mirror of https://github.com/wolfSSL/wolfssl.git
Added client/server certs and keys for P-384, signed by a P-384 CA. Fixed the broken certs/ecc/genecc.sh script. Added a simple P-384 cipher suite test.
parent
23445546c5
commit
3be7eacea9
|
@ -0,0 +1,18 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIC7jCCAnOgAwIBAgICEAEwCgYIKoZIzj0EAwMwgZcxCzAJBgNVBAYTAlVTMRMw
|
||||||
|
EQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3
|
||||||
|
b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZz
|
||||||
|
c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE4MTAx
|
||||||
|
OTEzNDEwMloXDTQ4MTAxMTEzNDEwMlowgZYxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
|
||||||
|
DApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGlj
|
||||||
|
MRMwEQYDVQQLDApFQ0MzODRDbGl0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
|
||||||
|
HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wdjAQBgcqhkjOPQIBBgUr
|
||||||
|
gQQAIgNiAARmxAg9ZqehFdRTCiOzrQvOj8j0mB2m2LJuIhH6ue+ZwPopPkgA+f7C
|
||||||
|
pkobpxKoa5BMHLusXW4OYs5wIPdDd9iXx3TTaP6J7HfLGS+JSh13+ZdLZgJopWKv
|
||||||
|
lYHL4yQ264WjgZAwgY0wCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwHQYD
|
||||||
|
VR0OBBYEFB7y0Bv4/KXLP9yK9ZcqQlOwQvnUMB8GA1UdIwQYMBaAFKvgwyZMGNRy
|
||||||
|
u9KEjJwKBZKAElNSMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcD
|
||||||
|
AgYIKwYBBQUHAwQwCgYIKoZIzj0EAwMDaQAwZgIxAPQNeML87vVHHBRaob0yBP0Q
|
||||||
|
K4wxvwQEuyes/XSEHupNYfSvcK24YuLVm2mrx+3NyAIxAIn8dyiX85tuunv89xNC
|
||||||
|
XIkXUHZlvK60fMYi9PBucuYhdy7UO22IRrRncuURVs3oJQ==
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,6 @@
|
||||||
|
-----BEGIN PRIVATE KEY-----
|
||||||
|
MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDB1nVO7/TbLqFdjldpO
|
||||||
|
TH23WVi/DIOkNaLUNEpfkh3gbrWk1AQ2OgnmrBSgMI8FN5ahZANiAARmxAg9Zqeh
|
||||||
|
FdRTCiOzrQvOj8j0mB2m2LJuIhH6ue+ZwPopPkgA+f7CpkobpxKoa5BMHLusXW4O
|
||||||
|
Ys5wIPdDd9iXx3TTaP6J7HfLGS+JSh13+ZdLZgJopWKvlYHL4yQ264U=
|
||||||
|
-----END PRIVATE KEY-----
|
|
@ -17,25 +17,23 @@ setup_files() {
|
||||||
mkdir demoCA || exit 1
|
mkdir demoCA || exit 1
|
||||||
touch ./demoCA/index.txt || exit 1
|
touch ./demoCA/index.txt || exit 1
|
||||||
touch ./index.txt || exit 1
|
touch ./index.txt || exit 1
|
||||||
touch ../ecc/index.txt || exit 1
|
touch ../crl/index.txt || exit 1
|
||||||
touch ./crlnumber || exit 1
|
touch ./crlnumber || exit 1
|
||||||
touch ../ecc/crlnumber || exit 1
|
touch ../crl/crlnumber || exit 1
|
||||||
echo "01" >> crlnumber || exit 1
|
echo "01" >> crlnumber || exit 1
|
||||||
echo "01" >> ../ecc/crlnumber || exit 1
|
echo "01" >> ../crl/crlnumber || exit 1
|
||||||
touch ./blank.index.txt || exit 1
|
touch ./blank.index.txt || exit 1
|
||||||
touch ./demoCA/index.txt.attr || exit 1
|
touch ./demoCA/index.txt.attr || exit 1
|
||||||
touch ../ecc/index.txt.attr || exit 1
|
touch ../crl/index.txt.attr || exit 1
|
||||||
}
|
}
|
||||||
|
|
||||||
cleanup_files() {
|
cleanup_files() {
|
||||||
rm blank.index.txt || exit 1
|
rm blank.index.txt || exit 1
|
||||||
rm index.* || exit 1
|
rm index.* || exit 1
|
||||||
rm crlnumber* || exit 1
|
rm crlnumber* || exit 1
|
||||||
rm ../ecc/crlnumber* || exit 1
|
rm -rf demoCA || exit 1
|
||||||
rm ../ecc/index.* || exit 1
|
|
||||||
rm -r demoCA || exit 1
|
|
||||||
echo "Removed ../wolfssl.cnf, blank.index.txt, index.*, crlnumber*, demoCA/"
|
echo "Removed ../wolfssl.cnf, blank.index.txt, index.*, crlnumber*, demoCA/"
|
||||||
echo " ../ecc/index.txt"
|
echo " ../crl/index.txt"
|
||||||
echo ""
|
echo ""
|
||||||
exit 0
|
exit 0
|
||||||
}
|
}
|
||||||
|
@ -171,12 +169,12 @@ mv tmp eccSrvCRL.pem
|
||||||
|
|
||||||
# caEccCrl
|
# caEccCrl
|
||||||
echo "Step 21"
|
echo "Step 21"
|
||||||
openssl ca -config ../ecc/wolfssl.cnf -gencrl -crldays 1000 -out caEccCrl.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem
|
openssl ca -config ./wolfssl.cnf -gencrl -crldays 1000 -out caEccCrl.pem -keyfile ../ca-ecc-key.pem -cert ../ca-ecc-cert.pem
|
||||||
check_result $?
|
check_result $?
|
||||||
|
|
||||||
# ca-ecc384-cert
|
# ca-ecc384-cert
|
||||||
echo "Step 22"
|
echo "Step 22"
|
||||||
openssl ca -config ../ecc/wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
|
openssl ca -config ./wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
|
||||||
check_result $?
|
check_result $?
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
|
|
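Review bot: In setup_files the new `touch ../crl/index.txt`, `touch ../crl/crlnumber` and `echo "01" >> ../crl/crlnumber` name the same files as `./index.txt`, `./crlnumber` and the `echo "01" >> crlnumber` just before them, if the script runs from certs/crl as the `-config ./wolfssl.cnf` in the second hunk implies; the second echo then leaves crlnumber with two `01` lines. Dropping the three `../crl/` lines, and the matching `echo " ../crl/index.txt"` in cleanup_files, keeps one copy of each file and makes cleanup_files' `rm index.*` / `rm crlnumber*` obviously sufficient. Separately, Step 22 produces the P-384 CA's CRL through ./wolfssl.cnf, whose `default_md = sha256` applies unless `-md` is given, so that CRL is SHA-256-signed while the P-384 chain built by genecc.sh is SHA-384 throughout; adding `-md sha384` to the Step 22 line keeps the profile consistent. setup_files begins outside the first hunk.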
@ -9,7 +9,8 @@ EXTRA_DIST += \
|
||||||
certs/crl/eccCliCRL.pem \
|
certs/crl/eccCliCRL.pem \
|
||||||
certs/crl/crl2.pem \
|
certs/crl/crl2.pem \
|
||||||
certs/crl/caEccCrl.pem \
|
certs/crl/caEccCrl.pem \
|
||||||
certs/crl/caEcc384Crl.pem
|
certs/crl/caEcc384Crl.pem \
|
||||||
|
certs/crl/wolfssl.cnf
|
||||||
|
|
||||||
EXTRA_DIST += \
|
EXTRA_DIST += \
|
||||||
certs/crl/crl.revoked
|
certs/crl/crl.revoked
|
||||||
|
|
|
@ -0,0 +1,110 @@
|
||||||
|
[ ca ]
|
||||||
|
# `man ca`
|
||||||
|
default_ca = CA_default
|
||||||
|
|
||||||
|
[ CA_default ]
|
||||||
|
# Directory and file locations relevant to where the script is executing
|
||||||
|
dir = .
|
||||||
|
certs = $dir/../
|
||||||
|
new_certs_dir = $dir/../
|
||||||
|
database = $dir/../crl/index.txt
|
||||||
|
serial = $dir/../crl/serial
|
||||||
|
# This should come from the system disregard local pathing
|
||||||
|
RANDFILE = $dir/private/.rand
|
||||||
|
|
||||||
|
# The root key and root certificate.
|
||||||
|
private_key = $dir/../ca-ecc-key.pem
|
||||||
|
certificate = $dir/../ca-ecc-cert.pem
|
||||||
|
|
||||||
|
# For certificate revocation lists.
|
||||||
|
crlnumber = $dir/../crl/crlnumber
|
||||||
|
crl_extensions = crl_ext
|
||||||
|
default_crl_days = 1000
|
||||||
|
|
||||||
|
# SHA-1 is deprecated, so use SHA-2 instead.
|
||||||
|
default_md = sha256
|
||||||
|
|
||||||
|
name_opt = ca_default
|
||||||
|
cert_opt = ca_default
|
||||||
|
default_days = 3650
|
||||||
|
preserve = no
|
||||||
|
policy = policy_loose
|
||||||
|
|
||||||
|
|
||||||
|
[ policy_strict ]
|
||||||
|
# The root CA should only sign intermediate certificates that match.
|
||||||
|
# See the POLICY FORMAT section of `man ca`.
|
||||||
|
countryName = match
|
||||||
|
stateOrProvinceName = match
|
||||||
|
organizationName = match
|
||||||
|
organizationalUnitName = optional
|
||||||
|
commonName = supplied
|
||||||
|
emailAddress = optional
|
||||||
|
|
||||||
|
[ policy_loose ]
|
||||||
|
# Allow the intermediate CA to sign a more diverse range of certificates.
|
||||||
|
# See the POLICY FORMAT section of the `ca` man page.
|
||||||
|
countryName = optional
|
||||||
|
stateOrProvinceName = optional
|
||||||
|
localityName = optional
|
||||||
|
organizationName = optional
|
||||||
|
organizationalUnitName = optional
|
||||||
|
commonName = supplied
|
||||||
|
emailAddress = optional
|
||||||
|
|
||||||
|
[ req ]
|
||||||
|
# Options for the `req` tool (`man req`).
|
||||||
|
default_bits = 2048
|
||||||
|
distinguished_name = req_distinguished_name
|
||||||
|
string_mask = utf8only
|
||||||
|
|
||||||
|
# SHA-1 is deprecated, so use SHA-2 instead.
|
||||||
|
default_md = sha256
|
||||||
|
|
||||||
|
# Extension to add when the -x509 option is used.
|
||||||
|
x509_extensions = v3_ca
|
||||||
|
|
||||||
|
[ req_distinguished_name ]
|
||||||
|
countryName = US
|
||||||
|
stateOrProvinceName = Washington
|
||||||
|
localityName = Seattle
|
||||||
|
0.organizationName = wolfSSL
|
||||||
|
organizationalUnitName = Development
|
||||||
|
commonName = www.wolfssl.com
|
||||||
|
emailAddress = info@wolfssl.com
|
||||||
|
|
||||||
|
[ v3_ca ]
|
||||||
|
# Extensions for a typical CA (`man x509v3_config`).
|
||||||
|
subjectKeyIdentifier = hash
|
||||||
|
authorityKeyIdentifier = keyid:always,issuer
|
||||||
|
basicConstraints = critical, CA:true
|
||||||
|
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
|
||||||
|
|
||||||
|
[ v3_intermediate_ca ]
|
||||||
|
# Extensions for a typical intermediate CA (`man x509v3_config`).
|
||||||
|
subjectKeyIdentifier = hash
|
||||||
|
authorityKeyIdentifier = keyid:always,issuer
|
||||||
|
basicConstraints = critical, CA:true, pathlen:0
|
||||||
|
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
|
||||||
|
|
||||||
|
[ usr_cert ]
|
||||||
|
# Extensions for client certificates (`man x509v3_config`).
|
||||||
|
basicConstraints = CA:FALSE
|
||||||
|
nsCertType = client, email
|
||||||
|
subjectKeyIdentifier = hash
|
||||||
|
authorityKeyIdentifier = keyid,issuer
|
||||||
|
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
|
||||||
|
extendedKeyUsage = clientAuth, emailProtection
|
||||||
|
|
||||||
|
[ server_cert ]
|
||||||
|
# Extensions for server certificates (`man x509v3_config`).
|
||||||
|
basicConstraints = CA:FALSE
|
||||||
|
nsCertType = server
|
||||||
|
subjectKeyIdentifier = hash
|
||||||
|
authorityKeyIdentifier = keyid,issuer:always
|
||||||
|
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
|
||||||
|
extendedKeyUsage = serverAuth
|
||||||
|
|
||||||
|
[ crl_ext ]
|
||||||
|
# Extension for CRLs (`man x509v3_config`).
|
||||||
|
authorityKeyIdentifier=keyid:always
|
|
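Review bot: The file has no header saying what it is for: it duplicates certs/ecc/wolfssl.cnf apart from the `$dir/../crl/` paths, and nothing states that it is the `-config` for certs/crl/gencrls.sh, apparently run from certs/crl, with `private_key`/`certificate` naming the P-256 CA as defaults that the script overrides via `-keyfile`/`-cert` when the P-384 CRL is produced. A short comment above `[ ca ]` stating those three facts (consumer script, expected working directory, per-CA overrides) would spare the next reader from tracing the `..` paths by hand. The comment `# This should come from the system disregard local pathing` contradicts the `RANDFILE = $dir/private/.rand` value beneath it, which names a directory the page shows nothing creating; either reword the comment or drop the setting.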
@ -13,21 +13,17 @@ echo 2000 > ./certs/ecc/crlnumber
|
||||||
|
|
||||||
# generate ECC 256-bit CA
|
# generate ECC 256-bit CA
|
||||||
openssl ecparam -out ./certs/ca-ecc-key.par -name prime256v1
|
openssl ecparam -out ./certs/ca-ecc-key.par -name prime256v1
|
||||||
openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc-key.par -keyout ./certs/ca-ecc-key.pem -out ./certs/ca-ecc-cert.pem -sha256 -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
|
openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc-key.par -keyout ./certs/ca-ecc-key.pem -out ./certs/ca-ecc-cert.pem -sha256 \
|
||||||
|
-days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
|
||||||
|
|
||||||
openssl x509 -in ./certs/ca-ecc-cert.pem -inform PEM -out ./certs/ca-ecc-cert.der -outform DER
|
openssl x509 -in ./certs/ca-ecc-cert.pem -inform PEM -out ./certs/ca-ecc-cert.der -outform DER
|
||||||
openssl ec -in ./certs/ca-ecc-key.pem -inform PEM -out ./certs/ca-ecc-key.der -outform DER
|
openssl ec -in ./certs/ca-ecc-key.pem -inform PEM -out ./certs/ca-ecc-key.der -outform DER
|
||||||
|
|
||||||
rm ./certs/ca-ecc-key.par
|
rm ./certs/ca-ecc-key.par
|
||||||
|
|
||||||
# generate ECC 384-bit CA
|
# Gen CA CRL
|
||||||
openssl ecparam -out ./certs/ca-ecc384-key.par -name secp384r1
|
openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEccCrl.pem -keyfile ./certs/ca-ecc-key.pem -cert ./certs/ca-ecc-cert.pem
|
||||||
openssl req -config ./certs/ecc/wolfssl.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc384-key.par -keyout ./certs/ca-ecc384-key.pem -out ./certs/ca-ecc384-cert.pem -sha384 -days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
|
|
||||||
|
|
||||||
openssl x509 -in ./certs/ca-ecc384-cert.pem -inform PEM -out ./certs/ca-ecc384-cert.der -outform DER
|
|
||||||
openssl ec -in ./certs/ca-ecc384-key.pem -inform PEM -out ./certs/ca-ecc384-key.der -outform DER
|
|
||||||
|
|
||||||
rm ./certs/ca-ecc384-key.par
|
|
||||||
|
|
||||||
|
|
||||||
# Generate ECC 256-bit server cert
|
# Generate ECC 256-bit server cert
|
||||||
|
@ -40,9 +36,53 @@ openssl x509 -in ./certs/server-ecc.pem -outform der -out ./certs/server-ecc.der
|
||||||
|
|
||||||
rm ./certs/server-ecc-req.pem
|
rm ./certs/server-ecc-req.pem
|
||||||
|
|
||||||
# Gen CRL
|
|
||||||
openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEccCrl.pem -keyfile ./certs/ca-ecc-key.pem -cert ./certs/ca-ecc-cert.pem
|
|
||||||
openssl ca -config ./certs/ecc/wolfssl.cnf -gencrl -crldays 1000 -out ./certs/crl/caEcc384Crl.pem -keyfile ./certs/ca-ecc384-key.pem -cert ./certs/ca-ecc384-cert.pem
|
# generate ECC 384-bit CA
|
||||||
|
openssl ecparam -out ./certs/ca-ecc384-key.par -name secp384r1
|
||||||
|
openssl req -config ./certs/ecc/wolfssl_384.cnf -extensions v3_ca -x509 -nodes -newkey ec:./certs/ca-ecc384-key.par -keyout ./certs/ca-ecc384-key.pem -out ./certs/ca-ecc384-cert.pem -sha384 \
|
||||||
|
-days 7300 -batch -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com/emailAddress=info@wolfssl.com"
|
||||||
|
|
||||||
|
openssl x509 -in ./certs/ca-ecc384-cert.pem -inform PEM -out ./certs/ca-ecc384-cert.der -outform DER
|
||||||
|
openssl ec -in ./certs/ca-ecc384-key.pem -inform PEM -out ./certs/ca-ecc384-key.der -outform DER
|
||||||
|
|
||||||
|
rm ./certs/ca-ecc384-key.par
|
||||||
|
|
||||||
|
# Gen CA CRL
|
||||||
|
openssl ca -config ./certs/ecc/wolfssl_384.cnf -gencrl -crldays 1000 -out ./certs/crl/caEcc384Crl.pem -keyfile ./certs/ca-ecc384-key.pem -cert ./certs/ca-ecc384-cert.pem
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Generate ECC 384-bit server cert
|
||||||
|
openssl ecparam -out ./certs/server-ecc384-key.par -name secp384r1
|
||||||
|
openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -x509 -nodes -newkey ec:./certs/server-ecc384-key.par -keyout ./certs/server-ecc384-key.pem -out ./certs/server-ecc384-req.pem \
|
||||||
|
-subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Srv/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
|
||||||
|
openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -new -key ./certs/server-ecc384-key.pem -out ./certs/server-ecc384-req.pem \
|
||||||
|
-subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Srv/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
|
||||||
|
openssl ec -in ./certs/server-ecc384-key.pem -inform PEM -out ./certs/server-ecc384-key.der -outform DER
|
||||||
|
|
||||||
|
# Sign server certificate
|
||||||
|
openssl ca -config ./certs/ecc/wolfssl_384.cnf -extensions server_cert -days 10950 -notext -md sha384 -in ./certs/server-ecc384-req.pem -out ./certs/server-ecc384-cert.pem
|
||||||
|
openssl x509 -in ./certs/server-ecc384-cert.pem -outform der -out ./certs/server-ecc384-cert.der
|
||||||
|
|
||||||
|
rm ./certs/server-ecc384-req.pem
|
||||||
|
rm ./certs/server-ecc384-key.par
|
||||||
|
|
||||||
|
# Generate ECC 384-bit client cert
|
||||||
|
openssl ecparam -out ./certs/client-ecc384-key.par -name secp384r1
|
||||||
|
openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -x509 -nodes -newkey ec:./certs/client-ecc384-key.par -keyout ./certs/client-ecc384-key.pem -out ./certs/client-ecc384-req.pem \
|
||||||
|
-subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Cli/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
|
||||||
|
openssl req -config ./certs/ecc/wolfssl_384.cnf -sha384 -new -key ./certs/client-ecc384-key.pem -out ./certs/client-ecc384-req.pem \
|
||||||
|
-subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Clit/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
|
||||||
|
openssl ec -in ./certs/client-ecc384-key.pem -inform PEM -out ./certs/client-ecc384-key.der -outform DER
|
||||||
|
|
||||||
|
# Sign client certificate
|
||||||
|
openssl ca -config ./certs/ecc/wolfssl_384.cnf -extensions usr_cert -days 10950 -notext -md sha384 -in ./certs/client-ecc384-req.pem -out ./certs/client-ecc384-cert.pem
|
||||||
|
openssl x509 -in ./certs/client-ecc384-cert.pem -outform der -out ./certs/client-ecc384-cert.der
|
||||||
|
|
||||||
|
rm ./certs/client-ecc384-req.pem
|
||||||
|
rm ./certs/client-ecc384-key.par
|
||||||
|
|
||||||
|
|
||||||
# Also manually need to:
|
# Also manually need to:
|
||||||
# 1. Copy ./certs/server-ecc.der into ./certs/test/server-cert-ecc-badsig.der `cp ./certs/server-ecc.der ./certs/test/server-cert-ecc-badsig.der`
|
# 1. Copy ./certs/server-ecc.der into ./certs/test/server-cert-ecc-badsig.der `cp ./certs/server-ecc.der ./certs/test/server-cert-ecc-badsig.der`
|
||||||
|
|
|
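Review bot: The client CSR subject `OU=ECC384Clit` in the second `openssl req` of the client block does not match the `OU=ECC384Cli` passed to the `-x509` call two lines earlier, and because both write ./certs/client-ecc384-req.pem the second one wins, so the signed client certificate carries the misspelt OU (the committed client cert at the top of this page decodes to `ECC384Clit`). Change it to `-subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC384Cli/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"` and regenerate the client cert and key pair. More generally, the `-x509 ... -out ./certs/*-ecc384-req.pem` calls for both server and client survive only as key generation, since the following `-new` call overwrites the same output file; `openssl ecparam -genkey` followed by a single `req -new` would state the intent directly. The new steps also carry no error checking, so a failed `openssl ca` leaves stale files and the script keeps going.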
@ -4,5 +4,5 @@
|
||||||
|
|
||||||
EXTRA_DIST += \
|
EXTRA_DIST += \
|
||||||
certs/ecc/genecc.sh \
|
certs/ecc/genecc.sh \
|
||||||
certs/ecc/wolfssl.cnf
|
certs/ecc/wolfssl.cnf \
|
||||||
|
certs/ecc/wolfssl_384.cnf
|
||||||
|
|
|
@ -5,19 +5,19 @@ default_ca = CA_default
|
||||||
[ CA_default ]
|
[ CA_default ]
|
||||||
# Directory and file locations relevant to where the script is executing
|
# Directory and file locations relevant to where the script is executing
|
||||||
dir = .
|
dir = .
|
||||||
certs = $dir/../
|
certs = $dir/certs
|
||||||
new_certs_dir = $dir/../
|
new_certs_dir = $dir/certs
|
||||||
database = $dir/../ecc/index.txt
|
database = $dir/certs/ecc/index.txt
|
||||||
serial = $dir/../ecc/serial
|
serial = $dir/certs/ecc/serial
|
||||||
# This should come from the system disregard local pathing
|
# This should come from the system disregard local pathing
|
||||||
RANDFILE = $dir/private/.rand
|
RANDFILE = $dir/private/.rand
|
||||||
|
|
||||||
# The root key and root certificate.
|
# The root key and root certificate.
|
||||||
private_key = $dir/../ca-ecc-key.pem
|
private_key = $dir/certs/ca-ecc-key.pem
|
||||||
certificate = $dir/../ca-ecc-cert.pem
|
certificate = $dir/certs/ca-ecc-cert.pem
|
||||||
|
|
||||||
# For certificate revocation lists.
|
# For certificate revocation lists.
|
||||||
crlnumber = $dir/../ecc/crlnumber
|
crlnumber = $dir/certs/ecc/crlnumber
|
||||||
crl_extensions = crl_ext
|
crl_extensions = crl_ext
|
||||||
default_crl_days = 1000
|
default_crl_days = 1000
|
||||||
|
|
||||||
|
|
|
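Review bot: The comment `# Directory and file locations relevant to where the script is executing` no longer says which directory that is: with `dir = .` and the new `$dir/certs/...` values the config only resolves when openssl is invoked from the repository root, which matches the `./certs/...` paths in genecc.sh but not an invocation from certs/crl, which is presumably why gencrls.sh in this commit moved to its own wolfssl.cnf. Replacing that comment with `# Paths are relative to the repository root; run certs/ecc/genecc.sh from there` makes the assumption explicit. `RANDFILE = $dir/private/.rand` keeps pointing at a directory nothing on this page creates.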
@ -0,0 +1,110 @@
|
||||||
|
[ ca ]
|
||||||
|
# `man ca`
|
||||||
|
default_ca = CA_default
|
||||||
|
|
||||||
|
[ CA_default ]
|
||||||
|
# Directory and file locations relevant to where the script is executing
|
||||||
|
dir = .
|
||||||
|
certs = $dir/certs
|
||||||
|
new_certs_dir = $dir/certs
|
||||||
|
database = $dir/certs/ecc/index.txt
|
||||||
|
serial = $dir/certs/ecc/serial
|
||||||
|
# This should come from the system disregard local pathing
|
||||||
|
RANDFILE = $dir/private/.rand
|
||||||
|
|
||||||
|
# The root key and root certificate.
|
||||||
|
private_key = $dir/certs/ca-ecc384-key.pem
|
||||||
|
certificate = $dir/certs/ca-ecc384-cert.pem
|
||||||
|
|
||||||
|
# For certificate revocation lists.
|
||||||
|
crlnumber = $dir/certs/ecc/crlnumber
|
||||||
|
crl_extensions = crl_ext
|
||||||
|
default_crl_days = 1000
|
||||||
|
|
||||||
|
# SHA-384 is default
|
||||||
|
default_md = sha384
|
||||||
|
|
||||||
|
name_opt = ca_default
|
||||||
|
cert_opt = ca_default
|
||||||
|
default_days = 3650
|
||||||
|
preserve = no
|
||||||
|
policy = policy_loose
|
||||||
|
|
||||||
|
|
||||||
|
[ policy_strict ]
|
||||||
|
# The root CA should only sign intermediate certificates that match.
|
||||||
|
# See the POLICY FORMAT section of `man ca`.
|
||||||
|
countryName = match
|
||||||
|
stateOrProvinceName = match
|
||||||
|
organizationName = match
|
||||||
|
organizationalUnitName = optional
|
||||||
|
commonName = supplied
|
||||||
|
emailAddress = optional
|
||||||
|
|
||||||
|
[ policy_loose ]
|
||||||
|
# Allow the intermediate CA to sign a more diverse range of certificates.
|
||||||
|
# See the POLICY FORMAT section of the `ca` man page.
|
||||||
|
countryName = optional
|
||||||
|
stateOrProvinceName = optional
|
||||||
|
localityName = optional
|
||||||
|
organizationName = optional
|
||||||
|
organizationalUnitName = optional
|
||||||
|
commonName = supplied
|
||||||
|
emailAddress = optional
|
||||||
|
|
||||||
|
[ req ]
|
||||||
|
# Options for the `req` tool (`man req`).
|
||||||
|
default_bits = 2048
|
||||||
|
distinguished_name = req_distinguished_name
|
||||||
|
string_mask = utf8only
|
||||||
|
|
||||||
|
# SHA-384 is default
|
||||||
|
default_md = sha384
|
||||||
|
|
||||||
|
# Extension to add when the -x509 option is used.
|
||||||
|
x509_extensions = v3_ca
|
||||||
|
|
||||||
|
[ req_distinguished_name ]
|
||||||
|
countryName = US
|
||||||
|
stateOrProvinceName = Washington
|
||||||
|
localityName = Seattle
|
||||||
|
0.organizationName = wolfSSL
|
||||||
|
organizationalUnitName = Development
|
||||||
|
commonName = www.wolfssl.com
|
||||||
|
emailAddress = info@wolfssl.com
|
||||||
|
|
||||||
|
[ v3_ca ]
|
||||||
|
# Extensions for a typical CA (`man x509v3_config`).
|
||||||
|
subjectKeyIdentifier = hash
|
||||||
|
authorityKeyIdentifier = keyid:always,issuer
|
||||||
|
basicConstraints = critical, CA:true
|
||||||
|
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
|
||||||
|
|
||||||
|
[ v3_intermediate_ca ]
|
||||||
|
# Extensions for a typical intermediate CA (`man x509v3_config`).
|
||||||
|
subjectKeyIdentifier = hash
|
||||||
|
authorityKeyIdentifier = keyid:always,issuer
|
||||||
|
basicConstraints = critical, CA:true, pathlen:0
|
||||||
|
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
|
||||||
|
|
||||||
|
[ usr_cert ]
|
||||||
|
# Extensions for client certificates (`man x509v3_config`).
|
||||||
|
basicConstraints = CA:FALSE
|
||||||
|
nsCertType = client, email
|
||||||
|
subjectKeyIdentifier = hash
|
||||||
|
authorityKeyIdentifier = keyid,issuer
|
||||||
|
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
|
||||||
|
extendedKeyUsage = clientAuth, emailProtection
|
||||||
|
|
||||||
|
[ server_cert ]
|
||||||
|
# Extensions for server certificates (`man x509v3_config`).
|
||||||
|
basicConstraints = CA:FALSE
|
||||||
|
nsCertType = server
|
||||||
|
subjectKeyIdentifier = hash
|
||||||
|
authorityKeyIdentifier = keyid,issuer:always
|
||||||
|
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
|
||||||
|
extendedKeyUsage = serverAuth
|
||||||
|
|
||||||
|
[ crl_ext ]
|
||||||
|
# Extension for CRLs (`man x509v3_config`).
|
||||||
|
authorityKeyIdentifier=keyid:always
|
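Review bot: `database`, `serial` and `crlnumber` in [ CA_default ] point at certs/ecc/index.txt, certs/ecc/serial and certs/ecc/crlnumber, the same files certs/ecc/wolfssl.cnf uses for the P-256 CA in the hunk above, so the two CAs share one `openssl ca` database and one CRL counter. Issuing with one CA then records entries in the other's index, and a `-gencrl` for either CA emits every revoked entry in the file since `openssl ca` does not filter index.txt by issuer. Giving the P-384 CA its own index, serial and crlnumber files under certs/ecc keeps the two databases independent. The `[ req ] default_bits = 2048` line is an RSA-only setting that `-newkey ec:` never reads and could be dropped from this copy.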
|
@ -0,0 +1,22 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDkjCCAxigAwIBAgICEAAwCgYIKoZIzj0EAwMwgZcxCzAJBgNVBAYTAlVTMRMw
|
||||||
|
EQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3
|
||||||
|
b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZz
|
||||||
|
c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE4MTAx
|
||||||
|
OTEzNDA0M1oXDTQ4MTAxMTEzNDA0M1owgZUxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
|
||||||
|
DApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGlj
|
||||||
|
MRIwEAYDVQQLDAlFQ0MzODRTcnYxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEf
|
||||||
|
MB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTB2MBAGByqGSM49AgEGBSuB
|
||||||
|
BAAiA2IABOrPk08sCbs5FA9WZMNAtN8OY67lcUsAzASX/+HpOJa7X5Gyasy1OV+P
|
||||||
|
cFnxAfZaKwFsaAvPVSWvbZhICqh0yakXoAzD+9MjaP4EPGNQiDu5T3xnNPc7qXPn
|
||||||
|
G8NRXiIY7KOCATUwggExMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMB0G
|
||||||
|
A1UdDgQWBBSCO/JlL/O0AMa8Bv15QnVLZdHOvDCBzAYDVR0jBIHEMIHBgBSr4MMm
|
||||||
|
TBjUcrvShIycCgWSgBJTUqGBnaSBmjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM
|
||||||
|
Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wx
|
||||||
|
FDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
|
||||||
|
HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQD8OQSkDqVshzAOBgNV
|
||||||
|
HQ8BAf8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYIKoZIzj0EAwMDaAAw
|
||||||
|
ZQIxAOia1gUcnnky9I/5RZ4A7r19gJvqudLrnujFOsHcaqvmGVe4tg1QSS2TDfzH
|
||||||
|
t5uKyQIwUAkNmwgdmhfE5ytISptkpxyWq3z8NWWPefjOmUpzBG/gVxX1Wvn+Wc2Z
|
||||||
|
WeMuU92v
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,6 @@
|
||||||
|
-----BEGIN PRIVATE KEY-----
|
||||||
|
MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCk5QboBhY+q4n4YEPA
|
||||||
|
YCXbunv+GTUIVWV24tzgAYtraN/Pb4ASznk36yuce8RoHHShZANiAATqz5NPLAm7
|
||||||
|
ORQPVmTDQLTfDmOu5XFLAMwEl//h6TiWu1+RsmrMtTlfj3BZ8QH2WisBbGgLz1Ul
|
||||||
|
r22YSAqodMmpF6AMw/vTI2j+BDxjUIg7uU98ZzT3O6lz5xvDUV4iGOw=
|
||||||
|
-----END PRIVATE KEY-----
|
|
@ -2364,3 +2364,17 @@
|
||||||
-v 3
|
-v 3
|
||||||
-l ECDHE-RSA-AES256-GCM-SHA384
|
-l ECDHE-RSA-AES256-GCM-SHA384
|
||||||
-H useSupCurve
|
-H useSupCurve
|
||||||
|
|
||||||
|
# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 with P-384 Certs and CA
|
||||||
|
-v 3
|
||||||
|
-l ECDHE-ECDSA-AES256-GCM-SHA384
|
||||||
|
-c ./certs/server-ecc384-cert.pem
|
||||||
|
-k ./certs/server-ecc384-key.pem
|
||||||
|
-A ./certs/ca-ecc384-cert.pem
|
||||||
|
|
||||||
|
# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 with P-384 Certs and CA
|
||||||
|
-v 3
|
||||||
|
-l ECDHE-ECDSA-AES256-GCM-SHA384
|
||||||
|
-c ./certs/client-ecc384-cert.pem
|
||||||
|
-k ./certs/client-ecc384-key.pem
|
||||||
|
-A ./certs/ca-ecc384-cert.pem
|
||||||
|
|
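Review bot: The comments on the two new entries say `with P-384 Certs and CA`, but nothing in them selects the ECDHE curve, so presumably the key exchange still runs on the default curve and only certificate authentication exercises P-384. Saying so keeps the test from overclaiming coverage, e.g. `# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 with P-384 Certs and CA (ECDHE curve left at default)` and the same for the client entry. If an all-P-384 handshake is the intent, the entries would also need a curve-selection option.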