\r
rd ./demoCA /S/Q\r
mkdir ./demoCA\r
- echo "" > ./demoCA/index.txt\r
+ echo.>./demoCA/index.txt\r
echo 01 > ./demoCA/serial\r
mkdir ./demoCA/newcerts\r
\r
+OpenSSL will apply the options from the specified sections in openssl.cnf when creating certificates or certificate signing requests. Make sure your configuration in openssl.cnf is correct and rational for certificate constraints.\r
+The following sample sections were used when generating test certificates in this readme.\r
+ ...\r
+ [ req ]\r
+ default_bits = 2048\r
+ default_keyfile = privkey.pem\r
+ distinguished_name = req_distinguished_name\r
+ attributes = req_attributes\r
+ x509_extensions = v3_ca # The extensions to add to the self signed cert\r
+ ...\r
+ [ v3_ca ]\r
+ # Extensions for a typical Root CA.\r
+ subjectKeyIdentifier=hash\r
+ authorityKeyIdentifier=keyid:always,issuer\r
+ basicConstraints = critical,CA:true\r
+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign\r
+ ...\r
+ [ v3_intermediate_ca ]\r
+ # Extensions for a typical intermediate CA.\r
+ subjectKeyIdentifier = hash\r
+ authorityKeyIdentifier = keyid:always,issuer\r
+ basicConstraints = critical, CA:true\r
+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign\r
+ ...\r
+ [ usr_cert ]\r
+ # Extensions for user end certificates.\r
+ basicConstraints = CA:FALSE\r
+ nsCertType = client, email\r
+ subjectKeyIdentifier = hash\r
+ authorityKeyIdentifier = keyid,issuer\r
+ keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment\r
+ extendedKeyUsage = clientAuth, emailProtection\r
+ ...\r
+\r
* Generate the certificate chain:\r
\r
NOTE: User MUST set a UNIQUE "Common Name" on the different certificate\r
\r
Generate a self-signed root certificate:\r
\r
- openssl req -new -x509 -days 3650 -key TestRoot.key -out TestRoot.crt\r
+ openssl req -extensions v3_ca -new -x509 -days 3650 -key TestRoot.key -out TestRoot.crt\r
openssl x509 -in TestRoot.crt -out TestRoot.cer -outform DER\r
openssl x509 -inform DER -in TestRoot.cer -outform PEM -out TestRoot.pub.pem\r
\r
Generate the intermediate certificate:\r
\r
openssl req -new -days 3650 -key TestSub.key -out TestSub.csr\r
- openssl ca -extensions v3_ca -in TestSub.csr -days 3650 -out TestSub.crt -cert TestRoot.crt -keyfile TestRoot.key\r
+ openssl ca -extensions v3_intermediate_ca -in TestSub.csr -days 3650 -out TestSub.crt -cert TestRoot.crt -keyfile TestRoot.key\r
openssl x509 -in TestSub.crt -out TestSub.cer -outform DER\r
openssl x509 -inform DER -in TestSub.cer -outform PEM -out TestSub.pub.pem\r
\r
Generate User certificate:\r
\r
openssl req -new -days 3650 -key TestCert.key -out TestCert.csr\r
- openssl ca -in TestCert.csr -days 3650 -out TestCert.crt -cert TestSub.crt -keyfile TestSub.key`\r
+ openssl ca -extensions usr_cert -in TestCert.csr -days 3650 -out TestCert.crt -cert TestSub.crt -keyfile TestSub.key\r
openssl x509 -in TestCert.crt -out TestCert.cer -outform DER\r
openssl x509 -inform DER -in TestCert.cer -outform PEM -out TestCert.pub.pem\r
\r
projects / mirror_edk2.git / blobdiff