Add Test CA and simple certs for testing

This commit is contained in:
John Smith 2021-11-22 09:02:41 -05:00
parent 190f0ed36b
commit c4cd54e020
41 changed files with 5081 additions and 0 deletions

20
files/ssl/certs/ca.crt Normal file
View File

@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----
MIIDVDCCAjygAwIBAgIUInouaHzfe4GFGlCYFmIi0AvWHEowDQYJKoZIhvcNAQEL
BQAwGTEXMBUGA1UEAwwOVmVpbGlkIFRlc3QgQ0EwHhcNMjExMTIyMTM0OTE5WhcN
MzExMTIwMTM0OTE5WjAZMRcwFQYDVQQDDA5WZWlsaWQgVGVzdCBDQTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMqKTFn4FCcKWysW8NbQZwysKUlwI9kc
S4CYy1+4eQC7Tn0eILG3+WfGCjAgRx72co+852NjsNnVwPVh8Xr7RdjyPscp4HTJ
jObVC93GofiAKFld2038A3/rsA5DoXyiUj2/nhBdw+aO1yiBXdEw7tIUZLUJ46Ku
QapuGXtL4xYXPAxhPhn5PY6xAWkar+6E9tv3g1BknxWlGmfulYaf1dAg2ra0Lswu
fiZfepPq9iwhiUlOSo3sWy7ObF+3TxWlQxMpGC1LiAmA4XEyWp2tDOV90B98yLQK
2pBhEexGaAJYy7DgZUNOV/WpjzLdDccXrQV9NoKXMOqsYC8MgDV2KjUCAwEAAaOB
kzCBkDAdBgNVHQ4EFgQUXX+NrxpW0/TKPdNt71AR92SZbwIwVAYDVR0jBE0wS4AU
XX+NrxpW0/TKPdNt71AR92SZbwKhHaQbMBkxFzAVBgNVBAMMDlZlaWxpZCBUZXN0
IENBghQiei5ofN97gYUaUJgWYiLQC9YcSjAMBgNVHRMEBTADAQH/MAsGA1UdDwQE
AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAfL9k5ZrsnFTXrcBsCNhgqll0dwutbn36
RzpE6bKZwGAYU3irdFFM3+D2zxaN/H665yL07uLn+XxrgIEplHAao5NSSxeYDUJo
5BV5rmnOy+bSDrSfEGvV0OA/WWhPVFAtq2SQnC6GW5YbmzaHIoOunEv2EQrg8yKP
pgff16xi+XFuAsR7Z4Cpbkb687Z878a4UaSWP/knnJM8Tjjl2wwxxTbWOvK9hbG3
3+L4G6xxXbgvXw2VR8rIUMK44u0xXb3Vwq4dHU6HZZwTNaEs41vNVrCZV45hu8NX
ZmcNEdDTPZQ67n+R4pJnbxDFLbTFEU/NZiCjug0jtjzHeRxnAntDFw==
-----END CERTIFICATE-----

88
files/ssl/certs/test.crt Normal file
View File

@ -0,0 +1,88 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
12:ce:63:bd:90:f5:ab:de:6d:7f:d7:3e:f3:e6:bb
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Veilid Test CA
Validity
Not Before: Nov 22 13:52:16 2021 GMT
Not After : Feb 25 13:52:16 2024 GMT
Subject: CN=Veilid Test Certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:cb:2e:7a:47:81:be:6f:6b:53:37:51:c1:50:68:
5a:44:3d:ba:b9:9b:78:40:84:35:d4:0e:e8:41:a6:
0e:0a:b9:34:ae:97:a3:37:3e:81:ed:6c:0f:f8:8a:
8b:0b:1a:ed:06:97:57:6d:49:a5:ec:b4:c4:d8:6d:
d2:57:c3:87:89:99:ee:b0:d7:c5:82:a1:dc:d5:98:
b3:ef:10:da:c0:5c:38:a2:bb:15:3e:0e:5e:bc:a0:
cd:a1:f0:07:67:bb:57:3f:89:cc:72:4f:bb:c0:a7:
ed:ad:15:07:61:c2:b4:21:73:39:00:9b:8f:aa:04:
1b:c4:9d:d4:00:44:87:b1:79:b4:e1:4e:01:3c:ee:
a4:bb:f9:ad:5d:88:41:03:b4:bf:df:bf:71:24:ee:
0b:69:59:55:dd:43:d1:91:04:de:98:9c:54:f2:ee:
63:78:fe:76:19:bf:e6:5d:d6:58:81:3c:1b:02:3d:
5d:cc:70:4a:c1:84:06:f6:1a:db:16:b0:e0:30:b0:
3a:85:41:48:a1:88:c5:38:04:7b:03:c4:86:f0:da:
1a:ff:bc:d1:ac:7f:cd:0c:e8:5a:42:5e:43:7f:0d:
61:5d:41:67:0f:b8:07:47:21:93:44:b2:ab:fa:d8:
69:bb:b9:6d:a1:56:6d:23:54:aa:49:67:e7:57:c6:
e9:c7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
70:ED:B0:96:71:33:43:16:EF:32:FF:69:11:C9:F0:02:3F:6C:81:88
X509v3 Authority Key Identifier:
keyid:5D:7F:8D:AF:1A:56:D3:F4:CA:3D:D3:6D:EF:50:11:F7:64:99:6F:02
DirName:/CN=Veilid Test CA
serial:22:7A:2E:68:7C:DF:7B:81:85:1A:50:98:16:62:22:D0:0B:D6:1C:4A
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:Veilid Test Certificate
Signature Algorithm: sha256WithRSAEncryption
b8:fc:ac:62:d6:95:af:09:db:24:7d:82:2c:02:e1:d0:7b:f5:
69:03:a4:42:55:c6:0d:2a:f1:9d:0e:c4:9b:78:40:7d:0d:7d:
ec:66:f6:c4:6d:06:d0:5b:58:de:ba:e6:67:ea:af:41:a3:87:
b4:37:8b:a8:1f:51:ae:70:e0:0d:f5:51:0a:7a:b3:b3:1d:d1:
77:92:63:35:ae:50:9e:04:3d:04:6e:f1:60:c8:e3:8f:1f:75:
47:05:27:a0:ff:c5:1b:30:68:b2:f9:5b:e6:f2:81:0f:9b:f2:
e8:8c:9d:b6:57:b2:c1:29:e7:d0:d0:88:b3:ba:8e:78:2e:ef:
ce:03:a3:12:fa:b4:e9:4e:1f:de:1a:cb:77:72:6b:71:98:02:
37:d2:b4:02:f0:2c:08:67:ca:75:0d:af:81:bf:f8:57:f8:d9:
4a:93:4f:db:3c:e1:af:3e:ab:9c:fe:87:f0:3a:01:21:6a:5c:
99:83:e3:03:47:98:15:23:24:b3:ee:29:27:f4:f1:34:c1:e4:
f8:39:5a:92:da:c7:08:dc:71:87:1c:ff:67:e7:ef:24:bc:34:
e3:4e:e0:16:12:84:60:d4:7f:a2:c0:5b:85:a9:c5:ef:78:0b:
c3:64:cb:b4:05:eb:51:e5:c1:0f:60:da:5c:98:08:bf:5d:b9:
1d:33:a7:26
-----BEGIN CERTIFICATE-----
MIIDjjCCAnagAwIBAgIPEs5jvZD1q95tf9c+8+a7MA0GCSqGSIb3DQEBCwUAMBkx
FzAVBgNVBAMMDlZlaWxpZCBUZXN0IENBMB4XDTIxMTEyMjEzNTIxNloXDTI0MDIy
NTEzNTIxNlowIjEgMB4GA1UEAwwXVmVpbGlkIFRlc3QgQ2VydGlmaWNhdGUwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLLnpHgb5va1M3UcFQaFpEPbq5
m3hAhDXUDuhBpg4KuTSul6M3PoHtbA/4iosLGu0Gl1dtSaXstMTYbdJXw4eJme6w
18WCodzVmLPvENrAXDiiuxU+Dl68oM2h8Adnu1c/icxyT7vAp+2tFQdhwrQhczkA
m4+qBBvEndQARIexebThTgE87qS7+a1diEEDtL/fv3Ek7gtpWVXdQ9GRBN6YnFTy
7mN4/nYZv+Zd1liBPBsCPV3McErBhAb2GtsWsOAwsDqFQUihiMU4BHsDxIbw2hr/
vNGsf80M6FpCXkN/DWFdQWcPuAdHIZNEsqv62Gm7uW2hVm0jVKpJZ+dXxunHAgMB
AAGjgckwgcYwCQYDVR0TBAIwADAdBgNVHQ4EFgQUcO2wlnEzQxbvMv9pEcnwAj9s
gYgwVAYDVR0jBE0wS4AUXX+NrxpW0/TKPdNt71AR92SZbwKhHaQbMBkxFzAVBgNV
BAMMDlZlaWxpZCBUZXN0IENBghQiei5ofN97gYUaUJgWYiLQC9YcSjATBgNVHSUE
DDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBaAwIgYDVR0RBBswGYIXVmVpbGlkIFRl
c3QgQ2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggEBALj8rGLWla8J2yR9giwC
4dB79WkDpEJVxg0q8Z0OxJt4QH0Nfexm9sRtBtBbWN665mfqr0Gjh7Q3i6gfUa5w
4A31UQp6s7Md0XeSYzWuUJ4EPQRu8WDI448fdUcFJ6D/xRswaLL5W+bygQ+b8uiM
nbZXssEp59DQiLO6jngu784DoxL6tOlOH94ay3dya3GYAjfStALwLAhnynUNr4G/
+Ff42UqTT9s84a8+q5z+h/A6ASFqXJmD4wNHmBUjJLPuKSf08TTB5Pg5WpLaxwjc
cYcc/2fn7yS8NONO4BYShGDUf6LAW4Wpxe94C8Nky7QF61HlwQ9g2lyYCL9duR0z
pyY=
-----END CERTIFICATE-----

View File

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAyy56R4G+b2tTN1HBUGhaRD26uZt4QIQ11A7oQaYOCrk0rpej
Nz6B7WwP+IqLCxrtBpdXbUml7LTE2G3SV8OHiZnusNfFgqHc1Ziz7xDawFw4orsV
Pg5evKDNofAHZ7tXP4nMck+7wKftrRUHYcK0IXM5AJuPqgQbxJ3UAESHsXm04U4B
PO6ku/mtXYhBA7S/379xJO4LaVlV3UPRkQTemJxU8u5jeP52Gb/mXdZYgTwbAj1d
zHBKwYQG9hrbFrDgMLA6hUFIoYjFOAR7A8SG8Noa/7zRrH/NDOhaQl5Dfw1hXUFn
D7gHRyGTRLKr+thpu7ltoVZtI1SqSWfnV8bpxwIDAQABAoIBAQCae5MjbUWC56JU
7EdEQKNpQVoIp2mt/BgFTPRQfdYtVxX0LX0+krss7r3R5lzDq8xN96HUiWur5uHI
APAuJI+YEr8GHHii0zjZ+onMmg8ItNWm/QGwtjJXzxeqKZsnxqwWtkoJHBCP8d5n
fBapwOU+jaHokV6RESCfxLSdI33cdGcOgDAn4/lvcXZ4Pq0qbitFuZwBPpobHbp4
Mo94K7oh4KCt3FDMfZshkSF0wlquRIeUsI2uZUofybDa/j1RgEsqBZIrHqM6xXV1
/r13+mMZC4otE0qhBV9jTYffaxooOnae8/Ve0FgaPWpNm7AD6p7l4a3csIkcggMS
xx7cntR5AoGBAOvPgDDLJ7h+AgY7jAd13/eZ75NtuEWbSq4c4Kwwy1K17L+3isX/
RRkQ5qGTNsT6j1dddfwzX6Rhsi+JywczEdJdWgGNpFCIa8Ly2+47YLDpv0ZIISIZ
V0Ngg6dyuuQo7gFlLz9Dhe/If32/93gEW6HZOjn+GmQu53ZSDdHvukpjAoGBANyT
0GZzaP2ulV3Pk+9nJhC6eK2BZWF4ODXHsAgNUEyWZ4qDM71oDxyFbaWS2IDg7jz7
T2wVffRFDcx8oNXWbhWbejSBGHWI8HRk0Ki83K0r7Cj8Uhy53rQjGOsdLf3K9T9h
GGVcwMHlBGIvswqTnJKysvgcoh1Ir+6RqbfCmG5NAoGAaVa8UQ+vor7HcLlRCFQj
xJvDZfxxgMaqSbUkuEbjzQLvy4TWPTSXTWc7X5o/sSasub5KYmsgonHyA0Juq7yo
jWyeNGttp3wJh4CttnJX8y+3/lFiW7UuQi7vIPIjgqC2EXF99ajYQBE0wpvqlHZ9
6IL9e8KDT5WUWEq3WbzZXzkCgYB/0Md6FnZISdoTui0nFMZh+yvinpB4ookv4L6I
a+6T8rOc99oLbzkSdd7LiwQZ6j0i6R1krC+IVFtimvU39EFmE+oEcqoRsYBkcebX
YFkfn8wBE/Ug4DPEfnH6C7aS0gC68TCJy+2GbYbUvn8pKdAY0aQTUcQ+49fOjmmi
KgjaIQKBgQDoT0af/7a7LnY9dkbkz624HmNVyMPOa4/STrdxyy3NRhq/dysRW+At
x30nvCWpv0Z5BAyaUCrRWPGFxhv3/Z7qb4fx5uUbC3Jc04I5D6fwYqrQofGS8TMK
Lrg83o5Ag++pllu1IeWiGQPRbn7VZ+O6pISgpRpYBexXGyLJ6wtcAw==
-----END RSA PRIVATE KEY-----

