wget/testenv/certs
Tim Rühsen 297c1e2ac3 Fix HTTPS testing for stricter OpenSSL
* testenv/certs/README: Amend cert creation extensions
* testenv/certs/ca-cert.pem: Created without OCSP signing purpose

Having the OCSP signing purpose set made newer versions of OpenSSL
fail due to stricter checking. Test version of OpenSSL was 1.1.0e.
2017-05-11 12:38:19 +02:00
ca-cert.pem Fix HTTPS testing for stricter OpenSSL 2017-05-11 12:38:19 +02:00
ca-key.pem Added new test Test--https-crl.py to check --crl-file 2014-11-11 15:07:20 +01:00
ca-template.cfg Fix some make syntax-check issues 2016-08-21 15:35:36 +02:00
make_ca.sh Add script to generate test certs non-interactive 2016-06-29 12:54:06 +02:00
README Fix HTTPS testing for stricter OpenSSL 2017-05-11 12:38:19 +02:00
server-cert.pem Added OpenSSL support for --crl-file 2014-11-12 10:00:51 +01:00
server-crl.pem Added OpenSSL support for --crl-file 2014-11-12 10:00:51 +01:00
server-key.pem Added new test Test--https-crl.py to check --crl-file 2014-11-11 15:07:20 +01:00
server-pubkey-sha256.base64 Add script to generate test certs non-interactive 2016-06-29 12:54:06 +02:00
server-pubkey.der Implement tests for new pinnedpubkey option 2016-04-11 16:25:09 +02:00
server-pubkey.pem Implement tests for new pinnedpubkey option 2016-04-11 16:25:09 +02:00
server-template.cfg Fix some make syntax-check issues 2016-08-21 15:35:36 +02:00

To create the server RSA private key:
$ certtool --generate-privkey --outfile server-key.pem --rsa


To create a self-signed CA certificate:
$ certtool --generate-privkey --outfile ca-key.pem
$ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
Common name: GNU Wget
UID:
Organizational unit name: Wget
Organization name: GNU
Locality name:
State or province name:
Country name (2 chars):
Enter the subject's domain component (DC):
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 6080487640893163573):

Activation/Expiration time.
The certificate will expire in (days): -1

Extensions.
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N):
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign OCSP requests? (y/N):
Will the certificate be used to sign code? (y/N):
Will the certificate be used for time stamping? (y/N):
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N): y
Enter the URI of the CRL distribution point:


To generate a server certificate using the private key only:
$ certtool --generate-certificate --load-privkey server-key.pem --outfile server-cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
Common name: 127.0.0.1
UID:
Organizational unit name: Wget
Organization name: GNU
Locality name:
State or province name:
Country name (2 chars):
Enter the subject's domain component (DC):
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 6080488276853553635):

Activation/Expiration time.
The certificate will expire in (days): -1

Extensions.
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: 127.0.0.1
Enter a dnsName of the subject of the certificate: localhost
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n):
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):


To create a CRL for the server certificate:
$ certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca-cert.pem --load-certificate server-cert.pem --outfile server-crl.pem
Generating a signed CRL...
Update times.
The certificate will expire in (days): -1
CRL Number (default: 6080006793650397145):

To generate a public key in PEM format:
$ openssl x509 -noout -pubkey < server-cert.pem > server-pubkey.pem

To generate a public key in DER format:
$ openssl x509 -noout -pubkey < server-cert.pem | openssl asn1parse -noout -inform pem -out server-pubkey.der

To generate a sha256 hash of the public key:
$ openssl x509 -noout -pubkey < server-cert.pem | openssl asn1parse -noout -inform pem -out /dev/stdout | openssl dgst -sha256 -binary | openssl base64
mHiEhWHvusnzP7COZk+SzSJ+Gl7nZT+ADx0PUnDD7mM=
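The openssl pipeline above hashes the DER-encoded SubjectPublicKeyInfo (SPKI), not the PEM text and not the whole certificate, which is why the `asn1parse -out` step sits between `x509 -pubkey` and `dgst`. The Python below is an added example, not part of wget or this README: it walks a certificate's DER to the SPKI and produces the same base64 SHA-256 value in the `sha256//` form that wget's `--pinnedpubkey` accepts. The certificate it runs on is a constructed, unsigned skeleton built inline, not the server-cert.pem from this directory.

```python
import base64
import hashlib
import hmac

def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, inner_value, raw_tlv) for each element of a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, end = _read_tlv(value, pos)
        yield tag, inner, value[pos:end]
        pos = end

def extract_spki(cert_der):
    """Return the raw DER SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)         # Certificate ::= SEQUENCE
    tbs = next(_children(cert))[1]              # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]

def pin_from_cert_pem(pem):
    """Compute the sha256// pin of a PEM certificate's public key (same bytes openssl hashes)."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    digest = hashlib.sha256(extract_spki(base64.b64decode(body))).digest()
    return "sha256//" + base64.b64encode(digest).decode()

def pin_matches(pin_spec, cert_pem):
    """Constant-time comparison of a sha256// pin against a certificate."""
    return hmac.compare_digest(pin_spec, pin_from_cert_pem(cert_pem))

def _tlv(tag, value):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

# Constructed sample: rsaEncryption SPKI with dummy key bits inside an unsigned v3 skeleton.
_RSA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00"
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _RSA_OID) + _tlv(0x03, b"\x00" + b"\x01" * 64))
_EMPTY = _tlv(0x30, b"")                        # issuer / validity / subject placeholders
SAMPLE_TBS = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
                  + _tlv(0x30, _RSA_OID) + _EMPTY + _EMPTY + _EMPTY + SAMPLE_SPKI)
SAMPLE_CERT_DER = _tlv(0x30, SAMPLE_TBS + _tlv(0x30, _RSA_OID) + _tlv(0x03, b"\x00" * 9))
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(SAMPLE_CERT_DER).decode() + "\n-----END CERTIFICATE-----\n")
SAMPLE_PIN = pin_from_cert_pem(SAMPLE_CERT_PEM)
```

On a real certificate the output of `pin_from_cert_pem` equals the base64 line the openssl pipeline prints, prefixed with `sha256//`.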