# Object identifiers used in the generated test certificates.
# Kerberos principal-name SAN (id-pkinit-san, RFC 4556) and the Microsoft UPN SAN.
KRB5_PRINCIPAL_SAN="1.3.6.1.5.2.2"
KRB5_UPN_SAN="1.3.6.1.4.1.311.20.2.3"
# PKINIT extended key usages for KDC and client certificates (RFC 4556).
PKINIT_KDC_EKU="1.3.6.1.5.2.3.5"
PKINIT_CLIENT_EKU="1.3.6.1.5.2.3.4"
# Standard TLS server/client and S/MIME extended key usages.
TLS_SERVER_EKU="1.3.6.1.5.5.7.3.1"
TLS_CLIENT_EKU="1.3.6.1.5.5.7.3.2"
EMAIL_PROTECTION_EKU="1.3.6.1.5.5.7.3.4"
# Add TLS EKUs to these if we're testing with NSS and we still have to
# piggy-back on the TLS trust settings.
KDC_EKU_LIST="${PKINIT_KDC_EKU}"
CLIENT_EKU_LIST="${PKINIT_CLIENT_EKU}"
20 cat > openssl.cnf << EOF
23 distinguished_name = \$ENV::SUBJECT
26 CN = test CA certificate
31 OU = Insecure PKINIT Kerberos test CA
32 CN = pkinit test suite CA; do not use otherwise
47 subjectKeyIdentifier = hash
48 authorityKeyIdentifier = keyid:always,issuer:always
49 keyUsage = nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
50 basicConstraints = critical,CA:TRUE
53 0.component=GeneralString:krbtgt
54 1.component=GeneralString:$REALM
57 nametype=EXPLICIT:0,INTEGER:$NAMETYPE
58 components=EXPLICIT:1,SEQUENCE:components_kdc
61 realm=EXPLICIT:0,GeneralString:$REALM
62 princ=EXPLICIT:1,SEQUENCE:princ_kdc
65 subjectKeyIdentifier = hash
66 authorityKeyIdentifier = keyid:always,issuer:always
67 keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
68 basicConstraints = critical,CA:FALSE
69 subjectAltName = otherName:$KRB5_PRINCIPAL_SAN;SEQUENCE:krb5princ_kdc
70 extendedKeyUsage = $KDC_EKU_LIST
73 component=GeneralString:user
76 nametype=EXPLICIT:0,INTEGER:$NAMETYPE
77 components=EXPLICIT:1,SEQUENCE:components_client
80 realm=EXPLICIT:0,GeneralString:$REALM
81 princ=EXPLICIT:1,SEQUENCE:princ_client
84 subjectKeyIdentifier = hash
85 authorityKeyIdentifier = keyid:always,issuer:always
86 keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
87 basicConstraints = critical,CA:FALSE
88 subjectAltName = otherName:$KRB5_PRINCIPAL_SAN;SEQUENCE:krb5princ_client
89 extendedKeyUsage = $CLIENT_EKU_LIST
92 subjectKeyIdentifier = hash
93 authorityKeyIdentifier = keyid:always,issuer:always
94 keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
95 basicConstraints = critical,CA:FALSE
96 subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$LOWREALM
97 extendedKeyUsage = $CLIENT_EKU_LIST
100 subjectKeyIdentifier = hash
101 authorityKeyIdentifier = keyid:always,issuer:always
102 keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
103 basicConstraints = critical,CA:FALSE
104 subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user
105 extendedKeyUsage = $CLIENT_EKU_LIST
108 subjectKeyIdentifier = hash
109 authorityKeyIdentifier = keyid:always,issuer:always
110 keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
111 basicConstraints = critical,CA:FALSE
112 subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$REALM
113 extendedKeyUsage = $CLIENT_EKU_LIST
# Generate a private key.  This one RSA key is reused for everything that
# follows: it is the CA key (-CAkey privkey.pem) and also the subject key
# of the KDC and every client certificate (-key privkey.pem), so the
# output is a test fixture only.  $KEYSIZE is expected to be set earlier
# in the script; it is not visible here.
openssl genrsa $KEYSIZE > privkey.pem
# privkey-enc.pem is the same key, DES3-encrypted under a fixed test
# passphrase so that the encrypted-key code paths can be exercised.
openssl rsa -in privkey.pem -out privkey-enc.pem -des3 -passout pass:encrypted
120 # Generate a "CA" certificate.
121 SUBJECT=ca openssl req -config openssl.cnf -new -x509 -extensions exts_ca \
122 -set_serial 1 -days $DAYS -key privkey.pem -out ca.pem
124 # Generate a KDC certificate.
125 SUBJECT=kdc openssl req -config openssl.cnf -new -key privkey.pem -out kdc.csr
126 SUBJECT=kdc openssl x509 -extfile openssl.cnf -extensions exts_kdc \
127 -set_serial 2 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \
128 -out kdc.pem -in kdc.csr
130 # Generate a client certificate and PKCS#12 bundles.
131 SUBJECT=user openssl req -config openssl.cnf -new -key privkey.pem \
133 SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_client \
134 -set_serial 3 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \
135 -out user.pem -in user.csr
136 openssl pkcs12 -export -in user.pem -inkey privkey.pem -out user.p12 \
138 openssl pkcs12 -export -in user.pem -inkey privkey.pem -out user-enc.p12 \
139 -passout pass:encrypted
141 # Generate a client certificate and PKCS#12 bundles with a UPN SAN.
142 SUBJECT=user openssl req -config openssl.cnf -new -key privkey.pem \
144 SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn_client \
145 -set_serial 4 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \
146 -out user-upn.pem -in user-upn.csr
147 openssl pkcs12 -export -in user-upn.pem -inkey privkey.pem -out user-upn.p12 \
150 SUBJECT=user openssl req -config openssl.cnf -new -key privkey.pem \
152 SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn2_client \
153 -set_serial 5 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \
154 -out user-upn2.pem -in user-upn2.csr
155 openssl pkcs12 -export -in user-upn2.pem -inkey privkey.pem \
156 -out user-upn2.p12 -passout pass:
158 SUBJECT=user openssl req -config openssl.cnf -new -key privkey.pem \
160 SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn3_client \
161 -set_serial 6 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \
162 -out user-upn3.pem -in user-upn3.csr
163 openssl pkcs12 -export -in user-upn3.pem -inkey privkey.pem \
164 -out user-upn3.p12 -passout pass:
166 # Generate a client certificate and PKCS#12 bundle with no PKINIT extensions.
167 SUBJECT=user openssl req -config openssl.cnf -new -key privkey.pem \
169 SUBJECT=user openssl x509 -set_serial 7 -days $DAYS -req -CA ca.pem \
170 -CAkey privkey.pem -out generic.pem -in generic.csr
171 openssl pkcs12 -export -in generic.pem -inkey privkey.pem -out generic.p12 \
175 rm -f openssl.cnf kdc.csr user.csr user-upn.csr user-upn2.csr user-upn3.csr