30
files/ssl/keys/test.key Normal file
View File

@ -0,0 +1,30 @@
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIgpTGP+qhFisCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECLU8ddNZ6jJ3BIIEyMB/nTIXTaUO
n8Oe/ld7JjX1jeiQUuXP9oEYT0Ehi5F5IIQ3zUDUrJujJP+iMniX1OafmzmtcQGc
pAmGLAyhJS3p5ILlzvZGjjF19QItKGDno/cwHjQMY0ldj1CfjdGf809DQRdo4q8H
2jlGUmtMs83DhsxrlWf9Stia/4s/L+zOvpTaVFXn7UMvVtM2LXWF7GdyRIx6a5w4
fXOA6FWGY4ZvSzfkadKJSgyGPEwOW51tLJ+BYZpstrSvgh3VWPtluH0zSFdlOH3t
N5V5aQzjoeJyP7uTU09Vzp3zjux1uijmzMHnF2LSw8kGmPRIfWKF91LNn12TUNQu
oQLkFWXYRIRBDcEKetr4zkOtvp/JPNOkX44D3Zexl2KhHBqG2hDyOQZ03QN+9H7h
PUE4MAHsfx7s62sr7TJ/GHC170ZDtgj6HZAjxjs5D7lkPmKSQoods7sCENMadZiX
G0ljz/FTHzpMhhpeaRFqQfE7B3F9K6yQttoxxjAhAX+mOD1ho6NSV7KDN1cESKXB
4+afwxGV/Gp3tEk6aAbEz8ntqS+lAE1iOXLzbKPmzFs5CCXDs3/EvvLRh3MPtNkz
LcNjFypDL4CCCrxlSVMWce6iouSWyiet+3iwr+YuDx+3U9iMYyTrtL0pQSGiC/3s
LZloWf7sWT5zab+KSnhxCu3BsazSqShIRsC1lLziJGQnING1m1bw6nG0gph2vzSJ
N/ewIANJkby6XP9e/vJipPyI7xHD2aHUQLBU+Zmc7GhZWgVoAfHs/OvqwmTG2wHX
10LVpDX6Fr3wBSqsdtPKH7hNBS2Y/Q/plJk/KwyZ7qlby1SMUYj86vtvcZRG4gn/
9Mp72//FqfMrvXaBSZKR3SdR6tZTjBY9w1hUJ/c1HfRQYPISgPU9zSSPgRZtrlwx
3/FPp6i2YnfpAFWn9zFkFcUCqdEIWjK50K+v+JAUnD+7aCaznA4/yCAonXGjZwcj
eVgk5TJ4OfCVx5JE+HLXDWJSU115rMOUYXm5Jpo/j+ZKakM3diU2opW5ocgrHUl2
OwinKMiSwVK2NiLZyv4jcCJdyZI+CqvxqIU9X1fDbJP0v9pm3ANzyii6gPaO57e3
NZfmrMSqdlIq93wNIi2oZD7hgKwTBj1p/zxOTbP+QY1Ku8oFfXcF9dh32BBL+cHa
aza+RkkGzJ+qBRF6Ub7FmcY/y6r+eOvof+c4drTE5icKP5lzpB85ZuUduF535p5d
Y4dy3MM2h/t4dk7xmWp5EAZRRvKBUd7SYyi3a+LyTtHGS8FKdRCENXQi47RUlAqO
RpzAgYhchqnRDup2Tmu+MtDTPoOht55haM38kXJZ4LxACzPpYHQ6E37BT77K3Qjh
HgLxi/Hr97ZxiuPl7Tq113ljEB5xX1RGgn+s3F+/xxFEJojvGdNJXFWtE2BMSBQb
JhFkCyVYsqztBt6kLAJosYA0HornidYYwznswe+d+3ruHicax99JEA2m9xnB3LGy
A9+SJCbhS9m+hO10KalW8nuUtX1lXP0ZmjuoYrLMLmv9ihH/CoxmHynMPgFVCXih
RRGQmuS+PYBIFs1EShT04Ic280QT00un90ydaUZS3uad9qt7gNbNJ3UW3XqyWf14
2Gscnl0IXL4gKNNUxKPeGg==
-----END ENCRYPTED PRIVATE KEY-----

33
files/test-ca/COPYING.md Normal file
View File

@ -0,0 +1,33 @@
Easy-RSA -- A Shell-based CA Utility
====================================
Copyright (C) 2013 by the Open-Source OpenVPN development community
Easy-RSA 3 license: GPLv2
-------------------------
All the Easy-RSA code contained in this project falls under a GPLv2 license with
full text available in the Licensing/ directory. Additional components used by
this project fall under additional licenses:
Additional licenses for external components
-------------------------------------------
The following components are under different licenses; while not part of the
Easy-RSA source code, these components are used by Easy-RSA or provided in
platform distributions as described below:
### OpenSSL
OpenSSL is not linked by Easy-RSA, nor is it currently provided in any release
package by Easy-RSA. However, Easy-RSA is tightly coupled with OpenSSL, so
effective use of this code will require your acceptance and installation of
OpenSSL.
### Additional Windows Components
The Windows binary package includes mksh/Win32 and unxutils binary components,
with full licensing details available in the distro/windows/Licensing/
subdirectory of this project. mksh/Win32 is under a MirOS license (with some
additional component licenses present there) and unxutils is under a GPLv2
license.

144
files/test-ca/ChangeLog Normal file
View File

@ -0,0 +1,144 @@
Easy-RSA 3 ChangeLog
3.0.8 (2020-09-09)
* Provide --version option (#372)
* Version information now within generated certificates like on *nix
* Fixed issue where gen-dh overwrote existing files without warning (#373)
* Fixed issue with ED/EC certificates were still signed by RSA (#374)
* Added support for export-p8 (#339)
* Clarified error message (#384)
* 2->3 upgrade now errors and prints message when vars isn't found (#377)
* Update OpenSSL Windows binaries to 1.1.1g
3.0.7 (2020-03-30)
* Include OpenSSL libs and binary for Windows 1.1.0j
* Remove RANDFILE environment variable (#261)
* Workaround for bug in win32 mktemp (#247, #305, PR #312)
* Handle IP address in SAN and renewals (#317)
* Workaround for ash and no set -o echo (#319)
* Shore up windows testing framework (#314)
* Provide upgrade mechanism for older versions of EasyRSA (#349)
* Add support for KDC certificates (#322)
* Add support for Edward Curves (#354, #350)
* Add support for EASYRSA_PASSIN and EASYRSA_PASSOUT env vars (#368)
* Add support for RID to SAN (#362)
3.0.6 (2019-02-01)
* Certificates that are revoked now move to a revoked subdirectory (#63)
* EasyRSA no longer clobbers non-EASYRSA environment variables (#277)
* More sane string checking, allowing for commas in CN (#267)
* Support for reasonCode in CRL (#280)
* Better handling for capturing passphrases (#230, others)
* Improved LibreSSL/MacOS support
* Adds support to renew certificates up to 30 days before expiration (#286)
- This changes previous behavior allowing for certificate creation using
duplicate CNs.
3.0.5 (2018-09-15)
* Fix #17 & #58: use AES256 for CA key
* Also, don't use read -s, use stty -echo
* Fix broken "nopass" option
* Add -r to read to stop errors reported by shellcheck (and to behave)
* Remove overzealous quotes around $pkcs_opts (more SC errors)
* Support for LibreSSL
* EasyRSA version will be reported in certificate comments
* Client certificates now expire in 3 year (1080 days) by default
3.0.4 (2018-01-21)
* Remove use of egrep (#154)
* Integrate with Travis-CI (#165)
* Remove "local" from variable assignment (#165)
* Other changes related to Travis-CI fixes
* Assign values to variables defined previously w/local
* Finally(?) fix the subjectAltName issues I presented earlier (really
fixes #168)
3.0.3 (2017-08-22)
* Include mktemp windows binary
* copy CSR extensions into signed certificate
3.0.2 (2017-08-21)
* Add missing windows binaries
3.0.1 (2015-10-25)
* Correct some packaging errors
3.0.0 (2015-09-07)
* cab4a07 Fix typo: Hellman
(ljani: Github)
* 171834d Fix typo: Default
(allo-: Github)
* 8b42eea Make aes256 default, replacing 3des
(keros: Github)
* f2f4ac8 Make -utf8 default
(roubert: Github)
3.0.0-rc2 (2014/07/27)
* 1551e5f docs: fix typo
(Josh Cepek <josh.cepek@usa.net>)
* 7ae44b3 Add KNOWN_ISSUES to stage next -rc release
(Josh Cepek <josh.cepek@usa.net>)
* a0d58b2 Update documentation
(Josh Cepek <josh.cepek@usa.net>)
* 5758825 Fix vars.example with proper path to extensions.temp
(Josh Cepek <josh.cepek@usa.net>)
* 89f369c Add support to change private key passphrases
(Josh Cepek <josh.cepek@usa.net>)
* 49d7c10 Improve docs: add Upgrade-Notes; add online support refs
(Josh Cepek <josh.cepek@usa.net>)
* fcc4547 Add build-dist packaging script; update Building docs
(Josh Cepek <josh.cepek@usa.net>)
* f74d08e docs: update Hacking.md with layout & git conventions
(Josh Cepek <josh.cepek@usa.net>)
* 0754f23 Offload temp file removal to a clean_temp() function
(Josh Cepek <josh.cepek@usa.net>)
* 1c90df9 Fix incorrect handling of invalid --use-algo option
(Josh Cepek <josh.cepek@usa.net>)
* c86289b Fix batch-mode handling with changes in e75ad75
(Josh Cepek <josh.cepek@usa.net>)
* e75ad75 refine how booleans are evaluated
(Eric F Crist <ecrist@secure-computing.net>)
* cc19823 Merge PKCS#7 feature from pull req #14
(Author: Luiz Angelo Daros de Luca <luizluca@tre-sc.gov.br>)
(Modified-By: Josh Cepek <josh.cepek@usa.net>)
* 8b1fe01 Support OpenSSL-0.9.8 with the EXTRA_EXTS feature
(Josh Cepek <josh.cepek@usa.net>)
* d5516d5 Windows: make builds easier by using a matching dir structure
(Josh Cepek <josh.cepek@usa.net>)
* dc2e6dc Windows: improve external checks and env-var help
(Josh Cepek <josh.cepek@usa.net>)
3.0.0-rc1 (2013/12/01)
* The 3.x release is a nearly complete re-write of the 2.x codebase
* Initial 3.x series code by Josh Cepek <josh.cepek@usa.net> -- continuing
maintenance by the OpenVPN community development team and associated
contributors
* Add ECDSA (elliptic curve) support, thanks to Steffan Karger
<steffan@karger.me>

