Corrected Test CA configuration

This commit is contained in:
Oleg Kalnichevski 2024-10-20 16:38:41 +02:00
parent 0564320d73
commit 221af7524f
8 changed files with 116 additions and 462 deletions

3
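--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,6 @@ target
 **/log4j2-debug.xml
 **/.checkstyle
 *.bak
+/test-CA/newcerts/
+/test-CA/serial.txt*
+/test-CA/index.txt*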
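Review bot: Ignoring `/test-CA/serial.txt*` and `/test-CA/index.txt*` leaves a fresh clone without the CA database that `openssl ca` reads through the `database` and `serial` keys of test-CA/openssl.cnf, so the signing step described in the README will fail until someone creates those files by hand. Either check in an empty `index.txt` and an initial `serial.txt` (the issued certificate's serial of 0 suggests the local copy started at `00`), or document the bootstrap in the README, e.g. `touch test-CA/index.txt` and `echo 00 > test-CA/serial.txt`, or add `-create_serial` to the `openssl ca` invocation. The `.attr` and `.old` side files that `openssl ca` writes next to them are presumably what the trailing `*` is meant to catch, and those are fine to keep ignored; if the intent is that the CA state is never committed, a one-line comment above these patterns saying so would save the next person the guesswork.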


@ -1,16 +1,27 @@
= SSL key / cert material (optional) = SSL key / cert material
Execute in the project root
# Issue a certificate request # Issue a certificate request
--- ---
openssl req -config openssl.cnf -new -nodes -sha256 -days 36500 \ openssl req -config test-CA/openssl.cnf -new -nodes -sha256 -days 36500 \
-subj '/O=Apache Software Foundation/OU=HttpComponents Project/CN=test-httpd/emailAddress=dev@hc.apache.org/' \ -subj '/O=Apache Software Foundation/OU=HttpComponents Project/CN=localhost/emailAddress=dev@hc.apache.org/' \
-keyout server-key.pem -out server-certreq.pem -addext 'subjectAltName = DNS:localhost,DNS:test-httpd' \
-keyout httpclient5-testing/src/test/resources/docker/server-key.pem \
-out httpclient5-testing/src/test/resources/docker/server-certreq.pem
--- ---
# Verify the request # Verify the request
--- ---
openssl req -in server-certreq.pem -text -noout openssl req -in httpclient5-testing/src/test/resources/docker/server-certreq.pem -text -noout
--- ---
# Sign new certificate with the test CA key # Sign new certificate with the test CA key
--- ---
openssl ca -config openssl.cnf -days 36500 -out server-cert.pem -in server-certreq.pem && rm server-certreq.pem openssl ca -config test-CA/openssl.cnf -days 36500 \
-out httpclient5-testing/src/test/resources/docker/server-cert.pem \
-in httpclient5-testing/src/test/resources/docker/server-certreq.pem \
&& rm httpclient5-testing/src/test/resources/docker/server-certreq.pem
--- ---
# Create JKS store with the Test CA cert
keytool -import -trustcacerts -alias test-ca -file test-CA/ca-cert.pem -keystore httpcore5-testing/src/test/resources/test-ca.jks -storepass nopassword


@ -1 +0,0 @@
V 21161223094143Z 01 unknown /O=Apache Software Foundation/OU=HttpComponents Project/CN=test-httpd/emailAddress=dev@hc.apache.org


@ -1,355 +0,0 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = . # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir # default place for new certs.
certificate = ../../../test-CA/ca-cert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = ../../../test-CA/ca-key.pem # The private key
RANDFILE = ../../../test-CA/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Apache Software Foundation
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = HttpComponents Project
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = test-httpd
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = dev@hc.apache.org
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = test-httpd
DNS.2 = localhost
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)


@ -1,35 +1,35 @@
Certificate: Certificate:
Data: Data:
Version: 3 (0x2) Version: 3 (0x2)
Serial Number: 1 (0x1) Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption Signature Algorithm: sha256WithRSAEncryption
Issuer: O=Apache Software Foundation, OU=HttpComponents Project, CN=Test CA/emailAddress=dev@hc.apache.org Issuer: O=Apache Software Foundation, OU=HttpComponents Project, CN=Test CA/emailAddress=dev@hc.apache.org
Validity Validity
Not Before: Jan 16 09:41:43 2017 GMT Not Before: Oct 20 19:14:02 2024 GMT
Not After : Dec 23 09:41:43 2116 GMT Not After : Sep 26 19:14:02 2124 GMT
Subject: O=Apache Software Foundation, OU=HttpComponents Project, CN=test-httpd/emailAddress=dev@hc.apache.org Subject: O=Apache Software Foundation, OU=HttpComponents Project, CN=localhost/emailAddress=dev@hc.apache.org
Subject Public Key Info: Subject Public Key Info:
Public Key Algorithm: rsaEncryption Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit) Public-Key: (2048 bit)
Modulus: Modulus:
00:da:55:cb:73:c3:42:cf:c1:4e:6e:d9:74:b8:f8: 00:9d:12:0f:d0:8a:7e:0a:e4:76:b8:08:af:3f:5f:
1c:3f:1a:de:8d:72:3a:c4:62:f7:eb:e4:72:5b:9b: 0f:b4:4c:70:24:22:4e:8f:8f:55:ec:ae:31:6c:e2:
9e:65:09:0e:f4:9b:f0:bd:29:d5:af:a9:d1:5f:82: 05:68:df:c5:c0:4d:e9:a5:ed:d9:4e:71:ed:e7:3c:
99:53:49:1f:7a:5c:6f:6c:0f:a2:48:68:c7:53:3e: 51:ac:0a:fe:21:96:7c:0c:7b:2f:fa:6f:4f:73:69:
9b:9f:b2:c2:eb:8f:6b:38:c4:6a:75:52:55:60:9d: 38:a0:25:a7:4c:d0:69:fc:a2:8d:94:cb:4f:9e:c7:
60:40:9b:a4:79:c6:c7:ae:1c:6c:d9:c8:b6:5b:cb: 1f:a3:b2:5b:94:5f:20:3c:61:4d:73:a6:9c:a4:7c:
d4:af:78:45:0e:57:62:04:48:1d:d2:f3:c1:98:ac: 72:25:26:ee:a6:d0:d8:f0:49:e7:b3:e0:f5:4d:de:
64:1f:ae:8d:30:78:ec:52:b3:03:6c:4b:1c:b1:87: 6e:54:80:b9:54:8c:37:9d:d2:c0:ac:8b:43:03:8d:
56:5e:a4:c3:3c:54:6b:05:22:95:30:c8:0c:d4:d4: 9c:c9:ac:91:f9:31:4f:6d:e9:2d:d5:de:b9:c4:34:
43:f0:eb:5b:58:29:5c:ce:98:97:cc:86:7a:8a:fd: de:67:3d:1a:4e:25:43:5e:ee:8e:01:67:d6:b2:4a:
70:0e:c0:55:57:21:2e:4a:f5:5d:be:ba:6e:76:99: 49:53:f9:d3:0c:93:5d:a9:1f:52:f7:23:93:1d:73:
6a:c7:9d:9f:5f:31:63:9c:ae:b5:03:75:6c:ec:d7: 3a:d4:e1:dd:2b:a2:d1:65:b1:ef:69:12:1a:fc:6b:
e8:75:6b:e4:5d:23:30:e7:c8:b9:86:ec:9d:73:e8: 24:7c:96:6b:d2:27:21:4e:38:04:af:e4:d1:f6:4e:
06:43:6a:66:51:57:84:bd:75:1b:c8:4d:6b:9c:11: b2:8a:a4:59:b6:c8:c5:21:d5:c0:d6:d8:7e:58:b2:
79:36:bf:dd:d4:a8:0d:ce:6b:c3:d7:7e:0e:f5:b0: 4e:3a:9e:6f:81:8a:1a:0e:0e:61:69:15:cb:7a:19:
78:c1:80:96:d5:45:73:ca:86:8e:7e:0f:85:43:6e: 1a:37:62:3b:96:b3:3b:20:11:b7:1e:a6:63:39:2b:
26:0d:20:3a:72:12:80:73:60:a2:90:a1:13:30:27: 0c:c2:2b:77:7b:0d:21:ef:42:26:71:ce:76:49:cb:
d5:35 68:33
Exponent: 65537 (0x10001) Exponent: 65537 (0x10001)
X509v3 extensions: X509v3 extensions:
X509v3 Basic Constraints: X509v3 Basic Constraints:
@ -37,52 +37,49 @@ Certificate:
Netscape Comment: Netscape Comment:
OpenSSL Generated Certificate OpenSSL Generated Certificate
X509v3 Subject Key Identifier: X509v3 Subject Key Identifier:
01:1E:40:80:D8:79:41:3D:8D:69:D6:E5:6C:DF:34:5D:8E:D7:07:D1 38:19:4F:BF:C1:71:41:FE:78:91:B0:09:39:8B:AD:D7:05:B9:D9:82
X509v3 Authority Key Identifier: X509v3 Authority Key Identifier:
keyid:03:E4:E7:DA:0F:64:DB:13:1E:BD:85:AB:76:BC:29:CA:2F:A7:C7:4B 03:E4:E7:DA:0F:64:DB:13:1E:BD:85:AB:76:BC:29:CA:2F:A7:C7:4B
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name: X509v3 Subject Alternative Name:
DNS:test-httpd, DNS:localhost DNS:localhost, DNS:test-httpd
Signature Algorithm: sha256WithRSAEncryption Signature Algorithm: sha256WithRSAEncryption
88:be:99:32:13:9b:3f:89:59:65:19:2a:0e:1e:7d:9f:29:c5: Signature Value:
d6:7e:82:db:18:2c:cb:b9:71:ef:ac:8b:31:0e:7c:b1:f9:7a: 07:59:06:b5:60:2d:55:ce:09:bd:f1:46:19:ef:e5:90:fa:b8:
b5:60:2f:08:63:e1:1e:f5:d0:fe:e4:b7:4e:98:de:1b:01:22: bf:da:08:ac:cd:96:9e:06:e4:b2:dc:1c:92:bf:b4:c0:ee:84:
35:35:1c:ab:39:aa:25:d5:77:42:4c:eb:f6:d7:88:ba:14:27: d5:39:92:43:84:bc:c7:c9:ea:6d:c0:90:f5:0c:d3:df:09:c2:
05:ae:08:b8:80:69:3c:e1:c6:d3:d1:26:1e:76:c7:a9:b2:2b: c3:44:6b:5e:4d:fe:7f:6b:04:f9:58:9f:b3:e8:2f:ad:9a:09:
c3:2e:f6:27:db:3d:6c:2e:5c:ac:b1:2b:06:b0:8c:0b:74:3a: 91:b7:3c:dc:2b:ff:6c:db:9f:c8:63:aa:33:0e:3a:93:8e:2a:
72:dc:15:48:20:df:23:b1:2f:60:ba:e3:80:da:36:dc:aa:f6: 99:c4:c0:c0:5a:a1:d1:a2:79:ac:07:cf:f6:aa:f7:f3:7a:42:
87:4a:c9:82:74:40:4a:f9:cc:95:d9:2b:2b:20:c8:fd:b5:87: 9a:99:47:7c:9e:a3:7a:0c:bd:59:d1:07:18:de:f5:64:71:53:
14:f6:13:1b:38:e6:7e:13:84:0b:c1:24:fe:dd:18:0c:ca:df: 83:99:38:bf:12:30:8d:89:49:8d:4b:c9:58:03:5e:6d:86:58:
fb:71:5d:ea:aa:fb:ca:20:54:0b:7b:40:93:20:c5:4b:af:a6: f3:32:a9:e0:24:18:0f:60:79:5a:54:8b:9e:be:9d:68:41:24:
89:86:2f:49:d7:83:0e:4e:47:be:5f:f9:34:f9:38:7f:25:18: 4b:2b:f8:d0:21:74:9e:bc:ea:f9:0c:c0:f9:56:e2:2c:ff:69:
05:0c:26:5e:aa:4c:c6:70:d2:27:5d:20:ef:8a:51:b6:86:8c: 71:03:5c:76:d2:ea:f6:9c:05:4f:d2:28:7c:99:a1:5d:aa:ab:
66:26:3d:36:8b:b0:b9:e0:cb:17:22:a5:b6:30:a0:c4:ae:9f: 9b:31:82:ce:11:69:08:1c:5a:2c:86:92:4c:82:86:9a:ed:9f:
80:fb:7b:f1:55:f8:2f:61:b8:1e:f8:eb:2c:86:a3:53:6c:bd: f4:fe:c6:0b:df:1b:15:38:13:9c:3b:46:75:d8:ce:b0:ae:6e:
c5:af:a2:1f 64:3f:1b:b4:0b:1a:fb:bc:67:f4:aa:8e:e3:42:e1:3e:6e:e7:
5f:98:64:2e
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIEIDCCAwigAwIBAgIBATANBgkqhkiG9w0BAQsFADB6MSMwIQYDVQQKDBpBcGFj MIIEEjCCAvqgAwIBAgIBADANBgkqhkiG9w0BAQsFADB6MSMwIQYDVQQKDBpBcGFj
aGUgU29mdHdhcmUgRm91bmRhdGlvbjEfMB0GA1UECwwWSHR0cENvbXBvbmVudHMg aGUgU29mdHdhcmUgRm91bmRhdGlvbjEfMB0GA1UECwwWSHR0cENvbXBvbmVudHMg
UHJvamVjdDEQMA4GA1UEAwwHVGVzdCBDQTEgMB4GCSqGSIb3DQEJARYRZGV2QGhj UHJvamVjdDEQMA4GA1UEAwwHVGVzdCBDQTEgMB4GCSqGSIb3DQEJARYRZGV2QGhj
LmFwYWNoZS5vcmcwIBcNMTcwMTE2MDk0MTQzWhgPMjExNjEyMjMwOTQxNDNaMH0x LmFwYWNoZS5vcmcwIBcNMjQxMDIwMTkxNDAyWhgPMjEyNDA5MjYxOTE0MDJaMHwx
IzAhBgNVBAoMGkFwYWNoZSBTb2Z0d2FyZSBGb3VuZGF0aW9uMR8wHQYDVQQLDBZI IzAhBgNVBAoMGkFwYWNoZSBTb2Z0d2FyZSBGb3VuZGF0aW9uMR8wHQYDVQQLDBZI
dHRwQ29tcG9uZW50cyBQcm9qZWN0MRMwEQYDVQQDDAp0ZXN0LWh0dHBkMSAwHgYJ dHRwQ29tcG9uZW50cyBQcm9qZWN0MRIwEAYDVQQDDAlsb2NhbGhvc3QxIDAeBgkq
KoZIhvcNAQkBFhFkZXZAaGMuYXBhY2hlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQAD hkiG9w0BCQEWEWRldkBoYy5hcGFjaGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOC
ggEPADCCAQoCggEBANpVy3PDQs/BTm7ZdLj4HD8a3o1yOsRi9+vkclubnmUJDvSb AQ8AMIIBCgKCAQEAnRIP0Ip+CuR2uAivP18PtExwJCJOj49V7K4xbOIFaN/FwE3p
8L0p1a+p0V+CmVNJH3pcb2wPokhox1M+m5+ywuuPazjEanVSVWCdYECbpHnGx64c pe3ZTnHt5zxRrAr+IZZ8DHsv+m9Pc2k4oCWnTNBp/KKNlMtPnscfo7JblF8gPGFN
bNnItlvL1K94RQ5XYgRIHdLzwZisZB+ujTB47FKzA2xLHLGHVl6kwzxUawUilTDI c6acpHxyJSbuptDY8Enns+D1Td5uVIC5VIw3ndLArItDA42cyayR+TFPbekt1d65
DNTUQ/DrW1gpXM6Yl8yGeor9cA7AVVchLkr1Xb66bnaZasedn18xY5yutQN1bOzX xDTeZz0aTiVDXu6OAWfWskpJU/nTDJNdqR9S9yOTHXM61OHdK6LRZbHvaRIa/Gsk
6HVr5F0jMOfIuYbsnXPoBkNqZlFXhL11G8hNa5wReTa/3dSoDc5rw9d+DvWweMGA fJZr0ichTjgEr+TR9k6yiqRZtsjFIdXA1th+WLJOOp5vgYoaDg5haRXLehkaN2I7
ltVFc8qGjn4PhUNuJg0gOnISgHNgopChEzAn1TUCAwEAAaOBqzCBqDAJBgNVHRME lrM7IBG3HqZjOSsMwit3ew0h70Imcc52SctoMwIDAQABo4GeMIGbMAkGA1UdEwQC
AjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0 MAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl
ZTAdBgNVHQ4EFgQUAR5AgNh5QT2NadblbN80XY7XB9EwHwYDVR0jBBgwFoAUA+Tn MB0GA1UdDgQWBBQ4GU+/wXFB/niRsAk5i63XBbnZgjAfBgNVHSMEGDAWgBQD5Ofa
2g9k2xMevYWrdrwpyi+nx0swCwYDVR0PBAQDAgXgMCAGA1UdEQQZMBeCCnRlc3Qt D2TbEx69hat2vCnKL6fHSzAgBgNVHREEGTAXgglsb2NhbGhvc3SCCnRlc3QtaHR0
aHR0cGSCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAiL6ZMhObP4lZZRkq cGQwDQYJKoZIhvcNAQELBQADggEBAAdZBrVgLVXOCb3xRhnv5ZD6uL/aCKzNlp4G
Dh59nynF1n6C2xgsy7lx76yLMQ58sfl6tWAvCGPhHvXQ/uS3TpjeGwEiNTUcqzmq 5LLcHJK/tMDuhNU5kkOEvMfJ6m3AkPUM098JwsNEa15N/n9rBPlYn7PoL62aCZG3
JdV3Qkzr9teIuhQnBa4IuIBpPOHG09EmHnbHqbIrwy72J9s9bC5crLErBrCMC3Q6 PNwr/2zbn8hjqjMOOpOOKpnEwMBaodGieawHz/aq9/N6QpqZR3yeo3oMvVnRBxje
ctwVSCDfI7EvYLrjgNo23Kr2h0rJgnRASvnMldkrKyDI/bWHFPYTGzjmfhOEC8Ek 9WRxU4OZOL8SMI2JSY1LyVgDXm2GWPMyqeAkGA9geVpUi56+nWhBJEsr+NAhdJ68
/t0YDMrf+3Fd6qr7yiBUC3tAkyDFS6+miYYvSdeDDk5Hvl/5NPk4fyUYBQwmXqpM 6vkMwPlW4iz/aXEDXHbS6vacBU/SKHyZoV2qq5sxgs4RaQgcWiyGkkyChprtn/T+
xnDSJ10g74pRtoaMZiY9NouwueDLFyKltjCgxK6fgPt78VX4L2G4HvjrLIajU2y9 xgvfGxU4E5w7RnXYzrCubmQ/G7QLGvu8Z/SqjuNC4T5u51+YZC4=
xa+iHw==
-----END CERTIFICATE----- -----END CERTIFICATE-----


@ -1,28 +1,28 @@
-----BEGIN PRIVATE KEY----- -----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDaVctzw0LPwU5u MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCdEg/Qin4K5Ha4
2XS4+Bw/Gt6NcjrEYvfr5HJbm55lCQ70m/C9KdWvqdFfgplTSR96XG9sD6JIaMdT CK8/Xw+0THAkIk6Pj1XsrjFs4gVo38XATeml7dlOce3nPFGsCv4hlnwMey/6b09z
PpufssLrj2s4xGp1UlVgnWBAm6R5xseuHGzZyLZby9SveEUOV2IESB3S88GYrGQf aTigJadM0Gn8oo2Uy0+exx+jsluUXyA8YU1zppykfHIlJu6m0NjwSeez4PVN3m5U
ro0weOxSswNsSxyxh1ZepMM8VGsFIpUwyAzU1EPw61tYKVzOmJfMhnqK/XAOwFVX gLlUjDed0sCsi0MDjZzJrJH5MU9t6S3V3rnENN5nPRpOJUNe7o4BZ9aySklT+dMM
IS5K9V2+um52mWrHnZ9fMWOcrrUDdWzs1+h1a+RdIzDnyLmG7J1z6AZDamZRV4S9 k12pH1L3I5MdczrU4d0rotFlse9pEhr8ayR8lmvSJyFOOASv5NH2TrKKpFm2yMUh
dRvITWucEXk2v93UqA3Oa8PXfg71sHjBgJbVRXPKho5+D4VDbiYNIDpyEoBzYKKQ 1cDW2H5Ysk46nm+BihoODmFpFct6GRo3YjuWszsgEbcepmM5KwzCK3d7DSHvQiZx
oRMwJ9U1AgMBAAECggEBAIEr4wthCUUKs5GHW7QXLfbzuZlrbHNFrjHEXRfvkJ1r znZJy2gzAgMBAAECggEAB11ucmfcCyS1UGHP3dfWQ60F4RvetSqSa9urI6Dhgg5k
54o2PA5eEsszp+hexsFscJAe4djHwxYdz1djogSwaPueRSw3oFg61sIrOYffzUYy FmVQ3F/vvZboAdy5M6j8S5Tj0i4AjOylPBMl/ZRmaNqo7ZitrNlvrVFG8YUOeEGR
oW5T6N5MDf9vLyyE9i4O6rFnzSVCC1Z9H1tTFLsJv58Jw8utAJPTYvjpd4xY0Vwe oGMrn42jcK8JJybRL+9BDNtaSvv0ZKdWYw36IrXEcdkNAcox5TvBq081NQsT32Jp
SqT/ZdIB9Cb+3R46+yJdcUWFUqpzKXOWZ1JH1b3nOpaLeyXJX0Xau7oyTxh/8hjg 2/dZB6yDlxTD8NVf1mzaeO0v+VxbRvPQ7HY9o0F1FVxBot/NjidU/fQwSSg2lFNq
+2DV9VI9LEKqzIV96iSsMzk28y9Iio7OW4x/vEDdpf9izmCSU8o2zLNHGBSvnUxM K+u9q5W2e0Ca2KYEV7tHpOJMmMKH6kOYjM+UiQpPWXiuClcf+LbCsj4v3a5MrlsM
wHH3pO96fmOBwq/vQkwZ7I2Y+LiL0nrukUiGpaxBz0ECgYEA95LdkhdS+Ou8hEJt fdDFMnddn6cvM3RP/lpELCqSgkzTM3srAFydY6wMEQKBgQDPUOQaxo/xPYVAGW/Q
o9cILbTP+vK4NzhKhA1tRsWylNjuv8Bp/MwM1OvRInEwl05VenG3Fbm2AsDerQEQ THbQjfA7fZweWNT2EmB3PsDA/79TtkKgFF/kuSoq5AOYcQOP3Q0qZF9DjeIhL0tK
b+aFPK+l78ZMlRZ945my9Q+jk3qYxmhl0j7mz+GdYt0MoKRyDe30wkk/cCPpwdhe WZxV9Y24q/EfnLpZOjui+SHu+RA6paFYveKcy7Mj3E5A/D3qKwDIPYX/K195LaEd
GF8Tvk7EjfGoDFiuf8wCyMEF9+UCgYEA4cQrtQLztRBZBeO+r0Wx1r6AjEKNBMPl Pll5hiWcwWIqj1bEerqPSIvSqQKBgQDB9JeR/kPvnNFXnXtUQ/o0w42GKr1Gx5HW
FYHh9qfAsRqF452xa331ftNjyPV2vmGdjVTU0FQgbf6ZSK5kCqyVTk9QHZdt65ds iiNllS5OwOGKXif8+T+liJ2eUFJ5lFb6eZhTSdWEUqygDDE00XDwnjUQm4tvBK/3
vqdpOS9FocWZOV6qTaIVoSJY804ZZJKVB+97HrFOHxPnOn0uJvtk/3x0awOoSu0I vfAkpT6RDtLZ7rIWXHXN+45MTl6LhSBYNphZK6UFY4JvtJSweRbXl8OnK1peENTE
TCU/MXNk8xECgYEAn48aGlPJ+AAGqb8eZp/p93s3J+dS7tPqwpzctuYnqGL/zLm4 OOvvpRNJewKBgBwc1QHIgUZuWD5r9Jyjcc0wIi5/Bweadi50KX6iFNNXGuPIKFq6
FWN1Sa0KRoZo6Ltlv9qWQvxD4BZp7VpoO5Z4fJo/+f710IiEbjHa8rI3nI9A827J yJIkhdJRHyex05DTofBosf5gJBTp6+TGKAwEA1bSgh0OTLrCycl8zRwxzACX6zw0
YO2FWKlyBAuvXcFeeLfKLYWDy0R6HaLTUiXE1bxyVYFP61Ukcd0MVlKBBDkCgYAM a6FlggJP4pCvY9n4QN/mb+A9SnINPPbROKLhDQKnup8Y1uRH3DqH1OYZAoGBAKO6
KC0WVS9cW6H/kDDvbThTUPTJGLhRPl8ylkjdqFDW+I+nHxGzsResGaPw6U7Yl5cN MPT5+ilcbM+UThbNJ3rBFUgL7inAsFi11bmb3DJ42iuu3fzL/zFiiQOqdGTTlzTr
SjkfcrhAVApbAJEAhiSQD/NHdKUFn6TKa2deHe6I9IP4s+FFxumVQK07hMQXR1Fh zm2Ip2iDTdvxTtxybO+B7fOuCl9WSqFMwlp877sOE2oK+GSt+ng+gVni0ibe43Xz
GQMvNur2/3JfEuiOTtE0dLYsIQlJ55Ofzg2mEwmnkQKBgQCjtelLDrPJn8x/7NzW 6Fll4XESFnrrqpTqMyEdqPkGPMupU6KtFmX/KK/fAoGAdYADpMf467obKaUPOvR+
L4/5xv3zHsjKxpvyn6jmP0s9wz2Dxeh4VzMudflw3y0l02bMLyPacQcaU9l5DKgP wPUjCQlopCK6wCFE2kuEv3e64NOpN7VJ1GHzro4DsaxndBHhG3+Pml3fnoclZgYP
WRGD7a9Yig0dx/gHCjX+QMdKvgNR6Pi7iJiD15THsZB3L1ZpzjNGr/ENxn/Xx6VC 9LVY/rduV+2xwP6GVd5iLSFKtaXPGVxkGPKEgX6842Z6i7BLUQZQyWHr19UEkgFj
bCjMxWkkzDr0xYCRr3FzQ1iEkg== RB0YbKKxrC01hpdKKHWMlHU=
-----END PRIVATE KEY----- -----END PRIVATE KEY-----


@ -52,7 +52,7 @@ default_ca = CA_default # The default ca section
#################################################################### ####################################################################
[ CA_default ] [ CA_default ]
dir = ./demoCA # Where everything is kept dir = ./test-CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file. database = $dir/index.txt # database index file.
@ -60,13 +60,13 @@ database = $dir/index.txt # database index file.
# several ctificates with same subject. # several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs. new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate certificate = $dir/ca-cert.pem # The CA certificate
serial = $dir/serial # The current serial number serial = $dir/serial.txt # The current serial number
crlnumber = $dir/crlnumber # the current crl number crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL # must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key private_key = $dir/ca-key.pem# The private key
RANDFILE = $dir/private/.rand # private random number file RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert x509_extensions = usr_cert # The extentions to add to the cert
@ -76,7 +76,7 @@ name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution. # Extension copying option: use with caution.
# copy_extensions = copy copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL. # so this is commented out by default to leave a V1 CRL.
@ -95,8 +95,8 @@ policy = policy_match
# For the CA policy # For the CA policy
[ policy_match ] [ policy_match ]
countryName = match countryName = optional
stateOrProvinceName = match stateOrProvinceName = optional
organizationName = match organizationName = match
organizationalUnitName = optional organizationalUnitName = optional
commonName = supplied commonName = supplied