START lib/libcrypto/CA 2024-10-05T19:19:09Z
==== clean ====
rm -f a.out [Ee]rrs mklog *.core y.tab.h *.pem *.serial *.txt *.attr *.old stamp-clean stamp-root.serial stamp-intermediate.serial stamp-root.txt stamp-intermediate.txt
==== root.serial ====
echo 1000 >root.serial
==== intermediate.serial ====
echo 1000 >intermediate.serial
==== root.txt ====
true >root.txt
==== intermediate.txt ====
true >intermediate.txt
==== run-verify-intermediate ====
# generate root rsa 4096 key
openssl genrsa -out root.key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................................................................................................................................................................................
...............................................................
e is 65537 (0x010001)
# generate root cert
openssl req -batch -config /usr/src/regress/lib/libcrypto/CA/root.cnf -key root.key.pem -new -x509 -days 365 -sha256 -extensions v3_ca -out root.cert.pem
# generate intermediate rsa 2048 key
openssl genrsa -out intermediate.key.pem 2048
Generating RSA private key, 2048 bit long modulus
......
.......................................
e is 65537 (0x010001)
# generate intermediate req
openssl req -batch -config /usr/src/regress/lib/libcrypto/CA/intermediate.cnf -new -sha256 -key intermediate.key.pem -out intermediate.csr.pem
# sign intermediate
openssl ca -batch -config /usr/src/regress/lib/libcrypto/CA/root.cnf -extensions v3_intermediate_ca -days 10 -notext -md sha256 -in intermediate.csr.pem -out intermediate.cert.pem
Using configuration from /usr/src/regress/lib/libcrypto/CA/root.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Oct 5 19:19:25 2024 GMT
Not After : Oct 15 19:19:25 2024 GMT
Subject:
countryName = CA
stateOrProvinceName = Alberta
organizationName = OpenBSD
organizationalUnitName = So and Sos
commonName = Regress Intermediate CA
emailAddress = evilsoandsos@openbsd.org
X509v3 extensions:
X509v3 Subject Key Identifier:
1B:F8:3D:08:AF:39:86:7C:DA:D1:C5:80:0A:22:F1:5A:AE:EB:AA:1C
X509v3 Authority Key Identifier:
keyid:07:2D:7C:BB:E0:27:0B:64:3A:CC:9D:73:EC:66:B8:F5:4F:4E:04:C2
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Name Constraints: critical
Permitted:
DNS:.openbsd.org
DNS:client
email:openbsd.org
email:@test.openbsd.org
URI:.openbsd.org
DirName: C = CA, O = OpenBSD
othername:<unsupported>
Excluded:
IP:0.0.0.0/0.0.0.0
IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
Certificate is to be certified until Oct 15 19:19:25 2024 GMT (10 days)
Write out database with 1 new entries
Data Base Updated
# validate intermediate CA
openssl verify -CAfile root.cert.pem intermediate.cert.pem
intermediate.cert.pem: OK
==== run-verify-server ====
cat intermediate.cert.pem root.cert.pem > chain.pem
# genrsa server
openssl genrsa -out server.key.pem 2048
Generating RSA private key, 2048 bit long modulus
..................................................................................................
...........
e is 65537 (0x010001)
# server req
openssl req -batch -config /usr/src/regress/lib/libcrypto/CA/intermediate.cnf -new -sha256 -subj '/CN=server.openbsd.org/OU=So and Sos/O=OpenBSD/C=CA' -key server.key.pem -out server.csr.pem
# server sign
openssl ca -batch -config /usr/src/regress/lib/libcrypto/CA/intermediate.cnf -extensions server_cert -days 5 -notext -md sha256 -in server.csr.pem -out server.cert.pem
Using configuration from /usr/src/regress/lib/libcrypto/CA/intermediate.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Oct 5 19:19:27 2024 GMT
Not After : Oct 10 19:19:27 2024 GMT
Subject:
countryName = CA
organizationName = OpenBSD
organizationalUnitName = So and Sos
commonName = server.openbsd.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
22:8B:DF:B6:67:63:62:4C:6B:E5:00:25:3C:57:8A:78:A1:59:F1:1F
X509v3 Authority Key Identifier:
keyid:1B:F8:3D:08:AF:39:86:7C:DA:D1:C5:80:0A:22:F1:5A:AE:EB:AA:1C
DirName:/C=CA/ST=Alberta/L=Edmonton/O=OpenBSD/OU=So and Sos/CN=Regress Root CA/emailAddress=evilsoandsos@openbsd.org
serial:10:00
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Oct 10 19:19:27 2024 GMT (5 days)
Write out database with 1 new entries
Data Base Updated
# validate server cert
openssl verify -purpose sslserver -CAfile chain.pem server.cert.pem
server.cert.pem: OK
==== run-verify-client ====
# genrsa client
openssl genrsa -out client.key.pem 2048
Generating RSA private key, 2048 bit long modulus
...............................................................................................................................
......................
e is 65537 (0x010001)
# client req
openssl req -batch -config /usr/src/regress/lib/libcrypto/CA/intermediate.cnf -new -sha256 -subj '/CN=client/OU=So and Sos/O=OpenBSD/C=CA' -key client.key.pem -out client.csr.pem
# client sign
openssl ca -batch -config /usr/src/regress/lib/libcrypto/CA/intermediate.cnf -extensions usr_cert -days 5 -notext -md sha256 -in client.csr.pem -out client.cert.pem
Using configuration from /usr/src/regress/lib/libcrypto/CA/intermediate.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4097 (0x1001)
Validity
Not Before: Oct 5 19:19:30 2024 GMT
Not After : Oct 10 19:19:30 2024 GMT
Subject:
countryName = CA
organizationName = OpenBSD
organizationalUnitName = So and Sos
commonName = client
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
Netscape Comment:
OpenSSL Generated Client Certificate
X509v3 Subject Key Identifier:
9F:69:1B:25:17:74:DC:7F:EC:39:2A:EB:58:E2:FE:CC:70:AC:BD:F4
X509v3 Authority Key Identifier:
keyid:1B:F8:3D:08:AF:39:86:7C:DA:D1:C5:80:0A:22:F1:5A:AE:EB:AA:1C
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection
X509v3 Subject Alternative Name: critical
email:evilsoandsos@test.openbsd.org
Certificate is to be certified until Oct 10 19:19:30 2024 GMT (5 days)
Write out database with 1 new entries
Data Base Updated
# validate client cert
openssl verify -purpose sslclient -CAfile chain.pem client.cert.pem
client.cert.pem: OK
PASS lib/libcrypto/CA Duration 0m20.39s