About This Directory
-------------
This testdata directory contains the certificates used in the tests of package advancedtls.

How to Generate Test Certificates Using OpenSSL
-------------

Suppose we want to create a `subject_cert.pem` that is trusted by `ca_cert.pem`. These are the
commands we run:

1. Generate the private key, `ca_key.pem`, and the cert, `ca_cert.pem`, for the CA:

   ```
   $ openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -nodes -days $DURATION_DAYS
   ```

   The `-nodes` option writes `ca_key.pem` unencrypted, which is acceptable only because these are test keys.

2. Generate a private key, `subject_key.pem`, for the subject:

   ```
   $ openssl genrsa -out subject_key.pem 4096
   ```

3. Generate a CSR, `csr.pem`, using `subject_key.pem`:

   ```
   $ openssl req -new -key subject_key.pem -out csr.pem
   ```

   In some cases, we might want to add extra SAN fields to `subject_cert.pem`.
   In those cases, we can create a configuration file (for example, `localhost-openssl.cnf`) and run the following instead:

   ```
   $ openssl req -new -key subject_key.pem -out csr.pem -config $CONFIG_FILE_NAME
   ```

4. Use `ca_key.pem` and `ca_cert.pem` to sign `csr.pem` and get a certificate, `subject_cert.pem`, for the subject:

   This step requires some additional configuration; see [this answer from StackOverflow](https://stackoverflow.com/a/21340898) for details.

   ```
   $ openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out subject_cert.pem -in csr.pem -keyfile ca_key.pem -cert ca_cert.pem
   ```

   An example configuration template is provided in `openssl-ca.cnf`.

5. Verify that `subject_cert.pem` is trusted by `ca_cert.pem`:

   ```
   $ openssl verify -verbose -CAfile ca_cert.pem subject_cert.pem
   ```