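#!/bin/bash
#
# Generate the test CAs, server/client leaf certificates and SPIFFE
# certificates used by the TSI tests.
#
# These are TEST credentials only: private keys are written unencrypted
# (-nodes) and every certificate is valid for ten years so the fixtures do
# not expire under test. Do not reuse any of them outside a test environment.
#
# Inputs expected in the current directory:
#   openssl.cnf                     - provides the test_ca / test_server /
#                                     test_client extension sections
#   client_with_spiffe_openssl.cnf  - test_client section carrying the SPIFFE
#                                     URI SAN
#   client_with_spiffe_key.pem      - pre-existing private key; this script
#                                     does NOT create it (presumably checked
#                                     in so the cert can be regenerated for
#                                     the same key)
#
# Outputs: server_ca_{key,cert}.pem, client_ca_{key,cert}.pem,
#   server{1,2}_{key,cert}.pem, client{1,2}_{key,cert}.pem,
#   spiffe_{key,cert}.pem, multiple_uri_{key,cert}.pem,
#   client_with_spiffe_cert.pem. Intermediate *_csr.pem files are removed
#   on exit, whether or not the run succeeded.

set -euo pipefail

readonly SUBJ_PREFIX=/C=US/ST=CA/L=SVL/O=gRPC
readonly DAYS=3650
readonly KEY_BITS=4096

die() { printf 'generate_test_creds: %s\n' "$*" >&2; exit 1; }

cleanup() { rm -f -- ./*_csr.pem; }
trap cleanup EXIT

#######################################
# Create a self-signed CA using the test_ca extensions from openssl.cnf.
# Arguments: $1 - CA name ("server" or "client")
# Outputs:   $1_ca_key.pem and $1_ca_cert.pem
#######################################
make_ca() {
  local name=$1
  openssl req -x509 \
    -newkey "rsa:${KEY_BITS}" \
    -nodes \
    -days "${DAYS}" \
    -keyout "${name}_ca_key.pem" \
    -out "${name}_ca_cert.pem" \
    -subj "${SUBJ_PREFIX}/CN=test-${name}_ca/" \
    -config ./openssl.cnf \
    -extensions test_ca \
    -sha256
}

#######################################
# Issue a leaf certificate signed by one of the test CAs and verify that it
# chains back to that CA.
# Arguments: $1 - output basename; reads $1_key.pem, writes $1_cert.pem
#            $2 - issuing CA name (server|client)
#            $3 - extension section, used for the CSR (-reqexts) and signing
#            $4 - serial number; MUST be unique among the certs issued by the
#                 same CA (RFC 5280 4.1.2.2) - a duplicate serial makes the
#                 two certs indistinguishable to serial-keyed revocation and
#                 pinning logic
#            $5 - subject CN
#            $6 - config file (default ./openssl.cnf)
# Returns:   exits via die if signing or chain verification fails
#######################################
issue_cert() {
  local name=$1 ca=$2 ext=$3 serial=$4 cn=$5 cnf=${6:-./openssl.cnf}
  # -days is meaningless on a CSR, so it is only passed to the signing step.
  openssl req -new \
    -key "${name}_key.pem" \
    -out "${name}_csr.pem" \
    -subj "${SUBJ_PREFIX}/CN=${cn}/" \
    -config "${cnf}" \
    -reqexts "${ext}"
  openssl x509 -req \
    -in "${name}_csr.pem" \
    -CAkey "${ca}_ca_key.pem" \
    -CA "${ca}_ca_cert.pem" \
    -days "${DAYS}" \
    -set_serial "${serial}" \
    -out "${name}_cert.pem" \
    -extfile "${cnf}" \
    -extensions "${ext}" \
    -sha256
  # Check the verdict text as well as the exit status: some older OpenSSL
  # releases reportedly exit 0 from `openssl verify` even on failure.
  local verdict
  verdict=$(openssl verify -verbose -CAfile "${ca}_ca_cert.pem" "${name}_cert.pem") \
    || die "${name}_cert.pem does not verify against ${ca}_ca_cert.pem"
  printf '%s\n' "${verdict}"
  [[ "${verdict}" == *": OK" ]] \
    || die "${name}_cert.pem does not verify against ${ca}_ca_cert.pem"
}

#######################################
# Create a self-signed certificate carrying the given subjectAltName.
# The result is not chained to any CA. -addext requires OpenSSL 1.1.1+.
# Arguments: $1 - output basename; writes $1_key.pem and $1_cert.pem
#            $2 - subjectAltName value, e.g. "URI:spiffe://..."
#######################################
make_selfsigned_san() {
  local name=$1 san=$2
  openssl req -x509 \
    -newkey "rsa:${KEY_BITS}" \
    -keyout "${name}_key.pem" \
    -out "${name}_cert.pem" \
    -nodes \
    -days "${DAYS}" \
    -subj "${SUBJ_PREFIX}/CN=test-client1/" \
    -addext "subjectAltName = ${san}" \
    -sha256
}

main() {
  # CAs.
  make_ca server
  make_ca client

  # Two server certs under the server CA, with distinct serials.
  openssl genrsa -out server1_key.pem "${KEY_BITS}"
  issue_cert server1 server test_server 1000 test-server1
  openssl genrsa -out server2_key.pem "${KEY_BITS}"
  issue_cert server2 server test_server 1001 test-server2

  # Two client certs under the client CA, with distinct serials.
  openssl genrsa -out client1_key.pem "${KEY_BITS}"
  issue_cert client1 client test_client 1000 test-client1
  openssl genrsa -out client2_key.pem "${KEY_BITS}"
  issue_cert client2 client test_client 1001 test-client2

  # Self-signed cert with a single SPIFFE ID.
  make_selfsigned_san spiffe 'URI:spiffe://foo.bar.com/client/workload/1'

  # Self-signed cert with a SPIFFE ID plus a second URI SAN. SPIFFE SVIDs
  # must carry exactly one URI SAN, so this one is deliberately non-compliant
  # for the negative test.
  make_selfsigned_san multiple_uri \
    'URI:spiffe://foo.bar.com/client/workload/1, URI:https://bar.baz.com/client'

  # CA-signed cert whose SPIFFE ID comes from client_with_spiffe_openssl.cnf.
  # The key is an input, not an output, so fail loudly if it is absent.
  [[ -f client_with_spiffe_key.pem ]] \
    || die 'client_with_spiffe_key.pem is missing; this script does not generate it'
  # Serial 1002: 1000 and 1001 are already used under the client CA.
  issue_cert client_with_spiffe client test_client 1002 test-client1 \
    ./client_with_spiffe_openssl.cnf
}

main "$@"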