52
files/test-ca/README.md Normal file
View File

@ -0,0 +1,52 @@
# Overview
easy-rsa is a CLI utility to build and manage a PKI CA. In laymen's terms,
this means to create a root certificate authority, and request and sign
certificates, including intermediate CAs and certificate revocation lists (CRL).
# Downloads
If you are looking for release downloads, please see the releases section on
GitHub. Releases are also available as source checkouts using named tags.
# Documentation
For 3.x project documentation and usage, see the [README.quickstart.md](README.quickstart.md) file or
the more detailed docs under the doc/ directory. The .md files are in Markdown
format and can be converted to html files as desired for release packages, or
read as-is in plaintext.
# Getting help using easy-rsa
Currently, Easy-RSA development co-exists with OpenVPN even though they are
separate projects. The following resources are good places as of this writing to
seek help using Easy-RSA:
The [openvpn-users mailing list](https://lists.sourceforge.net/lists/listinfo/openvpn-users)
is a good place to post usage or help questions.
You can also try IRC at Freenode/#openvpn for general support or Freenode/#easyrsa for development discussion.
# Branch structure
The easy-rsa master branch is currently tracking development for the 3.x release
cycle. Please note that, at any given time, master may be broken. Feel free to
create issues against master, but have patience when using the master branch. It
is recommended to use a release, and priority will be given to bugs identified in
the most recent release.
The prior 2.x and 1.x versions are available as release branches for
tracking and possible back-porting of relevant fixes. Branch layout is:
master <- 3.x, at present
v3.x.x pre-release branches, used for staging branches
release/2.x
release/1.x
LICENSING info for 3.x is in the [COPYING.md](COPYING.md) file
# Code style, standards
We are attempting to adhere to the POSIX standard, which can be found here:
https://pubs.opengroup.org/onlinepubs/9699919799/

View File

@ -0,0 +1,99 @@
Easy-RSA 3 Quickstart README
============================
This is a quickstart guide to using Easy-RSA version 3. Detailed help on usage
and specific commands can be found by running ./easyrsa -h. Additional
documentation can be found in the doc/ directory.
If you're upgrading from the Easy-RSA 2.x series, there are Upgrade-Notes
available, also under the doc/ path.
Setup and signing the first request
-----------------------------------
Here is a quick run-though of what needs to happen to start a new PKI and sign
your first entity certificate:
1. Choose a system to act as your CA and create a new PKI and CA:
./easyrsa init-pki
./easyrsa build-ca
2. On the system that is requesting a certificate, init its own PKI and generate
a keypair/request. Note that init-pki is used _only_ when this is done on a
separate system (or at least a separate PKI dir.) This is the recommended
procedure. If you are not using this recommended procedure, skip the next
import-req step.
./easyrsa init-pki
./easyrsa gen-req EntityName
3. Transport the request (.req file) to the CA system and import it. The name
given here is arbitrary and only used to name the request file.
./easyrsa import-req /tmp/path/to/import.req EntityName
4. Sign the request as the correct type. This example uses a client type:
./easyrsa sign-req client EntityName
5. Transport the newly signed certificate to the requesting entity. This entity
may also need the CA cert (ca.crt) unless it had a prior copy.
6. The entity now has its own keypair, signed cert, and the CA.
Signing subsequent requests
---------------------------
Follow steps 2-6 above to generate subsequent keypairs and have the CA return
signed certificates.
Revoking certs and creating CRLs
--------------------------------
This is a CA-specific task.
To permanently revoke an issued certificate, provide the short name used during
import:
./easyrsa revoke EntityName
To create an updated CRL that contains all revoked certs up to that point:
./easyrsa gen-crl
After generation, the CRL will need to be sent to systems that reference it.
Generating Diffie-Hellman (DH) params
-------------------------------------
After initializing a PKI, any entity can create DH params that needs them. This
is normally only used by a TLS server. While the CA PKI can generate this, it
makes more sense to do it on the server itself to avoid the need to send the
files to another system after generation.
DH params can be generated with:
./easyrsa gen-dh
Showing details of requests or certs
------------------------------------
To show the details of a request or certificate by referencing the short
EntityName, use one of the following commands. It is an error to call these
without a matching file.
./easyrsa show-req EntityName
./easyrsa show-cert EntityName
Changing private key passphrases
--------------------------------
RSA and EC private keys can be re-encrypted so a new passphrase can be supplied
with one of the following commands depending on the key type:
./easyrsa set-rsa-pass EntityName
./easyrsa set-ec-pass EntityName
Optionally, the passphrase can be removed completely with the 'nopass' flag.
Consult the command help for details.

View File

@ -0,0 +1,124 @@
Easy-RSA Advanced Reference
=============================
This is a technical reference for advanced users familiar with PKI processes. If
you need a more detailed description, see the `EasyRSA-Readme` or `Intro-To-PKI`
docs instead.
Configuration Reference
-----------------------
#### Configuration Sources
There are 3 possible ways to perform external configuration of Easy-RSA,
selected in the following order where the first defined result wins:
1. Command-line option
2. Environmental variable
3. 'vars' file, if one is present (see `vars Autodetection` below)
4. Built-in default
Note that not every possible config option can be set everywhere, although any
env-var can be added to the 'vars' file even if it's not shown by default.
#### vars Autodetection
A 'vars' file is a file named simply `vars` (without an extension) that
Easy-RSA will source for configuration. This file is specifically designed
*not* to replace variables that have been set with a higher-priority method
such as CLI opts or env-vars.
The following locations are checked, in this order, for a vars file. Only the
first one found is used:
1. The file referenced by the `--vars` CLI option
2. The file referenced by the env-var named `EASYRSA_VARS_FILE`
3. The directory referenced by the `EASYRSA_PKI` env-var
4. The default PKI directory at `$PWD/pki`
4. The directory referenced by the `EASYRSA` env-var
5. The directory containing the easyrsa program
Defining the env-var `EASYRSA_NO_VARS` will override the sourcing of the vars
file in all cases, including defining it subsequently as a global option.
#### OpenSSL Config
Easy-RSA is tightly coupled to the OpenSSL config file (.cnf) for the
flexibility the script provides. It is required that this file be available,
yet it is possible to use a different OpenSSL config file for a particular
PKI, or even change it for a particular invocation.
The OpenSSL config file is searched for in the following order:
1. The env-var `EASYRSA_SSL_CONF`
2. The 'vars' file (see `vars Autodetection` above)
3. The `EASYRSA_PKI` directory with a filename of `openssl-easyrsa.cnf`
4. The `EASYRSA` directory with a filename of `openssl-easyrsa.cnf`
Advanced extension handling
---------------------------
Normally the cert extensions are selected by the cert type given on the CLI
during signing; this causes the matching file in the x509-types subdirectory to
be processed for OpenSSL extensions to add. This can be overridden in a
particular PKI by placing another x509-types dir inside the `EASYRSA_PKI` dir
which will be used instead.
The file named `COMMON` in the x509-types dir is appended to every cert type;
this is designed for CDP usage, but can be used for any extension that should
apply to every signed cert.
Additionally, the contents of the env-var `EASYRSA_EXTRA_EXTS` is appended with
its raw text added to the OpenSSL extensions. The contents are appended as-is to
the cert extensions; invalid OpenSSL configs will usually result in failure.
Environmental Variables Reference
---------------------------------
A list of env-vars, any matching global option (CLI) to set/override it, and a
possible terse description is shown below:
* `EASYRSA` - should point to the Easy-RSA top-level dir, where the easyrsa
script is located.
* `EASYRSA_OPENSSL` - command to invoke openssl
* `EASYRSA_SSL_CONF` - the openssl config file to use
* `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific
files, defaults to `$PWD/pki`.
* `EASYRSA_DN` (CLI: `--dn-mode`) - set to the string `cn_only` or `org` to
alter the fields to include in the req DN
* `EASYRSA_REQ_COUNTRY` (CLI: `--req-c`) - set the DN country with org mode
* `EASYRSA_REQ_PROVINCE` (CLI: `--req-st`) - set the DN state/province with
org mode
* `EASYRSA_REQ_CITY` (CLI: `--req-city`) - set the DN city/locality with org
mode
* `EASYRSA_REQ_ORG` (CLI: `--req-org`) - set the DN organization with org mode
* `EASYRSA_REQ_EMAIL` (CLI: `--req-email`) - set the DN email with org mode
* `EASYRSA_REQ_OU` (CLI: `--req-ou`) - set the DN organizational unit with org
mode
* `EASYRSA_KEY_SIZE` (CLI: `--key-size`) - set the key size in bits to
generate
* `EASYRSA_ALGO` (CLI: `--use-algo`) - set the crypto alg to use: rsa or ec
* `EASYRSA_CURVE` (CLI: `--curve`) - define the named EC curve to use
* `EASYRSA_EC_DIR` - dir to store generated ecparams
* `EASYRSA_CA_EXPIRE` (CLI: `--days`) - set the CA expiration time in days
* `EASYRSA_CERT_EXPIRE` (CLI: `--days`) - set the issued cert expiration time
in days
* `EASYRSA_CRL_DAYS` (CLI: `--days`) - set the CRL 'next publish' time in days
* `EASYRSA_NS_SUPPORT` (CLI: `--ns-cert`) - string 'yes' or 'no' fields to
include the deprecated Netscape extensions
* `EASYRSA_NS_COMMENT` (CLI: `--ns-comment`) - string comment to include when
using the deprecated Netscape extensions
* `EASYRSA_TEMP_FILE` - a temp file to use when dynamically creating req/cert
extensions
* `EASYRSA_REQ_CN` (CLI: `--req-cn`) - default CN, necessary to set in BATCH
mode
* `EASYRSA_DIGEST` (CLI: `--digest`) - set a hash digest to use for req/cert
signing
* `EASYRSA_BATCH` (CLI: `--batch`) - enable batch (no-prompt) mode; set
env-var to non-zero string to enable (CLI takes no options)
* `EASYRSA_PASSIN` (CLI: `--passin`) - allows to specify a source for
password using any openssl password options like pass:1234 or env:var
* `EASYRSA_PASSOUT` (CLI: `--passout`) - allows to specify a source for
password using any openssl password options like pass:1234 or env:var
**NOTE:** the global options need to be provided before the actual commands.

