy+2GbYbUvn8pKdAY0aQTUcQ+49fOjmmi
|
||||
KgjaIQKBgQDoT0af/7a7LnY9dkbkz624HmNVyMPOa4/STrdxyy3NRhq/dysRW+At
|
||||
x30nvCWpv0Z5BAyaUCrRWPGFxhv3/Z7qb4fx5uUbC3Jc04I5D6fwYqrQofGS8TMK
|
||||
Lrg83o5Ag++pllu1IeWiGQPRbn7VZ+O6pISgpRpYBexXGyLJ6wtcAw==
|
||||
-----END RSA PRIVATE KEY-----
|
30
files/ssl/keys/test.key
Normal file
30
files/ssl/keys/test.key
Normal file
@ -0,0 +1,30 @@
|
||||
-----BEGIN ENCRYPTED PRIVATE KEY-----
|
||||
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIgpTGP+qhFisCAggA
|
||||
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECLU8ddNZ6jJ3BIIEyMB/nTIXTaUO
|
||||
n8Oe/ld7JjX1jeiQUuXP9oEYT0Ehi5F5IIQ3zUDUrJujJP+iMniX1OafmzmtcQGc
|
||||
pAmGLAyhJS3p5ILlzvZGjjF19QItKGDno/cwHjQMY0ldj1CfjdGf809DQRdo4q8H
|
||||
2jlGUmtMs83DhsxrlWf9Stia/4s/L+zOvpTaVFXn7UMvVtM2LXWF7GdyRIx6a5w4
|
||||
fXOA6FWGY4ZvSzfkadKJSgyGPEwOW51tLJ+BYZpstrSvgh3VWPtluH0zSFdlOH3t
|
||||
N5V5aQzjoeJyP7uTU09Vzp3zjux1uijmzMHnF2LSw8kGmPRIfWKF91LNn12TUNQu
|
||||
oQLkFWXYRIRBDcEKetr4zkOtvp/JPNOkX44D3Zexl2KhHBqG2hDyOQZ03QN+9H7h
|
||||
PUE4MAHsfx7s62sr7TJ/GHC170ZDtgj6HZAjxjs5D7lkPmKSQoods7sCENMadZiX
|
||||
G0ljz/FTHzpMhhpeaRFqQfE7B3F9K6yQttoxxjAhAX+mOD1ho6NSV7KDN1cESKXB
|
||||
4+afwxGV/Gp3tEk6aAbEz8ntqS+lAE1iOXLzbKPmzFs5CCXDs3/EvvLRh3MPtNkz
|
||||
LcNjFypDL4CCCrxlSVMWce6iouSWyiet+3iwr+YuDx+3U9iMYyTrtL0pQSGiC/3s
|
||||
LZloWf7sWT5zab+KSnhxCu3BsazSqShIRsC1lLziJGQnING1m1bw6nG0gph2vzSJ
|
||||
N/ewIANJkby6XP9e/vJipPyI7xHD2aHUQLBU+Zmc7GhZWgVoAfHs/OvqwmTG2wHX
|
||||
10LVpDX6Fr3wBSqsdtPKH7hNBS2Y/Q/plJk/KwyZ7qlby1SMUYj86vtvcZRG4gn/
|
||||
9Mp72//FqfMrvXaBSZKR3SdR6tZTjBY9w1hUJ/c1HfRQYPISgPU9zSSPgRZtrlwx
|
||||
3/FPp6i2YnfpAFWn9zFkFcUCqdEIWjK50K+v+JAUnD+7aCaznA4/yCAonXGjZwcj
|
||||
eVgk5TJ4OfCVx5JE+HLXDWJSU115rMOUYXm5Jpo/j+ZKakM3diU2opW5ocgrHUl2
|
||||
OwinKMiSwVK2NiLZyv4jcCJdyZI+CqvxqIU9X1fDbJP0v9pm3ANzyii6gPaO57e3
|
||||
NZfmrMSqdlIq93wNIi2oZD7hgKwTBj1p/zxOTbP+QY1Ku8oFfXcF9dh32BBL+cHa
|
||||
aza+RkkGzJ+qBRF6Ub7FmcY/y6r+eOvof+c4drTE5icKP5lzpB85ZuUduF535p5d
|
||||
Y4dy3MM2h/t4dk7xmWp5EAZRRvKBUd7SYyi3a+LyTtHGS8FKdRCENXQi47RUlAqO
|
||||
RpzAgYhchqnRDup2Tmu+MtDTPoOht55haM38kXJZ4LxACzPpYHQ6E37BT77K3Qjh
|
||||
HgLxi/Hr97ZxiuPl7Tq113ljEB5xX1RGgn+s3F+/xxFEJojvGdNJXFWtE2BMSBQb
|
||||
JhFkCyVYsqztBt6kLAJosYA0HornidYYwznswe+d+3ruHicax99JEA2m9xnB3LGy
|
||||
A9+SJCbhS9m+hO10KalW8nuUtX1lXP0ZmjuoYrLMLmv9ihH/CoxmHynMPgFVCXih
|
||||
RRGQmuS+PYBIFs1EShT04Ic280QT00un90ydaUZS3uad9qt7gNbNJ3UW3XqyWf14
|
||||
2Gscnl0IXL4gKNNUxKPeGg==
|
||||
-----END ENCRYPTED PRIVATE KEY-----
|
33
files/test-ca/COPYING.md
Normal file
33
files/test-ca/COPYING.md
Normal file
@ -0,0 +1,33 @@
|
||||
Easy-RSA -- A Shell-based CA Utility
|
||||
====================================
|
||||
|
||||
Copyright (C) 2013 by the Open-Source OpenVPN development community
|
||||
|
||||
Easy-RSA 3 license: GPLv2
|
||||
-------------------------
|
||||
|
||||
All the Easy-RSA code contained in this project falls under a GPLv2 license with
|
||||
full text available in the Licensing/ directory. Additional components used by
|
||||
this project fall under additional licenses:
|
||||
|
||||
Additional licenses for external components
|
||||
-------------------------------------------
|
||||
|
||||
The following components are under different licenses; while not part of the
|
||||
Easy-RSA source code, these components are used by Easy-RSA or provided in
|
||||
platform distributions as described below:
|
||||
|
||||
### OpenSSL
|
||||
|
||||
OpenSSL is not linked by Easy-RSA, nor is it currently provided in any release
|
||||
package by Easy-RSA. However, Easy-RSA is tightly coupled with OpenSSL, so
|
||||
effective use of this code will require your acceptance and installation of
|
||||
OpenSSL.
|
||||
|
||||
### Additional Windows Components
|
||||
|
||||
The Windows binary package includes mksh/Win32 and unxutils binary components,
|
||||
with full licensing details available in the distro/windows/Licensing/
|
||||
subdirectory of this project. mksh/Win32 is under a MirOS license (with some
|
||||
additional component licenses present there) and unxutils is under a GPLv2
|
||||
license.
|
144
files/test-ca/ChangeLog
Normal file
144
files/test-ca/ChangeLog
Normal file
@ -0,0 +1,144 @@
|
||||
Easy-RSA 3 ChangeLog
|
||||
|
||||
3.0.8 (2020-09-09)
|
||||
* Provide --version option (#372)
|
||||
* Version information now within generated certificates like on *nix
|
||||
* Fixed issue where gen-dh overwrote existing files without warning (#373)
|
||||
* Fixed issue with ED/EC certificates were still signed by RSA (#374)
|
||||
* Added support for export-p8 (#339)
|
||||
* Clarified error message (#384)
|
||||
* 2->3 upgrade now errors and prints message when vars isn't found (#377)
|
||||
* Update OpenSSL Windows binaries to 1.1.1g
|
||||
|
||||
3.0.7 (2020-03-30)
|
||||
* Include OpenSSL libs and binary for Windows 1.1.0j
|
||||
* Remove RANDFILE environment variable (#261)
|
||||
* Workaround for bug in win32 mktemp (#247, #305, PR #312)
|
||||
* Handle IP address in SAN and renewals (#317)
|
||||
* Workaround for ash and no set -o echo (#319)
|
||||
* Shore up windows testing framework (#314)
|
||||
* Provide upgrade mechanism for older versions of EasyRSA (#349)
|
||||
* Add support for KDC certificates (#322)
|
||||
* Add support for Edward Curves (#354, #350)
|
||||
* Add support for EASYRSA_PASSIN and EASYRSA_PASSOUT env vars (#368)
|
||||
* Add support for RID to SAN (#362)
|
||||
|
||||
3.0.6 (2019-02-01)
|
||||
* Certificates that are revoked now move to a revoked subdirectory (#63)
|
||||
* EasyRSA no longer clobbers non-EASYRSA environment variables (#277)
|
||||
* More sane string checking, allowing for commas in CN (#267)
|
||||
* Support for reasonCode in CRL (#280)
|
||||
* Better handling for capturing passphrases (#230, others)
|
||||
* Improved LibreSSL/MacOS support
|
||||
* Adds support to renew certificates up to 30 days before expiration (#286)
|
||||
- This changes previous behavior allowing for certificate creation using
|
||||
duplicate CNs.
|
||||
|
||||
3.0.5 (2018-09-15)
|
||||
* Fix #17 & #58: use AES256 for CA key
|
||||
* Also, don't use read -s, use stty -echo
|
||||
* Fix broken "nopass" option
|
||||
* Add -r to read to stop errors reported by shellcheck (and to behave)
|
||||
* Remove overzealous quotes around $pkcs_opts (more SC errors)
|
||||
* Support for LibreSSL
|
||||
* EasyRSA version will be reported in certificate comments
|
||||
* Client certificates now expire in 3 year (1080 days) by default
|
||||
|
||||
3.0.4 (2018-01-21)
|
||||
* Remove use of egrep (#154)
|
||||
* Integrate with Travis-CI (#165)
|
||||
* Remove "local" from variable assignment (#165)
|
||||
* Other changes related to Travis-CI fixes
|
||||
* Assign values to variables defined previously w/local
|
||||
* Finally(?) fix the subjectAltName issues I presented earlier (really
|
||||
fixes #168)
|
||||
|
||||
3.0.3 (2017-08-22)
|
||||
* Include mktemp windows binary
|
||||
* copy CSR extensions into signed certificate
|
||||
|
||||
|
||||
3.0.2 (2017-08-21)
|
||||
* Add missing windows binaries
|
||||
|
||||
|
||||
3.0.1 (2015-10-25)
|
||||
* Correct some packaging errors
|
||||
|
||||
|
||||
3.0.0 (2015-09-07)
|
||||
|
||||
* cab4a07 Fix typo: Hellman
|
||||
(ljani: Github)
|
||||
|
||||
* 171834d Fix typo: Default
|
||||
(allo-: Github)
|
||||
|
||||
* 8b42eea Make aes256 default, replacing 3des
|
||||
(keros: Github)
|
||||
|
||||
* f2f4ac8 Make -utf8 default
|
||||
(roubert: Github)
|
||||
|
||||
|
||||
3.0.0-rc2 (2014/07/27)
|
||||
|
||||
* 1551e5f docs: fix typo
|
||||
(Josh Cepek <josh.cepek@usa.net>)
|
||||
|
||||
* 7ae44b3 Add KNOWN_ISSUES to stage next -rc release
|
||||
(Josh Cepek <josh.cepek@usa.net>)
|
||||
|
||||
* a0d58b2 Update documentation
|
||||
(Josh Cepek <josh.cepek@usa.net>)
|
||||
|
||||
* 5758825 Fix vars.example with proper path to extensions.temp
|
||||
(Josh Cepek <josh.cepek@usa.net>)
|
||||
|
||||
* 89f369c Add support to change private key passphrases
|
||||
(Josh Cepek <josh.cepek@usa.net>)
|
||||
|
||||
* 49d7c10 Improve docs: add Upgrade-Notes; add online support refs
|
||||
(Josh Cepek <josh.cepek@usa.net>)
|
||||
|
||||
* fcc4547 Add build-dist packaging script; update Building docs
|
||||
(Josh Cepek <josh.cepek@usa.net>)
|
||||
|
||||
* f74d08e docs: update Hacking.md with layout & git conventions
|
||||
(Josh Cepek <josh.cepek@usa.net>)
|
||||
|
||||
* 0754f23 Offload temp file removal to a clean_temp() function
|
||||
(Josh Cepek <josh.cepek@usa.net>)
|
||||
|
||||
* 1c90df9 Fix incorrect handling of invalid --use-algo option
|
||||
(Josh Cepek <josh.cepek@usa.net>)
|
||||
|
||||
* c86289b Fix batch-mode handling with changes in e75ad75
|
||||
(Josh Cepek <josh.cepek@usa.net>)
|
||||
|
||||
* e75ad75 refine how booleans are evaluated
|
||||
(Eric F Crist <ecrist@secure-computing.net>)
|
||||
|
||||
* cc19823 Merge PKCS#7 feature from pull req #14
|
||||
(Author: Luiz Angelo Daros de Luca <luizluca@tre-sc.gov.br>)
|
||||
(Modified-By: Josh Cepek <josh.cepek@usa.net>)
|
||||
|
||||
* 8b1fe01 Support OpenSSL-0.9.8 with the EXTRA_EXTS feature
|
||||
(Josh Cepek <josh.cepek@usa.net>)
|
||||
|
||||
* d5516d5 Windows: make builds easier by using a matching dir structure
|
||||
(Josh Cepek <josh.cepek@usa.net>)
|
||||
|
||||
* dc2e6dc Windows: improve external checks and env-var help
|
||||
(Josh Cepek <josh.cepek@usa.net>)
|
||||
|
||||
3.0.0-rc1 (2013/12/01)
|
||||
|
||||
* The 3.x release is a nearly complete re-write of the 2.x codebase
|
||||
|
||||
* Initial 3.x series code by Josh Cepek <josh.cepek@usa.net> -- continuing
|
||||
maintenance by the OpenVPN community development team and associated
|
||||
contributors
|
||||
|
||||
* Add ECDSA (elliptic curve) support, thanks to Steffan Karger
|
||||
<steffan@karger.me>
|
52
files/test-ca/README.md
Normal file
52
files/test-ca/README.md
Normal file
@ -0,0 +1,52 @@
|
||||
# Overview
|
||||
|
||||
easy-rsa is a CLI utility to build and manage a PKI CA. In laymen's terms,
|
||||
this means to create a root certificate authority, and request and sign
|
||||
certificates, including intermediate CAs and certificate revocation lists (CRL).
|
||||
|
||||
# Downloads
|
||||
|
||||
If you are looking for release downloads, please see the releases section on
|
||||
GitHub. Releases are also available as source checkouts using named tags.
|
||||
|
||||
# Documentation
|
||||
|
||||
For 3.x project documentation and usage, see the [README.quickstart.md](README.quickstart.md) file or
|
||||
the more detailed docs under the doc/ directory. The .md files are in Markdown
|
||||
format and can be converted to html files as desired for release packages, or
|
||||
read as-is in plaintext.
|
||||
|
||||
# Getting help using easy-rsa
|
||||
|
||||
Currently, Easy-RSA development co-exists with OpenVPN even though they are
|
||||
separate projects. The following resources are good places as of this writing to
|
||||
seek help using Easy-RSA:
|
||||
|
||||
The [openvpn-users mailing list](https://lists.sourceforge.net/lists/listinfo/openvpn-users)
|
||||
is a good place to post usage or help questions.
|
||||
|
||||
You can also try IRC at Freenode/#openvpn for general support or Freenode/#easyrsa for development discussion.
|
||||
|
||||
# Branch structure
|
||||
|
||||
The easy-rsa master branch is currently tracking development for the 3.x release
|
||||
cycle. Please note that, at any given time, master may be broken. Feel free to
|
||||
create issues against master, but have patience when using the master branch. It
|
||||
is recommended to use a release, and priority will be given to bugs identified in
|
||||
the most recent release.
