命令行证书生成

google.golang.org\grpc@v1.43.0\testdata\x509 — the script below is gRPC's test-fixture generator. Every private key it writes is unencrypted (`-nodes`) and the CA keys sit next to the certificates they sign, so treat all of this as throwaway test material, never as a production PKI.

#!/bin/bash

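# Fail fast: abort on the first failing openssl command, on any unset
# variable, and on a failure inside a pipeline. Without this a failed CA
# step is silently followed by signing with a missing key and by the final
# `rm *_csr.pem`, leaving a half-built, misleading set of fixtures.
set -euo pipefail

# Create the server CA certs.
#
# Self-signed RSA-4096 root, valid 10 years, with the extensions from the
# [test_ca] section of ./openssl.cnf. -nodes leaves the private key
# unencrypted on disk: acceptable for test fixtures checked into a repo,
# never for a real CA. -sha256 pins the signature digest so the output does
# not depend on the default_md of whichever OpenSSL version runs this.
openssl req -x509                                     \
  -newkey rsa:4096                                    \
  -sha256                                             \
  -nodes                                              \
  -days 3650                                          \
  -keyout server_ca_key.pem                           \
  -out server_ca_cert.pem                             \
  -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-server_ca/   \
  -config ./openssl.cnf                               \
  -extensions test_ca

# Create the client CA certs.
#
# A separate root from the server CA, so a server can be configured to trust
# only the client root for client auth (and a client only the server root).
openssl req -x509                                     \
  -newkey rsa:4096                                    \
  -sha256                                             \
  -nodes                                              \
  -days 3650                                          \
  -keyout client_ca_key.pem                           \
  -out client_ca_cert.pem                             \
  -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client_ca/   \
  -config ./openssl.cnf                               \
  -extensions test_ca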

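# Generate two server certs.
#
# Both leaves are issued by the same server CA, so each needs its own serial
# number: RFC 5280 requires the (issuer, serial) pair to be unique, and the
# original script signed both with -set_serial 1000. Duplicate serials under
# one issuer confuse serial-based lookups (CRL/OCSP, cert stores) and some
# verifiers reject the second certificate outright.
#
# The CSR step no longer passes -days: `req -new` ignores it without -x509;
# the validity is fixed at signing time below. -sha256 pins the signature
# digest independently of the OpenSSL default_md.
#
# Hostname verification matches the server name against the SAN added by
# [test_server] in ./openssl.cnf (DNS:*.test.example.com); current TLS
# stacks do not fall back to the CN, so test clients must connect using a
# *.test.example.com name.
openssl genrsa -out server1_key.pem 4096
openssl req -new                                    \
  -key server1_key.pem                              \
  -out server1_csr.pem                              \
  -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-server1/   \
  -config ./openssl.cnf                             \
  -reqexts test_server
openssl x509 -req           \
  -in server1_csr.pem       \
  -CAkey server_ca_key.pem  \
  -CA server_ca_cert.pem    \
  -sha256                   \
  -days 3650                \
  -set_serial 1000          \
  -out server1_cert.pem     \
  -extfile ./openssl.cnf    \
  -extensions test_server
# Exits non-zero if the chain does not verify; run under `set -e` so that
# aborts the script instead of being scrolled past.
openssl verify -verbose -CAfile server_ca_cert.pem  server1_cert.pem

openssl genrsa -out server2_key.pem 4096
openssl req -new                                    \
  -key server2_key.pem                              \
  -out server2_csr.pem                              \
  -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-server2/   \
  -config ./openssl.cnf                             \
  -reqexts test_server
openssl x509 -req           \
  -in server2_csr.pem       \
  -CAkey server_ca_key.pem  \
  -CA server_ca_cert.pem    \
  -sha256                   \
  -days 3650                \
  -set_serial 1001          \
  -out server2_cert.pem     \
  -extfile ./openssl.cnf    \
  -extensions test_server
openssl verify -verbose -CAfile server_ca_cert.pem  server2_cert.pem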

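# Generate two client certs.
#
# Both are issued by the client CA, so they get distinct serials (1000 and
# 1001); the original script reused 1000 for both, which violates the
# RFC 5280 rule that (issuer, serial) is unique. Serial space is per issuer,
# so 1000 under the client CA does not collide with server1's 1000 under the
# server CA.
#
# -days is dropped from the CSR step (`req -new` ignores it without -x509;
# validity is set when the CA signs). [test_client] marks the clientAuth EKU
# critical, so a verifier that honours EKU will not accept these as server
# certs. -sha256 pins the signature digest.
openssl genrsa -out client1_key.pem 4096
openssl req -new                                    \
  -key client1_key.pem                              \
  -out client1_csr.pem                              \
  -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client1/   \
  -config ./openssl.cnf                             \
  -reqexts test_client
openssl x509 -req           \
  -in client1_csr.pem       \
  -CAkey client_ca_key.pem  \
  -CA client_ca_cert.pem    \
  -sha256                   \
  -days 3650                \
  -set_serial 1000          \
  -out client1_cert.pem     \
  -extfile ./openssl.cnf    \
  -extensions test_client
# Exits non-zero if the chain does not verify; run under `set -e` so that
# aborts the script.
openssl verify -verbose -CAfile client_ca_cert.pem  client1_cert.pem

openssl genrsa -out client2_key.pem 4096
openssl req -new                                    \
  -key client2_key.pem                              \
  -out client2_csr.pem                              \
  -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client2/   \
  -config ./openssl.cnf                             \
  -reqexts test_client
openssl x509 -req           \
  -in client2_csr.pem       \
  -CAkey client_ca_key.pem  \
  -CA client_ca_cert.pem    \
  -sha256                   \
  -days 3650                \
  -set_serial 1001          \
  -out client2_cert.pem     \
  -extfile ./openssl.cnf    \
  -extensions test_client
openssl verify -verbose -CAfile client_ca_cert.pem  client2_cert.pem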

# Issue a self-signed RSA-4096 client cert carrying a URI subjectAltName.
#
# These certs do not use ./openssl.cnf: with no -config, every extension
# other than the -addext SAN comes from the host's default OpenSSL
# configuration, so the exact output can differ between machines. -addext
# requires OpenSSL >= 1.1.1. Both certs reuse the CN of client1 but are
# self-signed, i.e. they are not issued by client_ca_cert.pem.
#
# Arguments:
#   $1 - file prefix; <prefix>_key.pem and <prefix>_cert.pem are written
#   $2 - the subjectAltName value handed to -addext
self_signed_spiffe() {
  local prefix=$1
  local san=$2
  openssl req -x509                                   \
    -newkey rsa:4096                                  \
    -nodes                                            \
    -days 3650                                        \
    -subj /C=US/ST=CA/L=SVL/O=gRPC/CN=test-client1/   \
    -keyout "${prefix}_key.pem"                       \
    -out "${prefix}_cert.pem"                         \
    -addext "$san"
}

# A well-formed SVID: exactly one URI SAN holding a spiffe:// ID.
self_signed_spiffe spiffe \
  "subjectAltName = URI:spiffe://foo.bar.com/client/workload/1"

# Negative-test fixture: a second, non-spiffe URI SAN alongside the SPIFFE
# ID, which the SPIFFE spec forbids (an SVID must carry exactly one URI SAN).
self_signed_spiffe multiple_uri \
  "subjectAltName = URI:spiffe://foo.bar.com/client/workload/1, URI:https://bar.baz.com/client"

# Cleanup the CSRs left behind by the CA-signed server/client certs.
rm -- *_csr.pem

google.golang.org\grpc@v1.43.0\testdata\x509\openssl.cnf — the extension sections referenced by the `-extensions`, `-reqexts` and `-extfile` options above.

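# OpenSSL configuration used by the certificate generation script.
# [req] is deliberately minimal: subjects are supplied with -subj, so no DN
# prompts or request attributes are defined.
[req]
distinguished_name = req_distinguished_name
attributes = req_attributes

[req_distinguished_name]

[req_attributes]

# Extensions for the self-signed server and client root CAs
# (openssl req -x509 -extensions test_ca).
[test_ca]
# pathlen:0 restricts these roots to issuing end-entity certs; the script
# never creates an intermediate, so a verifier will now reject any sub-CA
# chained from a (leaked) test CA key.
basicConstraints = critical,CA:TRUE,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# keyCertSign only: no cRLSign, so these CAs cannot sign CRLs.
keyUsage = critical,keyCertSign

# Extensions for the CA-signed server certs (-reqexts / -extensions test_server).
[test_server]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
# keyAgreement has no meaning for an RSA key; it is harmless and kept as-is.
keyUsage = critical,digitalSignature,keyEncipherment,keyAgreement
# Hostname verification matches the server name against this SAN, not the CN.
# NOTE(review): there is no extendedKeyUsage here, so nothing stops these
# certs being presented as client certs to a peer that checks EKU; add
# `extendedKeyUsage = critical,serverAuth` if the tests should rule that out.
subjectAltName = @server_alt_names

[server_alt_names]
DNS.1 = *.test.example.com

# Extensions for the CA-signed client certs (-reqexts / -extensions test_client).
# The critical clientAuth EKU means a verifier that honours EKU refuses to
# accept these as server certs.
[test_client]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = critical,clientAuth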

 
