**Generating certificates and keys for testing mTLS-S2A** Create root CA ``` openssl req -x509 -sha256 -days 7305 -newkey rsa:2048 -keyout mds_root_key.pem -out mds_root_cert.pem ``` Generate private keys for server and client ``` openssl genrsa -out mds_server_key.pem 2048 openssl genrsa -out mds_client_key.pem 2048 ``` Generate CSRs for server and client ``` openssl req -key mds_server_key.pem -new -out mds_server.csr -config config.cnf openssl req -key mds_client_key.pem -new -out mds_client.csr -config config.cnf ``` Look at CSR ``` openssl req -noout -text -in mds_server.csr openssl req -noout -text -in mds_client.csr ``` Sign CSRs for server and client ``` openssl x509 -req -CA mds_root_cert.pem -CAkey mds_root_key.pem -in mds_server.csr -out mds_server_cert.pem -days 7305 -extfile config.cnf -extensions req_ext openssl x509 -req -CA mds_root_cert.pem -CAkey mds_root_key.pem -in mds_client.csr -out mds_client_cert.pem -days 7305 ``` Look at signed certs ``` openssl x509 -in mds_server_cert.pem -noout -text openssl x509 -in mds_client_cert.pem -noout -text ``` Verify server and client certs using root CA ``` openssl verify -CAfile mds_root_cert.pem mds_server_cert.pem openssl verify -CAfile mds_root_cert.pem mds_client_cert.pem ``` Create self-signed key/cert to test failure case ``` openssl genrsa -out self_signed_key.pem 2048 openssl req -new -key self_signed_key.pem -out self_signed.csr openssl x509 -req -in self_signed.csr -signkey self_signed_key.pem -out self_signed_cert.pem -days 7305 ```