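#!/bin/bash
# Regenerate the TLS test material in the current directory:
#   - a server CA and a client CA (self-signed),
#   - two server leaf certs signed by the server CA,
#   - two client leaf certs signed by the client CA,
#   - two self-signed certs carrying SPIFFE URIs in subjectAltName.
#
# Requires ./openssl.cnf in the current directory with the sections
# test_ca, test_server and test_client. Output files overwrite any
# existing *_key.pem / *_cert.pem of the same name; the intermediate
# CSRs are removed at the end. Any failing openssl step aborts the run
# so a half-regenerated set of files is not left behind unnoticed.
set -euo pipefail

readonly DAYS=3650
readonly KEY_BITS=4096
readonly CONFIG=./openssl.cnf
readonly SUBJ_PREFIX=/C=US/ST=CA/L=SVL/O=gRPC/CN=

die() { printf '%s: %s\n' "${0##*/}" "$*" >&2; exit 1; }

#######################################
# Create a self-signed CA key and cert.
# Globals:   DAYS, KEY_BITS, CONFIG, SUBJ_PREFIX (read)
# Arguments: $1 - file prefix, e.g. server_ca -> server_ca_key.pem,
#                 server_ca_cert.pem, CN=test-server_ca
# Returns:   openssl's exit status
#######################################
create_ca() {
  local prefix=$1
  openssl req -x509 \
    -newkey "rsa:${KEY_BITS}" \
    -nodes \
    -days "$DAYS" \
    -keyout "${prefix}_key.pem" \
    -out "${prefix}_cert.pem" \
    -subj "${SUBJ_PREFIX}test-${prefix}/" \
    -config "$CONFIG" \
    -extensions test_ca
}

#######################################
# Generate a key and CSR, sign the CSR with the given CA, then verify the
# resulting cert chains to that CA.
# Globals:   DAYS, KEY_BITS, CONFIG, SUBJ_PREFIX (read)
# Arguments: $1 - leaf file prefix, e.g. server1 (CN=test-server1)
#            $2 - CA file prefix, e.g. server_ca
#            $3 - extension section in $CONFIG (test_server / test_client),
#                 used both as -reqexts on the CSR and -extensions at signing
#            $4 - certificate serial; must be unique per issuing CA
# Returns:   non-zero (and aborts under set -e) if any step fails
#######################################
issue_cert() {
  local prefix=$1 ca=$2 ext=$3 serial=$4
  openssl genrsa -out "${prefix}_key.pem" "$KEY_BITS"
  # -days is not passed here: it only applies to 'req -x509', never to a CSR.
  openssl req -new \
    -key "${prefix}_key.pem" \
    -out "${prefix}_csr.pem" \
    -subj "${SUBJ_PREFIX}test-${prefix}/" \
    -config "$CONFIG" \
    -reqexts "$ext"
  openssl x509 -req \
    -in "${prefix}_csr.pem" \
    -CAkey "${ca}_key.pem" \
    -CA "${ca}_cert.pem" \
    -days "$DAYS" \
    -set_serial "$serial" \
    -out "${prefix}_cert.pem" \
    -extfile "$CONFIG" \
    -extensions "$ext"
  openssl verify -verbose -CAfile "${ca}_cert.pem" "${prefix}_cert.pem"
}

#######################################
# Create a self-signed leaf cert (CN=test-client1) whose subjectAltName
# holds the given URI entries. Does not use $CONFIG.
# Globals:   DAYS, KEY_BITS, SUBJ_PREFIX (read)
# Arguments: $1 - file prefix, e.g. spiffe
#            $2 - subjectAltName value, e.g. "URI:spiffe://..."
# Returns:   openssl's exit status
#######################################
create_san_cert() {
  local prefix=$1 san=$2
  openssl req -x509 \
    -newkey "rsa:${KEY_BITS}" \
    -keyout "${prefix}_key.pem" \
    -out "${prefix}_cert.pem" \
    -nodes \
    -days "$DAYS" \
    -subj "${SUBJ_PREFIX}test-client1/" \
    -addext "subjectAltName = ${san}"
}

main() {
  [[ -f "$CONFIG" ]] || die "$CONFIG not found; run from the directory holding openssl.cnf"

  # Create the server and client CA certs.
  create_ca server_ca
  create_ca client_ca

  # Two server certs and two client certs. Serials are distinct within each
  # CA: RFC 5280 requires the serial to be unique per issuer, and some
  # verifiers/caches key certificates by (issuer, serial).
  issue_cert server1 server_ca test_server 1000
  issue_cert server2 server_ca test_server 1001
  issue_cert client1 client_ca test_client 1000
  issue_cert client2 client_ca test_client 1001

  # A cert with a SPIFFE ID.
  create_san_cert spiffe "URI:spiffe://foo.bar.com/client/workload/1"
  # A cert with a SPIFFE ID plus a second URI SAN, which does not meet the
  # SPIFFE spec (exactly one URI SAN is allowed) — used as a negative case.
  create_san_cert multiple_uri \
    "URI:spiffe://foo.bar.com/client/workload/1, URI:https://bar.baz.com/client"

  # Cleanup the CSRs. -f keeps this from failing if none were produced.
  rm -f -- ./*_csr.pem
}

main "$@"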