View File

@ -0,0 +1,236 @@
Easy-RSA 3 Documentation Readme
===============================
This document explains how Easy-RSA 3 and each of its assorted features work.
If you are looking for a quickstart with less background or detail, an
implementation-specific How-to or Readme may be available in this (the `doc/`)
directory.
Easy-RSA Overview
-----------------
Easy-RSA is a utility for managing X.509 PKI, or Public Key Infrastructure. A
PKI is based on the notion of trusting a particular authority to authenticate a
remote peer; for more background on how PKI works, see the `Intro-To-PKI`
document.
The code is written in platform-neutral POSIX shell, allowing use on a wide
range of host systems. The official Windows release also comes bundled with the
programs necessary to use Easy-RSA. The shell code attempts to limit the number
of external programs it depends on. Crypto-related tasks use openssl as the
functional backend.
Feature Highlights
------------------
Here's a non-exhaustive list of the more notable Easy-RSA features:
* Easy-RSA is able to manage multiple PKIs, each with their own independent
configuration, storage directory, and X.509 extension handling.
* Multiple Subject Name (X.509 DN field) formatting options are supported. For
VPNs, this means a cleaner commonName only setup can be used.
* A single backend is used across all supported platforms, ensuring that no
platform is 'left out' of the rich features. Unix-alikes (BSD, Linux, etc)
and Windows are all supported.
* Easy-RSA's X.509 support includes CRL, CDP, keyUsage/eKu attributes, and
additional features. The included support can be changed or extended as an
advanced feature.
* Interactive and automated (batch) modes of operation
* Flexible configuration: features can be enabled through command-line
options, environment variables, a config file, or a combination of these.
* Built-in defaults allow Easy-RSA to be used without first editing a config
file.
Obtaining and Using Easy-RSA
----------------------------
#### Download and extraction (installation)
Easy-RSA's main program is a script, supported by a couple of config files. As
such, there is no formal "installation" required. Preparing to use Easy-RSA is
as simple as downloading the compressed package (.tar.gz for Linux/Unix or
.zip for Windows) and extract it to a location of your choosing. There is no
compiling or OS-dependent setup required.
You should install and run Easy-RSA as a non-root (non-Administrator) account
as root access is not required.
#### Running Easy-RSA
Invoking Easy-RSA is done through your preferred shell. Under Windows, you
will use the `EasyRSA Start.bat` program to provide a POSIX-shell environment
suitable for using Easy-RSA.
The basic format for running commands is:
./easyrsa command [ cmd-opts ]
where `command` is the name of a command to run, and `cmd-opts` are any
options to supply to the command. Some commands have mandatory or optional
cmd-opts. Note the leading `./` component of the command: this is required in
Unix-like environments and may be a new concept to some Windows users.
General usage and command help can be shown with:
./easyrsa help [ command ]
When run without any command, general usage and a list of available commands
are shown; when a command is supplied, detailed help output for that command
is shown.
Configuring Easy-RSA
--------------------
Easy-RSA 3 no longer needs any configuration file prior to operation, unlike
earlier versions. However, the `vars.example` file contains many commented
options that can be used to control non-default behavior as required. Reading
this file will provide an idea of the basic configuration available. Note that
a vars file must be named just `vars` (without an extension) to actively use it.
Additionally, some options can be defined at runtime with options on the
command-line. A full list can be shown with:
./easyrsa help options
Any of these options can appear before the command as required as shown below:
./easyrsa [options] command [ cmd-opts ]
For experts, additional configuration with env-vars and custom X.509 extensions
is possible. Consult the `EasyRSA-Advanced` documentation for details.
Getting Started: The Basics
---------------------------
Some of the terms used here will be common to those familiar with how PKI works.
Instead of describing PKI basics, please consult the document `Intro-To-PKI` if
you need a more basic description of how a PKI works.
#### Creating an Easy-RSA PKI
In order to do something useful, Easy-RSA needs to first initialize a
directory for the PKI. Multiple PKIs can be managed with a single installation
of Easy-RSA, but the default directory is called simply "pki" unless otherwise
specified.
To create or clear out (re-initialize) a new PKI, use the command:
./easyrsa init-pki
which will create a new, blank PKI structure ready to be used. Once created,
this PKI can be used to make a new CA or generate keypairs.
#### The PKI Directory Structure
An Easy-RSA PKI contains the following directory structure:
* private/ - dir with private keys generated on this host
* reqs/ - dir with locally generated certificate requests (for a CA imported
requests are stored here)
In a clean PKI no files exist yet, just the bare directories. Commands called
later will create the necessary files depending on the operation.
When building a CA, a number of new files are created by a combination of
Easy-RSA and (indirectly) openssl. The important CA files are:
* `ca.crt` - This is the CA certificate
* `index.txt` - This is the "master database" of all issued certs
* `serial` - Stores the next serial number (serial numbers increment)
* `private/ca.key` - This is the CA private key (security-critical)
* `certs_by_serial/` - dir with all CA-signed certs by serial number
* `issued/` - dir with issued certs by commonName
#### After Creating a PKI
Once you have created a PKI, the next useful step will be to either create a
CA, or generate keypairs for a system that needs them. Continue with the
relevant section below.
Using Easy-RSA as a CA
----------------------
#### Building the CA
In order to sign requests to produce certificates, you need a CA. To create a
new CA in a PKI you have created, run:
./easyrsa build-ca
Be sure to use a strong passphrase to protect the CA private key. Note that
you must supply this passphrase in the future when performing signing
operations with your CA, so be sure to remember it.
During the creation process, you will also select a name for the CA called the
Common Name (CN.) This name is purely for display purposes and can be set as
you like.
#### Importing requests to the CA
Once a CA is built, the PKI is intended to be used to import requests from
external systems that are requesting a signed certificate from this CA. In
order to sign the request, it must first be imported so Easy-RSA knows about
it. This request file must be a standard CSR in PKCS#10 format.
Regardless of the file name to import, Easy-RSA uses a "short name" defined
during import to refer to this request. Importing works like this:
./easyrsa import-req /path/to/request.req nameOfRequest
The nameOfRequest should normally refer to the system or person making the
request.
#### Signing a request
Once Easy-RSA has imported a request, it can be reviewed and signed. Every
certificate needs a "type" which controls what extensions the certificate gets
Easy-RSA ships with 3 possible types: `client`, `server`, and `ca`, described
below:
* client - A TLS client, suitable for a VPN user or web browser (web client)
* server - A TLS server, suitable for a VPN or web server
* ca - A intermediate CA, used when chaining multiple CAs together
./easyrsa sign-req <type> nameOfRequest
Additional types of certs may be defined by local sites as needed; see the
advanced documentation for details.
#### Revoking and publishing CRLs
If an issue certificate needs to be revoked, this can be done as follows:
./easyrsa revoke nameOfRequest
To generate a CRL suitable for publishing to systems that use it, run:
./easyrsa gen-crl
Note that this will need to be published or sent to systems that rely on an
up-to-date CRL as the certificate is still valid otherwise.
Using Easy-RSA to generate keypairs & requests
----------------------------------------------
Easy-RSA can generate a keypair and certificate request in PKCS#10 format. This
request is what a CA needs in order to generate and return a signed certificate.
Ideally you should never generate entity keypairs for a client or server in a
PKI you are using for your CA. It is best to separate this process and generate
keypairs only on the systems you plan to use them.
Easy-RSA can generate a keypair and request with the following command:
./easyrsa gen-req nameOfRequest
You will then be given a chance to modify the Subject details of your request.
Easy-RSA uses the short name supplied on the command-line by default, though you
are free to change it if necessary. After providing a passphrase and Subject
details, the keypair and request files will be shown.
In order to obtain a signed certificate, the request file must be sent to the
CA for signing; this step is obviously not required if a single PKI is used as
both the CA and keypair/request generation as the generated request is already
"imported."

View File

@ -0,0 +1,58 @@
Upgrading to Easy-RSA 3 from earlier versions
=========
People upgrading to Easy-RSA 3 from a 2.x version should note some important
changes starting with version 3. For a better overview of version 3 in general,
see the Readme in the doc/ directory.
List of important changes
----
* nsCertType extensions are no longer included by default. Use of such
"Netscape" attributes have been deprecated upstream and their use is
discouraged. Configure `EASYRSA_NS_SUPPORT` in vars if you want to enable
this legacy behavior.
Notably, this is important for OpenVPN deployments relying on the
`--ns-cert-type` directive. Either have OpenVPN use the preferred
`--remote-cert-tls` option, or enable legacy NS extensions.
* The default request Subject (or DN, Distinguished Name) includes just the
commonName. This is more suitable for VPNs and environments that don't wish
to include info about the Country/State/City/Org/OU in certs. Configure
`EASYRSA_DN` in vars if you want to enable the legacy behavior.
* The 3.0 release lacks PKCS#11 (smartcard/token) support. This is anticipated
to be supported in a future point-release to target each platform's need.
* The -utf8 option has been added for all supported commands. This should be
backwards compatible with ASCII strings.
* The default private key encryption has been changed from 3des to aes256.
Some new concepts
----
Easy-RSA 3 has some new concepts compared to the prior v2 series.
### Request-Import-Sign workflow
v3 is now designed to support keypairs generated on the target system where
they will be used, thus improving security as no keys need to be transferred
between hosts. The old workflow of generating everything in a single PKI is
still supported as well.
The recommended workflow when using Easy-RSA as a CA is to import requests,
sign them, and return the issued & CA certs. Each requesting system can use
Easy-RSA without a CA to generate keypairs & requests.
### "Org"-style DN flexibility
When using Easy-RSA in the "org" DN mode, it is no longer required to match
some of the field values. This improves flexibility, and enables easier remote
generation as the requester doesn't need to know the CA's values in advance.
Previously in v2, the Country, State, and Org values all had to match or a
request couldn't be signed. If you want the old behavior you can change the
OpenSSL config to require it or simply look over the DN at signing time.

View File

@ -0,0 +1,142 @@
Easy-RSA 3 Hacking Guide
===
This document is aimed at programmers looking to improve on the existing
codebase.
Compatibility
---
The `easyrsa` code is written in POSIX shell (and any cases where it is not is
considered a bug to be fixed.) The only exceptions are the `local` keyword and
the construct `export FOO=baz`, both well-supported.
As such, modifications to the code should also be POSIX; platform-specific code
should be placed under the `distro/` dir and listed by target platform.
Coding conventions
---
While there aren't strict syntax standards associated with the project, please
follow the existing format and flow when possible; however, specific exceptions
can be made if there is a significant reason or benefit.
Do try to:
* Keep variables locally-scoped when possible
* Comment sections of code for readability
* Use the conventions for prefixes on global variables
* Set editors for tab stops of 8 spaces
* Use tabs for code indents; use aligned spaces for console text
Keeping code, docs, and examples in sync
---
Changes that adjust, add, or remove features should have relevant docs, help
output, and examples updated at the same time.
Release versioning
---
A point-release bump (eg: 3.0 to 3.1) is required when the frontend interface
changes in a non-backwards compatible way. Always assume someone has an
automated process that relies on the current functionality for official
(non-beta, non-rc) releases. A possible exception exists for bugfixes that do
break backwards-compatibility; caution is to be used in such cases.
The addition of a new command may or may not require a point-release depending
on the significance of the feature; the same holds true for additional optional
arguments to commands.
Project layout
---
The project's files are structured as follows:
* `easyrsa3/` is the primary project code. On Linux/Unix-alikes, all the core
code and supporting files are stored here.
* `Licensing/` is for license docs.
* `build/` is for build information and scripts.
* `contrib/` is for externally-contributed files, such as useful external
scripts or interfaces for other systems/languages.
* `distro/` is for distro-specific supporting files, such as the Windows
frontend wrappers. Code components that are not platform-neutral should go
here.
* `doc/` is for documentation. Much of this is in Markdown format which can be
easily converted to HTML for easy viewing under Windows.
* `release-keys/` list current and former KeyIDs used to sign release packages
(not necessarily git tags) available for download.
* The top-level dir includes files for basic project info and reference
appropriate locations for more detail.
As a brief note, it is actually possible to take just the easyrsa3/ dir and end
up with a functional project; the remaining structure includes docs, build prep,
distro-specific wrappers, and contributed files.
Git conventions
---
As of Easy-RSA 3, the following git conventions should be used. These are mostly
useful for people with repo access in order to keep a standard meaning to commit
messages and merge actions.
### Signed-off-by: and related commit message lines
Committers with push access should ensure a `Signed-off-by:` line exists at
the end of the commit message with their name on it. This indicates that the
committer has reviewed the changes to the commit in question and approve of
the feature and code in question. It also helps verify the code came from an
acceptable source that won't cause issues with the license.
This can be automatically added by git using `git commit -s`.
Additional references can be included as well. If multiple people reviewed the
change, the committer may add their names in additional `Signed-off-by:`
lines; do get permission from that person before using their name, however ;)
The following references may be useful as well:
* `Signed-off-by:` -- discussed above, indicates review of the commit
* `Author:` -- references an author of a particular feature, in full or
significant part
* `Changes-by:` -- indicates the listed party contributed changes or
modifications to a feature
* `Acked-by:` -- indicates review of the feature, code, and/or functional
correctness
### Merging from external sources (forks, patches, etc)
Contributions can come in many forms: GitHub "pull requests" from cloned
repos, references to external repos, patches to the ML, or others. Those won't
necessary have `Signed-off-by:` lines or may contain less info in the commit
message than is desirable to explain the changes.
The committing author to this project should make a merge-commit in this case
with the appropriate details provided there. If additional code changes are
necessary, this can be done on a local branch prior to merging back into the
mainline branch.
This merge-commit should list involved contributors with `Author:` or similar
lines as required. The individual commits involved in a merge also retain the
original committer; regardless, the merge-commit message should give a clear
indication of what the entire set of commits does as a whole.
### Tagging
Tags should follow the convention:
vM.m.p
where `M` is the major version, `m` is the minor "point-release" version, and
`p` is the patch-level. Suffixes of `-rc#`, `-beta#`, etc can be added for
pre-release versions as required.
Currently tags are taken from the mainline development branch in question. The
ChangeLog should thus be updated prior to tagging. Tags should also be
annotated with an appropriate commit message and signed-off. This can be done
as shown below (don't use `-s` unless you intend to use GPG with git.)
git tag -a v1.2.3
Corresponding release downloads can be uploaded to release distribution points
as required.

