Lines Matching +full:key +full:-
# Root CA fixtures for the certificate-verification tests, followed by
# "trusted certificate" variants of each root.
# The leading numbers are the original file's line numbers as printed by this
# listing; gaps in the numbering are lines the search did not match.
3 # Primary root: root-cert
4 ./mkcert.sh genroot "Root CA" root-key root-cert
# Variants that reuse the "Root CA" name and/or root-key: root-nonca (made with
# genss; by its name a self-signed cert without CA status - confirm in
# mkcert.sh), a second key (root-key2), a second subject name (root-name2) and
# root-expired, which is generated with DAYS=-1.
6 ./mkcert.sh genss "Root CA" root-key root-nonca
7 ./mkcert.sh genroot "Root CA" root-key2 root-cert2
8 ./mkcert.sh genroot "Root Cert 2" root-key root-name2
9 DAYS=-1 ./mkcert.sh genroot "Root CA" root-key root-expired
# cross-root is a separate root; root-cross-cert then names "Root CA"/root-key
# as subject with cross-key/cross-root in the issuer positions that genca uses
# elsewhere in this file.
11 ./mkcert.sh genroot "Cross Root" cross-key cross-root
12 ./mkcert.sh genca "Root CA" root-key root-cross-cert cross-key cross-root
# -trustout makes `openssl x509` write the certificate in OpenSSL's
# trusted-certificate form, which carries the purposes added with -addtrust
# (trusted for) and -addreject (rejected for). The output names encode the
# setting: "+purpose" is a trusted use, "-purpose" a rejected use.
# The trust decision travels inside these files, so they are test inputs only
# and should stay out of any real trust store.
13 # trust variants: +serverAuth -serverAuth +clientAuth -clientAuth
14 openssl x509 -in root-cert.pem -trustout \
15 -addtrust serverAuth -out root+serverAuth.pem
16 openssl x509 -in root-cert.pem -trustout \
17 -addreject serverAuth -out root-serverAuth.pem
18 openssl x509 -in root-cert.pem -trustout \
19 -addtrust clientAuth -out root+clientAuth.pem
20 openssl x509 -in root-cert.pem -trustout \
21 -addreject clientAuth -out root-clientAuth.pem
22 # trust variants: +anyEKU -anyEKU
23 openssl x509 -in root-cert.pem -trustout \
24 -addtrust anyExtendedKeyUsage -out root+anyEKU.pem
25 openssl x509 -in root-cert.pem -trustout \
26 -addreject anyExtendedKeyUsage -out root-anyEKU.pem
27 # root-cert2 trust variants: +serverAuth -serverAuth +clientAuth
28 openssl x509 -in root-cert2.pem -trustout \
29 -addtrust serverAuth -out root2+serverAuth.pem
30 openssl x509 -in root-cert2.pem -trustout \
31 -addreject serverAuth -out root2-serverAuth.pem
32 openssl x509 -in root-cert2.pem -trustout \
33 -addtrust clientAuth -out root2+clientAuth.pem
# The non-CA root only gets "+" variants here (nroot+...); no reject variants
# are generated for it in the lines shown.
34 # root-nonca trust variants: +serverAuth +anyEKU
35 openssl x509 -in root-nonca.pem -trustout \
36 -addtrust serverAuth -out nroot+serverAuth.pem
37 openssl x509 -in root-nonca.pem -trustout \
38 -addtrust anyExtendedKeyUsage -out nroot+anyEKU.pem
# Deliberately weak root fixtures (MD5 self-signature, 768-bit key), presumably
# for checking how verification treats weak algorithms; not for use outside
# the test suite.
# NOTE(review): this listing skips original lines 42 and 45, so whatever selects
# MD5 and 768 bits is not visible here. As shown, the two genroot calls look
# like ordinary ones - read them together with the omitted lines; confirm.
41 # MD5 self-signature
43 ./mkcert.sh genroot "Root CA" root-key root-cert-md5