|
||||
|
||||
The prior 2.x and 1.x versions are available as release branches for
|
||||
tracking and possible back-porting of relevant fixes. Branch layout is:
|
||||
|
||||
master <- 3.x, at present
|
||||
v3.x.x pre-release branches, used for staging branches
|
||||
release/2.x
|
||||
release/1.x
|
||||
|
||||
LICENSING info for 3.x is in the [COPYING.md](COPYING.md) file
|
||||
|
||||
# Code style, standards
|
||||
|
||||
We are attempting to adhere to the POSIX standard, which can be found here:
|
||||
|
||||
https://pubs.opengroup.org/onlinepubs/9699919799/
|
99
files/test-ca/README.quickstart.md
Normal file
99
files/test-ca/README.quickstart.md
Normal file
@ -0,0 +1,99 @@
|
||||
Easy-RSA 3 Quickstart README
|
||||
============================
|
||||
|
||||
This is a quickstart guide to using Easy-RSA version 3. Detailed help on usage
|
||||
and specific commands can be found by running ./easyrsa -h. Additional
|
||||
documentation can be found in the doc/ directory.
|
||||
|
||||
If you're upgrading from the Easy-RSA 2.x series, there are Upgrade-Notes
|
||||
available, also under the doc/ path.
|
||||
|
||||
Setup and signing the first request
|
||||
-----------------------------------
|
||||
|
||||
Here is a quick run-though of what needs to happen to start a new PKI and sign
|
||||
your first entity certificate:
|
||||
|
||||
1. Choose a system to act as your CA and create a new PKI and CA:
|
||||
|
||||
./easyrsa init-pki
|
||||
./easyrsa build-ca
|
||||
|
||||
2. On the system that is requesting a certificate, init its own PKI and generate
|
||||
a keypair/request. Note that init-pki is used _only_ when this is done on a
|
||||
separate system (or at least a separate PKI dir.) This is the recommended
|
||||
procedure. If you are not using this recommended procedure, skip the next
|
||||
import-req step.
|
||||
|
||||
./easyrsa init-pki
|
||||
./easyrsa gen-req EntityName
|
||||
|
||||
3. Transport the request (.req file) to the CA system and import it. The name
|
||||
given here is arbitrary and only used to name the request file.
|
||||
|
||||
./easyrsa import-req /tmp/path/to/import.req EntityName
|
||||
|
||||
4. Sign the request as the correct type. This example uses a client type:
|
||||
|
||||
./easyrsa sign-req client EntityName
|
||||
|
||||
5. Transport the newly signed certificate to the requesting entity. This entity
|
||||
may also need the CA cert (ca.crt) unless it had a prior copy.
|
||||
|
||||
6. The entity now has its own keypair, signed cert, and the CA.
|
||||
|
||||
Signing subsequent requests
|
||||
---------------------------
|
||||
|
||||
Follow steps 2-6 above to generate subsequent keypairs and have the CA return
|
||||
signed certificates.
|
||||
|
||||
Revoking certs and creating CRLs
|
||||
--------------------------------
|
||||
|
||||
This is a CA-specific task.
|
||||
|
||||
To permanently revoke an issued certificate, provide the short name used during
|
||||
import:
|
||||
|
||||
./easyrsa revoke EntityName
|
||||
|
||||
To create an updated CRL that contains all revoked certs up to that point:
|
||||
|
||||
./easyrsa gen-crl
|
||||
|
||||
After generation, the CRL will need to be sent to systems that reference it.
|
||||
|
||||
Generating Diffie-Hellman (DH) params
|
||||
-------------------------------------
|
||||
|
||||
After initializing a PKI, any entity can create DH params that needs them. This
|
||||
is normally only used by a TLS server. While the CA PKI can generate this, it
|
||||
makes more sense to do it on the server itself to avoid the need to send the
|
||||
files to another system after generation.
|
||||
|
||||
DH params can be generated with:
|
||||
|
||||
./easyrsa gen-dh
|
||||
|
||||
Showing details of requests or certs
|
||||
------------------------------------
|
||||
|
||||
To show the details of a request or certificate by referencing the short
|
||||
EntityName, use one of the following commands. It is an error to call these
|
||||
without a matching file.
|
||||
|
||||
./easyrsa show-req EntityName
|
||||
./easyrsa show-cert EntityName
|
||||
|
||||
Changing private key passphrases
|
||||
--------------------------------
|
||||
|
||||
RSA and EC private keys can be re-encrypted so a new passphrase can be supplied
|
||||
with one of the following commands depending on the key type:
|
||||
|
||||
./easyrsa set-rsa-pass EntityName
|
||||
./easyrsa set-ec-pass EntityName
|
||||
|
||||
Optionally, the passphrase can be removed completely with the 'nopass' flag.
|
||||
Consult the command help for details.
|
124
files/test-ca/doc/EasyRSA-Advanced.md
Normal file
124
files/test-ca/doc/EasyRSA-Advanced.md
Normal file
@ -0,0 +1,124 @@
|
||||
Easy-RSA Advanced Reference
|
||||
=============================
|
||||
|
||||
This is a technical reference for advanced users familiar with PKI processes. If
|
||||
you need a more detailed description, see the `EasyRSA-Readme` or `Intro-To-PKI`
|
||||
docs instead.
|
||||
|
||||
Configuration Reference
|
||||
-----------------------
|
||||
|
||||
#### Configuration Sources
|
||||
|
||||
There are 3 possible ways to perform external configuration of Easy-RSA,
|
||||
selected in the following order where the first defined result wins:
|
||||
|
||||
1. Command-line option
|
||||
2. Environmental variable
|
||||
3. 'vars' file, if one is present (see `vars Autodetection` below)
|
||||
4. Built-in default
|
||||
|
||||
Note that not every possible config option can be set everywhere, although any
|
||||
env-var can be added to the 'vars' file even if it's not shown by default.
|
||||
|
||||
#### vars Autodetection
|
||||
|
||||
A 'vars' file is a file named simply `vars` (without an extension) that
|
||||
Easy-RSA will source for configuration. This file is specifically designed
|
||||
*not* to replace variables that have been set with a higher-priority method
|
||||
such as CLI opts or env-vars.
|
||||
|
||||
The following locations are checked, in this order, for a vars file. Only the
|
||||
first one found is used:
|
||||
|
||||
1. The file referenced by the `--vars` CLI option
|
||||
2. The file referenced by the env-var named `EASYRSA_VARS_FILE`
|
||||
3. The directory referenced by the `EASYRSA_PKI` env-var
|
||||
4. The default PKI directory at `$PWD/pki`
|
||||
4. The directory referenced by the `EASYRSA` env-var
|
||||
5. The directory containing the easyrsa program
|
||||
|
||||
Defining the env-var `EASYRSA_NO_VARS` will override the sourcing of the vars
|
||||
file in all cases, including defining it subsequently as a global option.
|
||||
|
||||
#### OpenSSL Config
|
||||
|
||||
Easy-RSA is tightly coupled to the OpenSSL config file (.cnf) for the
|
||||
flexibility the script provides. It is required that this file be available,
|
||||
yet it is possible to use a different OpenSSL config file for a particular
|
||||
PKI, or even change it for a particular invocation.
|
||||
|
||||
The OpenSSL config file is searched for in the following order:
|
||||
|
||||
1. The env-var `EASYRSA_SSL_CONF`
|
||||
2. The 'vars' file (see `vars Autodetection` above)
|
||||
3. The `EASYRSA_PKI` directory with a filename of `openssl-easyrsa.cnf`
|
||||
4. The `EASYRSA` directory with a filename of `openssl-easyrsa.cnf`
|
||||
|
||||
Advanced extension handling
|
||||
---------------------------
|
||||
|
||||
Normally the cert extensions are selected by the cert type given on the CLI
|
||||
during signing; this causes the matching file in the x509-types subdirectory to
|
||||
be processed for OpenSSL extensions to add. This can be overridden in a
|
||||
particular PKI by placing another x509-types dir inside the `EASYRSA_PKI` dir
|
||||
which will be used instead.
|
||||
|
||||
The file named `COMMON` in the x509-types dir is appended to every cert type;
|
||||
this is designed for CDP usage, but can be used for any extension that should
|
||||
apply to every signed cert.
|
||||
|
||||
Additionally, the contents of the env-var `EASYRSA_EXTRA_EXTS` is appended with
|
||||
its raw text added to the OpenSSL extensions. The contents are appended as-is to
|
||||
the cert extensions; invalid OpenSSL configs will usually result in failure.
|
||||
|
||||
Environmental Variables Reference
|
||||
---------------------------------
|
||||
|
||||
A list of env-vars, any matching global option (CLI) to set/override it, and a
|
||||
possible terse description is shown below:
|
||||
|
||||
* `EASYRSA` - should point to the Easy-RSA top-level dir, where the easyrsa
|
||||
script is located.
|
||||
* `EASYRSA_OPENSSL` - command to invoke openssl
|
||||
* `EASYRSA_SSL_CONF` - the openssl config file to use
|
||||
* `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific
|
||||
files, defaults to `$PWD/pki`.
|
||||
* `EASYRSA_DN` (CLI: `--dn-mode`) - set to the string `cn_only` or `org` to
|
||||
alter the fields to include in the req DN
|
||||
* `EASYRSA_REQ_COUNTRY` (CLI: `--req-c`) - set the DN country with org mode
|
||||
* `EASYRSA_REQ_PROVINCE` (CLI: `--req-st`) - set the DN state/province with
|
||||
org mode
|
||||
* `EASYRSA_REQ_CITY` (CLI: `--req-city`) - set the DN city/locality with org
|
||||
mode
|
||||
* `EASYRSA_REQ_ORG` (CLI: `--req-org`) - set the DN organization with org mode
|
||||
* `EASYRSA_REQ_EMAIL` (CLI: `--req-email`) - set the DN email with org mode
|
||||
* `EASYRSA_REQ_OU` (CLI: `--req-ou`) - set the DN organizational unit with org
|
||||
mode
|
||||
* `EASYRSA_KEY_SIZE` (CLI: `--key-size`) - set the key size in bits to
|
||||
generate
|
||||
* `EASYRSA_ALGO` (CLI: `--use-algo`) - set the crypto alg to use: rsa or ec
|
||||
* `EASYRSA_CURVE` (CLI: `--curve`) - define the named EC curve to use
|
||||
* `EASYRSA_EC_DIR` - dir to store generated ecparams
|
||||
* `EASYRSA_CA_EXPIRE` (CLI: `--days`) - set the CA expiration time in days
|
||||
* `EASYRSA_CERT_EXPIRE` (CLI: `--days`) - set the issued cert expiration time
|
||||
in days
|
||||
* `EASYRSA_CRL_DAYS` (CLI: `--days`) - set the CRL 'next publish' time in days
|
||||
* `EASYRSA_NS_SUPPORT` (CLI: `--ns-cert`) - string 'yes' or 'no' fields to
|
||||
include the deprecated Netscape extensions
|
||||
* `EASYRSA_NS_COMMENT` (CLI: `--ns-comment`) - string comment to include when
|
||||
using the deprecated Netscape extensions
|
||||
* `EASYRSA_TEMP_FILE` - a temp file to use when dynamically creating req/cert
|
||||
extensions
|
||||
* `EASYRSA_REQ_CN` (CLI: `--req-cn`) - default CN, necessary to set in BATCH
|
||||
mode
|
||||
* `EASYRSA_DIGEST` (CLI: `--digest`) - set a hash digest to use for req/cert
|
||||
signing
|
||||
* `EASYRSA_BATCH` (CLI: `--batch`) - enable batch (no-prompt) mode; set
|
||||
env-var to non-zero string to enable (CLI takes no options)
|
||||
* `EASYRSA_PASSIN` (CLI: `--passin`) - allows to specify a source for
|
||||
password using any openssl password options like pass:1234 or env:var
|
||||
* `EASYRSA_PASSOUT` (CLI: `--passout`) - allows to specify a source for
|
||||
password using any openssl password options like pass:1234 or env:var
|
||||
|
||||
**NOTE:** the global options need to be provided before the actual commands.
|
236
files/test-ca/doc/EasyRSA-Readme.md
Normal file
236
files/test-ca/doc/EasyRSA-Readme.md
Normal file
@ -0,0 +1,236 @@
|
||||
Easy-RSA 3 Documentation Readme
|
||||
===============================
|
||||
|
||||
This document explains how Easy-RSA 3 and each of its assorted features work.
|
||||
|
||||
If you are looking for a quickstart with less background or detail, an
|
||||
implementation-specific How-to or Readme may be available in this (the `doc/`)
|
||||
directory.
|
||||
|
||||
Easy-RSA Overview
|
||||
-----------------
|
||||
|
||||
Easy-RSA is a utility for managing X.509 PKI, or Public Key Infrastructure. A
|
||||
PKI is based on the notion of trusting a particular authority to authenticate a
|
||||
remote peer; for more background on how PKI works, see the `Intro-To-PKI`
|
||||
document.
|
||||
|
||||
The code is written in platform-neutral POSIX shell, allowing use on a wide
|
||||
range of host systems. The official Windows release also comes bundled with the
|
||||
programs necessary to use Easy-RSA. The shell code attempts to limit the number
|
||||
of external programs it depends on. Crypto-related tasks use openssl as the
|
||||
functional backend.
|
||||
|
||||
Feature Highlights
|
||||
------------------
|
||||
|
||||
Here's a non-exhaustive list of the more notable Easy-RSA features:
|
||||
|
||||
* Easy-RSA is able to manage multiple PKIs, each with their own independent
|
||||
configuration, storage directory, and X.509 extension handling.
|
||||
* Multiple Subject Name (X.509 DN field) formatting options are supported. For
|
||||
VPNs, this means a cleaner commonName only setup can be used.
|
||||
* A single backend is used across all supported platforms, ensuring that no
|
||||
platform is 'left out' of the rich features. Unix-alikes (BSD, Linux, etc)
|
||||
and Windows are all supported.
|
||||
* Easy-RSA's X.509 support includes CRL, CDP, keyUsage/eKu attributes, and
|
||||
additional features. The included support can be changed or extended as an
|
||||
advanced feature.
|
||||
* Interactive and automated (batch) modes of operation
|
||||
* Flexible configuration: features can be enabled through command-line
|
||||
options, environment variables, a config file, or a combination of these.
|
||||
* Built-in defaults allow Easy-RSA to be used without first editing a config
|
||||
file.
|
||||
|
||||
Obtaining and Using Easy-RSA
|
||||
----------------------------
|
||||
|
||||
#### Download and extraction (installation)
|
||||
|
||||
Easy-RSA's main program is a script, supported by a couple of config files. As
|
||||
such, there is no formal "installation" required. Preparing to use Easy-RSA is
|
||||
as simple as downloading the compressed package (.tar.gz for Linux/Unix or
|
||||
.zip for Windows) and extract it to a location of your choosing. There is no
|
||||
compiling or OS-dependent setup required.
|
||||
|
||||
You should install and run Easy-RSA as a non-root (non-Administrator) account
|
||||
as root access is not required.
|
||||
|
||||
#### Running Easy-RSA
|
||||
|
||||
Invoking Easy-RSA is done through your preferred shell. Under Windows, you
|
||||
will use the `EasyRSA Start.bat` program to provide a POSIX-shell environment
|
||||
suitable for using Easy-RSA.
|
||||
|
||||
The basic format for running commands is:
|
||||
|
||||
./easyrsa command [ cmd-opts ]
|
||||
|
||||
where `command` is the name of a command to run, and `cmd-opts` are any
|
||||
options to supply to the command. Some commands have mandatory or optional
|
||||
cmd-opts. Note the leading `./` component of the command: this is required in
|
||||
Unix-like environments and may be a new concept to some Windows users.
|
||||
|
||||
General usage and command help can be shown with:
|
||||
|
||||
./easyrsa help [ command ]
|
||||
|
||||
When run without any command, general usage and a list of available commands
|
||||
are shown; when a command is supplied, detailed help output for that command
|
||||
is shown.