View File

@ -0,0 +1,97 @@
Introduction to PKI
===================
This document is designed to give you a brief introduction into how a PKI, or
Public Key Infrastructure, works.
Terminology Used
----------------
To avoid confusion, the following terms will be used throughout the Easy-RSA
documentation. Short forms may be substituted for longer forms as convenient.
* **PKI**: Public Key Infrastructure. This describes the collection of files
and associations between the CA, keypairs, requests, and certificates.
* **CA**: Certificate Authority. This is the "master cert" at the root of a
PKI.
* **cert**: Certificate. A certificate is a request that has been signed by a
CA. The certificate contains the public key, some details describing the
cert itself, and a digital signature from the CA.
* **request**: Certificate Request (optionally 'req'.) This is a request for a
certificate that is then send to a CA for signing. A request contains the
desired cert information along with a digital signature from the private
key.
* **keypair**: A keypair is an asymmetric cryptographic pair of keys. These
keys are split into two parts: the public and private keys. The public key
is included in a request and certificate.
The CA
------
The heart of a PKI is the CA, or Certificate Authority, and this is also the
most security-sensitive. The CA private key is used to sign all issued
certificates, so its security is critical in keeping the entire PKI safe. For
this reason, it is highly recommended that the CA PKI structure be kept on a
system dedicated for such secure usage; it is not a great idea to keep the CA
PKI mixed in with one used to generate end-entity certificates, such as clients
or servers (VPN or web servers.)
To start a new PKI, the CA is first created on the secure environment.
Depending on security needs, this could be managed under a locked down account,
dedicated system, or even a completely offline system or using removable media
to improve security (after all, you can't suffer an online break-in if your
system or PKI is not online.) The exact steps to create a CA are described in a
separate section. When creating a new CA, the CA keypair (private and public
keys) are created, as well as the file structure necessary to support signing
issued certificates.
Once a CA has been created, it can receive certificate requests from
end-entities. These entity certificates are issued to consumers of X509
certificates, such as a client or server of a VPN, web, or email system. The
certificate requests and certificates are not security-sensitive, and can be
transferred in whatever means convenient, such as email, flash drive, etc. For
better security, it is a good idea to verify the received request matches the
sender's copy, such as by verifying the expected checksum against the sender's
original.
Keypairs and requests
---------------------
Individual end-entities do not need a full CA set up and will only need to
create a keypair and associated certificate request. The private key is not used
anywhere except on this entity, and should never leave that system. It is wise
to secure this private key with a strong passphrase, because if lost or stolen
the holder of the private key can make connections appearing as the certificate
holder.
Once a keypair is generated, the certificate request is created and digitally
signed using the private key. This request will be sent to a CA for signing, and
a signed certificate will be returned.
How requests become certificates
--------------------------------
After a CA signs the certificate request, a signed certificate is produced. In
this step, the CA's private key is used to digitally sign the entity's public
key so that any system trusting the CA certificate can implicitly trust the
newly issued certificate. This signed certificate is then sent back to the
requesting entity. The issued certificate is not security-sensitive and can be
sent over plaintext transmission methods.
Verifying an issued certificate
-------------------------------
After 2 entities have created keypairs, sent their requests to the CA, and
received a copy of their signed certificates and the CA's own certificate, they
can mutually authenticate with one-another. This process does not require the 2
entities to have previously exchanged any kind of security information directly.
During a TLS handshake each side of the connection presents their own cert chain
to the remote end. Each side checks the validity of the cert received against
their own copy of the CA cert. By trusting the CA root cert, the peer they are
talking to can be authenticated.
The remote end proves it "really is" the entity identified by the cert by
signing a bit of data using its own private key. Only the holder of the private
key is able to do this, allowing the remote end to verify the authenticity of
the system being connected to.

2579
files/test-ca/easyrsa Executable file

File diff suppressed because it is too large Load Diff

340
files/test-ca/gpl-2.0.txt Normal file
View File

@ -0,0 +1,340 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License.

20
files/test-ca/mktemp.txt Normal file
View File

@ -0,0 +1,20 @@
Mktemp is distributed under the following ISC-style license:
Copyright (c) 1996-1997, 2000-2001, 2008, 2010
Todd C. Miller <Todd.Miller@courtesan.com>
Copyright (c) 1996, David Mazieres <dm@uun.org>
Copyright (c) 2008, Damien Miller <djm@openbsd.org>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
From https://www.mktemp.org/mktemp/license.html

View File

@ -0,0 +1,138 @@
# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::EASYRSA_PKI # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/certs_by_serial # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = basic_exts # The extensions to add to the cert
# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
# is designed for will. In return, we get the Issuer attached to CRLs.
crl_extensions = crl_ext
default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
default_crl_days= $ENV::EASYRSA_CRL_DAYS # how long before next CRL
default_md = $ENV::EASYRSA_DIGEST # use public key default MD
preserve = no # keep passed DN ordering
# This allows to renew certificates which have not been revoked
unique_subject = no
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the 'anything' policy, which defines allowed DN fields
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
####################################################################
# Easy-RSA request handling
# We key off $DN_MODE to determine how to format the DN
[ req ]
default_bits = $ENV::EASYRSA_KEY_SIZE
default_keyfile = privkey.pem
default_md = $ENV::EASYRSA_DIGEST
distinguished_name = $ENV::EASYRSA_DN
x509_extensions = easyrsa_ca # The extensions to add to the self signed cert
# A placeholder to handle the $EXTRA_EXTS feature:
#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it
####################################################################
# Easy-RSA DN (Subject) handling
# Easy-RSA DN for cn_only support:
[ cn_only ]
commonName = Common Name (eg: your user, host, or server name)
commonName_max = 64
commonName_default = $ENV::EASYRSA_REQ_CN
# Easy-RSA DN for org support:
[ org ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::EASYRSA_REQ_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::EASYRSA_REQ_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::EASYRSA_REQ_ORG
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = $ENV::EASYRSA_REQ_OU
commonName = Common Name (eg: your user, host, or server name)
commonName_max = 64
commonName_default = $ENV::EASYRSA_REQ_CN
emailAddress = Email Address
emailAddress_default = $ENV::EASYRSA_REQ_EMAIL
emailAddress_max = 64
####################################################################
# Easy-RSA cert extension handling
# This section is effectively unused as the main script sets extensions
# dynamically. This core section is left to support the odd usecase where
# a user calls openssl directly.
[ basic_exts ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# The Easy-RSA CA extensions
[ easyrsa_ca ]
# PKIX recommendations:
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This could be marked critical, but it's nice to support reading by any
# broken clients who attempt to do so.
basicConstraints = CA:true
# Limit key usage to CA tasks. If you really want to use the generated pair as
# a self-signed cert, comment this out.
keyUsage = cRLSign, keyCertSign
# nsCertType omitted by default. Let's try to let the deprecated stuff die.
# nsCertType = sslCA
# CRL extensions.
[ crl_ext ]
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

View File

@ -0,0 +1 @@
1234

20
files/test-ca/pki/ca.crt Normal file
View File

@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----
MIIDVDCCAjygAwIBAgIUInouaHzfe4GFGlCYFmIi0AvWHEowDQYJKoZIhvcNAQEL
BQAwGTEXMBUGA1UEAwwOVmVpbGlkIFRlc3QgQ0EwHhcNMjExMTIyMTM0OTE5WhcN
MzExMTIwMTM0OTE5WjAZMRcwFQYDVQQDDA5WZWlsaWQgVGVzdCBDQTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMqKTFn4FCcKWysW8NbQZwysKUlwI9kc
S4CYy1+4eQC7Tn0eILG3+WfGCjAgRx72co+852NjsNnVwPVh8Xr7RdjyPscp4HTJ
jObVC93GofiAKFld2038A3/rsA5DoXyiUj2/nhBdw+aO1yiBXdEw7tIUZLUJ46Ku
QapuGXtL4xYXPAxhPhn5PY6xAWkar+6E9tv3g1BknxWlGmfulYaf1dAg2ra0Lswu
fiZfepPq9iwhiUlOSo3sWy7ObF+3TxWlQxMpGC1LiAmA4XEyWp2tDOV90B98yLQK
2pBhEexGaAJYy7DgZUNOV/WpjzLdDccXrQV9NoKXMOqsYC8MgDV2KjUCAwEAAaOB
kzCBkDAdBgNVHQ4EFgQUXX+NrxpW0/TKPdNt71AR92SZbwIwVAYDVR0jBE0wS4AU
XX+NrxpW0/TKPdNt71AR92SZbwKhHaQbMBkxFzAVBgNVBAMMDlZlaWxpZCBUZXN0
IENBghQiei5ofN97gYUaUJgWYiLQC9YcSjAMBgNVHRMEBTADAQH/MAsGA1UdDwQE
AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAfL9k5ZrsnFTXrcBsCNhgqll0dwutbn36
RzpE6bKZwGAYU3irdFFM3+D2zxaN/H665yL07uLn+XxrgIEplHAao5NSSxeYDUJo
5BV5rmnOy+bSDrSfEGvV0OA/WWhPVFAtq2SQnC6GW5YbmzaHIoOunEv2EQrg8yKP
pgff16xi+XFuAsR7Z4Cpbkb687Z878a4UaSWP/knnJM8Tjjl2wwxxTbWOvK9hbG3
3+L4G6xxXbgvXw2VR8rIUMK44u0xXb3Vwq4dHU6HZZwTNaEs41vNVrCZV45hu8NX
ZmcNEdDTPZQ67n+R4pJnbxDFLbTFEU/NZiCjug0jtjzHeRxnAntDFw==
-----END CERTIFICATE-----

