Index: net/data/ssl/scripts/generate-test-certs.sh |
diff --git a/net/data/ssl/scripts/generate-test-certs.sh b/net/data/ssl/scripts/generate-test-certs.sh |
index d62bb988a5ddc2730068b83e4a0ce1e036d2cdc2..fe690073a31457d6924fd690ce4b83374035cc61 100755 |
--- a/net/data/ssl/scripts/generate-test-certs.sh |
+++ b/net/data/ssl/scripts/generate-test-certs.sh |
@@ -67,7 +67,7 @@ CA_COMMON_NAME="Test Root CA" \ |
try openssl ca \ |
-batch \ |
-extensions user_cert \ |
- -days 3650 \ |
+ -days 1000 \ |
Ryan Sleevi
2014/11/04 21:48:27
Why was this change necessary? Unrelated? Why didn
palmer
2014/11/07 19:16:14
Yeah, reverted. I think it was from when I was try
|
-in out/ok_cert.req \ |
-out out/ok_cert.pem \ |
-config ca.cnf |
@@ -124,7 +124,48 @@ try openssl req -x509 -days 3650 -extensions req_san_sanity \ |
SUBJECT_NAME="req_punycode_dn" \ |
try openssl req -x509 -days 3650 -extensions req_punycode \ |
-config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
- -out ../certificates/punycodetest.pem |
+ -out ../certificates/punycodetest.pem |
+ |
+## Reject intranet hosts |
Ryan Sleevi
2014/11/04 21:48:27
Reject intranet hostnames in "publicly" trusted ce
palmer
2014/11/07 19:16:14
Done.
|
+SUBJECT_NAME="req_dn" \ |
+ try openssl req -x509 -days $((365 * 3)) \ |
+ -config ../scripts/ee.cnf -newkey rsa:2048 -text \ |
+ -out ../certificates/reject_intranet_hosts.pem |
+ |
+## Validity too long |
+try openssl req -config ../scripts/ee.cnf \ |
+ -newkey rsa:2048 -text -out ../certificates/11_year_validity.req |
+CA_COMMON_NAME="Test Root CA" \ |
+ try openssl ca \ |
+ -batch \ |
+ -extensions user_cert \ |
+ -startdate 141030000000Z \ |
+ -days $((365 * 11)) \ |
Ryan Sleevi
2014/11/04 21:48:27
ಠ_ಠ
KISS. This is /bin/sh style we're dealing wit
palmer
2014/11/07 19:16:14
Done.
|
+ -in ../certificates/11_year_validity.req \ |
+ -out ../certificates/11_year_validity.pem \ |
+ -config ca.cnf |
+try openssl req -config ../scripts/ee.cnf \ |
+ -newkey rsa:2048 -text -out ../certificates/40_months_after_2015_04.req |
+CA_COMMON_NAME="Test Root CA" \ |
+ try openssl ca \ |
+ -batch \ |
+ -extensions user_cert \ |
+ -startdate 150402000000Z \ |
+ -enddate 180901000000Z \ |
+ -in ../certificates/40_months_after_2015_04.req \ |
+ -out ../certificates/40_months_after_2015_04.pem \ |
+ -config ca.cnf |
+try openssl req -config ../scripts/ee.cnf \ |
+ -newkey rsa:2048 -text -out ../certificates/61_months_after_2012_07.req |
+CA_COMMON_NAME="Test Root CA" \ |
+ try openssl ca \ |
+ -batch \ |
+ -extensions user_cert \ |
+ -startdate 141030000000Z \ |
+ -days $((30 * 61)) \ |
Ryan Sleevi
2014/11/04 21:48:27
Ditto
palmer
2014/11/07 19:16:14
Done and on line 131 too.
|
+ -in ../certificates/61_months_after_2012_07.req \ |
+ -out ../certificates/61_months_after_2012_07.pem \ |
+ -config ca.cnf |
# Regenerate CRLSets |
## Block a leaf cert directly by SPKI |
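Review bot: `-days $((30 * 61))` in the `61_months_after_2012_07` block treats a month as 30 days, so from `-startdate 141030000000Z` the certificate lasts 1830 days, which is only about four days past 60 calendar months rather than a full 61. If this fixture is meant to fall outside a validity-period limit, as its name suggests, that margin is thin: a checker that counts or rounds months differently could accept it, and the test would then pass or fail for the wrong reason. The `40_months_after_2015_04` block already pins both ends with `-startdate`/`-enddate`; doing the same here, for example `-enddate 191130000000Z \`, would make the intended length explicit. To a lesser degree the same applies to `-days $((365 * 11))` in the 11-year block, which ignores leap days and ends a few days short of eleven calendar years.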