|
||||
|
||||
Configuring Easy-RSA
|
||||
--------------------
|
||||
|
||||
Easy-RSA 3 no longer needs any configuration file prior to operation, unlike
|
||||
earlier versions. However, the `vars.example` file contains many commented
|
||||
options that can be used to control non-default behavior as required. Reading
|
||||
this file will provide an idea of the basic configuration available. Note that
|
||||
a vars file must be named just `vars` (without an extension) to actively use it.
|
||||
|
||||
Additionally, some options can be defined at runtime with options on the
|
||||
command-line. A full list can be shown with:
|
||||
|
||||
./easyrsa help options
|
||||
|
||||
Any of these options can appear before the command as required as shown below:
|
||||
|
||||
./easyrsa [options] command [ cmd-opts ]
|
||||
|
||||
For experts, additional configuration with env-vars and custom X.509 extensions
|
||||
is possible. Consult the `EasyRSA-Advanced` documentation for details.
|
||||
|
||||
Getting Started: The Basics
|
||||
---------------------------
|
||||
|
||||
Some of the terms used here will be common to those familiar with how PKI works.
|
||||
Instead of describing PKI basics, please consult the document `Intro-To-PKI` if
|
||||
you need a more basic description of how a PKI works.
|
||||
|
||||
#### Creating an Easy-RSA PKI
|
||||
|
||||
In order to do something useful, Easy-RSA needs to first initialize a
|
||||
directory for the PKI. Multiple PKIs can be managed with a single installation
|
||||
of Easy-RSA, but the default directory is called simply "pki" unless otherwise
|
||||
specified.
|
||||
|
||||
To create or clear out (re-initialize) a new PKI, use the command:
|
||||
|
||||
./easyrsa init-pki
|
||||
|
||||
which will create a new, blank PKI structure ready to be used. Once created,
|
||||
this PKI can be used to make a new CA or generate keypairs.
|
||||
|
||||
#### The PKI Directory Structure
|
||||
|
||||
An Easy-RSA PKI contains the following directory structure:
|
||||
|
||||
* private/ - dir with private keys generated on this host
|
||||
* reqs/ - dir with locally generated certificate requests (for a CA imported
|
||||
requests are stored here)
|
||||
|
||||
In a clean PKI no files exist yet, just the bare directories. Commands called
|
||||
later will create the necessary files depending on the operation.
|
||||
|
||||
When building a CA, a number of new files are created by a combination of
|
||||
Easy-RSA and (indirectly) openssl. The important CA files are:
|
||||
|
||||
* `ca.crt` - This is the CA certificate
|
||||
* `index.txt` - This is the "master database" of all issued certs
|
||||
* `serial` - Stores the next serial number (serial numbers increment)
|
||||
* `private/ca.key` - This is the CA private key (security-critical)
|
||||
* `certs_by_serial/` - dir with all CA-signed certs by serial number
|
||||
* `issued/` - dir with issued certs by commonName
|
||||
|
||||
#### After Creating a PKI
|
||||
|
||||
Once you have created a PKI, the next useful step will be to either create a
|
||||
CA, or generate keypairs for a system that needs them. Continue with the
|
||||
relevant section below.
|
||||
|
||||
Using Easy-RSA as a CA
|
||||
----------------------
|
||||
|
||||
#### Building the CA
|
||||
|
||||
In order to sign requests to produce certificates, you need a CA. To create a
|
||||
new CA in a PKI you have created, run:
|
||||
|
||||
./easyrsa build-ca
|
||||
|
||||
Be sure to use a strong passphrase to protect the CA private key. Note that
|
||||
you must supply this passphrase in the future when performing signing
|
||||
operations with your CA, so be sure to remember it.
|
||||
|
||||
During the creation process, you will also select a name for the CA called the
|
||||
Common Name (CN.) This name is purely for display purposes and can be set as
|
||||
you like.
|
||||
|
||||
#### Importing requests to the CA
|
||||
|
||||
Once a CA is built, the PKI is intended to be used to import requests from
|
||||
external systems that are requesting a signed certificate from this CA. In
|
||||
order to sign the request, it must first be imported so Easy-RSA knows about
|
||||
it. This request file must be a standard CSR in PKCS#10 format.
|
||||
|
||||
Regardless of the file name to import, Easy-RSA uses a "short name" defined
|
||||
during import to refer to this request. Importing works like this:
|
||||
|
||||
./easyrsa import-req /path/to/request.req nameOfRequest
|
||||
|
||||
The nameOfRequest should normally refer to the system or person making the
|
||||
request.
|
||||
|
||||
#### Signing a request
|
||||
|
||||
Once Easy-RSA has imported a request, it can be reviewed and signed. Every
|
||||
certificate needs a "type" which controls what extensions the certificate gets
|
||||
Easy-RSA ships with 3 possible types: `client`, `server`, and `ca`, described
|
||||
below:
|
||||
|
||||
* client - A TLS client, suitable for a VPN user or web browser (web client)
|
||||
* server - A TLS server, suitable for a VPN or web server
|
||||
* ca - A intermediate CA, used when chaining multiple CAs together
|
||||
|
||||
./easyrsa sign-req <type> nameOfRequest
|
||||
|
||||
Additional types of certs may be defined by local sites as needed; see the
|
||||
advanced documentation for details.
|
||||
|
||||
#### Revoking and publishing CRLs
|
||||
|
||||
If an issue certificate needs to be revoked, this can be done as follows:
|
||||
|
||||
./easyrsa revoke nameOfRequest
|
||||
|
||||
To generate a CRL suitable for publishing to systems that use it, run:
|
||||
|
||||
./easyrsa gen-crl
|
||||
|
||||
Note that this will need to be published or sent to systems that rely on an
|
||||
up-to-date CRL as the certificate is still valid otherwise.
|
||||
|
||||
Using Easy-RSA to generate keypairs & requests
|
||||
----------------------------------------------
|
||||
|
||||
Easy-RSA can generate a keypair and certificate request in PKCS#10 format. This
|
||||
request is what a CA needs in order to generate and return a signed certificate.
|
||||
|
||||
Ideally you should never generate entity keypairs for a client or server in a
|
||||
PKI you are using for your CA. It is best to separate this process and generate
|
||||
keypairs only on the systems you plan to use them.
|
||||
|
||||
Easy-RSA can generate a keypair and request with the following command:
|
||||
|
||||
./easyrsa gen-req nameOfRequest
|
||||
|
||||
You will then be given a chance to modify the Subject details of your request.
|
||||
Easy-RSA uses the short name supplied on the command-line by default, though you
|
||||
are free to change it if necessary. After providing a passphrase and Subject
|
||||
details, the keypair and request files will be shown.
|
||||
|
||||
In order to obtain a signed certificate, the request file must be sent to the
|
||||
CA for signing; this step is obviously not required if a single PKI is used as
|
||||
both the CA and keypair/request generation as the generated request is already
|
||||
"imported."
|
||||
|
58
files/test-ca/doc/EasyRSA-Upgrade-Notes.md
Normal file
58
files/test-ca/doc/EasyRSA-Upgrade-Notes.md
Normal file
@ -0,0 +1,58 @@
|
||||
Upgrading to Easy-RSA 3 from earlier versions
|
||||
=========
|
||||
|
||||
People upgrading to Easy-RSA 3 from a 2.x version should note some important
|
||||
changes starting with version 3. For a better overview of version 3 in general,
|
||||
see the Readme in the doc/ directory.
|
||||
|
||||
List of important changes
|
||||
----
|
||||
|
||||
* nsCertType extensions are no longer included by default. Use of such
|
||||
"Netscape" attributes have been deprecated upstream and their use is
|
||||
discouraged. Configure `EASYRSA_NS_SUPPORT` in vars if you want to enable
|
||||
this legacy behavior.
|
||||
|
||||
Notably, this is important for OpenVPN deployments relying on the
|
||||
`--ns-cert-type` directive. Either have OpenVPN use the preferred
|
||||
`--remote-cert-tls` option, or enable legacy NS extensions.
|
||||
|
||||
* The default request Subject (or DN, Distinguished Name) includes just the
|
||||
commonName. This is more suitable for VPNs and environments that don't wish
|
||||
to include info about the Country/State/City/Org/OU in certs. Configure
|
||||
`EASYRSA_DN` in vars if you want to enable the legacy behavior.
|
||||
|
||||
* The 3.0 release lacks PKCS#11 (smartcard/token) support. This is anticipated
|
||||
to be supported in a future point-release to target each platform's need.
|
||||
|
||||
* The -utf8 option has been added for all supported commands. This should be
|
||||
backwards compatible with ASCII strings.
|
||||
|
||||
* The default private key encryption has been changed from 3des to aes256.
|
||||
|
||||
|
||||
Some new concepts
|
||||
----
|
||||
|
||||
Easy-RSA 3 has some new concepts compared to the prior v2 series.
|
||||
|
||||
### Request-Import-Sign workflow
|
||||
|
||||
v3 is now designed to support keypairs generated on the target system where
|
||||
they will be used, thus improving security as no keys need to be transferred
|
||||
between hosts. The old workflow of generating everything in a single PKI is
|
||||
still supported as well.
|
||||
|
||||
The recommended workflow when using Easy-RSA as a CA is to import requests,
|
||||
sign them, and return the issued & CA certs. Each requesting system can use
|
||||
Easy-RSA without a CA to generate keypairs & requests.
|
||||
|
||||
### "Org"-style DN flexibility
|
||||
|
||||
When using Easy-RSA in the "org" DN mode, it is no longer required to match
|
||||
some of the field values. This improves flexibility, and enables easier remote
|
||||
generation as the requester doesn't need to know the CA's values in advance.
|
||||
|
||||
Previously in v2, the Country, State, and Org values all had to match or a
|
||||
request couldn't be signed. If you want the old behavior you can change the
|
||||
OpenSSL config to require it or simply look over the DN at signing time.
|
142
files/test-ca/doc/Hacking.md
Normal file
142
files/test-ca/doc/Hacking.md
Normal file
@ -0,0 +1,142 @@
|
||||
Easy-RSA 3 Hacking Guide
|
||||
===
|
||||
|
||||
This document is aimed at programmers looking to improve on the existing
|
||||
codebase.
|
||||
|
||||
Compatibility
|
||||
---
|
||||
|
||||
The `easyrsa` code is written in POSIX shell (and any cases where it is not is
|
||||
considered a bug to be fixed.) The only exceptions are the `local` keyword and
|
||||
the construct `export FOO=baz`, both well-supported.
|
||||
|
||||
As such, modifications to the code should also be POSIX; platform-specific code
|
||||
should be placed under the `distro/` dir and listed by target platform.
|
||||
|
||||
Coding conventions
|
||||
---
|
||||
|
||||
While there aren't strict syntax standards associated with the project, please
|
||||
follow the existing format and flow when possible; however, specific exceptions
|
||||
can be made if there is a significant reason or benefit.
|
||||
|
||||
Do try to:
|
||||
|
||||
* Keep variables locally-scoped when possible
|
||||
* Comment sections of code for readability
|
||||
* Use the conventions for prefixes on global variables
|
||||
* Set editors for tab stops of 8 spaces
|
||||
* Use tabs for code indents; use aligned spaces for console text
|
||||
|
||||
Keeping code, docs, and examples in sync
|
||||
---
|
||||
|
||||
Changes that adjust, add, or remove features should have relevant docs, help
|
||||
output, and examples updated at the same time.
|
||||
|
||||
Release versioning
|
||||
---
|
||||
|
||||
A point-release bump (eg: 3.0 to 3.1) is required when the frontend interface
|
||||
changes in a non-backwards compatible way. Always assume someone has an
|
||||
automated process that relies on the current functionality for official
|
||||
(non-beta, non-rc) releases. A possible exception exists for bugfixes that do
|
||||
break backwards-compatibility; caution is to be used in such cases.
|
||||
|
||||
The addition of a new command may or may not require a point-release depending
|
||||
on the significance of the feature; the same holds true for additional optional
|
||||
arguments to commands.
|
||||
|
||||
Project layout
|
||||
---
|
||||
|
||||
The project's files are structured as follows:
|
||||
|
||||
* `easyrsa3/` is the primary project code. On Linux/Unix-alikes, all the core
|
||||
code and supporting files are stored here.
|
||||
* `Licensing/` is for license docs.
|
||||
* `build/` is for build information and scripts.
|
||||
* `contrib/` is for externally-contributed files, such as useful external
|
||||
scripts or interfaces for other systems/languages.
|
||||
* `distro/` is for distro-specific supporting files, such as the Windows
|
||||
frontend wrappers. Code components that are not platform-neutral should go
|
||||
here.
|
||||
* `doc/` is for documentation. Much of this is in Markdown format which can be
|
||||
easily converted to HTML for easy viewing under Windows.
|
||||
* `release-keys/` list current and former KeyIDs used to sign release packages
|
||||
(not necessarily git tags) available for download.
|
||||
* The top-level dir includes files for basic project info and reference
|
||||
appropriate locations for more detail.
|
||||
|
||||
As a brief note, it is actually possible to take just the easyrsa3/ dir and end
|
||||
up with a functional project; the remaining structure includes docs, build prep,
|
||||
distro-specific wrappers, and contributed files.
|
||||
|
||||
Git conventions
|
||||
---
|
||||
|
||||
As of Easy-RSA 3, the following git conventions should be used. These are mostly
|
||||
useful for people with repo access in order to keep a standard meaning to commit
|
||||
messages and merge actions.
|
||||
|
||||
### Signed-off-by: and related commit message lines
|
||||
|
||||
Committers with push access should ensure a `Signed-off-by:` line exists at
|
||||
the end of the commit message with their name on it. This indicates that the
|
||||
committer has reviewed the changes to the commit in question and approve of
|
||||
the feature and code in question. It also helps verify the code came from an
|
||||
acceptable source that won't cause issues with the license.
|
||||
|
||||
This can be automatically added by git using `git commit -s`.
|
||||
|
||||
Additional references can be included as well. If multiple people reviewed the
|
||||
change, the committer may add their names in additional `Signed-off-by:`
|
||||
lines; do get permission from that person before using their name, however ;)
|
||||
|
||||
The following references may be useful as well:
|
||||
|
||||
* `Signed-off-by:` -- discussed above, indicates review of the commit
|
||||
* `Author:` -- references an author of a particular feature, in full or
|
||||
significant part
|
||||
* `Changes-by:` -- indicates the listed party contributed changes or
|
||||
modifications to a feature
|
||||
* `Acked-by:` -- indicates review of the feature, code, and/or functional
|
||||
correctness
|
||||
|
||||
### Merging from external sources (forks, patches, etc)
|
||||
|
||||
Contributions can come in many forms: GitHub "pull requests" from cloned
|
||||
repos, references to external repos, patches to the ML, or others. Those won't
|
||||
necessary have `Signed-off-by:` lines or may contain less info in the commit
|
||||
message than is desirable to explain the changes.
|
||||
|
||||
The committing author to this project should make a merge-commit in this case
|
||||
with the appropriate details provided there. If additional code changes are
|
||||
necessary, this can be done on a local branch prior to merging back into the
|
||||
mainline branch.
|
||||
|
||||
This merge-commit should list involved contributors with `Author:` or similar
|
||||
lines as required. The individual commits involved in a merge also retain the
|
||||
original committer; regardless, the merge-commit message should give a clear
|
||||
indication of what the entire set of commits does as a whole.
|
||||
|
||||
### Tagging
|
||||
|
||||
Tags should follow the convention:
|
||||
|
||||
vM.m.p
|
||||
|
||||
where `M` is the major version, `m` is the minor "point-release" version, and
|
||||
`p` is the patch-level. Suffixes of `-rc#`, `-beta#`, etc can be added for
|
||||
pre-release versions as required.
|
||||
|
||||
Currently tags are taken from the mainline development branch in question. The
|
||||
ChangeLog should thus be updated prior to tagging. Tags should also be
|
||||
annotated with an appropriate commit message and signed-off. This can be done
|
||||
as shown below (don't use `-s` unless you intend to use GPG with git.)
|
||||
|
||||
git tag -a v1.2.3
|
||||
|
||||
Corresponding release downloads can be uploaded to release distribution points
|
||||
as required.
|
97
files/test-ca/doc/Intro-To-PKI.md
Normal file
97
files/test-ca/doc/Intro-To-PKI.md
Normal file
@ -0,0 +1,97 @@
|
||||
Introduction to PKI
|
||||
===================
|
||||
|
||||
This document is designed to give you a brief introduction into how a PKI, or
|
||||
Public Key Infrastructure, works.
|
||||
|
||||
Terminology Used
|
||||
----------------
|
||||
|
||||
To avoid confusion, the following terms will be used throughout the Easy-RSA
|
||||
documentation. Short forms may be substituted for longer forms as convenient.
|
||||
|
||||
* **PKI**: Public Key Infrastructure. This describes the collection of files
|
||||
and associations between the CA, keypairs, requests, and certificates.
|
||||
* **CA**: Certificate Authority. This is the "master cert" at the root of a
|
||||
PKI.
|
||||
* **cert**: Certificate. A certificate is a request that has been signed by a
|
||||
CA. The certificate contains the public key, some details describing the
|
||||
cert itself, and a digital signature from the CA.
|
||||
* **request**: Certificate Request (optionally 'req'.) This is a request for a
|
||||
certificate that is then send to a CA for signing. A request contains the
|
||||
desired cert information along with a digital signature from the private
|
||||
key.
|
||||
* **keypair**: A keypair is an asymmetric cryptographic pair of keys. These
|
||||
keys are split into two parts: the public and private keys. The public key
|
||||
is included in a request and certificate.
|
||||
|
||||
The CA
|
||||
------
|
||||
|
||||
The heart of a PKI is the CA, or Certificate Authority, and this is also the
|
||||
most security-sensitive. The CA private key is used to sign all issued
|
||||
certificates, so its security is critical in keeping the entire PKI safe. For
|
||||
this reason, it is highly recommended that the CA PKI structure be kept on a
|
||||
system dedicated for such secure usage; it is not a great idea to keep the CA
|
||||
PKI mixed in with one used to generate end-entity certificates, such as clients
|
||||
or servers (VPN or web servers.)
|
||||
|
||||
To start a new PKI, the CA is first created on the secure environment.
|
||||
Depending on security needs, this could be managed under a locked down account,
|
||||
dedicated system, or even a completely offline system or using removable media
|
||||
to improve security (after all, you can't suffer an online break-in if your
|
||||
system or PKI is not online.) The exact steps to create a CA are described in a
|
||||
separate section. When creating a new CA, the CA keypair (private and public
|
||||
keys) are created, as well as the file structure necessary to support signing
|
||||
issued certificates.
|
||||
|
||||
Once a CA has been created, it can receive certificate requests from
|
||||
end-entities. These entity certificates are issued to consumers of X509
|
||||
certificates, such as a client or server of a VPN, web, or email system. The
|
||||
certificate requests and certificates are not security-sensitive, and can be
|
||||
transferred in whatever means convenient, such as email, flash drive, etc. For
|
||||
better security, it is a good idea to verify the received request matches the
|
||||
sender's copy, such as by verifying the expected checksum against the sender's
|
||||
original.
|
||||
|
||||
Keypairs and requests
|
||||
---------------------
|
||||
|
||||
Individual end-entities do not need a full CA set up and will only need to
|
||||
create a keypair and associated certificate request. The private key is not used
|
||||
anywhere except on this entity, and should never leave that system. It is wise
|
||||
to secure this private key with a strong passphrase, because if lost or stolen
|
||||
the holder of the private key can make connections appearing as the certificate
|
||||
holder.
|
||||
|
||||
Once a keypair is generated, the certificate request is created and digitally
|
||||
signed using the private key. This request will be sent to a CA for signing, and
|
||||
a signed certificate will be returned.
|
||||
|
||||
How requests become certificates
|
||||
--------------------------------
|
||||
|
||||
After a CA signs the certificate request, a signed certificate is produced. In
|
||||
this step, the CA's private key is used to digitally sign the entity's public
|
||||
key so that any system trusting the CA certificate can implicitly trust the
|
||||
newly issued certificate. This signed certificate is then sent back to the
|
||||
requesting entity. The issued certificate is not security-sensitive and can be
|
||||
sent over plaintext transmission methods.
|
||||
|
||||
Verifying an issued certificate
|
||||
-------------------------------
|
||||
|
||||
After 2 entities have created keypairs, sent their requests to the CA, and
|
||||
received a copy of their signed certificates and the CA's own certificate, they
|
||||
can mutually authenticate with one-another. This process does not require the 2
|
||||
entities to have previously exchanged any kind of security information directly.
|
||||
|
||||
During a TLS handshake each side of the connection presents their own cert chain
|
||||
to the remote end. Each side checks the validity of the cert received against
|
||||
their own copy of the CA cert. By trusting the CA root cert, the peer they are
|
||||
talking to can be authenticated.
|
||||
|
||||
The remote end proves it "really is" the entity identified by the cert by
|
||||
signing a bit of data using its own private key. Only the holder of the private
|
||||
key is able to do this, allowing the remote end to verify the authenticity of
|
||||
the system being connected to.
|
2579
files/test-ca/easyrsa
Executable file
2579
files/test-ca/easyrsa
Executable file
File diff suppressed because it is too large
Load Diff
340
files/test-ca/gpl-2.0.txt
Normal file
340
files/test-ca/gpl-2.0.txt
Normal file
@ -0,0 +1,340 @@
|
||||
GNU GENERAL PUBLIC LICENSE
|
||||
Version 2, June 1991
|
||||
|
||||
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
|
||||
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
Everyone is permitted to copy and distribute verbatim copies
|
||||
of this license document, but changing it is not allowed.
|
||||
|
||||
Preamble
|
||||
|
||||
The licenses for most software are designed to take away your
|
||||
freedom to share and change it. By contrast, the GNU General Public
|
||||
License is intended to guarantee your freedom to share and change free
|
||||
software--to make sure the software is free for all its users. This
|
||||
General Public License applies to most of the Free Software
|
||||
Foundation's software and to any other program whose authors commit to
|
||||
using it. (Some other Free Software Foundation software is covered by
|
||||
the GNU Lesser General Public License instead.) You can apply it to
|
||||
your programs, too.
|
||||
|
||||
When we speak of free software, we are referring to freedom, not
|
||||
price. Our General Public Licenses are designed to make sure that you
|
||||
have the freedom to distribute copies of free software (and charge for
|
||||
this service if you wish), that you receive source code or can get it
|
||||
if you want it, that you can change the software or use pieces of it
|
||||
in new free programs; and that you know you can do these things.
|
||||
|
||||
To protect your rights, we need to make restrictions that forbid
|
||||
anyone to deny you these rights or to ask you to surrender the rights.
|
||||
These restrictions translate to certain responsibilities for you if you
|
||||
distribute copies of the software, or if you modify it.
|
||||
|
||||
For example, if you distribute copies of such a program, whether
|
||||
gratis or for a fee, you must give the recipients all the rights that
|
||||
you have. You must make sure that they, too, receive or can get the
|
||||
source code. And you must show them these terms so they know their
|
||||
rights.
|
||||
|
||||
We protect your rights with two steps: (1) copyright the software, and
|
||||
(2) offer you this license which gives you legal permission to copy,
|
||||
distribute and/or modify the software.
|
||||
|
||||
Also, for each author's protection and ours, we want to make certain
|
||||
that everyone understands that there is no warranty for this free
|
||||
software. If the software is modified by someone else and passed on, we
|
||||
want its recipients to know that what they have is not the original, so
|
||||
that any problems introduced by others will not reflect on the original
|
||||
authors' reputations.
|
||||
|
||||
Finally, any free program is threatened constantly by software
|
||||
patents. We wish to avoid the danger that redistributors of a free
|
||||
program will individually obtain patent licenses, in effect making the
|
||||
program proprietary. To prevent this, we have made it clear that any
|
||||
patent must be licensed for everyone's free use or not licensed at all.
|
||||
|
||||
The precise terms and conditions for copying, distribution and
|
||||
modification follow.
|
||||
|
||||
GNU GENERAL PUBLIC LICENSE
|
||||
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
||||
|
||||
0. This License applies to any program or other work which contains
|
||||
a notice placed by the copyright holder saying it may be distributed
|
||||
under the terms of this General Public License. The "Program", below,
|
||||
refers to any such program or work, and a "work based on the Program"
|
||||
means either the Program or any derivative work under copyright law:
|
||||
that is to say, a work containing the Program or a portion of it,
|
||||
either verbatim or with modifications and/or translated into another
|
||||
language. (Hereinafter, translation is included without limitation in
|
||||
the term "modification".) Each licensee is addressed as "you".
|
||||
|
||||
Activities other than copying, distribution and modification are not
|
||||
covered by this License; they are outside its scope. The act of
|
||||
running the Program is not restricted, and the output from the Program
|
||||
is covered only if its contents constitute a work based on the
|
||||
Program (independent of having been made by running the Program).
|
||||
Whether that is true depends on what the Program does.
|
||||
|
||||
1. You may copy and distribute verbatim copies of the Program's
|
||||
source code as you receive it, in any medium, provided that you
|
||||
conspicuously and appropriately publish on each copy an appropriate
|
||||
copyright notice and disclaimer of warranty; keep intact all the
|
||||
notices that refer to this License and to the absence of any warranty;
|
||||
and give any other recipients of the Program a copy of this License
|
||||
along with the Program.
|
||||
|
||||
You may charge a fee for the physical act of transferring a copy, and
|
||||
you may at your option offer warranty protection in exchange for a fee.
|
||||
|
||||
2. You may modify your copy or copies of the Program or any portion
|
||||
of it, thus forming a work based on the Program, and copy and
|
||||
distribute such modifications or work under the terms of Section 1
|
||||
above, provided that you also meet all of these conditions:
|
||||
|
||||
a) You must cause the modified files to carry prominent notices
|
||||
stating that you changed the files and the date of any change.
|
||||
|
||||
b) You must cause any work that you distribute or publish, that in
|
||||
whole or in part contains or is derived from the Program or any
|
||||
part thereof, to be licensed as a whole at no charge to all third
|
||||
parties under the terms of this License.
|
||||
|
||||
c) If the modified program normally reads commands interactively
|
||||
when run, you must cause it, when started running for such
|
||||
interactive use in the most ordinary way, to print or display an
|
||||
announcement including an appropriate copyright notice and a
|
||||
notice that there is no warranty (or else, saying that you provide
|
||||
a warranty) and that users may redistribute the program under
|
||||
these conditions, and telling the user how to view a copy of this
|
||||
License. (Exception: if the Program itself is interactive but
|
||||
does not normally print such an announcement, your work based on
|
||||
the Program is not required to print an announcement.)
|
||||
|
||||
These requirements apply to the modified work as a whole. If
|
||||
identifiable sections of that work are not derived from the Program,
|
||||
and can be reasonably considered independent and separate works in
|
||||
themselves, then this License, and its terms, do not apply to those
|
||||
sections when you distribute them as separate works. But when you
|
||||
distribute the same sections as part of a whole which is a work based
|
||||
on the Program, the distribution of the whole must be on the terms of
|
||||
this License, whose permissions for other licensees extend to the
|
||||
entire whole, and thus to each and every part regardless of who wrote it.
|
||||
|
||||
Thus, it is not the intent of this section to claim rights or contest
|
||||
your rights to work written entirely by you; rather, the intent is to
|
||||
exercise the right to control the distribution of derivative or
|
||||
collective works based on the Program.
|
||||
|
||||
In addition, mere aggregation of another work not based on the Program
|
||||
with the Program (or with a work based on the Program) on a volume of
|
||||
a storage or distribution medium does not bring the other work under
|
||||
the scope of this License.
|
||||
|
||||
3. You may copy and distribute the Program (or a work based on it,
|
||||
under Section 2) in object code or executable form under the terms of
|
||||
Sections 1 and 2 above provided that you also do one of the following:
|
||||
|
||||
a) Accompany it with the complete corresponding machine-readable
|
||||
source code, which must be distributed under the terms of Sections
|
||||
1 and 2 above on a medium customarily used for software interchange; or,
|
||||
|
||||
b) Accompany it with a written offer, valid for at least three
|
||||
years, to give any third party, for a charge no more than your
|
||||
cost of physically performing source distribution, a complete
|
||||
machine-readable copy of the corresponding source code, to be
|
||||
distributed under the terms of Sections 1 and 2 above on a medium
|
||||
customarily used for software interchange; or,
|
||||
|
||||
c) Accompany it with the information you received as to the offer
|
||||
to distribute corresponding source code. (This alternative is
|
||||
allowed only for noncommercial distribution and only if you
|
||||
received the program in object code or executable form with such
|
||||
an offer, in accord with Subsection b above.)
|
||||
|
||||
The source code for a work means the preferred form of the work for
|
||||
making modifications to it. For an executable work, complete source
|
||||
code means all the source code for all modules it contains, plus any
|
||||
associated interface definition files, plus the scripts used to
|
||||
control compilation and installation of the executable. However, as a
|
||||
special exception, the source code distributed need not include
|
||||
anything that is normally distributed (in either source or binary
|
||||
form) with the major components (compiler, kernel, and so on) of the
|
||||
operating system on which the executable runs, unless that component
|
||||
itself accompanies the executable.
|
||||
|
||||
If distribution of executable or object code is made by offering
|
||||
access to copy from a designated place, then offering equivalent
|
||||
access to copy the source code from the same place counts as
|
||||
distribution of the source code, even though third parties are not
|
||||
compelled to copy the source along with the object code.
|
||||
|
||||
4. You may not copy, modify, sublicense, or distribute the Program
|
||||
except as expressly provided under this License. Any attempt
|
||||
otherwise to copy, modify, sublicense or distribute the Program is
|
||||
void, and will automatically terminate your rights under this License.
|
||||
However, parties who have received copies, or rights, from you under
|
||||
this License will not have their licenses terminated so long as such
|
||||
parties remain in full compliance.
|
||||
|
||||
5. You are not required to accept this License, since you have not
|
||||
signed it. However, nothing else grants you permission to modify or
|
||||
distribute the Program or its derivative works. These actions are
|
||||
prohibited by law if you do not accept this License. Therefore, by
|
||||
modifying or distributing the Program (or any work based on the
|
||||
Program), you indicate your acceptance of this License to do so, and
|
||||
all its terms and conditions for copying, distributing or modifying
|
||||
the Program or works based on it.
|
||||
|
||||
6. Each time you redistribute the Program (or any work based on the
|
||||
Program), the recipient automatically receives a license from the
|
||||
original licensor to copy, distribute or modify the Program subject to
|
||||
these terms and conditions. You may not impose any further
|
||||
restrictions on the recipients' exercise of the rights granted herein.
|
||||
You are not responsible for enforcing compliance by third parties to
|
||||
this License.
|
||||
|
||||
7. If, as a consequence of a court judgment or allegation of patent
|
||||
infringement or for any other reason (not limited to patent issues),
|
||||
conditions are imposed on you (whether by court order, agreement or
|
||||
otherwise) that contradict the conditions of this License, they do not
|
||||
excuse you from the conditions of this License. If you cannot
|
||||
distribute so as to satisfy simultaneously your obligations under this
|
||||
License and any other pertinent obligations, then as a consequence you
|
||||
may not distribute the Program at all. For example, if a patent
|
||||
license would not permit royalty-free redistribution of the Program by
|
||||
all those who receive copies directly or indirectly through you, then
|
||||
the only way you could satisfy both it and this License would be to
|
||||
refrain entirely from distribution of the Program.
|
||||
|
||||
If any portion of this section is held invalid or unenforceable under
|
||||
any particular circumstance, the balance of the section is intended to
|
||||
apply and the section as a whole is intended to apply in other
|
||||
circumstances.