View File

@ -0,0 +1,88 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
12:ce:63:bd:90:f5:ab:de:6d:7f:d7:3e:f3:e6:bb
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Veilid Test CA
Validity
Not Before: Nov 22 13:52:16 2021 GMT
Not After : Feb 25 13:52:16 2024 GMT
Subject: CN=Veilid Test Certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:cb:2e:7a:47:81:be:6f:6b:53:37:51:c1:50:68:
5a:44:3d:ba:b9:9b:78:40:84:35:d4:0e:e8:41:a6:
0e:0a:b9:34:ae:97:a3:37:3e:81:ed:6c:0f:f8:8a:
8b:0b:1a:ed:06:97:57:6d:49:a5:ec:b4:c4:d8:6d:
d2:57:c3:87:89:99:ee:b0:d7:c5:82:a1:dc:d5:98:
b3:ef:10:da:c0:5c:38:a2:bb:15:3e:0e:5e:bc:a0:
cd:a1:f0:07:67:bb:57:3f:89:cc:72:4f:bb:c0:a7:
ed:ad:15:07:61:c2:b4:21:73:39:00:9b:8f:aa:04:
1b:c4:9d:d4:00:44:87:b1:79:b4:e1:4e:01:3c:ee:
a4:bb:f9:ad:5d:88:41:03:b4:bf:df:bf:71:24:ee:
0b:69:59:55:dd:43:d1:91:04:de:98:9c:54:f2:ee:
63:78:fe:76:19:bf:e6:5d:d6:58:81:3c:1b:02:3d:
5d:cc:70:4a:c1:84:06:f6:1a:db:16:b0:e0:30:b0:
3a:85:41:48:a1:88:c5:38:04:7b:03:c4:86:f0:da:
1a:ff:bc:d1:ac:7f:cd:0c:e8:5a:42:5e:43:7f:0d:
61:5d:41:67:0f:b8:07:47:21:93:44:b2:ab:fa:d8:
69:bb:b9:6d:a1:56:6d:23:54:aa:49:67:e7:57:c6:
e9:c7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
70:ED:B0:96:71:33:43:16:EF:32:FF:69:11:C9:F0:02:3F:6C:81:88
X509v3 Authority Key Identifier:
keyid:5D:7F:8D:AF:1A:56:D3:F4:CA:3D:D3:6D:EF:50:11:F7:64:99:6F:02
DirName:/CN=Veilid Test CA
serial:22:7A:2E:68:7C:DF:7B:81:85:1A:50:98:16:62:22:D0:0B:D6:1C:4A
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:Veilid Test Certificate
Signature Algorithm: sha256WithRSAEncryption
b8:fc:ac:62:d6:95:af:09:db:24:7d:82:2c:02:e1:d0:7b:f5:
69:03:a4:42:55:c6:0d:2a:f1:9d:0e:c4:9b:78:40:7d:0d:7d:
ec:66:f6:c4:6d:06:d0:5b:58:de:ba:e6:67:ea:af:41:a3:87:
b4:37:8b:a8:1f:51:ae:70:e0:0d:f5:51:0a:7a:b3:b3:1d:d1:
77:92:63:35:ae:50:9e:04:3d:04:6e:f1:60:c8:e3:8f:1f:75:
47:05:27:a0:ff:c5:1b:30:68:b2:f9:5b:e6:f2:81:0f:9b:f2:
e8:8c:9d:b6:57:b2:c1:29:e7:d0:d0:88:b3:ba:8e:78:2e:ef:
ce:03:a3:12:fa:b4:e9:4e:1f:de:1a:cb:77:72:6b:71:98:02:
37:d2:b4:02:f0:2c:08:67:ca:75:0d:af:81:bf:f8:57:f8:d9:
4a:93:4f:db:3c:e1:af:3e:ab:9c:fe:87:f0:3a:01:21:6a:5c:
99:83:e3:03:47:98:15:23:24:b3:ee:29:27:f4:f1:34:c1:e4:
f8:39:5a:92:da:c7:08:dc:71:87:1c:ff:67:e7:ef:24:bc:34:
e3:4e:e0:16:12:84:60:d4:7f:a2:c0:5b:85:a9:c5:ef:78:0b:
c3:64:cb:b4:05:eb:51:e5:c1:0f:60:da:5c:98:08:bf:5d:b9:
1d:33:a7:26
-----BEGIN CERTIFICATE-----
MIIDjjCCAnagAwIBAgIPEs5jvZD1q95tf9c+8+a7MA0GCSqGSIb3DQEBCwUAMBkx
FzAVBgNVBAMMDlZlaWxpZCBUZXN0IENBMB4XDTIxMTEyMjEzNTIxNloXDTI0MDIy
NTEzNTIxNlowIjEgMB4GA1UEAwwXVmVpbGlkIFRlc3QgQ2VydGlmaWNhdGUwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLLnpHgb5va1M3UcFQaFpEPbq5
m3hAhDXUDuhBpg4KuTSul6M3PoHtbA/4iosLGu0Gl1dtSaXstMTYbdJXw4eJme6w
18WCodzVmLPvENrAXDiiuxU+Dl68oM2h8Adnu1c/icxyT7vAp+2tFQdhwrQhczkA
m4+qBBvEndQARIexebThTgE87qS7+a1diEEDtL/fv3Ek7gtpWVXdQ9GRBN6YnFTy
7mN4/nYZv+Zd1liBPBsCPV3McErBhAb2GtsWsOAwsDqFQUihiMU4BHsDxIbw2hr/
vNGsf80M6FpCXkN/DWFdQWcPuAdHIZNEsqv62Gm7uW2hVm0jVKpJZ+dXxunHAgMB
AAGjgckwgcYwCQYDVR0TBAIwADAdBgNVHQ4EFgQUcO2wlnEzQxbvMv9pEcnwAj9s
gYgwVAYDVR0jBE0wS4AUXX+NrxpW0/TKPdNt71AR92SZbwKhHaQbMBkxFzAVBgNV
BAMMDlZlaWxpZCBUZXN0IENBghQiei5ofN97gYUaUJgWYiLQC9YcSjATBgNVHSUE
DDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBaAwIgYDVR0RBBswGYIXVmVpbGlkIFRl
c3QgQ2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggEBALj8rGLWla8J2yR9giwC
4dB79WkDpEJVxg0q8Z0OxJt4QH0Nfexm9sRtBtBbWN665mfqr0Gjh7Q3i6gfUa5w
4A31UQp6s7Md0XeSYzWuUJ4EPQRu8WDI448fdUcFJ6D/xRswaLL5W+bygQ+b8uiM
nbZXssEp59DQiLO6jngu784DoxL6tOlOH94ay3dya3GYAjfStALwLAhnynUNr4G/
+Ff42UqTT9s84a8+q5z+h/A6ASFqXJmD4wNHmBUjJLPuKSf08TTB5Pg5WpLaxwjc
cYcc/2fn7yS8NONO4BYShGDUf6LAW4Wpxe94C8Nky7QF61HlwQ9g2lyYCL9duR0z
pyY=
-----END CERTIFICATE-----

View File

@ -0,0 +1 @@
V 240225135216Z 12CE63BD90F5ABDE6D7FD73EF3E6BB unknown /CN=Veilid Test Certificate

View File

@ -0,0 +1 @@
unique_subject = no

View File

View File

View File

@ -0,0 +1,88 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
12:ce:63:bd:90:f5:ab:de:6d:7f:d7:3e:f3:e6:bb
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Veilid Test CA
Validity
Not Before: Nov 22 13:52:16 2021 GMT
Not After : Feb 25 13:52:16 2024 GMT
Subject: CN=Veilid Test Certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:cb:2e:7a:47:81:be:6f:6b:53:37:51:c1:50:68:
5a:44:3d:ba:b9:9b:78:40:84:35:d4:0e:e8:41:a6:
0e:0a:b9:34:ae:97:a3:37:3e:81:ed:6c:0f:f8:8a:
8b:0b:1a:ed:06:97:57:6d:49:a5:ec:b4:c4:d8:6d:
d2:57:c3:87:89:99:ee:b0:d7:c5:82:a1:dc:d5:98:
b3:ef:10:da:c0:5c:38:a2:bb:15:3e:0e:5e:bc:a0:
cd:a1:f0:07:67:bb:57:3f:89:cc:72:4f:bb:c0:a7:
ed:ad:15:07:61:c2:b4:21:73:39:00:9b:8f:aa:04:
1b:c4:9d:d4:00:44:87:b1:79:b4:e1:4e:01:3c:ee:
a4:bb:f9:ad:5d:88:41:03:b4:bf:df:bf:71:24:ee:
0b:69:59:55:dd:43:d1:91:04:de:98:9c:54:f2:ee:
63:78:fe:76:19:bf:e6:5d:d6:58:81:3c:1b:02:3d:
5d:cc:70:4a:c1:84:06:f6:1a:db:16:b0:e0:30:b0:
3a:85:41:48:a1:88:c5:38:04:7b:03:c4:86:f0:da:
1a:ff:bc:d1:ac:7f:cd:0c:e8:5a:42:5e:43:7f:0d:
61:5d:41:67:0f:b8:07:47:21:93:44:b2:ab:fa:d8:
69:bb:b9:6d:a1:56:6d:23:54:aa:49:67:e7:57:c6:
e9:c7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
70:ED:B0:96:71:33:43:16:EF:32:FF:69:11:C9:F0:02:3F:6C:81:88
X509v3 Authority Key Identifier:
keyid:5D:7F:8D:AF:1A:56:D3:F4:CA:3D:D3:6D:EF:50:11:F7:64:99:6F:02
DirName:/CN=Veilid Test CA
serial:22:7A:2E:68:7C:DF:7B:81:85:1A:50:98:16:62:22:D0:0B:D6:1C:4A
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:Veilid Test Certificate
Signature Algorithm: sha256WithRSAEncryption
b8:fc:ac:62:d6:95:af:09:db:24:7d:82:2c:02:e1:d0:7b:f5:
69:03:a4:42:55:c6:0d:2a:f1:9d:0e:c4:9b:78:40:7d:0d:7d:
ec:66:f6:c4:6d:06:d0:5b:58:de:ba:e6:67:ea:af:41:a3:87:
b4:37:8b:a8:1f:51:ae:70:e0:0d:f5:51:0a:7a:b3:b3:1d:d1:
77:92:63:35:ae:50:9e:04:3d:04:6e:f1:60:c8:e3:8f:1f:75:
47:05:27:a0:ff:c5:1b:30:68:b2:f9:5b:e6:f2:81:0f:9b:f2:
e8:8c:9d:b6:57:b2:c1:29:e7:d0:d0:88:b3:ba:8e:78:2e:ef:
ce:03:a3:12:fa:b4:e9:4e:1f:de:1a:cb:77:72:6b:71:98:02:
37:d2:b4:02:f0:2c:08:67:ca:75:0d:af:81:bf:f8:57:f8:d9:
4a:93:4f:db:3c:e1:af:3e:ab:9c:fe:87:f0:3a:01:21:6a:5c:
99:83:e3:03:47:98:15:23:24:b3:ee:29:27:f4:f1:34:c1:e4:
f8:39:5a:92:da:c7:08:dc:71:87:1c:ff:67:e7:ef:24:bc:34:
e3:4e:e0:16:12:84:60:d4:7f:a2:c0:5b:85:a9:c5:ef:78:0b:
c3:64:cb:b4:05:eb:51:e5:c1:0f:60:da:5c:98:08:bf:5d:b9:
1d:33:a7:26
-----BEGIN CERTIFICATE-----
MIIDjjCCAnagAwIBAgIPEs5jvZD1q95tf9c+8+a7MA0GCSqGSIb3DQEBCwUAMBkx
FzAVBgNVBAMMDlZlaWxpZCBUZXN0IENBMB4XDTIxMTEyMjEzNTIxNloXDTI0MDIy
NTEzNTIxNlowIjEgMB4GA1UEAwwXVmVpbGlkIFRlc3QgQ2VydGlmaWNhdGUwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLLnpHgb5va1M3UcFQaFpEPbq5
m3hAhDXUDuhBpg4KuTSul6M3PoHtbA/4iosLGu0Gl1dtSaXstMTYbdJXw4eJme6w
18WCodzVmLPvENrAXDiiuxU+Dl68oM2h8Adnu1c/icxyT7vAp+2tFQdhwrQhczkA
m4+qBBvEndQARIexebThTgE87qS7+a1diEEDtL/fv3Ek7gtpWVXdQ9GRBN6YnFTy
7mN4/nYZv+Zd1liBPBsCPV3McErBhAb2GtsWsOAwsDqFQUihiMU4BHsDxIbw2hr/
vNGsf80M6FpCXkN/DWFdQWcPuAdHIZNEsqv62Gm7uW2hVm0jVKpJZ+dXxunHAgMB
AAGjgckwgcYwCQYDVR0TBAIwADAdBgNVHQ4EFgQUcO2wlnEzQxbvMv9pEcnwAj9s
gYgwVAYDVR0jBE0wS4AUXX+NrxpW0/TKPdNt71AR92SZbwKhHaQbMBkxFzAVBgNV
BAMMDlZlaWxpZCBUZXN0IENBghQiei5ofN97gYUaUJgWYiLQC9YcSjATBgNVHSUE
DDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBaAwIgYDVR0RBBswGYIXVmVpbGlkIFRl
c3QgQ2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggEBALj8rGLWla8J2yR9giwC
4dB79WkDpEJVxg0q8Z0OxJt4QH0Nfexm9sRtBtBbWN665mfqr0Gjh7Q3i6gfUa5w
4A31UQp6s7Md0XeSYzWuUJ4EPQRu8WDI448fdUcFJ6D/xRswaLL5W+bygQ+b8uiM
nbZXssEp59DQiLO6jngu784DoxL6tOlOH94ay3dya3GYAjfStALwLAhnynUNr4G/
+Ff42UqTT9s84a8+q5z+h/A6ASFqXJmD4wNHmBUjJLPuKSf08TTB5Pg5WpLaxwjc
cYcc/2fn7yS8NONO4BYShGDUf6LAW4Wpxe94C8Nky7QF61HlwQ9g2lyYCL9duR0z
pyY=
-----END CERTIFICATE-----