44 # 768-bit key
46 ./mkcert.sh genroot "Root CA" root-key-768 root-cert-768
48 # primary client-EKU root: croot-cert
49 ./mkcert.sh genroot "Root CA" root-key croot-cert clientAuth
50 # trust variants: +serverAuth -serverAuth +clientAuth -clientAuth +anyEKU -anyEKU
51 openssl x509 -in croot-cert.pem -trustout \
52 -addtrust serverAuth -out croot+serverAuth.pem
53 openssl x509 -in croot-cert.pem -trustout \
54 -addreject serverAuth -out croot-serverAuth.pem
55 openssl x509 -in croot-cert.pem -trustout \
56 -addtrust clientAuth -out croot+clientAuth.pem
57 openssl x509 -in croot-cert.pem -trustout \
58 -addreject clientAuth -out croot-clientAuth.pem
59 openssl x509 -in croot-cert.pem -trustout \
60 -addtrust anyExtendedKeyUsage -out croot+anyEKU.pem
61 openssl x509 -in croot-cert.pem -trustout \
62 -addreject anyExtendedKeyUsage -out croot-anyEKU.pem
64 # primary server-EKU root: sroot-cert
65 ./mkcert.sh genroot "Root CA" root-key sroot-cert serverAuth
66 # trust variants: +serverAuth -serverAuth +clientAuth -clientAuth +anyEKU -anyEKU
67 openssl x509 -in sroot-cert.pem -trustout \
68 -addtrust serverAuth -out sroot+serverAuth.pem
69 openssl x509 -in sroot-cert.pem -trustout \
70 -addreject serverAuth -out sroot-serverAuth.pem
71 openssl x509 -in sroot-cert.pem -trustout \
72 -addtrust clientAuth -out sroot+clientAuth.pem
73 openssl x509 -in sroot-cert.pem -trustout \
74 -addreject clientAuth -out sroot-clientAuth.pem
75 openssl x509 -in sroot-cert.pem -trustout \
76 -addtrust anyExtendedKeyUsage -out sroot+anyEKU.pem
77 openssl x509 -in sroot-cert.pem -trustout \
78 -addreject anyExtendedKeyUsage -out sroot-anyEKU.pem
80 # Primary intermediate ca: ca-cert
81 ./mkcert.sh genca "CA" ca-key ca-cert root-key root-cert
83 ./mkcert.sh genee "CA" ca-key ca-nonca root-key root-cert
84 ./mkcert.sh gen_nonbc_ca "CA" ca-key ca-nonbc root-key root-cert
85 ./mkcert.sh genca "CA" ca-key2 ca-cert2 root-key root-cert
86 ./mkcert.sh genca "CA2" ca-key ca-name2 root-key root-cert
87 ./mkcert.sh genca "CA" ca-key ca-root2 root-key2 root-cert2
88 DAYS=-1 ./mkcert.sh genca "CA" ca-key ca-expired root-key root-cert
89 # trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
90 openssl x509 -in ca-cert.pem -trustout \
91 -addtrust serverAuth -out ca+serverAuth.pem
92 openssl x509 -in ca-cert.pem -trustout \
93 -addreject serverAuth -out ca-serverAuth.pem
94 openssl x509 -in ca-cert.pem -trustout \
95 -addtrust clientAuth -out ca+clientAuth.pem
96 openssl x509 -in ca-cert.pem -trustout \
97 -addreject clientAuth -out ca-clientAuth.pem
98 # trust variants: +anyEKU, -anyEKU
99 openssl x509 -in ca-cert.pem -trustout \
100 -addtrust anyExtendedKeyUsage -out ca+anyEKU.pem
101 openssl x509 -in ca-cert.pem -trustout \
102 -addreject anyExtendedKeyUsage -out ca-anyEKU.pem
103 # ca-nonca trust variants: +serverAuth, +anyEKU
104 openssl x509 -in ca-nonca.pem -trustout \
105 -addtrust serverAuth -out nca+serverAuth.pem
106 openssl x509 -in ca-nonca.pem -trustout \
107 -addtrust anyExtendedKeyUsage -out nca+anyEKU.pem
112 ./mkcert.sh genca "CA" ca-key ca-cert-md5 root-key root-cert
113 openssl x509 -in ca-cert-md5.pem -trustout \
114 -addtrust anyExtendedKeyUsage -out ca-cert-md5-any.pem
115 # Issuer has 768-bit key
116 ./mkcert.sh genca "CA" ca-key ca-cert-768i root-key-768 root-cert-768
117 # CA has 768-bit key
119 ./mkcert.sh genca "CA" ca-key-768 ca-cert-768 root-key root-cert
121 ./mkcert.sh genca "CA" ca-key-ec-explicit ca-cert-ec-explicit root-key root-cert
