blob: c063377d97d99fac25471d037685b119fed07c4c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
|
all: agent1-cert.pem agent2-cert.pem agent3-cert.pem agent4-cert.pem ca2-crl.pem ec-cert.pem
#
# Create Certificate Authority: ca1
# ('password' is used for the CA password.)
#
ca1-cert.pem: ca1.cnf
openssl req -new -x509 -days 9999 -config ca1.cnf -keyout ca1-key.pem -out ca1-cert.pem
#
# Create Certificate Authority: ca2
# ('password' is used for the CA password.)
#
ca2-cert.pem: ca2.cnf
openssl req -new -x509 -days 9999 -config ca2.cnf -keyout ca2-key.pem -out ca2-cert.pem
echo '01' > ca2-serial
touch ca2-database.txt
#
# agent1 is signed by ca1.
#
agent1-key.pem:
openssl genrsa -out agent1-key.pem 1024
agent1-csr.pem: agent1.cnf agent1-key.pem
openssl req -new -config agent1.cnf -key agent1-key.pem -out agent1-csr.pem
agent1-cert.pem: agent1-csr.pem ca1-cert.pem ca1-key.pem
openssl x509 -req \
-days 9999 \
-passin "pass:password" \
-in agent1-csr.pem \
-CA ca1-cert.pem \
-CAkey ca1-key.pem \
-CAcreateserial \
-out agent1-cert.pem
agent1-verify: agent1-cert.pem ca1-cert.pem
openssl verify -CAfile ca1-cert.pem agent1-cert.pem
#
# agent2 has a self signed cert
#
# Generate new private key
agent2-key.pem:
openssl genrsa -out agent2-key.pem 1024
# Create a Certificate Signing Request for the key
agent2-csr.pem: agent2-key.pem agent2.cnf
openssl req -new -config agent2.cnf -key agent2-key.pem -out agent2-csr.pem
# Create a Certificate for the agent.
agent2-cert.pem: agent2-csr.pem agent2-key.pem
openssl x509 -req \
-days 9999 \
-in agent2-csr.pem \
-signkey agent2-key.pem \
-out agent2-cert.pem
agent2-verify: agent2-cert.pem
openssl verify -CAfile agent2-cert.pem agent2-cert.pem
#
# agent3 is signed by ca2.
#
agent3-key.pem:
openssl genrsa -out agent3-key.pem 1024
agent3-csr.pem: agent3.cnf agent3-key.pem
openssl req -new -config agent3.cnf -key agent3-key.pem -out agent3-csr.pem
agent3-cert.pem: agent3-csr.pem ca2-cert.pem ca2-key.pem
openssl x509 -req \
-days 9999 \
-passin "pass:password" \
-in agent3-csr.pem \
-CA ca2-cert.pem \
-CAkey ca2-key.pem \
-CAcreateserial \
-out agent3-cert.pem
agent3-verify: agent3-cert.pem ca2-cert.pem
openssl verify -CAfile ca2-cert.pem agent3-cert.pem
#
# agent4 is signed by ca2 (client cert)
#
agent4-key.pem:
openssl genrsa -out agent4-key.pem 1024
agent4-csr.pem: agent4.cnf agent4-key.pem
openssl req -new -config agent4.cnf -key agent4-key.pem -out agent4-csr.pem
agent4-cert.pem: agent4-csr.pem ca2-cert.pem ca2-key.pem
openssl x509 -req \
-days 9999 \
-passin "pass:password" \
-in agent4-csr.pem \
-CA ca2-cert.pem \
-CAkey ca2-key.pem \
-CAcreateserial \
-extfile agent4.cnf \
-extensions ext_key_usage \
-out agent4-cert.pem
agent4-verify: agent4-cert.pem ca2-cert.pem
openssl verify -CAfile ca2-cert.pem agent4-cert.pem
#
# Make CRL with agent4 being rejected
#
ca2-crl.pem: ca2-key.pem ca2-cert.pem ca2.cnf
openssl ca -revoke agent4-cert.pem \
-keyfile ca2-key.pem \
-cert ca2-cert.pem \
-config ca2.cnf \
-passin 'pass:password'
openssl ca \
-keyfile ca2-key.pem \
-cert ca2-cert.pem \
-config ca2.cnf \
-gencrl \
-out ca2-crl.pem \
-passin 'pass:password'
ec-key.pem:
openssl ecparam -genkey -out ec-key.pem -name prime256v1
ec-csr.pem: ec-key.pem
openssl req -new -config ec.cnf -key ec-key.pem -out ec-csr.pem
ec-cert.pem: ec-csr.pem ec-key.pem
openssl x509 -req \
-days 9999 \
-in ec-csr.pem \
-signkey ec-key.pem \
-out ec-cert.pem
clean:
rm -f *.pem *.srl ca2-database.txt ca2-serial
test: agent1-verify agent2-verify agent3-verify agent4-verify
.PHONY: all clean test agent1-verify agent2-verify agent3-verify agent4-verify
|
