add example for DH certificate generation

ccd395cb · Dr. Stephen Henson · 0d609395 · ccd395cb · ccd395cb
隐藏空白更改
内联并排

Showing with 44 addition and 1 deletion

demos/certs/ca.cnf demos/certs/ca.cnf +12 -0

demos/certs/mkcerts.sh demos/certs/mkcerts.sh +32 -1

未找到文件。
--- a/demos/certs/ca.cnf
+++ b/demos/certs/ca.cnf
@@ -42,6 +42,18 @@ nsComment			= "OpenSSL Generated Certificate"
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
+[ dh_cert ]
+# These extensions are added when 'ca' signs a request for an end entity
+# DH certificate
+basicConstraints=critical, CA:FALSE
+keyUsage=critical, keyAgreement
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
 [ v3_ca ]

--- a/demos/certs/mkcerts.sh
+++ b/demos/certs/mkcerts.sh
 #!/bin/sh
-OPENSSL=openssl
+OPENSSL=../../apps/openssl
+OPENSSL_CONF=../../apps/openssl.cnf
+export OPENSSL_CONF
 # Root CA: create certificate directly
 CN="Test Root CA" $OPENSSL req -config ca.cnf -x509 -nodes \
@@ -23,3 +25,32 @@ CN="Test Client Cert" $OPENSSL req -config ca.cnf -nodes \
 # Sign using intermediate CA
 $OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
 	-extfile ca.cnf -extensions usr_cert -CAcreateserial -out client.pem
+# Example creating a PKCS#3 DH certificate. 
+# First DH parameters
+[ -f dhp.pem ] || $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem
+# Now a DH private key
+$OPENSSL genpkey -paramfile dhp.pem -out dhskey.pem
+# Create DH public key file
+$OPENSSL pkey -in dhskey.pem -pubout -out dhspub.pem
+# Certificate request, key just reuses old one as it is ignored when the
+# request is signed.
+CN="Test Server DH Cert" $OPENSSL req -config ca.cnf -new \
+	-key skey.pem -out dhsreq.pem
+# Sign request: end entity DH extensions
+$OPENSSL x509 -req -in dhsreq.pem -CA root.pem -days 3600 \
+	-force_pubkey dhspub.pem \
+	-extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhserver.pem
+# DH client certificate
+$OPENSSL genpkey -paramfile dhp.pem -out dhckey.pem
+$OPENSSL pkey -in dhckey.pem -pubout -out dhcpub.pem
+CN="Test Client DH Cert" $OPENSSL req -config ca.cnf -new \
+	-key skey.pem -out dhcreq.pem
+$OPENSSL x509 -req -in dhcreq.pem -CA root.pem -days 3600 \
+	-force_pubkey dhcpub.pem \
+	-extfile ca.cnf -extensions dh_cert -CAcreateserial -out dhclient.pem