123 ./mkcert.sh genca "CA" ca-key-ec-named ca-cert-ec-named root-key root-cert
125 # client intermediate ca: cca-cert
126 ./mkcert.sh genca -p clientAuth "CA" ca-key cca-cert root-key root-cert
127 # trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, +anyEKU, -anyEKU
128 openssl x509 -in cca-cert.pem -trustout \
129 -addtrust serverAuth -out cca+serverAuth.pem
130 openssl x509 -in cca-cert.pem -trustout \
131 -addreject serverAuth -out cca-serverAuth.pem
132 openssl x509 -in cca-cert.pem -trustout \
133 -addtrust clientAuth -out cca+clientAuth.pem
134 openssl x509 -in cca-cert.pem -trustout \
135 -addreject clientAuth -out cca-clientAuth.pem
136 openssl x509 -in cca-cert.pem -trustout \
137 -addtrust anyExtendedKeyUsage -out cca+anyEKU.pem
138 openssl x509 -in cca-cert.pem -trustout \
139 -addreject anyExtendedKeyUsage -out cca-anyEKU.pem
141 # server intermediate ca: sca-cert
142 ./mkcert.sh genca -p serverAuth "CA" ca-key sca-cert root-key root-cert
143 # trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, +anyEKU, -anyEKU
144 openssl x509 -in sca-cert.pem -trustout \
145 -addtrust serverAuth -out sca+serverAuth.pem
146 openssl x509 -in sca-cert.pem -trustout \
147 -addreject serverAuth -out sca-serverAuth.pem
148 openssl x509 -in sca-cert.pem -trustout \
149 -addtrust clientAuth -out sca+clientAuth.pem
150 openssl x509 -in sca-cert.pem -trustout \
151 -addreject clientAuth -out sca-clientAuth.pem
152 openssl x509 -in sca-cert.pem -trustout \
153 -addtrust anyExtendedKeyUsage -out sca+anyEKU.pem
154 openssl x509 -in sca-cert.pem -trustout \
155 -addreject anyExtendedKeyUsage -out sca-anyEKU.pem
# End-entity (leaf) fixtures for server.example issued by ca-cert, their
# negative variants, and trusted-certificate forms of the leaves.
157 # Primary leaf cert: ee-cert with default purpose: serverAuth
158 ./mkcert.sh genee server.example ee-key ee-cert ca-key ca-cert
159 # ee variants: expired, issuer-key2, issuer-name2, bad-pathlen
160 ./mkcert.sh genee server.example ee-key ee-expired ca-key ca-cert -days -1
161 ./mkcert.sh genee server.example ee-key ee-cert2 ca-key2 ca-cert2
162 ./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2
# ee-pathlen is the "bad-pathlen" variant: its extension file puts pathlen:0
# on a CA:false certificate. <( ... ) is bash process substitution, which is
# why the script cannot run under a plain POSIX sh.
163 ./mkcert.sh genee server.example ee-key ee-pathlen ca-key ca-cert \
164 -extfile <(echo "basicConstraints=CA:false,pathlen:0") # bash needed here
# ee-client is the same leaf key issued with -p clientAuth instead of the
# default purpose.
166 ./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert
# The +/-serverAuth files are derived from ee-cert, the +/-clientAuth files
# from ee-client. -addtrust records a trusted use and -addreject a rejected
# use inside the -trustout output.
167 # trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
168 openssl x509 -in ee-cert.pem -trustout \
169 -addtrust serverAuth -out ee+serverAuth.pem
170 openssl x509 -in ee-cert.pem -trustout \
171 -addreject serverAuth -out ee-serverAuth.pem
