**Generating certificates and keys for testing mTLS-S2A**

Create root CA
```
openssl req -x509 -sha256 -days 7305 -newkey rsa:2048 -keyout mds_root_key.pem -out mds_root_cert.pem
```

Generate private keys for server and client
```
openssl genrsa -out mds_server_key.pem 2048
openssl genrsa -out mds_client_key.pem 2048
```

Generate CSRs for server and client
```
openssl req -key mds_server_key.pem -new -out mds_server.csr -config config.cnf
openssl req -key mds_client_key.pem -new -out mds_client.csr -config config.cnf
```

Look at CSRs
```
openssl req -noout -text -in mds_server.csr
openssl req -noout -text -in mds_client.csr
```

Sign CSRs for server and client
```
openssl x509 -req -CA mds_root_cert.pem -CAkey mds_root_key.pem -in mds_server.csr -out mds_server_cert.pem -days 7305 -extfile config.cnf -extensions req_ext
openssl x509 -req -CA mds_root_cert.pem -CAkey mds_root_key.pem -in mds_client.csr -out mds_client_cert.pem -days 7305
```

Look at signed certs
```
openssl x509 -in mds_server_cert.pem -noout -text
openssl x509 -in mds_client_cert.pem -noout -text
```

Verify server and client certs using root CA
```
openssl verify -CAfile mds_root_cert.pem mds_server_cert.pem
openssl verify -CAfile mds_root_cert.pem mds_client_cert.pem
```

Create self-signed key/cert to test failure case
```
openssl genrsa -out self_signed_key.pem 2048
openssl req -new -key self_signed_key.pem -out self_signed.csr
openssl x509 -req -in self_signed.csr -signkey self_signed_key.pem -out self_signed_cert.pem -days 7305
```
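The whole procedure above, scripted non-interactively so the positive and negative verification cases can be checked in one run. This is an added example, not a script from the repository; the `config.cnf` it writes is a constructed stand-in for the repository's own `config.cnf`, and the `-subj`, `-nodes` and `-CAcreateserial` flags are additions to the original commands.

```shell
# Added example, not part of the s2a-go repository: build the same test PKI non-interactively
# and check that only the CA-signed certs verify. config.cnf below is a constructed stand-in
# for the repository's own config.cnf (a minimal CA section plus the server SAN).
set -eu
make_test_pki() {
  dir=$1; mkdir -p "$dir"
  cat > "$dir/config.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = req_ext
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = placeholder
[ req_ext ]
subjectAltName = DNS:localhost
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  ( cd "$dir"
    # Root CA; -nodes and -subj replace the interactive prompts of the original command
    openssl req -x509 -sha256 -days 7305 -newkey rsa:2048 -nodes -config config.cnf \
      -subj "/CN=test-root" -keyout mds_root_key.pem -out mds_root_cert.pem 2>/dev/null
    for name in server client; do
      openssl genrsa -out "mds_${name}_key.pem" 2048 2>/dev/null
      openssl req -key "mds_${name}_key.pem" -new -out "mds_${name}.csr" \
        -config config.cnf -subj "/CN=test-${name}"
    done
    # Only the server cert gets the req_ext SAN, as in the original steps;
    # -CAcreateserial is needed on OpenSSL < 3 when no .srl file exists yet
    openssl x509 -req -CA mds_root_cert.pem -CAkey mds_root_key.pem -CAcreateserial \
      -in mds_server.csr -out mds_server_cert.pem -days 7305 \
      -extfile config.cnf -extensions req_ext 2>/dev/null
    openssl x509 -req -CA mds_root_cert.pem -CAkey mds_root_key.pem -CAcreateserial \
      -in mds_client.csr -out mds_client_cert.pem -days 7305 2>/dev/null
    # Self-signed cert that does not chain to the root (the failure case)
    openssl genrsa -out self_signed_key.pem 2048 2>/dev/null
    openssl req -new -key self_signed_key.pem -out self_signed.csr \
      -config config.cnf -subj "/CN=self-signed"
    openssl x509 -req -in self_signed.csr -signkey self_signed_key.pem \
      -out self_signed_cert.pem -days 7305 2>/dev/null
  )
}
# 0 if $2 chains to the root CA in $1, non-zero otherwise; this is the check an mTLS peer makes
verifies_against_root() {
  openssl verify -CAfile "$1/mds_root_cert.pem" "$2" >/dev/null 2>&1
}
# 0 if the cert carries the DNS:localhost SAN from req_ext (server yes, client no)
has_localhost_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:localhost"; }
```

Run `make_test_pki "$dir"` and then the two check functions; the self-signed cert is expected to fail `verifies_against_root`, which is the failure case the last step sets up.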