|
||||
|
||||
It is not the purpose of this section to induce you to infringe any
|
||||
patents or other property right claims or to contest validity of any
|
||||
such claims; this section has the sole purpose of protecting the
|
||||
integrity of the free software distribution system, which is
|
||||
implemented by public license practices. Many people have made
|
||||
generous contributions to the wide range of software distributed
|
||||
through that system in reliance on consistent application of that
|
||||
system; it is up to the author/donor to decide if he or she is willing
|
||||
to distribute software through any other system and a licensee cannot
|
||||
impose that choice.
|
||||
|
||||
This section is intended to make thoroughly clear what is believed to
|
||||
be a consequence of the rest of this License.
|
||||
|
||||
8. If the distribution and/or use of the Program is restricted in
|
||||
certain countries either by patents or by copyrighted interfaces, the
|
||||
original copyright holder who places the Program under this License
|
||||
may add an explicit geographical distribution limitation excluding
|
||||
those countries, so that distribution is permitted only in or among
|
||||
countries not thus excluded. In such case, this License incorporates
|
||||
the limitation as if written in the body of this License.
|
||||
|
||||
9. The Free Software Foundation may publish revised and/or new versions
|
||||
of the General Public License from time to time. Such new versions will
|
||||
be similar in spirit to the present version, but may differ in detail to
|
||||
address new problems or concerns.
|
||||
|
||||
Each version is given a distinguishing version number. If the Program
|
||||
specifies a version number of this License which applies to it and "any
|
||||
later version", you have the option of following the terms and conditions
|
||||
either of that version or of any later version published by the Free
|
||||
Software Foundation. If the Program does not specify a version number of
|
||||
this License, you may choose any version ever published by the Free Software
|
||||
Foundation.
|
||||
|
||||
10. If you wish to incorporate parts of the Program into other free
|
||||
programs whose distribution conditions are different, write to the author
|
||||
to ask for permission. For software which is copyrighted by the Free
|
||||
Software Foundation, write to the Free Software Foundation; we sometimes
|
||||
make exceptions for this. Our decision will be guided by the two goals
|
||||
of preserving the free status of all derivatives of our free software and
|
||||
of promoting the sharing and reuse of software generally.
|
||||
|
||||
NO WARRANTY
|
||||
|
||||
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
||||
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
||||
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
||||
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
||||
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
||||
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
||||
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
||||
REPAIR OR CORRECTION.
|
||||
|
||||
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
||||
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
||||
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
||||
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
||||
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
||||
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
||||
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
||||
POSSIBILITY OF SUCH DAMAGES.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
How to Apply These Terms to Your New Programs
|
||||
|
||||
If you develop a new program, and you want it to be of the greatest
|
||||
possible use to the public, the best way to achieve this is to make it
|
||||
free software which everyone can redistribute and change under these terms.
|
||||
|
||||
To do so, attach the following notices to the program. It is safest
|
||||
to attach them to the start of each source file to most effectively
|
||||
convey the exclusion of warranty; and each file should have at least
|
||||
the "copyright" line and a pointer to where the full notice is found.
|
||||
|
||||
<one line to give the program's name and a brief idea of what it does.>
|
||||
Copyright (C) <year> <name of author>
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 2 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License along
|
||||
with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
|
||||
Also add information on how to contact you by electronic and paper mail.
|
||||
|
||||
If the program is interactive, make it output a short notice like this
|
||||
when it starts in an interactive mode:
|
||||
|
||||
Gnomovision version 69, Copyright (C) year name of author
|
||||
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
||||
This is free software, and you are welcome to redistribute it
|
||||
under certain conditions; type `show c' for details.
|
||||
|
||||
The hypothetical commands `show w' and `show c' should show the appropriate
|
||||
parts of the General Public License. Of course, the commands you use may
|
||||
be called something other than `show w' and `show c'; they could even be
|
||||
mouse-clicks or menu items--whatever suits your program.
|
||||
|
||||
You should also get your employer (if you work as a programmer) or your
|
||||
school, if any, to sign a "copyright disclaimer" for the program, if
|
||||
necessary. Here is a sample; alter the names:
|
||||
|
||||
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
|
||||
`Gnomovision' (which makes passes at compilers) written by James Hacker.
|
||||
|
||||
<signature of Ty Coon>, 1 April 1989
|
||||
Ty Coon, President of Vice
|
||||
|
||||
This General Public License does not permit incorporating your program into
|
||||
proprietary programs. If your program is a subroutine library, you may
|
||||
consider it more useful to permit linking proprietary applications with the
|
||||
library. If this is what you want to do, use the GNU Lesser General
|
||||
Public License instead of this License.
|
||||
|
20
files/test-ca/mktemp.txt
Normal file
20
files/test-ca/mktemp.txt
Normal file
@ -0,0 +1,20 @@
|
||||
Mktemp is distributed under the following ISC-style license:
|
||||
|
||||
Copyright (c) 1996-1997, 2000-2001, 2008, 2010
|
||||
Todd C. Miller <Todd.Miller@courtesan.com>
|
||||
Copyright (c) 1996, David Mazieres <dm@uun.org>
|
||||
Copyright (c) 2008, Damien Miller <djm@openbsd.org>
|
||||
|
||||
Permission to use, copy, modify, and distribute this software for any
|
||||
purpose with or without fee is hereby granted, provided that the above
|
||||
copyright notice and this permission notice appear in all copies.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
From https://www.mktemp.org/mktemp/license.html
|
138
files/test-ca/openssl-easyrsa.cnf
Normal file
138
files/test-ca/openssl-easyrsa.cnf
Normal file
@ -0,0 +1,138 @@
|
||||
# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = $ENV::EASYRSA_PKI # Where everything is kept
|
||||
certs = $dir # Where the issued certs are kept
|
||||
crl_dir = $dir # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
new_certs_dir = $dir/certs_by_serial # default place for new certs.
|
||||
|
||||
certificate = $dir/ca.crt # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/private/ca.key # The private key
|
||||
RANDFILE = $dir/.rand # private random number file
|
||||
|
||||
x509_extensions = basic_exts # The extensions to add to the cert
|
||||
|
||||
# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
|
||||
# is designed for will. In return, we get the Issuer attached to CRLs.
|
||||
crl_extensions = crl_ext
|
||||
|
||||
default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
|
||||
default_crl_days= $ENV::EASYRSA_CRL_DAYS # how long before next CRL
|
||||
default_md = $ENV::EASYRSA_DIGEST # use public key default MD
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# This allows to renew certificates which have not been revoked
|
||||
unique_subject = no
|
||||
|
||||
# A few different ways of specifying how similar the request should look
|
||||
# For type CA, the listed attributes must be the same, and the optional
|
||||
# and supplied fields are just that :-)
|
||||
policy = policy_anything
|
||||
|
||||
# For the 'anything' policy, which defines allowed DN fields
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
name = optional
|
||||
emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
# Easy-RSA request handling
|
||||
# We key off $DN_MODE to determine how to format the DN
|
||||
[ req ]
|
||||
default_bits = $ENV::EASYRSA_KEY_SIZE
|
||||
default_keyfile = privkey.pem
|
||||
default_md = $ENV::EASYRSA_DIGEST
|
||||
distinguished_name = $ENV::EASYRSA_DN
|
||||
x509_extensions = easyrsa_ca # The extensions to add to the self signed cert
|
||||
|
||||
# A placeholder to handle the $EXTRA_EXTS feature:
|
||||
#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it
|
||||
|
||||
####################################################################
|
||||
# Easy-RSA DN (Subject) handling
|
||||
|
||||
# Easy-RSA DN for cn_only support:
|
||||
[ cn_only ]
|
||||
commonName = Common Name (eg: your user, host, or server name)
|
||||
commonName_max = 64
|
||||
commonName_default = $ENV::EASYRSA_REQ_CN
|
||||
|
||||
# Easy-RSA DN for org support:
|
||||
[ org ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = $ENV::EASYRSA_REQ_COUNTRY
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
localityName_default = $ENV::EASYRSA_REQ_CITY
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
0.organizationName_default = $ENV::EASYRSA_REQ_ORG
|
||||
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
organizationalUnitName_default = $ENV::EASYRSA_REQ_OU
|
||||
|
||||
commonName = Common Name (eg: your user, host, or server name)
|
||||
commonName_max = 64
|
||||
commonName_default = $ENV::EASYRSA_REQ_CN
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_default = $ENV::EASYRSA_REQ_EMAIL
|
||||
emailAddress_max = 64
|
||||
|
||||
####################################################################
|
||||
# Easy-RSA cert extension handling
|
||||
|
||||
# This section is effectively unused as the main script sets extensions
|
||||
# dynamically. This core section is left to support the odd usecase where
|
||||
# a user calls openssl directly.
|
||||
[ basic_exts ]
|
||||
basicConstraints = CA:FALSE
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid,issuer:always
|
||||
|
||||
# The Easy-RSA CA extensions
|
||||
[ easyrsa_ca ]
|
||||
|
||||
# PKIX recommendations:
|
||||
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This could be marked critical, but it's nice to support reading by any
|
||||
# broken clients who attempt to do so.
|
||||
basicConstraints = CA:true
|
||||
|
||||
# Limit key usage to CA tasks. If you really want to use the generated pair as
|
||||
# a self-signed cert, comment this out.
|
||||
keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# nsCertType omitted by default. Let's try to let the deprecated stuff die.
|
||||
# nsCertType = sslCA
|
||||
|
||||
# CRL extensions.
|
||||
[ crl_ext ]
|
||||
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
# issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
1
files/test-ca/password.txt
Normal file
1
files/test-ca/password.txt
Normal file
@ -0,0 +1 @@
|
||||
1234
|
20
files/test-ca/pki/ca.crt
Normal file
20
files/test-ca/pki/ca.crt
Normal file
@ -0,0 +1,20 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDVDCCAjygAwIBAgIUInouaHzfe4GFGlCYFmIi0AvWHEowDQYJKoZIhvcNAQEL
|
||||
BQAwGTEXMBUGA1UEAwwOVmVpbGlkIFRlc3QgQ0EwHhcNMjExMTIyMTM0OTE5WhcN
|
||||
MzExMTIwMTM0OTE5WjAZMRcwFQYDVQQDDA5WZWlsaWQgVGVzdCBDQTCCASIwDQYJ
|
||||
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMqKTFn4FCcKWysW8NbQZwysKUlwI9kc
|
||||
S4CYy1+4eQC7Tn0eILG3+WfGCjAgRx72co+852NjsNnVwPVh8Xr7RdjyPscp4HTJ
|
||||
jObVC93GofiAKFld2038A3/rsA5DoXyiUj2/nhBdw+aO1yiBXdEw7tIUZLUJ46Ku
|
||||
QapuGXtL4xYXPAxhPhn5PY6xAWkar+6E9tv3g1BknxWlGmfulYaf1dAg2ra0Lswu
|
||||
fiZfepPq9iwhiUlOSo3sWy7ObF+3TxWlQxMpGC1LiAmA4XEyWp2tDOV90B98yLQK
|
||||
2pBhEexGaAJYy7DgZUNOV/WpjzLdDccXrQV9NoKXMOqsYC8MgDV2KjUCAwEAAaOB
|
||||
kzCBkDAdBgNVHQ4EFgQUXX+NrxpW0/TKPdNt71AR92SZbwIwVAYDVR0jBE0wS4AU
|
||||
XX+NrxpW0/TKPdNt71AR92SZbwKhHaQbMBkxFzAVBgNVBAMMDlZlaWxpZCBUZXN0
|
||||
IENBghQiei5ofN97gYUaUJgWYiLQC9YcSjAMBgNVHRMEBTADAQH/MAsGA1UdDwQE
|
||||
AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAfL9k5ZrsnFTXrcBsCNhgqll0dwutbn36
|
||||
RzpE6bKZwGAYU3irdFFM3+D2zxaN/H665yL07uLn+XxrgIEplHAao5NSSxeYDUJo
|
||||
5BV5rmnOy+bSDrSfEGvV0OA/WWhPVFAtq2SQnC6GW5YbmzaHIoOunEv2EQrg8yKP
|
||||
pgff16xi+XFuAsR7Z4Cpbkb687Z878a4UaSWP/knnJM8Tjjl2wwxxTbWOvK9hbG3
|
||||
3+L4G6xxXbgvXw2VR8rIUMK44u0xXb3Vwq4dHU6HZZwTNaEs41vNVrCZV45hu8NX
|
||||
ZmcNEdDTPZQ67n+R4pJnbxDFLbTFEU/NZiCjug0jtjzHeRxnAntDFw==
|
||||
-----END CERTIFICATE-----
|
@ -0,0 +1,88 @@
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number:
|
||||
12:ce:63:bd:90:f5:ab:de:6d:7f:d7:3e:f3:e6:bb
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
Issuer: CN=Veilid Test CA
|
||||
Validity
|
||||
Not Before: Nov 22 13:52:16 2021 GMT
|
||||
Not After : Feb 25 13:52:16 2024 GMT
|
||||
Subject: CN=Veilid Test Certificate
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
