commit | ba5c9d36bc514b9b155f6729d066a2d1120ec7ea | [log] [tgz] |
---|---|---|
author | Zack Williams <zdw@opennetworking.org> | Sun Jun 05 21:49:18 2022 -0700 |
committer | Zack Williams <zdw@opennetworking.org> | Tue Aug 16 15:22:17 2022 -0700 |
tree | dcfaeaa8b64d32d56c6a2c91b92490bf81cf48eb | |
parent | ec61381b0991fc31466c3a6f6d52d814110ad334 [diff] |
Fix root CA expiration

Make order-only prereqs the norm

Change-Id: Ibd1af1f6204f5368160fdaabf4f5a79358eb4a52
Generates certificates and a PKI hierarchy, using a Makefile to drive the process. Read through the variables at the top of the Makefile to learn how to generate artifacts, and look at pki.cnf, the OpenSSL configuration file used to configure the process.
This Makefile will generate a 3-deep hierarchy of certificates:
root CA -> intermediate CA -> leaf
CRLs are also generated, as are "chain" (containing the Root CA and IM CA) and "bundle" (containing the IM CA and leaf) versions of the generated certs.
This repo requires the following tools to work correctly:
make
openssl
Create a root CA Cert:
ROOT_CA_PASSPHRASE="<password>" make onf_pki/root_ca/ca.pem
Create an IM CA Cert:
IM_CA_PASSPHRASE="<password>" make onf_pki/im_ca/ca.pem
Create a server leaf cert (issued from IM CA):
LEAF_SAN="DNS:server.example.com" make onf_pki/certout/server.example.com.pem
Create a client leaf cert (issued from IM CA):
LEAF_PURPOSE=client_cert_ext LEAF_SAN="email:username@example.com" make onf_pki/certout/username.pem
Test that keys are valid for purpose:
LEAF_KEYPAIR=server.example.com make valid_server
LEAF_KEYPAIR=username make valid_client
Revoking a leaf certificate
LEAF_KEYPAIR=server.example.com make revoke_leaf
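The same root CA -> IM CA -> leaf hierarchy built with plain openssl(1), as an added example that is not the repo's Makefile: it issues both a server and a client leaf, then runs the chain-plus-purpose check that valid_server / valid_client stand for and the expiry check the "root CA expiration" fix is about. It assumes openssl 1.1.1 or newer on PATH and writes to a scratch directory (PKI_DEMO_DIR is a name chosen here, not a Makefile variable).

```shell
#!/bin/sh
# Added example, not the repo's Makefile: builds the same root CA -> IM CA -> leaf
# hierarchy with plain openssl(1), then runs the kind of checks behind
# `make valid_server` / `make valid_client` and the root CA expiration fix.
# Assumptions: openssl >= 1.1.1 on PATH; output goes to a scratch directory.
set -eu
WORK=${PKI_DEMO_DIR:-$(mktemp -d)}
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"  # minimal config so -subj is enough
# gen_ca NAME DAYS [ISSUER]: self-signed root when no ISSUER, else a CA signed by ISSUER
gen_ca() {
  name=$1; days=$2; issuer=${3:-}
  mkdir -p "$WORK/$name"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/$name/ext"
  openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name/ca.key" -out "$WORK/$name/csr" 2>/dev/null
  if [ -z "$issuer" ]; then set -- -signkey "$WORK/$name/ca.key"
  else set -- -CA "$WORK/$issuer/ca.pem" -CAkey "$WORK/$issuer/ca.key" -CAcreateserial; fi
  openssl x509 -req -in "$WORK/$name/csr" -days "$days" -extfile "$WORK/$name/ext" \
    -out "$WORK/$name/ca.pem" "$@" 2>/dev/null
}

# gen_leaf NAME SAN EKU: leaf issued by im_ca; EKU is serverAuth or clientAuth
gen_leaf() {
  name=$1; out="$WORK/certout/$1"
  mkdir -p "$WORK/certout"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\nsubjectAltName=%s\n' \
    "$3" "$2" > "$out.ext"
  openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$out.key" -out "$out.csr" 2>/dev/null
  openssl x509 -req -in "$out.csr" -CA "$WORK/im_ca/ca.pem" -CAkey "$WORK/im_ca/ca.key" \
    -CAcreateserial -days 365 -extfile "$out.ext" -out "$out.pem" 2>/dev/null
  cat "$WORK/im_ca/ca.pem" "$out.pem" > "$out.bundle.pem"   # "bundle": IM CA + leaf
}

# verify_leaf NAME PURPOSE: full-chain check plus purpose (sslserver|sslclient), i.e. valid_server / valid_client
verify_leaf() {
  openssl verify -CAfile "$WORK/root_ca/ca.pem" -untrusted "$WORK/im_ca/ca.pem" \
    -purpose "$2" "$WORK/certout/$1.pem" >/dev/null 2>&1
}

# ca_valid_for_days NAME DAYS: succeeds only if the CA cert does not expire within DAYS
ca_valid_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$WORK/$1/ca.pem" >/dev/null
}

build_demo_pki() {   # constructed lifetimes: root 10 years, IM CA 5 years, leaves 1 year
  gen_ca root_ca 3650 && gen_ca im_ca 1825 root_ca
  gen_leaf server.example.com DNS:server.example.com serverAuth
  gen_leaf username email:username@example.com clientAuth
}
```

Running build_demo_pki and then `verify_leaf server.example.com sslclient` fails on purpose, which is the mismatch the valid_* targets are there to catch.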
This command uses the root CA and the client key/cert to connect to a remote web server:
curl -v --cacert bundle.pem --key client.key --cert client.pem https://server:port/path
If you want to test an IP address that does not resolve in DNS while still checking the SAN, use:
curl -v --cacert ca.pem --key client.key --cert client.pem \
  --resolve "server:port:<ip address>" https://server:port/path
https://pki-tutorial.readthedocs.io/en/latest/index.html
https://www.keylength.com/
http://nginx.org/en/docs/http/configuring_https_servers.html
https://ipxe.org/crypto
Implement elliptic curves: