script to regenerate server/client keys

2 files changed, 137 insertions, 0 deletions

diff --git a/test/keys/keygen/.gitignore b/test/keys/keygen/.gitignore
new file mode 100644
index 000000000..d48d8c110
--- /dev/null
+++ b/test/keys/keygen/.gitignore
@@ -0,0 +1,6 @@
+/*.crt
+/*.key
+/*.p12
+/*.pem
+/*.cfg
+/*.csr
diff --git a/test/keys/keygen/make-serverkey.sh b/test/keys/keygen/make-serverkey.sh
new file mode 100644
index 000000000..618b0f45c
--- /dev/null
+++ b/test/keys/keygen/make-serverkey.sh
@@ -0,0 +1,131 @@
+#!/bin/bash
+
+# tested with git bash on Windows
+# probably needs a bit of tweaking for other environments
+
+# re the "//SKIP=this" in sub see at https://stackoverflow.com/a/54924640/499466
+
+echo init folder
+rm *.p12 2> /dev/null
+rm *.pem 2> /dev/null
+rm *.crt 2> /dev/null
+rm *.key 2> /dev/null
+rm *.cfg 2> /dev/null
+rm *.csr 2> /dev/null
+
+#cp ../*.key .
+
+echo writing config
+echo '[ req ]' > my.cfg
+echo 'default_bits= 4096' >> my.cfg
+echo 'distinguished_name=req' >> my.cfg
+echo 'x509_extensions = v3_ca' >> my.cfg
+echo 'req_extensions = v3_req' >> my.cfg
+echo '' >> my.cfg
+echo '[ v3_req ]' >> my.cfg
+echo 'basicConstraints = CA:FALSE' >> my.cfg
+echo 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment' >> my.cfg
+echo 'subjectAltName=@alternate_names' >> my.cfg
+echo '' >> my.cfg
+echo '[ alternate_names ]' >> my.cfg
+echo 'IP.1=127.0.0.1' >> my.cfg
+echo 'IP.2=::1' >> my.cfg
+echo 'IP.3=::ffff:127.0.0.1' >> my.cfg
+echo 'DNS.1=localhost' >> my.cfg
+echo '' >> my.cfg
+echo '[ v3_ca ]' >> my.cfg
+echo 'subjectKeyIdentifier=hash' >> my.cfg
+echo 'authorityKeyIdentifier=keyid:always,issuer' >> my.cfg
+echo 'basicConstraints = critical, CA:TRUE, pathlen:0' >> my.cfg
+echo 'keyUsage = critical, cRLSign, keyCertSign, nonRepudiation, digitalSignature, keyEncipherment' >> my.cfg
+echo 'extendedKeyUsage = serverAuth, clientAuth' >> my.cfg
+echo 'subjectAltName=@alternate_names' >> my.cfg
+echo '' >> my.cfg
+
+echo
+echo step 1a
+winpty openssl req \
+	-new \
+	-x509 \
+	-nodes  \
+	-days 3000 \
+	-out server.crt \
+	-keyout server.key \
+	-subj '//SKIP=this/CN=localhost/emailAddress=dev@thrift.apache.org/OU=Apache Thrift/O=The Apache Software Foundation/L=Forest Hill/ST=Maryland/C=US' \
+	-extensions v3_ca \
+	-config my.cfg
+
+echo
+echo step 1b
+openssl x509 -in server.crt -text > CA.pem
+
+echo
+echo step 1c
+cat server.crt server.key > server.pem
+
+echo
+echo step 2
+echo 'Use "thrift" as password (without the quotes)'
+winpty openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12
+
+echo
+echo step 3
+winpty openssl genrsa -out client.key
+
+
+echo
+echo step 4
+winpty openssl req \
+	-new \
+    -subj '//SKIP=this/CN=localhost/emailAddress=dev@thrift.apache.org/OU=Apache Thrift/O=The Apache Software Foundation/L=Forest Hill/ST=Maryland/C=US' \
+	-key client.key \
+	-out client.csr
+
+echo
+echo step 5
+winpty openssl x509 -req -days 3000 -in client.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client.crt
+
+
+echo
+echo step 6
+winpty openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
+
+
+echo
+echo step 7
+winpty openssl pkcs12 -in client.p12 -out client.pem -clcerts
+
+
+echo
+echo step 8a
+openssl genrsa -out client_v3.key
+
+echo
+echo step 8b
+winpty openssl req \
+	-new \
+	-subj '//SKIP=this/CN=localhost/emailAddress=dev@thrift.apache.org/OU=Apache Thrift/O=The Apache Software Foundation/L=Forest Hill/ST=Maryland/C=US' \
+	-key client_v3.key \
+	-out client_v3.csr \
+	-extensions v3_req \
+	-config my.cfg
+
+	
+echo
+echo step 9
+winpty openssl x509 -req -days 3000 -in client_v3.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client_v3.crt -extensions v3_req -extfile my.cfg
+
+echo
+echo cleanup
+rm *.cfg 2> /dev/null
+rm *.csr 2> /dev/null
+
+echo
+echo test
+openssl s_client -connect localhost:9090 &
+openssl s_server -accept 9090 -www 
+
+echo
+echo done
+
+