RSA Public-Key: (2048 bit)
|
||||
Modulus:
|
||||
00:cb:2e:7a:47:81:be:6f:6b:53:37:51:c1:50:68:
|
||||
5a:44:3d:ba:b9:9b:78:40:84:35:d4:0e:e8:41:a6:
|
||||
0e:0a:b9:34:ae:97:a3:37:3e:81:ed:6c:0f:f8:8a:
|
||||
8b:0b:1a:ed:06:97:57:6d:49:a5:ec:b4:c4:d8:6d:
|
||||
d2:57:c3:87:89:99:ee:b0:d7:c5:82:a1:dc:d5:98:
|
||||
b3:ef:10:da:c0:5c:38:a2:bb:15:3e:0e:5e:bc:a0:
|
||||
cd:a1:f0:07:67:bb:57:3f:89:cc:72:4f:bb:c0:a7:
|
||||
ed:ad:15:07:61:c2:b4:21:73:39:00:9b:8f:aa:04:
|
||||
1b:c4:9d:d4:00:44:87:b1:79:b4:e1:4e:01:3c:ee:
|
||||
a4:bb:f9:ad:5d:88:41:03:b4:bf:df:bf:71:24:ee:
|
||||
0b:69:59:55:dd:43:d1:91:04:de:98:9c:54:f2:ee:
|
||||
63:78:fe:76:19:bf:e6:5d:d6:58:81:3c:1b:02:3d:
|
||||
5d:cc:70:4a:c1:84:06:f6:1a:db:16:b0:e0:30:b0:
|
||||
3a:85:41:48:a1:88:c5:38:04:7b:03:c4:86:f0:da:
|
||||
1a:ff:bc:d1:ac:7f:cd:0c:e8:5a:42:5e:43:7f:0d:
|
||||
61:5d:41:67:0f:b8:07:47:21:93:44:b2:ab:fa:d8:
|
||||
69:bb:b9:6d:a1:56:6d:23:54:aa:49:67:e7:57:c6:
|
||||
e9:c7
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints:
|
||||
CA:FALSE
|
||||
X509v3 Subject Key Identifier:
|
||||
70:ED:B0:96:71:33:43:16:EF:32:FF:69:11:C9:F0:02:3F:6C:81:88
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:5D:7F:8D:AF:1A:56:D3:F4:CA:3D:D3:6D:EF:50:11:F7:64:99:6F:02
|
||||
DirName:/CN=Veilid Test CA
|
||||
serial:22:7A:2E:68:7C:DF:7B:81:85:1A:50:98:16:62:22:D0:0B:D6:1C:4A
|
||||
|
||||
X509v3 Extended Key Usage:
|
||||
TLS Web Server Authentication
|
||||
X509v3 Key Usage:
|
||||
Digital Signature, Key Encipherment
|
||||
X509v3 Subject Alternative Name:
|
||||
DNS:Veilid Test Certificate
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
b8:fc:ac:62:d6:95:af:09:db:24:7d:82:2c:02:e1:d0:7b:f5:
|
||||
69:03:a4:42:55:c6:0d:2a:f1:9d:0e:c4:9b:78:40:7d:0d:7d:
|
||||
ec:66:f6:c4:6d:06:d0:5b:58:de:ba:e6:67:ea:af:41:a3:87:
|
||||
b4:37:8b:a8:1f:51:ae:70:e0:0d:f5:51:0a:7a:b3:b3:1d:d1:
|
||||
77:92:63:35:ae:50:9e:04:3d:04:6e:f1:60:c8:e3:8f:1f:75:
|
||||
47:05:27:a0:ff:c5:1b:30:68:b2:f9:5b:e6:f2:81:0f:9b:f2:
|
||||
e8:8c:9d:b6:57:b2:c1:29:e7:d0:d0:88:b3:ba:8e:78:2e:ef:
|
||||
ce:03:a3:12:fa:b4:e9:4e:1f:de:1a:cb:77:72:6b:71:98:02:
|
||||
37:d2:b4:02:f0:2c:08:67:ca:75:0d:af:81:bf:f8:57:f8:d9:
|
||||
4a:93:4f:db:3c:e1:af:3e:ab:9c:fe:87:f0:3a:01:21:6a:5c:
|
||||
99:83:e3:03:47:98:15:23:24:b3:ee:29:27:f4:f1:34:c1:e4:
|
||||
f8:39:5a:92:da:c7:08:dc:71:87:1c:ff:67:e7:ef:24:bc:34:
|
||||
e3:4e:e0:16:12:84:60:d4:7f:a2:c0:5b:85:a9:c5:ef:78:0b:
|
||||
c3:64:cb:b4:05:eb:51:e5:c1:0f:60:da:5c:98:08:bf:5d:b9:
|
||||
1d:33:a7:26
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDjjCCAnagAwIBAgIPEs5jvZD1q95tf9c+8+a7MA0GCSqGSIb3DQEBCwUAMBkx
|
||||
FzAVBgNVBAMMDlZlaWxpZCBUZXN0IENBMB4XDTIxMTEyMjEzNTIxNloXDTI0MDIy
|
||||
NTEzNTIxNlowIjEgMB4GA1UEAwwXVmVpbGlkIFRlc3QgQ2VydGlmaWNhdGUwggEi
|
||||
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLLnpHgb5va1M3UcFQaFpEPbq5
|
||||
m3hAhDXUDuhBpg4KuTSul6M3PoHtbA/4iosLGu0Gl1dtSaXstMTYbdJXw4eJme6w
|
||||
18WCodzVmLPvENrAXDiiuxU+Dl68oM2h8Adnu1c/icxyT7vAp+2tFQdhwrQhczkA
|
||||
m4+qBBvEndQARIexebThTgE87qS7+a1diEEDtL/fv3Ek7gtpWVXdQ9GRBN6YnFTy
|
||||
7mN4/nYZv+Zd1liBPBsCPV3McErBhAb2GtsWsOAwsDqFQUihiMU4BHsDxIbw2hr/
|
||||
vNGsf80M6FpCXkN/DWFdQWcPuAdHIZNEsqv62Gm7uW2hVm0jVKpJZ+dXxunHAgMB
|
||||
AAGjgckwgcYwCQYDVR0TBAIwADAdBgNVHQ4EFgQUcO2wlnEzQxbvMv9pEcnwAj9s
|
||||
gYgwVAYDVR0jBE0wS4AUXX+NrxpW0/TKPdNt71AR92SZbwKhHaQbMBkxFzAVBgNV
|
||||
BAMMDlZlaWxpZCBUZXN0IENBghQiei5ofN97gYUaUJgWYiLQC9YcSjATBgNVHSUE
|
||||
DDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBaAwIgYDVR0RBBswGYIXVmVpbGlkIFRl
|
||||
c3QgQ2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggEBALj8rGLWla8J2yR9giwC
|
||||
4dB79WkDpEJVxg0q8Z0OxJt4QH0Nfexm9sRtBtBbWN665mfqr0Gjh7Q3i6gfUa5w
|
||||
4A31UQp6s7Md0XeSYzWuUJ4EPQRu8WDI448fdUcFJ6D/xRswaLL5W+bygQ+b8uiM
|
||||
nbZXssEp59DQiLO6jngu784DoxL6tOlOH94ay3dya3GYAjfStALwLAhnynUNr4G/
|
||||
+Ff42UqTT9s84a8+q5z+h/A6ASFqXJmD4wNHmBUjJLPuKSf08TTB5Pg5WpLaxwjc
|
||||
cYcc/2fn7yS8NONO4BYShGDUf6LAW4Wpxe94C8Nky7QF61HlwQ9g2lyYCL9duR0z
|
||||
pyY=
|
||||
-----END CERTIFICATE-----
|
1
files/test-ca/pki/index.txt
Normal file
1
files/test-ca/pki/index.txt
Normal file
@ -0,0 +1 @@
|
||||
V 240225135216Z 12CE63BD90F5ABDE6D7FD73EF3E6BB unknown /CN=Veilid Test Certificate
|
1
files/test-ca/pki/index.txt.attr
Normal file
1
files/test-ca/pki/index.txt.attr
Normal file
@ -0,0 +1 @@
|
||||
unique_subject = no
|
0
files/test-ca/pki/index.txt.attr.old
Normal file
0
files/test-ca/pki/index.txt.attr.old
Normal file
0
files/test-ca/pki/index.txt.old
Normal file
0
files/test-ca/pki/index.txt.old
Normal file
88
files/test-ca/pki/issued/test.crt
Normal file
88
files/test-ca/pki/issued/test.crt
Normal file
@ -0,0 +1,88 @@
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number:
|
||||
12:ce:63:bd:90:f5:ab:de:6d:7f:d7:3e:f3:e6:bb
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
Issuer: CN=Veilid Test CA
|
||||
Validity
|
||||
Not Before: Nov 22 13:52:16 2021 GMT
|
||||
Not After : Feb 25 13:52:16 2024 GMT
|
||||
Subject: CN=Veilid Test Certificate
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
RSA Public-Key: (2048 bit)
|
||||
Modulus:
|
||||
00:cb:2e:7a:47:81:be:6f:6b:53:37:51:c1:50:68:
|
||||
5a:44:3d:ba:b9:9b:78:40:84:35:d4:0e:e8:41:a6:
|
||||
0e:0a:b9:34:ae:97:a3:37:3e:81:ed:6c:0f:f8:8a:
|
||||
8b:0b:1a:ed:06:97:57:6d:49:a5:ec:b4:c4:d8:6d:
|
||||
d2:57:c3:87:89:99:ee:b0:d7:c5:82:a1:dc:d5:98:
|
||||
b3:ef:10:da:c0:5c:38:a2:bb:15:3e:0e:5e:bc:a0:
|
||||
cd:a1:f0:07:67:bb:57:3f:89:cc:72:4f:bb:c0:a7:
|
||||
ed:ad:15:07:61:c2:b4:21:73:39:00:9b:8f:aa:04:
|
||||
1b:c4:9d:d4:00:44:87:b1:79:b4:e1:4e:01:3c:ee:
|
||||
a4:bb:f9:ad:5d:88:41:03:b4:bf:df:bf:71:24:ee:
|
||||
0b:69:59:55:dd:43:d1:91:04:de:98:9c:54:f2:ee:
|
||||
63:78:fe:76:19:bf:e6:5d:d6:58:81:3c:1b:02:3d:
|
||||
5d:cc:70:4a:c1:84:06:f6:1a:db:16:b0:e0:30:b0:
|
||||
3a:85:41:48:a1:88:c5:38:04:7b:03:c4:86:f0:da:
|
||||
1a:ff:bc:d1:ac:7f:cd:0c:e8:5a:42:5e:43:7f:0d:
|
||||
61:5d:41:67:0f:b8:07:47:21:93:44:b2:ab:fa:d8:
|
||||
69:bb:b9:6d:a1:56:6d:23:54:aa:49:67:e7:57:c6:
|
||||
e9:c7
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints:
|
||||
CA:FALSE
|
||||
X509v3 Subject Key Identifier:
|
||||
70:ED:B0:96:71:33:43:16:EF:32:FF:69:11:C9:F0:02:3F:6C:81:88
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:5D:7F:8D:AF:1A:56:D3:F4:CA:3D:D3:6D:EF:50:11:F7:64:99:6F:02
|
||||
DirName:/CN=Veilid Test CA
|
||||
serial:22:7A:2E:68:7C:DF:7B:81:85:1A:50:98:16:62:22:D0:0B:D6:1C:4A
|
||||
|
||||
X509v3 Extended Key Usage:
|
||||
TLS Web Server Authentication
|
||||
X509v3 Key Usage:
|
||||
Digital Signature, Key Encipherment
|
||||
X509v3 Subject Alternative Name:
|
||||
DNS:Veilid Test Certificate
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
b8:fc:ac:62:d6:95:af:09:db:24:7d:82:2c:02:e1:d0:7b:f5:
|
||||
69:03:a4:42:55:c6:0d:2a:f1:9d:0e:c4:9b:78:40:7d:0d:7d:
|
||||
ec:66:f6:c4:6d:06:d0:5b:58:de:ba:e6:67:ea:af:41:a3:87:
|
||||
b4:37:8b:a8:1f:51:ae:70:e0:0d:f5:51:0a:7a:b3:b3:1d:d1:
|
||||
77:92:63:35:ae:50:9e:04:3d:04:6e:f1:60:c8:e3:8f:1f:75:
|
||||
47:05:27:a0:ff:c5:1b:30:68:b2:f9:5b:e6:f2:81:0f:9b:f2:
|
||||
e8:8c:9d:b6:57:b2:c1:29:e7:d0:d0:88:b3:ba:8e:78:2e:ef:
|
||||
ce:03:a3:12:fa:b4:e9:4e:1f:de:1a:cb:77:72:6b:71:98:02:
|
||||
37:d2:b4:02:f0:2c:08:67:ca:75:0d:af:81:bf:f8:57:f8:d9:
|
||||
4a:93:4f:db:3c:e1:af:3e:ab:9c:fe:87:f0:3a:01:21:6a:5c:
|
||||
99:83:e3:03:47:98:15:23:24:b3:ee:29:27:f4:f1:34:c1:e4:
|
||||
f8:39:5a:92:da:c7:08:dc:71:87:1c:ff:67:e7:ef:24:bc:34:
|
||||
e3:4e:e0:16:12:84:60:d4:7f:a2:c0:5b:85:a9:c5:ef:78:0b:
|
||||
c3:64:cb:b4:05:eb:51:e5:c1:0f:60:da:5c:98:08:bf:5d:b9:
|
||||
1d:33:a7:26
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDjjCCAnagAwIBAgIPEs5jvZD1q95tf9c+8+a7MA0GCSqGSIb3DQEBCwUAMBkx
|
||||
FzAVBgNVBAMMDlZlaWxpZCBUZXN0IENBMB4XDTIxMTEyMjEzNTIxNloXDTI0MDIy
|
||||
NTEzNTIxNlowIjEgMB4GA1UEAwwXVmVpbGlkIFRlc3QgQ2VydGlmaWNhdGUwggEi
|
||||
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLLnpHgb5va1M3UcFQaFpEPbq5
|
||||
m3hAhDXUDuhBpg4KuTSul6M3PoHtbA/4iosLGu0Gl1dtSaXstMTYbdJXw4eJme6w
|
||||
18WCodzVmLPvENrAXDiiuxU+Dl68oM2h8Adnu1c/icxyT7vAp+2tFQdhwrQhczkA
|
||||
m4+qBBvEndQARIexebThTgE87qS7+a1diEEDtL/fv3Ek7gtpWVXdQ9GRBN6YnFTy
|
||||
7mN4/nYZv+Zd1liBPBsCPV3McErBhAb2GtsWsOAwsDqFQUihiMU4BHsDxIbw2hr/
|
||||
vNGsf80M6FpCXkN/DWFdQWcPuAdHIZNEsqv62Gm7uW2hVm0jVKpJZ+dXxunHAgMB
|
||||
AAGjgckwgcYwCQYDVR0TBAIwADAdBgNVHQ4EFgQUcO2wlnEzQxbvMv9pEcnwAj9s
|
||||
gYgwVAYDVR0jBE0wS4AUXX+NrxpW0/TKPdNt71AR92SZbwKhHaQbMBkxFzAVBgNV
|
||||
BAMMDlZlaWxpZCBUZXN0IENBghQiei5ofN97gYUaUJgWYiLQC9YcSjATBgNVHSUE
|
||||
DDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBaAwIgYDVR0RBBswGYIXVmVpbGlkIFRl
|
||||
c3QgQ2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggEBALj8rGLWla8J2yR9giwC
|
||||
4dB79WkDpEJVxg0q8Z0OxJt4QH0Nfexm9sRtBtBbWN665mfqr0Gjh7Q3i6gfUa5w
|
||||
4A31UQp6s7Md0XeSYzWuUJ4EPQRu8WDI448fdUcFJ6D/xRswaLL5W+bygQ+b8uiM
|
||||
nbZXssEp59DQiLO6jngu784DoxL6tOlOH94ay3dya3GYAjfStALwLAhnynUNr4G/
|
||||
+Ff42UqTT9s84a8+q5z+h/A6ASFqXJmD4wNHmBUjJLPuKSf08TTB5Pg5WpLaxwjc
|
||||
cYcc/2fn7yS8NONO4BYShGDUf6LAW4Wpxe94C8Nky7QF61HlwQ9g2lyYCL9duR0z
|
||||
pyY=
|
||||
-----END CERTIFICATE-----
|
138
files/test-ca/pki/openssl-easyrsa.cnf
Normal file
138
files/test-ca/pki/openssl-easyrsa.cnf
Normal file
@ -0,0 +1,138 @@
|
||||
# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = $ENV::EASYRSA_PKI # Where everything is kept
|
||||
certs = $dir # Where the issued certs are kept
|
||||
crl_dir = $dir # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
new_certs_dir = $dir/certs_by_serial # default place for new certs.
|
||||
|
||||
certificate = $dir/ca.crt # The CA certificate
|
||||
serial = $dir/serial # The current serial number
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/private/ca.key # The private key
|
||||
RANDFILE = $dir/.rand # private random number file
|
||||
|
||||
x509_extensions = basic_exts # The extensions to add to the cert
|
||||
|
||||
# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
|
||||
# is designed for will. In return, we get the Issuer attached to CRLs.
|
||||
crl_extensions = crl_ext
|
||||
|
||||
default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
|
||||
default_crl_days= $ENV::EASYRSA_CRL_DAYS # how long before next CRL
|
||||
default_md = $ENV::EASYRSA_DIGEST # use public key default MD
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# This allows to renew certificates which have not been revoked
|
||||
unique_subject = no
|
||||
|
||||
# A few different ways of specifying how similar the request should look
|
||||
# For type CA, the listed attributes must be the same, and the optional
|
||||
# and supplied fields are just that :-)
|
||||
policy = policy_anything
|
||||
|
||||
# For the 'anything' policy, which defines allowed DN fields
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
name = optional
|
||||
emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
# Easy-RSA request handling
|
||||
# We key off $DN_MODE to determine how to format the DN
|
||||
[ req ]
|
||||
default_bits = $ENV::EASYRSA_KEY_SIZE
|
||||
default_keyfile = privkey.pem
|
||||
default_md = $ENV::EASYRSA_DIGEST
|
||||
distinguished_name = $ENV::EASYRSA_DN
|
||||
x509_extensions = easyrsa_ca # The extensions to add to the self signed cert
|
||||
|
||||
# A placeholder to handle the $EXTRA_EXTS feature:
|
||||
#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it
|
||||
|
||||
####################################################################
|
||||
# Easy-RSA DN (Subject) handling
|
||||
|
||||
# Easy-RSA DN for cn_only support:
|
||||
[ cn_only ]
|
||||
commonName = Common Name (eg: your user, host, or server name)
|
||||
commonName_max = 64
|
||||
commonName_default = $ENV::EASYRSA_REQ_CN
|
||||
|
||||
# Easy-RSA DN for org support:
|
||||
[ org ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = $ENV::EASYRSA_REQ_COUNTRY
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
localityName_default = $ENV::EASYRSA_REQ_CITY
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
0.organizationName_default = $ENV::EASYRSA_REQ_ORG
|
||||
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
organizationalUnitName_default = $ENV::EASYRSA_REQ_OU
|
||||
|
||||
commonName = Common Name (eg: your user, host, or server name)
|
||||
commonName_max = 64
|
||||
commonName_default = $ENV::EASYRSA_REQ_CN
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_default = $ENV::EASYRSA_REQ_EMAIL
|
||||
emailAddress_max = 64
|
||||
|
||||
####################################################################
|
||||
# Easy-RSA cert extension handling
|
||||
|
||||
# This section is effectively unused as the main script sets extensions
|
||||
# dynamically. This core section is left to support the odd usecase where
|
||||
# a user calls openssl directly.
|
||||
[ basic_exts ]
|
||||
basicConstraints = CA:FALSE
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid,issuer:always
|
||||
|
||||
# The Easy-RSA CA extensions
|
||||
[ easyrsa_ca ]
|
||||
|
||||
# PKIX recommendations:
|
||||
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This could be marked critical, but it's nice to support reading by any
|
||||
# broken clients who attempt to do so.
|
||||
basicConstraints = CA:true
|
||||
|
||||
# Limit key usage to CA tasks. If you really want to use the generated pair as
|
||||
# a self-signed cert, comment this out.
|
||||
keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# nsCertType omitted by default. Let's try to let the deprecated stuff die.