172 openssl x509 -in ee-client.pem -trustout \
173 -addtrust clientAuth -out ee+clientAuth.pem
174 openssl x509 -in ee-client.pem -trustout \
175 -addreject clientAuth -out ee-clientAuth.pem
180 ./mkcert.sh genee server.example ee-key ee-cert-md5 ca-key ca-cert
181 # 768-bit issuer key
182 ./mkcert.sh genee server.example ee-key ee-cert-768i ca-key-768 ca-cert-768
183 # 768-bit leaf key
185 ./mkcert.sh genee server.example ee-key-768 ee-cert-768 ca-key ca-cert
187 ./mkcert.sh genee server.example ee-key-ec-explicit ee-cert-ec-explicit ca-key-ec-named ca-cert-ec-…
189 ./mkcert.sh genee server.example ee-key-ec-named-explicit \
190 ee-cert-ec-named-explicit ca-key-ec-explicit ca-cert-ec-explicit
192 ./mkcert.sh genee server.example ee-key-ec-named-named \
193 ee-cert-ec-named-named ca-key-ec-named ca-cert-ec-named
194 # 1024-bit leaf key
196 ./mkcert.sh genee server.example ee-key-1024 ee-cert-1024 ca-key ca-cert
197 # 3072-bit leaf key
199 ./mkcert.sh genee server.example ee-key-3072 ee-cert-3072 ca-key ca-cert
200 # 4096-bit leaf key
202 ./mkcert.sh genee server.example ee-key-4096 ee-cert-4096 ca-key ca-cert
203 # 8192-bit leaf key
205 ./mkcert.sh genee server.example ee-key-8192 ee-cert-8192 ca-key ca-cert
207 # self-signed end-entity cert with explicit keyUsage not including KeyCertSign
208 openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext key…
210 # Proxy certificates, off of ee-client
212 ./mkcert.sh req pc1-key "0.CN = server.example" "1.CN = proxy 1" | \
213 ./mkcert.sh genpc pc1-key pc1-cert ee-key ee-client \
214 "language = id-ppl-anyLanguage" "pathlen = 1" "policy = text:AB"
215 ./mkcert.sh req pc2-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 2" | \
216 ./mkcert.sh genpc pc2-key pc2-cert pc1-key pc1-cert \
217 "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"
220 ./mkcert.sh req bad-pc3-key "0.CN = server.example" "1.CN = proxy 3" | \
221 ./mkcert.sh genpc bad-pc3-key bad-pc3-cert pc1-key pc1-cert \
222 "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"
224 ./mkcert.sh req bad-pc4-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 4" | \
225 ./mkcert.sh genpc bad-pc4-key bad-pc4-cert pc1-key pc1-cert \
226 "language = id-ppl-anyLanguage" "pathlen = 1" "policy = text:AB"
228 ./mkcert.sh req pc5-key "0.CN = server.example" "1.CN = proxy 1" "2.CN = proxy 5" | \
229 ./mkcert.sh genpc pc5-key pc5-cert pc1-key pc1-cert \
230 "language = id-ppl-anyLanguage" "pathlen = 0"
232 ./mkcert.sh req bad-pc6-key "0.CN = server.example" "1.CN = proxy 1" "2.+CN = proxy 6" | \
233 ./mkcert.sh genpc bad-pc6-key bad-pc6-cert pc1-key pc1-cert \
234 "language = id-ppl-anyLanguage" "pathlen = 0" "policy = text:AB"
246 NC=$NC ./mkcert.sh genca "Test NC CA 1" ncca1-key ncca1-cert root-key root-cert
255 NC=$NC ./mkcert.sh genca "Test NC CA 2" ncca2-key ncca2-cert root-key root-cert
265 NC=$NC ./mkcert.sh genca "Test NC sub CA" ncca3-key ncca3-cert \
266 ncca1-key ncca1-cert
270 ./mkcert.sh req alt1-key "O = Good NC Test Certificate 1" \
272 ./mkcert.sh geneealt alt1-key alt1-cert ncca1-key ncca1-cert \
277 # all DNS-like CNs allowed by CA1, no DNS SANs.