View File

@ -0,0 +1,138 @@
# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::EASYRSA_PKI # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/certs_by_serial # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = basic_exts # The extensions to add to the cert
# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
# is designed for will. In return, we get the Issuer attached to CRLs.
crl_extensions = crl_ext
default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
default_crl_days= $ENV::EASYRSA_CRL_DAYS # how long before next CRL
default_md = $ENV::EASYRSA_DIGEST # use public key default MD
preserve = no # keep passed DN ordering
# This allows to renew certificates which have not been revoked
unique_subject = no
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the 'anything' policy, which defines allowed DN fields
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
####################################################################
# Easy-RSA request handling
# We key off $DN_MODE to determine how to format the DN
[ req ]
default_bits = $ENV::EASYRSA_KEY_SIZE
default_keyfile = privkey.pem
default_md = $ENV::EASYRSA_DIGEST
distinguished_name = $ENV::EASYRSA_DN
x509_extensions = easyrsa_ca # The extensions to add to the self signed cert
# A placeholder to handle the $EXTRA_EXTS feature:
#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it
####################################################################
# Easy-RSA DN (Subject) handling
# Easy-RSA DN for cn_only support:
[ cn_only ]
commonName = Common Name (eg: your user, host, or server name)
commonName_max = 64
commonName_default = $ENV::EASYRSA_REQ_CN
# Easy-RSA DN for org support:
[ org ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::EASYRSA_REQ_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::EASYRSA_REQ_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::EASYRSA_REQ_ORG
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = $ENV::EASYRSA_REQ_OU
commonName = Common Name (eg: your user, host, or server name)
commonName_max = 64
commonName_default = $ENV::EASYRSA_REQ_CN
emailAddress = Email Address
emailAddress_default = $ENV::EASYRSA_REQ_EMAIL
emailAddress_max = 64
####################################################################
# Easy-RSA cert extension handling
# This section is effectively unused as the main script sets extensions
# dynamically. This core section is left to support the odd usecase where
# a user calls openssl directly.
[ basic_exts ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# The Easy-RSA CA extensions
[ easyrsa_ca ]
# PKIX recommendations:
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This could be marked critical, but it's nice to support reading by any
# broken clients who attempt to do so.
basicConstraints = CA:true
# Limit key usage to CA tasks. If you really want to use the generated pair as
# a self-signed cert, comment this out.
keyUsage = cRLSign, keyCertSign
# nsCertType omitted by default. Let's try to let the deprecated stuff die.
# nsCertType = sslCA
# CRL extensions.
[ crl_ext ]
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

View File

@ -0,0 +1,30 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,63E22C921323D1B9A6C52515022B0A22
xeNTc40tJIc7hUflTNbz4ecGjv4Nk61jjBsT3cpqQmetpijltgve+T1JaEl2ValI
ToHsRfvOErhdBLlnkOOpxRK9kxZJQsH+nNxUdX16LoPLmAar70fpZDYmocVhZtm0
rjYu00eXapJV7mErWgRRg6Av8y4fMhDhhw8lhaWp+Wr91gv+EX9N8R7jXS5g58PW
v9PQ/WRDsf7PQX0BARRYLRl+fQs7JD6nlnzV9W8liEjQifQ0qmzaWYx0Yo53XRj4
+rw8CMnXFmU4pFM73qUskOmIDn56wf8Y8rADlTJJ28z+luiWwFotHP7ufiEaVXVr
kOmlh3/ZN5y6KVfyx9ef3AZ+M7ZyYn8NepD98zRIuhVTBCDZ1Spk61yZuhP8FYgV
gqJrwHxKSKHS0SJwM/o973iniQRIMDb40NXMZw5+nF1XWLqGesijdmLX4Dy/CQy0
HVMZ+w99bZtAyogmJLv78QI6VtXOcZdm+IQIcBMflTy2AgEywENDce5hXzTqOFSH
xtODTvbUD9XXjUEZCfv08fqHFYUnJ/8Sf0IWs4m52HirTOy7pBLXQi7fl1acM0Ky
sVJmAfTmxSHY4c0dIT3U9zfkxGFWoTrvthWl4q7ss+n7W2Z0CNaKkCyvOZEoZkFV
VTgDDaQN5BJ4bOAByiiRQ+lpkA2yVun606ASFfPNpbuD5cBa0Ei3mg6Wu/+4uGcl
YoucGY1b0+kvhdIibNZNFfCYzbEa/rKzYBKV8aVWleyDLHCGnqZh4JG4fItbXvXz
8c6Bis4h4+JhAWosDeMaumsAvwPw/ZQ1R0Xj9iFP2di0DSeTYGkoIn3P0/Yf+6ph
q9Nlr0w0uqtnAiclrpgXdeBwawmgHF66Gi6VAt5JQHeNEQO6U1KGJz8f97F+xILl
MSpUmxqBwe2lGCDILLqvAcj2kRKoOtuUQk+wSCArVxiKIeVwW7VX0I27s67Yi2CQ
q2k96R8k90s9M7hzuFdlkp2vZ46MHqR1QLlzI3vWP/zkFxkFUtuko9CYCjYnGxaY
VjoGyV1PoIbSGxu1/NR7b6aFGHHFI575L4gEr4lfa9iLK59GVcWvrzwuGRyrT2d2
LLm5SF3HGu9uFPVDvYux9HROhIAh6B70pnYxP3nMg3DoyJdoGrtg+vSni7mkBF9J
UOuQfqhC2KL93C1srunvPK5eLgRSPjRaHR045DQv+xPL0A7ciEtH4rgmZ1tZnU2W
BFlFiDPebrVfx3qWthrsUkykZCAYG0XypumU2LipGQV1kavABGwmII0BXPIPXJA0
UsBQOiZbGviBYvPAWTpi8c2Hd36XjEmwMXFgpDWZXXpiST9FWuAd49MMmepLy+JA
98V3oaU65rn6Iqplp1rYac8ey2StGxLzl3GIC0gzHZvD6xaJWuyvG60hT4ZL1Zsw
Ryo5NXMHvOxa5aCjkVTk5lf2a4AhAF+Fx2wIiAFxHrcplagVf7PLmqOgh+cJPhwD
juR3wfKmBA2Z8ldCmuvgxhw/uSdQv/nx6swgPI7u8g3YOIs1/HnLWRp5w0dylXSf
mxCcun42fcTY0OPyv1iC3EY/pHOTn4dInQNNhcCVExbqq4bFW836u5AfFBvBjbOA
-----END RSA PRIVATE KEY-----

View File

@ -0,0 +1,30 @@
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIgpTGP+qhFisCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECLU8ddNZ6jJ3BIIEyMB/nTIXTaUO
n8Oe/ld7JjX1jeiQUuXP9oEYT0Ehi5F5IIQ3zUDUrJujJP+iMniX1OafmzmtcQGc
pAmGLAyhJS3p5ILlzvZGjjF19QItKGDno/cwHjQMY0ldj1CfjdGf809DQRdo4q8H
2jlGUmtMs83DhsxrlWf9Stia/4s/L+zOvpTaVFXn7UMvVtM2LXWF7GdyRIx6a5w4
fXOA6FWGY4ZvSzfkadKJSgyGPEwOW51tLJ+BYZpstrSvgh3VWPtluH0zSFdlOH3t
N5V5aQzjoeJyP7uTU09Vzp3zjux1uijmzMHnF2LSw8kGmPRIfWKF91LNn12TUNQu
oQLkFWXYRIRBDcEKetr4zkOtvp/JPNOkX44D3Zexl2KhHBqG2hDyOQZ03QN+9H7h
PUE4MAHsfx7s62sr7TJ/GHC170ZDtgj6HZAjxjs5D7lkPmKSQoods7sCENMadZiX
G0ljz/FTHzpMhhpeaRFqQfE7B3F9K6yQttoxxjAhAX+mOD1ho6NSV7KDN1cESKXB
4+afwxGV/Gp3tEk6aAbEz8ntqS+lAE1iOXLzbKPmzFs5CCXDs3/EvvLRh3MPtNkz
LcNjFypDL4CCCrxlSVMWce6iouSWyiet+3iwr+YuDx+3U9iMYyTrtL0pQSGiC/3s
LZloWf7sWT5zab+KSnhxCu3BsazSqShIRsC1lLziJGQnING1m1bw6nG0gph2vzSJ
N/ewIANJkby6XP9e/vJipPyI7xHD2aHUQLBU+Zmc7GhZWgVoAfHs/OvqwmTG2wHX
10LVpDX6Fr3wBSqsdtPKH7hNBS2Y/Q/plJk/KwyZ7qlby1SMUYj86vtvcZRG4gn/
9Mp72//FqfMrvXaBSZKR3SdR6tZTjBY9w1hUJ/c1HfRQYPISgPU9zSSPgRZtrlwx
3/FPp6i2YnfpAFWn9zFkFcUCqdEIWjK50K+v+JAUnD+7aCaznA4/yCAonXGjZwcj
eVgk5TJ4OfCVx5JE+HLXDWJSU115rMOUYXm5Jpo/j+ZKakM3diU2opW5ocgrHUl2
OwinKMiSwVK2NiLZyv4jcCJdyZI+CqvxqIU9X1fDbJP0v9pm3ANzyii6gPaO57e3
NZfmrMSqdlIq93wNIi2oZD7hgKwTBj1p/zxOTbP+QY1Ku8oFfXcF9dh32BBL+cHa
aza+RkkGzJ+qBRF6Ub7FmcY/y6r+eOvof+c4drTE5icKP5lzpB85ZuUduF535p5d
Y4dy3MM2h/t4dk7xmWp5EAZRRvKBUd7SYyi3a+LyTtHGS8FKdRCENXQi47RUlAqO
RpzAgYhchqnRDup2Tmu+MtDTPoOht55haM38kXJZ4LxACzPpYHQ6E37BT77K3Qjh
HgLxi/Hr97ZxiuPl7Tq113ljEB5xX1RGgn+s3F+/xxFEJojvGdNJXFWtE2BMSBQb
JhFkCyVYsqztBt6kLAJosYA0HornidYYwznswe+d+3ruHicax99JEA2m9xnB3LGy
A9+SJCbhS9m+hO10KalW8nuUtX1lXP0ZmjuoYrLMLmv9ihH/CoxmHynMPgFVCXih
RRGQmuS+PYBIFs1EShT04Ic280QT00un90ydaUZS3uad9qt7gNbNJ3UW3XqyWf14
2Gscnl0IXL4gKNNUxKPeGg==
-----END ENCRYPTED PRIVATE KEY-----

View File

@ -0,0 +1,15 @@
-----BEGIN CERTIFICATE REQUEST-----
MIICZzCCAU8CAQAwIjEgMB4GA1UEAwwXVmVpbGlkIFRlc3QgQ2VydGlmaWNhdGUw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLLnpHgb5va1M3UcFQaFpE
Pbq5m3hAhDXUDuhBpg4KuTSul6M3PoHtbA/4iosLGu0Gl1dtSaXstMTYbdJXw4eJ
me6w18WCodzVmLPvENrAXDiiuxU+Dl68oM2h8Adnu1c/icxyT7vAp+2tFQdhwrQh
czkAm4+qBBvEndQARIexebThTgE87qS7+a1diEEDtL/fv3Ek7gtpWVXdQ9GRBN6Y
nFTy7mN4/nYZv+Zd1liBPBsCPV3McErBhAb2GtsWsOAwsDqFQUihiMU4BHsDxIbw
2hr/vNGsf80M6FpCXkN/DWFdQWcPuAdHIZNEsqv62Gm7uW2hVm0jVKpJZ+dXxunH
AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAGe/0bWdwO5YGGfyQ5Gq+CTsEc1AW
f5G6uUk55qK1AqpECy3K9YAdDDf3JKLkaVeWlT275TyLcU2qx+kzSIUdGDpvpFui
E/vSfGcfZka7z2DSQfnsHvTy8odgMINPvcdZ6k8+ZsqLWPl6HE10QB0HqT7J1UVm
/WZkwXKSWWMbDkXZXuGLIYxp7O+ZbweJLMBzWVCarwL7o4D0oWLj16Yta2s2Wn/5
zkW9U4vM6W99t+xrZEfDo3reqYsr6i82cESUY0liTDFryYCF7BSmAbw4WPtWS8Qz
DxVp8krxG0RlA/RGfwPYz828SCmgERijp9vHKUtQqx97OCo85Hw4kYtvJQ==
-----END CERTIFICATE REQUEST-----