|
||||
# nsCertType = sslCA
|
||||
|
||||
# CRL extensions.
|
||||
[ crl_ext ]
|
||||
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
# issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
30
files/test-ca/pki/private/ca.key
Normal file
30
files/test-ca/pki/private/ca.key
Normal file
@ -0,0 +1,30 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
Proc-Type: 4,ENCRYPTED
|
||||
DEK-Info: AES-256-CBC,63E22C921323D1B9A6C52515022B0A22
|
||||
|
||||
xeNTc40tJIc7hUflTNbz4ecGjv4Nk61jjBsT3cpqQmetpijltgve+T1JaEl2ValI
|
||||
ToHsRfvOErhdBLlnkOOpxRK9kxZJQsH+nNxUdX16LoPLmAar70fpZDYmocVhZtm0
|
||||
rjYu00eXapJV7mErWgRRg6Av8y4fMhDhhw8lhaWp+Wr91gv+EX9N8R7jXS5g58PW
|
||||
v9PQ/WRDsf7PQX0BARRYLRl+fQs7JD6nlnzV9W8liEjQifQ0qmzaWYx0Yo53XRj4
|
||||
+rw8CMnXFmU4pFM73qUskOmIDn56wf8Y8rADlTJJ28z+luiWwFotHP7ufiEaVXVr
|
||||
kOmlh3/ZN5y6KVfyx9ef3AZ+M7ZyYn8NepD98zRIuhVTBCDZ1Spk61yZuhP8FYgV
|
||||
gqJrwHxKSKHS0SJwM/o973iniQRIMDb40NXMZw5+nF1XWLqGesijdmLX4Dy/CQy0
|
||||
HVMZ+w99bZtAyogmJLv78QI6VtXOcZdm+IQIcBMflTy2AgEywENDce5hXzTqOFSH
|
||||
xtODTvbUD9XXjUEZCfv08fqHFYUnJ/8Sf0IWs4m52HirTOy7pBLXQi7fl1acM0Ky
|
||||
sVJmAfTmxSHY4c0dIT3U9zfkxGFWoTrvthWl4q7ss+n7W2Z0CNaKkCyvOZEoZkFV
|
||||
VTgDDaQN5BJ4bOAByiiRQ+lpkA2yVun606ASFfPNpbuD5cBa0Ei3mg6Wu/+4uGcl
|
||||
YoucGY1b0+kvhdIibNZNFfCYzbEa/rKzYBKV8aVWleyDLHCGnqZh4JG4fItbXvXz
|
||||
8c6Bis4h4+JhAWosDeMaumsAvwPw/ZQ1R0Xj9iFP2di0DSeTYGkoIn3P0/Yf+6ph
|
||||
q9Nlr0w0uqtnAiclrpgXdeBwawmgHF66Gi6VAt5JQHeNEQO6U1KGJz8f97F+xILl
|
||||
MSpUmxqBwe2lGCDILLqvAcj2kRKoOtuUQk+wSCArVxiKIeVwW7VX0I27s67Yi2CQ
|
||||
q2k96R8k90s9M7hzuFdlkp2vZ46MHqR1QLlzI3vWP/zkFxkFUtuko9CYCjYnGxaY
|
||||
VjoGyV1PoIbSGxu1/NR7b6aFGHHFI575L4gEr4lfa9iLK59GVcWvrzwuGRyrT2d2
|
||||
LLm5SF3HGu9uFPVDvYux9HROhIAh6B70pnYxP3nMg3DoyJdoGrtg+vSni7mkBF9J
|
||||
UOuQfqhC2KL93C1srunvPK5eLgRSPjRaHR045DQv+xPL0A7ciEtH4rgmZ1tZnU2W
|
||||
BFlFiDPebrVfx3qWthrsUkykZCAYG0XypumU2LipGQV1kavABGwmII0BXPIPXJA0
|
||||
UsBQOiZbGviBYvPAWTpi8c2Hd36XjEmwMXFgpDWZXXpiST9FWuAd49MMmepLy+JA
|
||||
98V3oaU65rn6Iqplp1rYac8ey2StGxLzl3GIC0gzHZvD6xaJWuyvG60hT4ZL1Zsw
|
||||
Ryo5NXMHvOxa5aCjkVTk5lf2a4AhAF+Fx2wIiAFxHrcplagVf7PLmqOgh+cJPhwD
|
||||
juR3wfKmBA2Z8ldCmuvgxhw/uSdQv/nx6swgPI7u8g3YOIs1/HnLWRp5w0dylXSf
|
||||
mxCcun42fcTY0OPyv1iC3EY/pHOTn4dInQNNhcCVExbqq4bFW836u5AfFBvBjbOA
|
||||
-----END RSA PRIVATE KEY-----
|
30
files/test-ca/pki/private/test.key
Normal file
30
files/test-ca/pki/private/test.key
Normal file
@ -0,0 +1,30 @@
|
||||
-----BEGIN ENCRYPTED PRIVATE KEY-----
|
||||
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIgpTGP+qhFisCAggA
|
||||
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECLU8ddNZ6jJ3BIIEyMB/nTIXTaUO
|
||||
n8Oe/ld7JjX1jeiQUuXP9oEYT0Ehi5F5IIQ3zUDUrJujJP+iMniX1OafmzmtcQGc
|
||||
pAmGLAyhJS3p5ILlzvZGjjF19QItKGDno/cwHjQMY0ldj1CfjdGf809DQRdo4q8H
|
||||
2jlGUmtMs83DhsxrlWf9Stia/4s/L+zOvpTaVFXn7UMvVtM2LXWF7GdyRIx6a5w4
|
||||
fXOA6FWGY4ZvSzfkadKJSgyGPEwOW51tLJ+BYZpstrSvgh3VWPtluH0zSFdlOH3t
|
||||
N5V5aQzjoeJyP7uTU09Vzp3zjux1uijmzMHnF2LSw8kGmPRIfWKF91LNn12TUNQu
|
||||
oQLkFWXYRIRBDcEKetr4zkOtvp/JPNOkX44D3Zexl2KhHBqG2hDyOQZ03QN+9H7h
|
||||
PUE4MAHsfx7s62sr7TJ/GHC170ZDtgj6HZAjxjs5D7lkPmKSQoods7sCENMadZiX
|
||||
G0ljz/FTHzpMhhpeaRFqQfE7B3F9K6yQttoxxjAhAX+mOD1ho6NSV7KDN1cESKXB
|
||||
4+afwxGV/Gp3tEk6aAbEz8ntqS+lAE1iOXLzbKPmzFs5CCXDs3/EvvLRh3MPtNkz
|
||||
LcNjFypDL4CCCrxlSVMWce6iouSWyiet+3iwr+YuDx+3U9iMYyTrtL0pQSGiC/3s
|
||||
LZloWf7sWT5zab+KSnhxCu3BsazSqShIRsC1lLziJGQnING1m1bw6nG0gph2vzSJ
|
||||
N/ewIANJkby6XP9e/vJipPyI7xHD2aHUQLBU+Zmc7GhZWgVoAfHs/OvqwmTG2wHX
|
||||
10LVpDX6Fr3wBSqsdtPKH7hNBS2Y/Q/plJk/KwyZ7qlby1SMUYj86vtvcZRG4gn/
|
||||
9Mp72//FqfMrvXaBSZKR3SdR6tZTjBY9w1hUJ/c1HfRQYPISgPU9zSSPgRZtrlwx
|
||||
3/FPp6i2YnfpAFWn9zFkFcUCqdEIWjK50K+v+JAUnD+7aCaznA4/yCAonXGjZwcj
|
||||
eVgk5TJ4OfCVx5JE+HLXDWJSU115rMOUYXm5Jpo/j+ZKakM3diU2opW5ocgrHUl2
|
||||
OwinKMiSwVK2NiLZyv4jcCJdyZI+CqvxqIU9X1fDbJP0v9pm3ANzyii6gPaO57e3
|
||||
NZfmrMSqdlIq93wNIi2oZD7hgKwTBj1p/zxOTbP+QY1Ku8oFfXcF9dh32BBL+cHa
|
||||
aza+RkkGzJ+qBRF6Ub7FmcY/y6r+eOvof+c4drTE5icKP5lzpB85ZuUduF535p5d
|
||||
Y4dy3MM2h/t4dk7xmWp5EAZRRvKBUd7SYyi3a+LyTtHGS8FKdRCENXQi47RUlAqO
|
||||
RpzAgYhchqnRDup2Tmu+MtDTPoOht55haM38kXJZ4LxACzPpYHQ6E37BT77K3Qjh
|
||||
HgLxi/Hr97ZxiuPl7Tq113ljEB5xX1RGgn+s3F+/xxFEJojvGdNJXFWtE2BMSBQb
|
||||
JhFkCyVYsqztBt6kLAJosYA0HornidYYwznswe+d+3ruHicax99JEA2m9xnB3LGy
|
||||
A9+SJCbhS9m+hO10KalW8nuUtX1lXP0ZmjuoYrLMLmv9ihH/CoxmHynMPgFVCXih
|
||||
RRGQmuS+PYBIFs1EShT04Ic280QT00un90ydaUZS3uad9qt7gNbNJ3UW3XqyWf14
|
||||
2Gscnl0IXL4gKNNUxKPeGg==
|
||||
-----END ENCRYPTED PRIVATE KEY-----
|
15
files/test-ca/pki/reqs/test.req
Normal file
15
files/test-ca/pki/reqs/test.req
Normal file
@ -0,0 +1,15 @@
|
||||
-----BEGIN CERTIFICATE REQUEST-----
|
||||
MIICZzCCAU8CAQAwIjEgMB4GA1UEAwwXVmVpbGlkIFRlc3QgQ2VydGlmaWNhdGUw
|
||||
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLLnpHgb5va1M3UcFQaFpE
|
||||
Pbq5m3hAhDXUDuhBpg4KuTSul6M3PoHtbA/4iosLGu0Gl1dtSaXstMTYbdJXw4eJ
|
||||
me6w18WCodzVmLPvENrAXDiiuxU+Dl68oM2h8Adnu1c/icxyT7vAp+2tFQdhwrQh
|
||||
czkAm4+qBBvEndQARIexebThTgE87qS7+a1diEEDtL/fv3Ek7gtpWVXdQ9GRBN6Y
|
||||
nFTy7mN4/nYZv+Zd1liBPBsCPV3McErBhAb2GtsWsOAwsDqFQUihiMU4BHsDxIbw
|
||||
2hr/vNGsf80M6FpCXkN/DWFdQWcPuAdHIZNEsqv62Gm7uW2hVm0jVKpJZ+dXxunH
|
||||
AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAGe/0bWdwO5YGGfyQ5Gq+CTsEc1AW
|
||||
f5G6uUk55qK1AqpECy3K9YAdDDf3JKLkaVeWlT275TyLcU2qx+kzSIUdGDpvpFui
|
||||
E/vSfGcfZka7z2DSQfnsHvTy8odgMINPvcdZ6k8+ZsqLWPl6HE10QB0HqT7J1UVm
|
||||
/WZkwXKSWWMbDkXZXuGLIYxp7O+ZbweJLMBzWVCarwL7o4D0oWLj16Yta2s2Wn/5
|
||||
zkW9U4vM6W99t+xrZEfDo3reqYsr6i82cESUY0liTDFryYCF7BSmAbw4WPtWS8Qz
|
||||
DxVp8krxG0RlA/RGfwPYz828SCmgERijp9vHKUtQqx97OCo85Hw4kYtvJQ==
|
||||
-----END CERTIFICATE REQUEST-----
|
138
files/test-ca/pki/safessl-easyrsa.cnf
Normal file
138
files/test-ca/pki/safessl-easyrsa.cnf
Normal file
@ -0,0 +1,138 @@
|
||||
# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
default_ca = CA_default # The default ca section
|
||||
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
dir = /home/jsmith/code/veilid/files/test-ca/pki # Where everything is kept
|
||||
certs = /home/jsmith/code/veilid/files/test-ca/pki # Where the issued certs are kept
|
||||
crl_dir = /home/jsmith/code/veilid/files/test-ca/pki # Where the issued crl are kept
|
||||
database = /home/jsmith/code/veilid/files/test-ca/pki/index.txt # database index file.
|
||||
new_certs_dir = /home/jsmith/code/veilid/files/test-ca/pki/certs_by_serial # default place for new certs.
|
||||
|
||||
certificate = /home/jsmith/code/veilid/files/test-ca/pki/ca.crt # The CA certificate
|
||||
serial = /home/jsmith/code/veilid/files/test-ca/pki/serial # The current serial number
|
||||
crl = /home/jsmith/code/veilid/files/test-ca/pki/crl.pem # The current CRL
|
||||
private_key = /home/jsmith/code/veilid/files/test-ca/pki/private/ca.key # The private key
|
||||
RANDFILE = /home/jsmith/code/veilid/files/test-ca/pki/.rand # private random number file
|
||||
|
||||
x509_extensions = basic_exts # The extensions to add to the cert
|
||||
|
||||
# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
|
||||
# is designed for will. In return, we get the Issuer attached to CRLs.
|
||||
crl_extensions = crl_ext
|
||||
|
||||
default_days = 825 # how long to certify for
|
||||
default_crl_days= 180 # how long before next CRL
|
||||
default_md = sha256 # use public key default MD
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# This allows to renew certificates which have not been revoked
|
||||
unique_subject = no
|
||||
|
||||
# A few different ways of specifying how similar the request should look
|
||||
# For type CA, the listed attributes must be the same, and the optional
|
||||
# and supplied fields are just that :-)
|
||||
policy = policy_anything
|
||||
|
||||
# For the 'anything' policy, which defines allowed DN fields
|
||||
[ policy_anything ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
localityName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
name = optional
|
||||
emailAddress = optional
|
||||
|
||||
####################################################################
|
||||
# Easy-RSA request handling
|
||||
# We key off $DN_MODE to determine how to format the DN
|
||||
[ req ]
|
||||
default_bits = 2048
|
||||
default_keyfile = privkey.pem
|
||||
default_md = sha256
|
||||
distinguished_name = cn_only
|
||||
x509_extensions = easyrsa_ca # The extensions to add to the self signed cert
|
||||
|
||||
# A placeholder to handle the $EXTRA_EXTS feature:
|
||||
#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it
|
||||
|
||||
####################################################################
|
||||
# Easy-RSA DN (Subject) handling
|
||||
|
||||
# Easy-RSA DN for cn_only support:
|
||||
[ cn_only ]
|
||||
commonName = Common Name (eg: your user, host, or server name)
|
||||
commonName_max = 64
|
||||
commonName_default = ChangeMe
|
||||
|
||||
# Easy-RSA DN for org support:
|
||||
[ org ]
|
||||
countryName = Country Name (2 letter code)
|
||||
countryName_default = US
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
stateOrProvinceName_default = California
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
localityName_default = San Francisco
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
0.organizationName_default = Copyleft Certificate Co
|
||||
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
organizationalUnitName_default = My Organizational Unit
|
||||
|
||||
commonName = Common Name (eg: your user, host, or server name)
|
||||
commonName_max = 64
|
||||
commonName_default = ChangeMe
|
||||
|
||||
emailAddress = Email Address
|
||||
emailAddress_default = me@example.net
|
||||
emailAddress_max = 64
|
||||
|
||||
####################################################################
|
||||
# Easy-RSA cert extension handling
|
||||
|
||||
# This section is effectively unused as the main script sets extensions
|
||||
# dynamically. This core section is left to support the odd usecase where
|
||||
# a user calls openssl directly.
|
||||
[ basic_exts ]
|
||||
basicConstraints = CA:FALSE
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid,issuer:always
|
||||
|
||||
# The Easy-RSA CA extensions
|
||||
[ easyrsa_ca ]
|
||||
|
||||
# PKIX recommendations:
|
||||
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
||||
# This could be marked critical, but it's nice to support reading by any
|
||||
# broken clients who attempt to do so.
|
||||
basicConstraints = CA:true
|
||||
|
||||
# Limit key usage to CA tasks. If you really want to use the generated pair as
|
||||
# a self-signed cert, comment this out.
|
||||
keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# nsCertType omitted by default. Let's try to let the deprecated stuff die.
