mirror of
https://github.com/MariaDB/server.git
synced 2025-07-29 05:21:33 +03:00
MDEV-18019, MDEV-18135: Renew test OpenSSL certs at level 3 security
Touch attribute file to fix errors like:
Can't open ./demoCA/index.txt.attr for reading,
No such file or directory
140553384993216:error:02001002:system library:
fopen:No such file or directory:../crypto/bio/bss_file.c:72:
fopen('./demoCA/index.txt.attr','r')
140553384993216:error:2006D080:BIO routines:
BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
Check that the request matches the signature
This commit is contained in:
Otto Kekäläinen
@ -9,21 +9,26 @@ cd std_data/
|
||||
rm -rf demoCA
|
||||
mkdir demoCA demoCA/newcerts
|
||||
touch demoCA/index.txt
|
||||
touch demoCA/index.txt.attr
|
||||
echo 01 > demoCA/serial
|
||||
echo 01 > demoCA/crlnumber
|
||||
|
||||
# Use rsa:3072 at minimum for all keys to be future compatible with next OpenSSL releases
|
||||
# See level 3 in https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_security_level.html
|
||||
# Following industry practice, jump directly to rsa:4096 instead of just rsa:3072.
|
||||
|
||||
# CA certificate, self-signed
|
||||
openssl req -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem -days 7300 -nodes -subj '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' -text
|
||||
openssl req -x509 -newkey rsa:4096 -keyout cakey.pem -out cacert.pem -days 7300 -nodes -subj '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' -text
|
||||
|
||||
# server certificate signing request and private key. Note the very long subject (for MDEV-7859)
|
||||
openssl req -newkey rsa:2048 -keyout server-key.pem -out demoCA/server-req.pem -days 7300 -nodes -subj '/CN=localhost/C=FI/ST=state or province within country, in other certificates in this file it is the same as L/L=location, usually an address but often ambiguously used/OU=organizational unit name, a division name within an organization/O=organization name, typically a company name'
|
||||
openssl req -newkey rsa:4096 -keyout server-key.pem -out demoCA/server-req.pem -days 7300 -nodes -subj '/CN=localhost/C=FI/ST=state or province within country, in other certificates in this file it is the same as L/L=location, usually an address but often ambiguously used/OU=organizational unit name, a division name within an organization/O=organization name, typically a company name'
|
||||
# convert the key to yassl compatible format
|
||||
openssl rsa -in server-key.pem -out server-key.pem
|
||||
# sign the server certificate with CA certificate
|
||||
openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out server-cert.pem -in demoCA/server-req.pem
|
||||
|
||||
# server certificate with different validity period (MDEV-7598)
|
||||
openssl req -newkey rsa:2048 -keyout server-new-key.pem -out demoCA/server-new-req.pem -days 7301 -nodes -subj '/CN=server-new/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
|
||||
openssl req -newkey rsa:4096 -keyout server-new-key.pem -out demoCA/server-new-req.pem -days 7301 -nodes -subj '/CN=server-new/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
|
||||
openssl rsa -in server-new-key.pem -out server-new-key.pem
|
||||
openssl ca -keyfile cakey.pem -days 7301 -batch -cert cacert.pem -policy policy_anything -out server-new-cert.pem -in demoCA/server-new-req.pem
|
||||
|
||||
@ -36,11 +41,11 @@ openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_
|
||||
cat > demoCA/sanext.conf <<EOF
|
||||
subjectAltName=IP:127.0.0.1, DNS:localhost
|
||||
EOF
|
||||
openssl req -newkey rsa:2048 -keyout serversan-key.pem -out demoCA/serversan-req.pem -days 7300 -nodes -subj '/CN=server/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
|
||||
openssl req -newkey rsa:4096 -keyout serversan-key.pem -out demoCA/serversan-req.pem -days 7300 -nodes -subj '/CN=server/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
|
||||
openssl ca -keyfile cakey.pem -extfile demoCA/sanext.conf -days 7300 -batch -cert cacert.pem -policy policy_anything -out serversan-cert.pem -in demoCA/serversan-req.pem
|
||||
|
||||
# client cert
|
||||
openssl req -newkey rsa:2048 -keyout client-key.pem -out demoCA/client-req.pem -days 7300 -nodes -subj '/CN=client/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
|
||||
openssl req -newkey rsa:4096 -keyout client-key.pem -out demoCA/client-req.pem -days 7300 -nodes -subj '/CN=client/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
|
||||
openssl rsa -in client-key.pem -out client-key.pem
|
||||
openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out client-cert.pem -in demoCA/client-req.pem
|
||||
|
||||
|
||||
Reference in New Issue
Block a user