1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
|
#! /bin/sh
# Primary root: root-cert
# root cert variants: CA:false, key2, DN2
# trust variants: +serverAuth -serverAuth +clientAuth -clientAuth +anyEKU -anyEKU
#
./mkcert.sh genroot "Root CA" root-key root-cert
./mkcert.sh genss "Root CA" root-key root-nonca
./mkcert.sh genroot "Root CA" root-key2 root-cert2
./mkcert.sh genroot "Root Cert 2" root-key root-name2
#
openssl x509 -in root-cert.pem -trustout \
-addtrust serverAuth -out root+serverAuth.pem
openssl x509 -in root-cert.pem -trustout \
-addreject serverAuth -out root-serverAuth.pem
openssl x509 -in root-cert.pem -trustout \
-addtrust clientAuth -out root+clientAuth.pem
openssl x509 -in root-cert.pem -trustout \
-addreject clientAuth -out root-clientAuth.pem
openssl x509 -in root-cert.pem -trustout \
-addreject anyExtendedKeyUsage -out root-anyEKU.pem
openssl x509 -in root-cert.pem -trustout \
-addtrust anyExtendedKeyUsage -out root+anyEKU.pem
openssl x509 -in root-cert2.pem -trustout \
-addtrust serverAuth -out root2+serverAuth.pem
openssl x509 -in root-cert2.pem -trustout \
-addreject serverAuth -out root2-serverAuth.pem
openssl x509 -in root-cert2.pem -trustout \
-addtrust clientAuth -out root2+clientAuth.pem
openssl x509 -in root-nonca.pem -trustout \
-addtrust serverAuth -out nroot+serverAuth.pem
openssl x509 -in root-nonca.pem -trustout \
-addtrust anyExtendedKeyUsage -out nroot+anyEKU.pem
# primary client-EKU root: croot-cert
# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU
#
./mkcert.sh genroot "Root CA" root-key croot-cert clientAuth
#
openssl x509 -in croot-cert.pem -trustout \
-addtrust serverAuth -out croot+serverAuth.pem
openssl x509 -in croot-cert.pem -trustout \
-addreject serverAuth -out croot-serverAuth.pem
openssl x509 -in croot-cert.pem -trustout \
-addtrust clientAuth -out croot+clientAuth.pem
openssl x509 -in croot-cert.pem -trustout \
-addreject clientAuth -out croot-clientAuth.pem
openssl x509 -in croot-cert.pem -trustout \
-addreject anyExtendedKeyUsage -out croot-anyEKU.pem
openssl x509 -in croot-cert.pem -trustout \
-addtrust anyExtendedKeyUsage -out croot+anyEKU.pem
# primary server-EKU root: sroot-cert
# trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU
#
./mkcert.sh genroot "Root CA" root-key sroot-cert serverAuth
#
openssl x509 -in sroot-cert.pem -trustout \
-addtrust serverAuth -out sroot+serverAuth.pem
openssl x509 -in sroot-cert.pem -trustout \
-addreject serverAuth -out sroot-serverAuth.pem
openssl x509 -in sroot-cert.pem -trustout \
-addtrust clientAuth -out sroot+clientAuth.pem
openssl x509 -in sroot-cert.pem -trustout \
-addreject clientAuth -out sroot-clientAuth.pem
openssl x509 -in sroot-cert.pem -trustout \
-addreject anyExtendedKeyUsage -out sroot-anyEKU.pem
openssl x509 -in sroot-cert.pem -trustout \
-addtrust anyExtendedKeyUsage -out sroot+anyEKU.pem
# Primary intermediate ca: ca-cert
# ca variants: CA:false, key2, DN2, issuer2, expired
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, -anyEKU, +anyEKU
#
./mkcert.sh genca "CA" ca-key ca-cert root-key root-cert
./mkcert.sh genee "CA" ca-key ca-nonca root-key root-cert
./mkcert.sh gen_nonbc_ca "CA" ca-key ca-nonbc root-key root-cert