279 ./mkcert.sh req goodcn1-key "O = Good NC Test Certificate 1" \
281 "3.CN=not..dns" "4.CN=not@dns" "5.CN=not-.dns" "6.CN=not.dns." | \
282 ./mkcert.sh geneealt goodcn1-key goodcn1-cert ncca1-key ncca1-cert \
285 # all DNS-like CNs allowed by CA1, no SANs
287 ./mkcert.sh req goodcn2-key "O = Good NC Test Certificate 1" \
289 ./mkcert.sh geneeconfig goodcn2-key goodcn2-cert ncca1-key ncca1-cert
291 # Some DNS-like CNs not permitted by CA1, no DNS SANs.
293 ./mkcert.sh req badcn1-key "O = Good NC Test Certificate 1" \
295 ./mkcert.sh geneealt badcn1-key badcn1-cert ncca1-key ncca1-cert \
300 ./mkcert.sh req alt2-key "O = Good NC Test Certificate 2" | \
301 ./mkcert.sh geneealt alt2-key alt2-cert ncca2-key ncca2-cert \
307 ./mkcert.sh req badalt1-key "O = Bad NC Test Certificate 1" | \
308 ./mkcert.sh geneealt badalt1-key badalt1-cert ncca1-key ncca1-cert \
314 ./mkcert.sh req badalt2-key 'O = Bad NC Test Certificate 2' | \
315 ./mkcert.sh geneealt badalt2-key badalt2-cert ncca2-key ncca2-cert \
# NOTE(review): the request is made for badalt3-key, but the certificate name
# passed to geneealt is badalt1-cert - the same name the "Bad NC Test
# Certificate 1" step (original line 308) uses. If mkcert.sh treats that
# argument as the output name, this step replaces badalt1-cert and no
# badalt3-cert is produced, so the test meant for certificate 1 would run
# against certificate 3's contents. Looks like a copy-paste slip; confirm
# against the tests that load these files.
321 ./mkcert.sh req badalt3-key "O = Bad NC Test Certificate 3" | \
322 ./mkcert.sh geneealt badalt3-key badalt1-cert ncca1-key ncca1-cert \
328 ./mkcert.sh req badalt4-key 'O = Bad NC Test Certificate 4' \
330 ./mkcert.sh geneealt badalt4-key badalt4-cert ncca1-key ncca1-cert \
335 ./mkcert.sh req badalt5-key "O = Bad NC Test Certificate 5" | \
336 ./mkcert.sh geneealt badalt5-key badalt5-cert ncca1-key ncca1-cert \
341 # No DNS-ID SANs and subject CN not allowed by CA1.