View File

@ -0,0 +1,138 @@
# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /home/jsmith/code/veilid/files/test-ca/pki # Where everything is kept
certs = /home/jsmith/code/veilid/files/test-ca/pki # Where the issued certs are kept
crl_dir = /home/jsmith/code/veilid/files/test-ca/pki # Where the issued crl are kept
database = /home/jsmith/code/veilid/files/test-ca/pki/index.txt # database index file.
new_certs_dir = /home/jsmith/code/veilid/files/test-ca/pki/certs_by_serial # default place for new certs.
certificate = /home/jsmith/code/veilid/files/test-ca/pki/ca.crt # The CA certificate
serial = /home/jsmith/code/veilid/files/test-ca/pki/serial # The current serial number
crl = /home/jsmith/code/veilid/files/test-ca/pki/crl.pem # The current CRL
private_key = /home/jsmith/code/veilid/files/test-ca/pki/private/ca.key # The private key
RANDFILE = /home/jsmith/code/veilid/files/test-ca/pki/.rand # private random number file
x509_extensions = basic_exts # The extensions to add to the cert
# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
# is designed for will. In return, we get the Issuer attached to CRLs.
crl_extensions = crl_ext
default_days = 825 # how long to certify for
default_crl_days= 180 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
# This allows to renew certificates which have not been revoked
unique_subject = no
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the 'anything' policy, which defines allowed DN fields
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
####################################################################
# Easy-RSA request handling
# We key off $DN_MODE to determine how to format the DN
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = cn_only
x509_extensions = easyrsa_ca # The extensions to add to the self signed cert
# A placeholder to handle the $EXTRA_EXTS feature:
#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it
####################################################################
# Easy-RSA DN (Subject) handling
# Easy-RSA DN for cn_only support:
[ cn_only ]
commonName = Common Name (eg: your user, host, or server name)
commonName_max = 64
commonName_default = ChangeMe
# Easy-RSA DN for org support:
[ org ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California
localityName = Locality Name (eg, city)
localityName_default = San Francisco
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Copyleft Certificate Co
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = My Organizational Unit
commonName = Common Name (eg: your user, host, or server name)
commonName_max = 64
commonName_default = ChangeMe
emailAddress = Email Address
emailAddress_default = me@example.net
emailAddress_max = 64
####################################################################
# Easy-RSA cert extension handling
# This section is effectively unused as the main script sets extensions
# dynamically. This core section is left to support the odd usecase where
# a user calls openssl directly.
[ basic_exts ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# The Easy-RSA CA extensions
[ easyrsa_ca ]
# PKIX recommendations:
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This could be marked critical, but it's nice to support reading by any
# broken clients who attempt to do so.
basicConstraints = CA:true
# Limit key usage to CA tasks. If you really want to use the generated pair as
# a self-signed cert, comment this out.
keyUsage = cRLSign, keyCertSign
# nsCertType omitted by default. Let's try to let the deprecated stuff die.
# nsCertType = sslCA
# CRL extensions.
[ crl_ext ]
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

1
files/test-ca/pki/serial Normal file
View File

@ -0,0 +1 @@
12CE63BD90F5ABDE6D7FD73EF3E6BC

View File

@ -0,0 +1 @@
0012ce63bd90f5abde6d7fd73ef3e6bb

221
files/test-ca/vars.example Normal file
View File

@ -0,0 +1,221 @@
# Easy-RSA 3 parameter settings
# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
# this file in place -- instead, you should copy the entire easy-rsa directory
# to another location so future upgrades don't wipe out your changes.
# HOW TO USE THIS FILE
#
# vars.example contains built-in examples to Easy-RSA settings. You MUST name
# this file 'vars' if you want it to be used as a configuration file. If you do
# not, it WILL NOT be automatically read when you call easyrsa commands.
#
# It is not necessary to use this config file unless you wish to change
# operational defaults. These defaults should be fine for many uses without the
# need to copy and edit the 'vars' file.
#
# All of the editable settings are shown commented and start with the command
# 'set_var' -- this means any set_var command that is uncommented has been
# modified by the user. If you're happy with a default, there is no need to
# define the value to its default.
# NOTES FOR WINDOWS USERS
#
# Paths for Windows *MUST* use forward slashes, or optionally double-escaped
# backslashes (single forward slashes are recommended.) This means your path to
# the openssl binary might look like this:
# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
# A little housekeeping: DON'T EDIT THIS SECTION
#
# Easy-RSA 3.x doesn't source into the environment directly.
# Complain if a user tries to do this:
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
# DO YOUR EDITS BELOW THIS POINT
# This variable is used as the base location of configuration files needed by
# easyrsa. More specific variables for specific files (e.g., EASYRSA_SSL_CONF)
# may override this default.
#
# The default value of this variable is the location of the easyrsa script
# itself, which is also where the configuration files are located in the
# easy-rsa tree.
#set_var EASYRSA "${0%/*}"
# If your OpenSSL command is not in the system PATH, you will need to define the
# path to it here. Normally this means a full path to the executable, otherwise
# you could have left it undefined here and the shown default would be used.
#
# Windows users, remember to use paths with forward-slashes (or escaped
# back-slashes.) Windows users should declare the full path to the openssl
# binary here if it is not in their system PATH.
#set_var EASYRSA_OPENSSL "openssl"
#
# This sample is in Windows syntax -- edit it for your path if not using PATH:
#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
# Edit this variable to point to your soon-to-be-created key directory. By
# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the
# directory you are currently in).
#
# WARNING: init-pki will do a rm -rf on this directory so make sure you define
# it correctly! (Interactive mode will prompt before acting.)
#set_var EASYRSA_PKI "$PWD/pki"
# Define directory for temporary subdirectories.
#set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI"
# Define X509 DN mode.
# This is used to adjust what elements are included in the Subject field as the DN
# (this is the "Distinguished Name.")
# Note that in cn_only mode the Organizational fields further below aren't used.
#
# Choices are:
# cn_only - use just a CN value
# org - use the "traditional" Country/Province/City/Org/OU/email/CN format
#set_var EASYRSA_DN "cn_only"
# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
# These are the default values for fields which will be placed in the
# certificate. Don't leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email.)
#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "me@example.net"
#set_var EASYRSA_REQ_OU "My Organizational Unit"
# Choose a size in bits for your keypairs. The recommended value is 2048. Using
# 2048-bit keys is considered more than sufficient for many years into the
# future. Larger keysizes will slow down TLS negotiation and make key/DH param
# generation take much longer. Values up to 4096 should be accepted by most
# software. Only used when the crypto alg is rsa (see below.)
#set_var EASYRSA_KEY_SIZE 2048
# The default crypto mode is rsa; ec can enable elliptic curve support.
# Note that not all software supports ECC, so use care when enabling it.
# Choices for crypto alg are: (each in lower-case)
# * rsa
# * ec
# * ed
#set_var EASYRSA_ALGO rsa
# Define the named curve, used in ec & ed modes:
#set_var EASYRSA_CURVE secp384r1
# In how many days should the root CA key expire?
#set_var EASYRSA_CA_EXPIRE 3650
# In how many days should certificates expire?
#set_var EASYRSA_CERT_EXPIRE 825
# How many days until the next CRL publish date? Note that the CRL can still be
# parsed after this timeframe passes. It is only used for an expected next
# publication date.
#set_var EASYRSA_CRL_DAYS 180
# How many days before its expiration date a certificate is allowed to be
# renewed?
#set_var EASYRSA_CERT_RENEW 30
# Random serial numbers by default, set to no for the old incremental serial numbers
#
#set_var EASYRSA_RAND_SN "yes"
# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
# is "no" to discourage use of deprecated extensions. If you require this
# feature to use with --ns-cert-type, set this to "yes" here. This support
# should be replaced with the more modern --remote-cert-tls feature. If you do
# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
# this defined to "no". When set to "yes", server-signed certs get the
# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
# nsComment field.
#set_var EASYRSA_NS_SUPPORT "no"
# When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.
#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate"
# A temp file used to stage cert extensions during signing. The default should
# be fine for most users; however, some users might want an alternative under a
# RAM-based FS, such as /dev/shm or /tmp on some systems.
#set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"
# !!
# NOTE: ADVANCED OPTIONS BELOW THIS POINT
# PLAY WITH THEM AT YOUR OWN RISK
# !!
# Broken shell command aliases: If you have a largely broken shell that is
# missing any of these POSIX-required commands used by Easy-RSA, you will need
# to define an alias to the proper path for the command. The symptom will be
# some form of a 'command not found' error from your shell. This means your
# shell is BROKEN, but you can hack around it here if you really need. These
# shown values are not defaults: it is up to you to know what you're doing if
# you touch these.
#
#alias awk="/alt/bin/awk"
#alias cat="/alt/bin/cat"
# X509 extensions directory:
# If you want to customize the X509 extensions used, set the directory to look
# for extensions here. Each cert type you sign must have a matching filename,
# and an optional file named 'COMMON' is included first when present. Note that
# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
# fallback to $EASYRSA for the 'x509-types' dir. You may override this
# detection with an explicit dir here.
#
#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
# If you want to generate KDC certificates, you need to set the realm here.
#set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM"
# OpenSSL config file:
# If you need to use a specific openssl config file, you can reference it here.
# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the
# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
# specific and you cannot just use a standard config file, so this is an
# advanced feature.
#set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
# Default CN:
# This is best left alone. Interactively you will set this manually, and BATCH
# callers are expected to set this themselves.
#set_var EASYRSA_REQ_CN "ChangeMe"
# Cryptographic digest to use.
# Do not change this default unless you understand the security implications.
# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512
#set_var EASYRSA_DIGEST "sha256"
# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
# in batch mode without any user input, confirmation on dangerous operations,
# or most output. Setting this to any non-blank string enables batch mode.
#set_var EASYRSA_BATCH ""

View File

@ -0,0 +1,7 @@
# X509 extensions added to every signed cert
# This file is included for every cert signed, and by default does nothing.
# It could be used to add values every cert should have, such as a CDP as
# demonstrated in the following example:
#crlDistributionPoints = URI:http://example.net/pki/my_ca.crl

View File

@ -0,0 +1,13 @@
# X509 extensions for a ca
# Note that basicConstraints will be overridden by Easy-RSA when defining a
# CA_PATH_LEN for CA path length limits. You could also do this here
# manually as in the following example in place of the existing line:
#
# basicConstraints = CA:TRUE, pathlen:1
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = cRLSign, keyCertSign

View File

@ -0,0 +1,8 @@
# X509 extensions for a client
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = clientAuth
keyUsage = digitalSignature

View File

@ -0,0 +1,8 @@
# X509 extensions for a client
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = codeSigning
keyUsage = digitalSignature

View File

@ -0,0 +1,8 @@
# X509 extensions for email
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = emailProtection
keyUsage = digitalSignature,keyEncipherment,nonRepudiation

View File

@ -0,0 +1,21 @@
# X509 extensions for a KDC server certificate
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = 1.3.6.1.5.2.3.5
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
issuerAltName = issuer:copy
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm = EXP:0,GeneralString:${ENV::EASYRSA_KDC_REALM}
principal_name = EXP:1,SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type = EXP:0,INTEGER:1
name_string = EXP:1,SEQUENCE:kdc_principals
[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::EASYRSA_KDC_REALM}

View File

@ -0,0 +1,8 @@
# X509 extensions for a server
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth
keyUsage = digitalSignature,keyEncipherment

View File

@ -0,0 +1,8 @@
# X509 extensions for a client/server
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth,clientAuth
keyUsage = digitalSignature,keyEncipherment