./mkcert.sh genca "CA" ca-key2 ca-cert2 root-key root-cert
./mkcert.sh genca "CA2" ca-key ca-name2 root-key root-cert
./mkcert.sh genca "CA" ca-key ca-root2 root-key2 root-cert2
./mkcert.sh genca "CA" ca-key ca-expired root-key root-cert -days -1
#
openssl x509 -in ca-cert.pem -trustout \
-addtrust serverAuth -out ca+serverAuth.pem
openssl x509 -in ca-cert.pem -trustout \
-addreject serverAuth -out ca-serverAuth.pem
openssl x509 -in ca-cert.pem -trustout \
-addtrust clientAuth -out ca+clientAuth.pem
openssl x509 -in ca-cert.pem -trustout \
-addreject clientAuth -out ca-clientAuth.pem
openssl x509 -in ca-cert.pem -trustout \
-addreject anyExtendedKeyUsage -out ca-anyEKU.pem
openssl x509 -in ca-cert.pem -trustout \
-addtrust anyExtendedKeyUsage -out ca+anyEKU.pem
openssl x509 -in ca-nonca.pem -trustout \
-addtrust serverAuth -out nca+serverAuth.pem
openssl x509 -in ca-nonca.pem -trustout \
-addtrust serverAuth -out nca+anyEKU.pem
# client intermediate ca: cca-cert
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
#
./mkcert.sh genca "CA" ca-key cca-cert root-key root-cert clientAuth
#
openssl x509 -in cca-cert.pem -trustout \
-addtrust serverAuth -out cca+serverAuth.pem
openssl x509 -in cca-cert.pem -trustout \
-addreject serverAuth -out cca-serverAuth.pem
openssl x509 -in cca-cert.pem -trustout \
-addtrust clientAuth -out cca+clientAuth.pem
openssl x509 -in cca-cert.pem -trustout \
-addtrust clientAuth -out cca-clientAuth.pem
openssl x509 -in cca-cert.pem -trustout \
-addreject anyExtendedKeyUsage -out cca-anyEKU.pem
openssl x509 -in cca-cert.pem -trustout \
-addtrust anyExtendedKeyUsage -out cca+anyEKU.pem
# server intermediate ca: sca-cert
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, -anyEKU, +anyEKU
#
./mkcert.sh genca "CA" ca-key sca-cert root-key root-cert serverAuth
#
openssl x509 -in sca-cert.pem -trustout \
-addtrust serverAuth -out sca+serverAuth.pem
openssl x509 -in sca-cert.pem -trustout \
-addreject serverAuth -out sca-serverAuth.pem
openssl x509 -in sca-cert.pem -trustout \
-addtrust clientAuth -out sca+clientAuth.pem
openssl x509 -in sca-cert.pem -trustout \
-addreject clientAuth -out sca-clientAuth.pem
openssl x509 -in sca-cert.pem -trustout \
-addreject anyExtendedKeyUsage -out sca-anyEKU.pem
openssl x509 -in sca-cert.pem -trustout \
-addtrust anyExtendedKeyUsage -out sca+anyEKU.pem
# Primary leaf cert: ee-cert
# ee variants: expired, issuer-key2, issuer-name2
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
# purpose variants: client
#
./mkcert.sh genee server.example ee-key ee-cert ca-key ca-cert
./mkcert.sh genee server.example ee-key ee-expired ca-key ca-cert -days -1
./mkcert.sh genee server.example ee-key ee-cert2 ca-key2 ca-cert2
./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2
./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert
#
openssl x509 -in ee-cert.pem -trustout \
-addtrust serverAuth -out ee+serverAuth.pem
openssl x509 -in ee-cert.pem -trustout \
-addreject serverAuth -out ee-serverAuth.pem
openssl x509 -in ee-client.pem -trustout \
-addtrust clientAuth -out ee+clientAuth.pem
openssl x509 -in ee-client.pem -trustout \
-addreject clientAuth -out ee-clientAuth.pem
|
