path: root/net/data/ssl/scripts/generate-duplicate-cn-certs.sh
#!/bin/sh

# Copyright (c) 2013 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script generates two chains of test certificates:
#    1. A1 (end-entity) -> B (self-signed root)
#    2. A2 (end-entity) -> B (self-signed root)
#
# In which A1 and A2 share the same key, the same subject common name, but have
# distinct O values in their subjects.
#
# This is used to test that NSS can properly generate unique certificate
# nicknames for both certificates.

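#######################################
# Print a command line, run it, and abort the whole script if it fails.
# The script does not use `set -e`, so this wrapper is the only error
# handling: every step that matters must go through it.
# Arguments: the command followed by its arguments
# Outputs:   the command line on stdout, then whatever the command itself
#            prints
# Returns:   the command's status on success; exits 1 on failure
# Call sites pass configuration as `VAR=value try openssl ...`; in bash such
# prefix assignments are exported to the commands the function runs.
# NOTE(review): confirm the same holds for the /bin/sh this runs under.
#######################################
try () {
  # printf instead of echo: a leading "-n"/"-e" argument would be swallowed
  # as an echo option instead of being shown. "$*" joins with a space, the
  # same output echo "$@" produced.
  printf '%s\n' "$*"
  "$@" || exit 1
}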

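# Start from an empty output directory so serial/index state left by an
# earlier run cannot influence `openssl ca` below.
try rm -rf out
try mkdir out

echo Create the serial number and index files.
# `openssl ca` needs a serial file and an (initially empty) index database.
# Presumably redundant-ca.cnf points at these two out/B-* files — confirm.
try /bin/sh -c "echo 01 > out/B-serial"
try touch out/B-index.txt

echo Generate the keys.
# A.key is deliberately shared by both end-entity certificates (see the
# header comment); B.key is the root's key.
try openssl genrsa -out out/A.key 2048
try openssl genrsa -out out/B.key 2048

echo Generate the B CSR.
# The VAR=value prefixes are not read by this script; they reach the openssl
# process environment through `try` and are presumably expanded inside the
# .cnf files (CA_COMMON_NAME for the subject, CERTIFICATE to select the
# out/B.* files) — confirm against redundant-ca.cnf.
CA_COMMON_NAME="B Root CA" \
  CERTIFICATE=B \
  try openssl req \
    -new \
    -key out/B.key \
    -out out/B.csr \
    -config redundant-ca.cnf

echo B signs itself.
# Self-signed root, valid for 3650 days, with the ca_cert extensions from
# redundant-ca.cnf.
CA_COMMON_NAME="B Root CA" \
  try openssl x509 \
    -req -days 3650 \
    -in out/B.csr \
    -extfile redundant-ca.cnf \
    -extensions ca_cert \
    -signkey out/B.key \
    -out out/B.pem

echo Generate the A1 end-entity CSR.
# SUBJECT_NAME presumably selects the subject section in ee.cnf; the two
# sections differ only in O, giving the same CN with distinct O values.
SUBJECT_NAME=req_duplicate_cn_1 \
  try openssl req \
    -new \
    -key out/A.key \
    -out out/A1.csr \
    -config ee.cnf

echo Generate the A2 end-entity CSR
SUBJECT_NAME=req_duplicate_cn_2 \
  try openssl req \
    -new \
    -key out/A.key \
    -out out/A2.csr \
    -config ee.cnf

echo B signs A1.
# -batch: no interactive confirmation; user_cert extensions from the CA config.
CA_COMMON_NAME="B CA" \
  CERTIFICATE=B \
  try openssl ca \
    -batch \
    -extensions user_cert \
    -in out/A1.csr \
    -out out/A1.pem \
    -config redundant-ca.cnf

echo B signs A2.
CA_COMMON_NAME="B CA" \
  CERTIFICATE=B \
  try openssl ca \
    -batch \
    -extensions user_cert \
    -in out/A2.csr \
    -out out/A2.pem \
    -config redundant-ca.cnf

echo Exporting the certificates to PKCS#12
# Each bundle carries the shared private key plus one of the two certificates.
# The fixed password is a non-secret test-fixture value; the consuming tests
# presumably open the .p12 files with it — confirm before changing.
try openssl pkcs12 \
  -export \
  -inkey out/A.key \
  -in out/A1.pem \
  -out ../certificates/duplicate_cn_1.p12 \
  -passout pass:chrome

try openssl pkcs12 \
  -export \
  -inkey out/A.key \
  -in out/A2.pem \
  -out ../certificates/duplicate_cn_2.p12 \
  -passout pass:chrome

# Wrapped in try like every other step: without set -e a failed copy would
# otherwise go unnoticed and leave a stale fixture in ../certificates.
try cp out/A1.pem ../certificates/duplicate_cn_1.pem
try cp out/A2.pem ../certificates/duplicate_cn_2.pem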