|
||||
# nsCertType = sslCA
|
||||
|
||||
# CRL extensions.
|
||||
[ crl_ext ]
|
||||
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
# issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
1
files/test-ca/pki/serial
Normal file
1
files/test-ca/pki/serial
Normal file
@ -0,0 +1 @@
|
||||
12CE63BD90F5ABDE6D7FD73EF3E6BC
|
1
files/test-ca/pki/serial.old
Normal file
1
files/test-ca/pki/serial.old
Normal file
@ -0,0 +1 @@
|
||||
0012ce63bd90f5abde6d7fd73ef3e6bb
|
221
files/test-ca/vars.example
Normal file
221
files/test-ca/vars.example
Normal file
@ -0,0 +1,221 @@
|
||||
# Easy-RSA 3 parameter settings
|
||||
|
||||
# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
|
||||
# this file in place -- instead, you should copy the entire easy-rsa directory
|
||||
# to another location so future upgrades don't wipe out your changes.
|
||||
|
||||
# HOW TO USE THIS FILE
|
||||
#
|
||||
# vars.example contains built-in examples to Easy-RSA settings. You MUST name
|
||||
# this file 'vars' if you want it to be used as a configuration file. If you do
|
||||
# not, it WILL NOT be automatically read when you call easyrsa commands.
|
||||
#
|
||||
# It is not necessary to use this config file unless you wish to change
|
||||
# operational defaults. These defaults should be fine for many uses without the
|
||||
# need to copy and edit the 'vars' file.
|
||||
#
|
||||
# All of the editable settings are shown commented and start with the command
|
||||
# 'set_var' -- this means any set_var command that is uncommented has been
|
||||
# modified by the user. If you're happy with a default, there is no need to
|
||||
# define the value to its default.
|
||||
|
||||
# NOTES FOR WINDOWS USERS
|
||||
#
|
||||
# Paths for Windows *MUST* use forward slashes, or optionally double-escaped
|
||||
# backslashes (single forward slashes are recommended.) This means your path to
|
||||
# the openssl binary might look like this:
|
||||
# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
|
||||
|
||||
# A little housekeeping: DON'T EDIT THIS SECTION
|
||||
#
|
||||
# Easy-RSA 3.x doesn't source into the environment directly.
|
||||
# Complain if a user tries to do this:
|
||||
if [ -z "$EASYRSA_CALLER" ]; then
|
||||
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
|
||||
echo "This is no longer necessary and is disallowed. See the section called" >&2
|
||||
echo "'How to use this file' near the top comments for more details." >&2
|
||||
return 1
|
||||
fi
|
||||
|
||||
# DO YOUR EDITS BELOW THIS POINT
|
||||
|
||||
# This variable is used as the base location of configuration files needed by
|
||||
# easyrsa. More specific variables for specific files (e.g., EASYRSA_SSL_CONF)
|
||||
# may override this default.
|
||||
#
|
||||
# The default value of this variable is the location of the easyrsa script
|
||||
# itself, which is also where the configuration files are located in the
|
||||
# easy-rsa tree.
|
||||
|
||||
#set_var EASYRSA "${0%/*}"
|
||||
|
||||
# If your OpenSSL command is not in the system PATH, you will need to define the
|
||||
# path to it here. Normally this means a full path to the executable, otherwise
|
||||
# you could have left it undefined here and the shown default would be used.
|
||||
#
|
||||
# Windows users, remember to use paths with forward-slashes (or escaped
|
||||
# back-slashes.) Windows users should declare the full path to the openssl
|
||||
# binary here if it is not in their system PATH.
|
||||
|
||||
#set_var EASYRSA_OPENSSL "openssl"
|
||||
#
|
||||
# This sample is in Windows syntax -- edit it for your path if not using PATH:
|
||||
#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
|
||||
|
||||
# Edit this variable to point to your soon-to-be-created key directory. By
|
||||
# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the
|
||||
# directory you are currently in).
|
||||
#
|
||||
# WARNING: init-pki will do a rm -rf on this directory so make sure you define
|
||||
# it correctly! (Interactive mode will prompt before acting.)
|
||||
|
||||
#set_var EASYRSA_PKI "$PWD/pki"
|
||||
|
||||
# Define directory for temporary subdirectories.
|
||||
|
||||
#set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI"
|
||||
|
||||
# Define X509 DN mode.
|
||||
# This is used to adjust what elements are included in the Subject field as the DN
|
||||
# (this is the "Distinguished Name.")
|
||||
# Note that in cn_only mode the Organizational fields further below aren't used.
|
||||
#
|
||||
# Choices are:
|
||||
# cn_only - use just a CN value
|
||||
# org - use the "traditional" Country/Province/City/Org/OU/email/CN format
|
||||
|
||||
#set_var EASYRSA_DN "cn_only"
|
||||
|
||||
# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
|
||||
# These are the default values for fields which will be placed in the
|
||||
# certificate. Don't leave any of these fields blank, although interactively
|
||||
# you may omit any specific field by typing the "." symbol (not valid for
|
||||
# email.)
|
||||
|
||||
#set_var EASYRSA_REQ_COUNTRY "US"
|
||||
#set_var EASYRSA_REQ_PROVINCE "California"
|
||||
#set_var EASYRSA_REQ_CITY "San Francisco"
|
||||
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
|
||||
#set_var EASYRSA_REQ_EMAIL "me@example.net"
|
||||
#set_var EASYRSA_REQ_OU "My Organizational Unit"
|
||||
|
||||
# Choose a size in bits for your keypairs. The recommended value is 2048. Using
|
||||
# 2048-bit keys is considered more than sufficient for many years into the
|
||||
# future. Larger keysizes will slow down TLS negotiation and make key/DH param
|
||||
# generation take much longer. Values up to 4096 should be accepted by most
|
||||
# software. Only used when the crypto alg is rsa (see below.)
|
||||
|
||||
#set_var EASYRSA_KEY_SIZE 2048
|
||||
|
||||
# The default crypto mode is rsa; ec can enable elliptic curve support.
|
||||
# Note that not all software supports ECC, so use care when enabling it.
|
||||
# Choices for crypto alg are: (each in lower-case)
|
||||
# * rsa
|
||||
# * ec
|
||||
# * ed
|
||||
|
||||
#set_var EASYRSA_ALGO rsa
|
||||
|
||||
# Define the named curve, used in ec & ed modes:
|
||||
|
||||
#set_var EASYRSA_CURVE secp384r1
|
||||
|
||||
# In how many days should the root CA key expire?
|
||||
|
||||
#set_var EASYRSA_CA_EXPIRE 3650
|
||||
|
||||
# In how many days should certificates expire?
|
||||
|
||||
#set_var EASYRSA_CERT_EXPIRE 825
|
||||
|
||||
# How many days until the next CRL publish date? Note that the CRL can still be
|
||||
# parsed after this timeframe passes. It is only used for an expected next
|
||||
# publication date.
|
||||
#set_var EASYRSA_CRL_DAYS 180
|
||||
|
||||
# How many days before its expiration date a certificate is allowed to be
|
||||
# renewed?
|
||||
#set_var EASYRSA_CERT_RENEW 30
|
||||
|
||||
# Random serial numbers by default, set to no for the old incremental serial numbers
|
||||
#
|
||||
#set_var EASYRSA_RAND_SN "yes"
|
||||
|
||||
# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
|
||||
# is "no" to discourage use of deprecated extensions. If you require this
|
||||
# feature to use with --ns-cert-type, set this to "yes" here. This support
|
||||
# should be replaced with the more modern --remote-cert-tls feature. If you do
|
||||
# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
|
||||
# this defined to "no". When set to "yes", server-signed certs get the
|
||||
# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
|
||||
# nsComment field.
|
||||
|
||||
#set_var EASYRSA_NS_SUPPORT "no"
|
||||
|
||||
# When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
|
||||
# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.
|
||||
|
||||
#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate"
|
||||
|
||||
# A temp file used to stage cert extensions during signing. The default should
|
||||
# be fine for most users; however, some users might want an alternative under a
|
||||
# RAM-based FS, such as /dev/shm or /tmp on some systems.
|
||||
|
||||
#set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"
|
||||
|
||||
# !!
|
||||
# NOTE: ADVANCED OPTIONS BELOW THIS POINT
|
||||
# PLAY WITH THEM AT YOUR OWN RISK
|
||||
# !!
|
||||
|
||||
# Broken shell command aliases: If you have a largely broken shell that is
|
||||
# missing any of these POSIX-required commands used by Easy-RSA, you will need
|
||||
# to define an alias to the proper path for the command. The symptom will be
|
||||
# some form of a 'command not found' error from your shell. This means your
|
||||
# shell is BROKEN, but you can hack around it here if you really need. These
|
||||
# shown values are not defaults: it is up to you to know what you're doing if
|
||||
# you touch these.
|
||||
#
|
||||
#alias awk="/alt/bin/awk"
|
||||
#alias cat="/alt/bin/cat"
|
||||
|
||||
# X509 extensions directory:
|
||||
# If you want to customize the X509 extensions used, set the directory to look
|
||||
# for extensions here. Each cert type you sign must have a matching filename,
|
||||
# and an optional file named 'COMMON' is included first when present. Note that
|
||||
# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
|
||||
# fallback to $EASYRSA for the 'x509-types' dir. You may override this
|
||||
# detection with an explicit dir here.
|
||||
#
|
||||
#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
|
||||
|
||||
# If you want to generate KDC certificates, you need to set the realm here.
|
||||
#set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM"
|
||||
|
||||
# OpenSSL config file:
|
||||
# If you need to use a specific openssl config file, you can reference it here.
|
||||
# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the
|
||||
# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
|
||||
# specific and you cannot just use a standard config file, so this is an
|
||||
# advanced feature.
|
||||
|
||||
#set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
|
||||
|
||||
# Default CN:
|
||||
# This is best left alone. Interactively you will set this manually, and BATCH
|
||||
# callers are expected to set this themselves.
|
||||
|
||||
#set_var EASYRSA_REQ_CN "ChangeMe"
|
||||
|
||||
# Cryptographic digest to use.
|
||||
# Do not change this default unless you understand the security implications.
|
||||
# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512
|
||||
|
||||
#set_var EASYRSA_DIGEST "sha256"
|
||||
|
||||
# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
|
||||
# in batch mode without any user input, confirmation on dangerous operations,
|
||||
# or most output. Setting this to any non-blank string enables batch mode.
|
||||
|
||||
#set_var EASYRSA_BATCH ""
|
||||
|
7
files/test-ca/x509-types/COMMON
Normal file
7
files/test-ca/x509-types/COMMON
Normal file
@ -0,0 +1,7 @@
|
||||
# X509 extensions added to every signed cert
|
||||
|
||||
# This file is included for every cert signed, and by default does nothing.
|
||||
# It could be used to add values every cert should have, such as a CDP as
|
||||
# demonstrated in the following example:
|
||||
|
||||
#crlDistributionPoints = URI:http://example.net/pki/my_ca.crl
|
13
files/test-ca/x509-types/ca
Normal file
13
files/test-ca/x509-types/ca
Normal file
@ -0,0 +1,13 @@
|
||||
# X509 extensions for a ca
|
||||
|
||||
# Note that basicConstraints will be overridden by Easy-RSA when defining a
|
||||
# CA_PATH_LEN for CA path length limits. You could also do this here
|
||||
# manually as in the following example in place of the existing line:
|
||||
#
|
||||
# basicConstraints = CA:TRUE, pathlen:1
|
||||
|
||||
basicConstraints = CA:TRUE
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always,issuer:always
|
||||
keyUsage = cRLSign, keyCertSign
|
||||
|
8
files/test-ca/x509-types/client
Normal file
8
files/test-ca/x509-types/client
Normal file
@ -0,0 +1,8 @@
|
||||
# X509 extensions for a client
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid,issuer:always
|
||||
extendedKeyUsage = clientAuth
|
||||
keyUsage = digitalSignature
|
||||
|
8
files/test-ca/x509-types/code-signing
Normal file
8
files/test-ca/x509-types/code-signing
Normal file
@ -0,0 +1,8 @@
|
||||
# X509 extensions for a client
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid,issuer:always
|
||||
extendedKeyUsage = codeSigning
|
||||
keyUsage = digitalSignature
|
||||
|
8
files/test-ca/x509-types/email
Normal file
8
files/test-ca/x509-types/email
Normal file
@ -0,0 +1,8 @@
|
||||
# X509 extensions for email
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid,issuer:always
|
||||
extendedKeyUsage = emailProtection
|
||||
keyUsage = digitalSignature,keyEncipherment,nonRepudiation
|
||||
|
21
files/test-ca/x509-types/kdc
Normal file
21
files/test-ca/x509-types/kdc
Normal file
@ -0,0 +1,21 @@
|
||||
# X509 extensions for a KDC server certificate
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid,issuer:always
|
||||
extendedKeyUsage = 1.3.6.1.5.2.3.5
|
||||
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
|
||||
issuerAltName = issuer:copy
|
||||
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
|
||||
|
||||
[kdc_princ_name]
|
||||
realm = EXP:0,GeneralString:${ENV::EASYRSA_KDC_REALM}
|
||||
principal_name = EXP:1,SEQUENCE:kdc_principal_seq
|
||||
|
||||
[kdc_principal_seq]
|
||||
name_type = EXP:0,INTEGER:1
|
||||
name_string = EXP:1,SEQUENCE:kdc_principals
|
||||
|
||||
[kdc_principals]
|
||||
princ1 = GeneralString:krbtgt
|
||||
princ2 = GeneralString:${ENV::EASYRSA_KDC_REALM}
|
8
files/test-ca/x509-types/server
Normal file
8
files/test-ca/x509-types/server
Normal file
@ -0,0 +1,8 @@
|
||||
# X509 extensions for a server
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid,issuer:always
|
||||
extendedKeyUsage = serverAuth
|
||||
keyUsage = digitalSignature,keyEncipherment
|
||||
|
8
files/test-ca/x509-types/serverClient
Normal file
8
files/test-ca/x509-types/serverClient
Normal file
@ -0,0 +1,8 @@
|
||||
# X509 extensions for a client/server
|
||||
|
||||
basicConstraints = CA:FALSE
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid,issuer:always
|
||||
extendedKeyUsage = serverAuth,clientAuth
|
||||
keyUsage = digitalSignature,keyEncipherment
|
||||
|
Loading…
Reference in New Issue
Block a user