342 ./mkcert.sh req badalt6-key "O = Bad NC Test Certificate 6" \
344 ./mkcert.sh geneealt badalt6-key badalt6-cert ncca1-key ncca1-cert \
348 # No DNS-ID SANs and subject CN not allowed by CA1, BMPSTRING
349 REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \
351 ./mkcert.sh geneealt badalt7-key badalt7-cert ncca1-key ncca1-cert \
357 ./mkcert.sh req alt3-key "O = Good NC Test Certificate 3" \
359 ./mkcert.sh geneealt alt3-key alt3-cert ncca3-key ncca3-cert \
366 ./mkcert.sh req badalt8-key "O = Bad NC Test Certificate 8" \
368 ./mkcert.sh geneealt badalt8-key badalt8-cert ncca3-key ncca3-cert \
375 ./mkcert.sh req badalt9-key "O = Bad NC Test Certificate 9" \
377 ./mkcert.sh geneealt badalt9-key badalt9-cert ncca3-key ncca3-cert \
384 ./mkcert.sh req badalt10-key "O = Bad NC Test Certificate 10" \
386 ./mkcert.sh geneealt badalt10-key badalt10-cert ncca3-key ncca3-cert \
391 # Certs for CVE-2022-4203 testcase
394 "Test NC CA othername" nccaothername-key nccaothername-cert \
395 root-key root-cert
# Leaf for the CVE-2022-4203 test case named in the comment above, issued by
# the nccaothername CA.
# NOTE(review): the CSR is created with alt-email-key while the issuing step
# names bad-othername-key. Whether that matters depends on how geneealt uses
# its key argument, which this listing does not show - confirm, and align the
# two names if the mismatch is unintended. The statement's remaining
# continuation lines are also omitted from this listing.
397 ./mkcert.sh req alt-email-key "O = NC email in othername Test Certificate" | \
398 ./mkcert.sh geneealt bad-othername-key bad-othername-cert \
399 nccaothername-key nccaothername-cert \
402 # RSA-PSS signatures
# Leaf certificates signed by the ordinary ca-key using RSA-PSS padding, once
# with SHA-1 and once with SHA-256. rsa_pss_saltlen:digest sets the salt
# length equal to the digest length. The SHA-1 variant is a legacy-digest
# fixture and not a signing configuration to copy.
404 ./mkcert.sh genee PSS-SHA1 ee-key ee-pss-sha1-cert ca-key ca-cert \
405 -sha1 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest
407 ./mkcert.sh genee PSS-SHA256 ee-key ee-pss-sha256-cert ca-key ca-cert \
408 -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest
409 # CA-PSS
# A CA with its own key (ca-pss-key) and a leaf issued under it, both signed
# with PSS/SHA-256. The salt length is given numerically here; in OpenSSL -1
# is the numeric form of "digest", so it matches the setting used above.
410 ./mkcert.sh genca "CA-PSS" ca-pss-key ca-pss-cert root-key root-cert \
411 -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
412 ./mkcert.sh genee "EE-PSS" ee-key ee-pss-cert ca-pss-key ca-pss-cert \
413 -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
415 #./mkcert.sh genee "EE-PSS-wrong1.5" ee-key ee-pss-wrong1.5-cert ca-pss-key ca-pss-cert -sha256
418 "Server ECDSA brainpoolP256r1 cert" server-ecdsa-brainpoolP256r1-key \
419 server-ecdsa-brainpoolP256r1-cert rootkey rootcert
421 openssl req -new -noenc -subj "/CN=localhost" \
422 -newkey rsa-pss -keyout server-pss-restrict-key.pem \
423 -pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32 | \
424 ./mkcert.sh geneenocsr "Server RSA-PSS restricted cert" \
425 server-pss-restrict-cert rootkey rootcert
428 …sh genct server.example embeddedSCTs1-key embeddedSCTs1 embeddedSCTs1_issuer-key embeddedSCTs1_iss…
431 root-ed448-key root-ed448-cert
433 server-ed448-key server-ed448-cert root-ed448-key root-ed448-cert
435 # non-critical unknown extension
436 ./mkcert.sh geneeextra server.example ee-key ee-cert-noncrit-unknown-ext ca-key ca-cert "1.2.3.4=DE…
439 ./mkcert.sh geneeextra server.example ee-key ee-cert-crit-unknown-ext ca-key ca-cert "1.2.3.4=criti…
441 # critical id-pkix-ocsp-no-check extension
442 ./mkcert.sh geneeextra server.example ee-key ee-cert-ocsp-nocheck ca-key ca-cert "1.3.6.1.5.5.7.48.…
445 ./mkcert.sh genca -c "1.3.6.1.4.1.16604.998855.1" "CA" ca-key ca-pol-cert root-key root-cert
446 ./mkcert.sh geneeextra server.example ee-key ee-cert-policies ca-key ca-cert "certificatePolicies=1…
447 # We can create a cert with a duplicate policy OID - but it's actually invalid!
448 ./mkcert.sh geneeextra server.example ee-key ee-cert-policies-bad ca-key ca-cert "certificatePolici…