
adding a test pki

kakwa 2016-08-26 19:11:17 +02:00
parent 560834d280
commit 61176c5972
46 changed files with 2826 additions and 0 deletions

8
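--- a/tests/cfg/pki/build-ca
+++ b/tests/cfg/pki/build-ca
@@ -0,0 +1,8 @@
+#!/bin/sh
+#
+# Build a root certificate
+#
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --initca $*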
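Review bot: The last line of this wrapper forwards its arguments with an unquoted `$*`, so an argument containing whitespace or glob characters is re-split and expanded before pkitool receives it; `"$EASY_RSA/pkitool" --interact --initca "$@"` passes each argument through intact. The same line shape appears in build-inter, build-key, build-key-pass, build-key-pkcs12, build-key-server, build-req and build-req-pass. Separately, `EASY_RSA` defaults to `.`, so with the variable unset the script runs whichever `pkitool` is in the caller's current directory; a comment such as `# run from the pki directory, or set EASY_RSA to it` would make that assumption explicit.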
11
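--- a/tests/cfg/pki/build-dh
+++ b/tests/cfg/pki/build-dh
@@ -0,0 +1,11 @@
+#!/bin/sh
+# Build Diffie-Hellman parameters for the server side
+# of an SSL/TLS connection.
+if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
+$OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
+else
+echo 'Please source the vars script first (i.e. "source ./vars")'
+echo 'Make sure you have edited it to reflect your configuration.'
+fi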
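Review bot: The guard `[ -d $KEY_DIR ] && [ $KEY_SIZE ]` does not reject an unset `KEY_DIR`: unquoted and empty, the first test collapses to `[ -d ]`, which is true, so with only `KEY_SIZE` set the dhparam output path becomes `/dh${KEY_SIZE}.pem`. Quoting closes that gap, `if [ -d "$KEY_DIR" ] && [ -n "$KEY_SIZE" ]; then`, with `-out "${KEY_DIR}/dh${KEY_SIZE}.pem" "${KEY_SIZE}"` on the openssl line. The else branch prints the hint but the script still exits 0; an `exit 1` after the two echo lines would let callers detect that nothing was generated.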

7
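--- a/tests/cfg/pki/build-inter
+++ b/tests/cfg/pki/build-inter
@@ -0,0 +1,7 @@
+#!/bin/sh
+# Make an intermediate CA certificate/private key pair using a locally generated
+# root certificate.
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --inter $*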

7
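--- a/tests/cfg/pki/build-key
+++ b/tests/cfg/pki/build-key
@@ -0,0 +1,7 @@
+#!/bin/sh
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact $*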

7
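--- a/tests/cfg/pki/build-key-pass
+++ b/tests/cfg/pki/build-key-pass
@@ -0,0 +1,7 @@
+#!/bin/sh
+# Similar to build-key, but protect the private key
+# with a password.
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --pass $*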

8
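--- a/tests/cfg/pki/build-key-pkcs12
+++ b/tests/cfg/pki/build-key-pkcs12
@@ -0,0 +1,8 @@
+#!/bin/sh
+# Make a certificate/private key pair using a locally generated
+# root certificate and convert it to a PKCS #12 file including the
+# the CA certificate as well.
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --pkcs12 $*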

10
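--- a/tests/cfg/pki/build-key-server
+++ b/tests/cfg/pki/build-key-server
@@ -0,0 +1,10 @@
+#!/bin/sh
+# Make a certificate/private key pair using a locally generated
+# root certificate.
+#
+# Explicitly set nsCertType to server using the "server"
+# extension in the openssl.cnf file.
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --server $*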

7
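--- a/tests/cfg/pki/build-req
+++ b/tests/cfg/pki/build-req
@@ -0,0 +1,7 @@
+#!/bin/sh
+# Build a certificate signing request and private key. Use this
+# when your root certificate and key is not available locally.
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --csr $*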

7
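--- a/tests/cfg/pki/build-req-pass
+++ b/tests/cfg/pki/build-req-pass
@@ -0,0 +1,7 @@
+#!/bin/sh
+# Like build-req, but protect your private key
+# with a password.
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --csr --pass $*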

16
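--- a/tests/cfg/pki/clean-all
+++ b/tests/cfg/pki/clean-all
@@ -0,0 +1,16 @@
+#!/bin/sh
+# Initialize the $KEY_DIR directory.
+# Note that this script does a
+# rm -rf on $KEY_DIR so be careful!
+if [ "$KEY_DIR" ]; then
+rm -rf "$KEY_DIR"
+mkdir "$KEY_DIR" && \
+chmod go-rwx "$KEY_DIR" && \
+touch "$KEY_DIR/index.txt" && \
+echo 01 >"$KEY_DIR/serial"
+else
+echo 'Please source the vars script first (i.e. "source ./vars")'
+echo 'Make sure you have edited it to reflect your configuration.'
+fi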
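Review bot: `mkdir "$KEY_DIR" && chmod go-rwx "$KEY_DIR"` creates the key directory under the caller's umask and tightens it only afterwards, so for a short window it may be group- or world-accessible; `mkdir -m 700 "$KEY_DIR"` sets the mode at creation. The `rm -rf "$KEY_DIR"` before it is guarded only by a non-empty test, so whatever path the variable holds is removed recursively and a value beginning with `-` is parsed as an option; `rm -rf -- "$KEY_DIR"` handles the latter, and a comment naming the directory KEY_DIR is expected to point at would help with the former. The else branch prints the hint and exits 0; an `exit 1` there would signal that nothing was initialised.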

39
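--- a/tests/cfg/pki/inherit-inter
+++ b/tests/cfg/pki/inherit-inter
@@ -0,0 +1,39 @@
+#!/bin/sh
+# Build a new PKI which is rooted on an intermediate certificate generated
+# by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should
+# have independent vars settings, and must use a different KEY_DIR directory
+# from the parent. This tool can be used to generate arbitrary depth
+# certificate chains.
+#
+# To build an intermediate CA, follow the same steps for a regular PKI but
+# replace ./build-key or ./pkitool --initca with this script.
+# The EXPORT_CA file will contain the CA certificate chain and should be
+# referenced by the OpenVPN "ca" directive in config files. The ca.crt file
+# will only contain the local intermediate CA -- it's needed by the easy-rsa
+# scripts but not by OpenVPN directly.
+EXPORT_CA="export-ca.crt"
+if [ $# -ne 2 ]; then
+echo "usage: $0 <parent-key-dir> <common-name>"
+echo "parent-key-dir: the KEY_DIR directory of the parent PKI"
+echo "common-name: the common name of the intermediate certificate in the parent PKI"
+exit 1;
+fi
+if [ "$KEY_DIR" ]; then
+cp "$1/$2.crt" "$KEY_DIR/ca.crt"
+cp "$1/$2.key" "$KEY_DIR/ca.key"
+if [ -e "$1/$EXPORT_CA" ]; then
+PARENT_CA="$1/$EXPORT_CA"
+else
+PARENT_CA="$1/ca.crt"
+fi
+cp "$PARENT_CA" "$KEY_DIR/$EXPORT_CA"
+cat "$KEY_DIR/ca.crt" >> "$KEY_DIR/$EXPORT_CA"
+else
+echo 'Please source the vars script first (i.e. "source ./vars")'
+echo 'Make sure you have edited it to reflect your configuration.'
+fi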
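Review bot: None of the `cp` calls in the `if [ "$KEY_DIR" ]` branch is checked, so when copying `$1/$2.crt` or `$1/$2.key` fails the script still writes `$KEY_DIR/$EXPORT_CA` and appends whatever `ca.crt` was already present in KEY_DIR. Ending each copy with `|| exit 1`, for example `cp "$1/$2.crt" "$KEY_DIR/ca.crt" || exit 1`, stops at the first failure instead of leaving a mismatched chain file. The copied `ca.key` takes its mode from the source file and the umask; adding `chmod 600 "$KEY_DIR/ca.key"` after the copy would keep the intermediate CA key owner-only in every case. The final else branch also exits 0 after printing the hint.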

98
tests/cfg/pki/keys/01.pem Normal file

@ -0,0 +1,98 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain
Validity
Not Before: Aug 26 17:07:32 2016 GMT
Not After : Aug 24 17:07:32 2026 GMT
Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=-h/name=EasyRSA/emailAddress=me@myhost.mydomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b4:af:eb:bb:05:0d:4d:a8:a1:7b:65:79:1f:a2:
ad:8b:af:d5:2d:75:92:38:e7:0d:79:68:4a:6a:03:
0a:c6:3a:93:fd:e3:9a:e7:f5:18:8f:07:c7:c9:30:
aa:db:6c:7e:18:84:09:9c:69:32:5b:55:40:a1:1f:
1d:49:f1:cd:12:ec:aa:55:ad:fd:a0:13:60:d4:ed:
e6:6b:15:19:2a:a4:d5:a0:06:62:1c:36:f0:69:b5:
13:df:5d:5d:8a:90:2e:42:75:94:00:2f:61:d4:ef:
08:b7:37:fb:98:4e:b6:b9:4c:3b:cc:f2:05:21:8e:
1e:1d:8e:a9:dc:d1:e0:f8:2b:31:8b:db:cf:fd:66:
e2:ed:cb:da:b3:3e:e4:92:17:18:c1:31:9f:ae:35:
3c:c6:01:1e:35:fe:8c:74:6e:14:43:0b:bb:40:15:
32:3d:10:46:c6:f6:54:d8:26:ac:c2:98:ee:a0:66:
ed:81:69:3f:b8:2d:2b:f3:fa:3f:0d:6d:c4:9f:8c:
4d:82:f1:01:d6:66:1f:73:49:80:cd:73:bd:22:f1:
12:51:f1:fe:e6:8f:e0:be:32:99:74:50:3b:dc:8f:
ae:74:a0:58:64:b8:b7:40:b3:d5:f0:a8:19:20:cb:
7b:86:47:45:96:ae:f4:4a:f3:39:7d:ff:19:8e:50:
98:63
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
B4:F1:77:6A:ED:D2:67:AB:19:75:00:B5:DE:02:04:8C:F4:7E:4B:87
X509v3 Authority Key Identifier:
keyid:E3:2B:E4:74:CF:9B:BC:6E:6D:E6:52:1D:11:04:FC:66:1F:25:4A:73
DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain
serial:F9:2F:C6:8B:0E:F1:EB:9E
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:-h
Signature Algorithm: sha256WithRSAEncryption
0b:b4:40:74:21:70:12:4f:e9:b5:30:d0:2c:64:d9:fc:1a:01:
ac:9e:79:cf:a7:92:c7:27:c4:d8:55:e7:3f:ec:f6:11:36:07:
17:44:53:4c:f4:09:78:93:5b:ec:31:3c:08:d8:15:49:00:b6:
fc:5f:f5:46:d5:4e:d0:7f:a0:c3:9d:6c:43:cf:52:fa:22:cf:
14:ff:8e:92:68:90:23:22:41:6d:b9:5e:65:c0:81:56:61:63:
e4:73:33:7d:5d:43:49:9d:bb:d9:48:58:d0:65:f9:e9:bf:90:
15:30:51:dc:e2:27:c4:5b:4d:e7:46:4c:49:05:3a:f7:9b:dc:
f3:70:56:b4:69:24:25:92:33:48:eb:fe:07:95:5c:eb:4d:e6:
45:a3:27:5e:75:59:62:a4:3e:18:66:30:17:58:15:87:f0:63:
b9:d6:bd:01:e2:a9:a8:de:34:0d:5b:ab:41:8f:7a:f4:5a:c1:
7c:fa:5c:7d:cf:ab:8a:cb:36:53:12:fc:97:11:c5:b8:d0:a8:
7d:fc:f2:2f:74:95:c5:c0:62:cc:57:2a:8e:1f:9d:72:90:7e:
9b:d5:5a:cf:26:ff:3e:3a:cb:80:c7:e7:c6:77:d9:ef:e1:a5:
42:8f:9e:f7:15:2b:62:9c:8c:6a:35:36:3e:08:71:c6:06:44:
eb:43:4f:02
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

99
tests/cfg/pki/keys/02.pem Normal file

@ -0,0 +1,99 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain
Validity
Not Before: Aug 26 17:08:14 2016 GMT
Not After : Aug 24 17:08:14 2026 GMT
Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=ts.uts-server.org/name=EasyRSA/emailAddress=me@myhost.mydomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d3:50:7a:93:b7:10:8e:d2:2e:31:30:f6:10:9f:
bc:d6:db:ab:f0:4c:96:46:d2:bf:b2:2a:a0:f6:f7:
5c:48:83:66:54:75:3e:a3:25:20:89:2d:f7:9a:c5:
32:12:b1:32:a0:99:27:f4:9c:f0:e8:a2:19:9b:83:
a6:e1:aa:42:0a:f4:0b:81:a2:9c:3e:f2:5a:1c:ad:
5e:f8:24:12:e9:ec:75:cc:43:7c:6b:16:9a:5f:aa:
9e:39:b5:9f:2c:3e:b0:3f:cd:31:7f:90:46:a9:60:
74:d3:e0:18:e8:ee:0e:71:bf:37:bc:fe:2b:94:33:
61:3d:01:02:ed:f8:b8:66:6a:9f:76:c0:06:c8:06:
2b:70:5e:87:d2:17:b7:cd:aa:40:1f:ae:af:a4:c7:
3f:60:bc:be:54:ee:30:4e:fe:8e:2d:32:27:5c:f9:
af:2f:f9:f1:d2:2b:08:b5:6d:89:8b:84:3e:e9:d4:
e8:0b:c4:d7:5f:07:4e:96:5c:a2:4b:63:ef:a8:49:
55:39:55:34:1d:b5:ce:8e:5d:13:69:8d:52:d5:1e:
30:f9:ed:73:0b:2b:7d:8c:e1:c0:93:a9:28:20:d7:
f0:ec:04:37:bf:4b:85:0e:e2:3a:e8:54:ad:d9:e3:
27:8f:c7:43:8e:65:e1:f9:51:f0:c3:96:f2:0e:8d:
83:79
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
FF:2D:69:50:05:46:A3:95:F4:A3:E0:2E:34:39:EF:9B:BC:E2:F0:86
X509v3 Authority Key Identifier:
keyid:E3:2B:E4:74:CF:9B:BC:6E:6D:E6:52:1D:11:04:FC:66:1F:25:4A:73
DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain
serial:F9:2F:C6:8B:0E:F1:EB:9E
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:ts.uts-server.org
Signature Algorithm: sha256WithRSAEncryption
d2:ff:65:c8:fe:69:7d:fd:99:b9:4e:4c:c3:fe:ff:97:74:59:
a1:89:b6:47:b3:10:79:76:ee:7b:0b:26:7e:db:cd:fd:e1:52:
4b:94:78:3e:72:ba:8c:58:48:4f:67:ef:05:29:9e:7b:1a:07:
82:72:27:67:78:ef:43:e1:67:08:73:2c:11:e1:91:f4:4e:73:
5a:a8:09:61:9f:33:d1:33:c7:43:10:8b:a9:e8:16:63:97:e9:
81:63:74:f4:5a:b5:fc:88:46:a6:c9:c4:89:23:1d:ac:4a:02:
3f:29:ae:59:a2:6f:37:a1:27:e1:6e:34:c8:99:35:0b:50:5e:
bc:3d:64:01:7e:5e:4e:ee:79:48:a9:e6:26:bb:2d:f8:18:88:
ea:22:df:8e:7b:71:24:c1:6b:17:26:4c:96:0c:d0:d2:b4:29:
9a:1d:9a:ae:26:2b:aa:95:a9:9b:15:58:a6:9a:c4:5b:48:64:
ff:e0:e6:fb:53:37:0d:20:83:94:95:4e:5a:b9:3c:62:47:bc:
fb:6d:0a:eb:f2:b1:9c:d7:ee:30:9b:07:9f:1a:27:1f:e0:bb:
5e:36:4b:06:19:10:89:43:14:98:fc:cd:52:82:48:59:cc:77:
64:bd:ff:e7:b4:b1:00:ad:7a:94:c6:47:c7:f9:32:25:ad:2c:
14:e6:1c:df
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

98
tests/cfg/pki/keys/03.pem Normal file

@ -0,0 +1,98 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain
Validity
Not Before: Aug 26 17:08:43 2016 GMT
Not After : Aug 24 17:08:43 2026 GMT
Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=tsa1/name=EasyRSA/emailAddress=me@myhost.mydomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c8:00:8c:27:a0:52:ac:87:1f:e5:b4:1c:2d:be:
af:a0:8b:aa:ea:1b:8d:02:30:41:00:1b:3a:34:dc:
6f:04:5d:9f:c5:59:6f:a5:fa:d5:1e:3c:0e:22:52:
10:1e:7e:b2:48:b1:65:cd:0c:be:55:60:0e:98:d2:
34:8d:e9:9b:50:a2:98:92:6b:6a:09:db:9e:f6:f7:
80:22:d1:8b:f3:71:6e:bd:53:b3:fb:23:70:4e:01:
20:73:75:12:20:87:37:d3:ca:e5:0b:ff:ba:5e:bd:
ad:cd:ff:05:e2:91:31:7c:b1:99:34:ef:d2:6f:1e:
22:fe:77:e9:40:ac:8b:dc:f0:e8:23:04:f6:b7:b3:
60:34:2c:82:df:3c:3d:ca:14:52:d8:8a:57:1f:40:
1b:70:a2:ac:65:df:54:87:ba:7d:85:7b:d8:93:bd:
8e:85:fc:de:9a:0b:6a:88:52:b2:27:1b:0c:16:e0:
87:ba:7c:c9:94:a3:f7:10:79:88:0e:96:b4:a7:40:
76:00:58:b1:5a:ab:50:89:55:f6:f8:48:4f:76:66:
e5:1c:fa:bb:7a:59:57:df:33:57:7b:d4:0c:36:7f:
d6:6e:0a:40:a2:06:b7:c0:f2:31:f7:55:11:20:74:
cf:68:b2:b2:96:74:4c:58:a0:3e:ec:ee:8e:df:d1:
51:ff
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
6D:48:DA:1F:19:A2:88:71:0F:3D:80:5D:AB:44:5C:F5:06:B5:BB:0B
X509v3 Authority Key Identifier:
keyid:E3:2B:E4:74:CF:9B:BC:6E:6D:E6:52:1D:11:04:FC:66:1F:25:4A:73
DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain
serial:F9:2F:C6:8B:0E:F1:EB:9E
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:tsa1
Signature Algorithm: sha256WithRSAEncryption
a2:b6:e1:66:78:ff:d0:f1:53:58:2f:8a:26:0b:c1:7f:71:f8:
9a:d1:fa:70:f8:5b:b7:ce:da:79:92:52:0b:5f:d1:ed:c1:86:
eb:bc:29:f7:ed:0f:5b:c4:10:ab:a3:ce:9e:97:c8:a0:c8:5c:
af:bc:f2:58:77:00:59:69:85:2f:a1:16:92:45:b8:a9:3b:8d:
8c:bd:1a:bb:08:07:79:6d:6a:e9:8b:7c:fb:fb:0e:72:0a:e1:
fa:4c:ca:d5:d6:99:fc:2c:5f:1d:8a:28:38:da:bd:d4:88:36:
a2:a4:1a:e5:f9:77:72:e6:ed:13:62:31:19:79:ec:ad:9e:b5:
d1:92:7a:cf:f8:e0:ad:56:dd:5b:68:c6:64:c5:32:51:83:0e:
89:17:14:22:29:53:09:bb:49:06:3a:f1:02:8f:de:fc:94:59:
82:3d:d1:97:d8:70:53:ff:b5:0d:04:6f:2a:3f:30:50:7b:b1:
61:b3:a3:10:ee:94:dd:de:b8:ac:7c:0d:a4:af:f6:c2:8a:74:
dd:e8:95:db:ee:ab:d5:ef:68:0a:96:7c:46:05:93:12:93:d8:
84:5a:6d:38:ff:69:40:51:84:29:62:91:62:7b:af:17:18:b7:
bb:59:19:89:89:89:5d:75:54:92:bf:75:2f:7e:e4:fb:eb:a7:
ae:b5:a2:2f
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

98
tests/cfg/pki/keys/04.pem Normal file

@ -0,0 +1,98 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain
Validity
Not Before: Aug 26 17:08:44 2016 GMT
Not After : Aug 24 17:08:44 2026 GMT
Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=tsa2/name=EasyRSA/emailAddress=me@myhost.mydomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9b:34:5c:6b:ac:10:e9:63:50:cd:f5:f1:9e:80:
a8:be:ed:4f:21:25:7c:54:67:8f:f0:c1:16:57:ad:
1c:c7:14:90:8c:8d:1f:b4:e4:91:3b:fd:2c:44:a1:
c3:7d:1d:f5:cb:54:c2:45:a4:e3:e9:07:14:60:60:
63:07:d7:6d:92:2b:99:5a:c3:c1:91:87:92:b5:6d:
4b:d0:22:cd:62:13:34:9a:d1:c6:8f:e6:f6:df:50:
ba:1a:51:80:b8:2e:c9:dc:03:79:3d:97:a9:89:ce:
91:68:e4:dc:90:7d:f3:aa:74:2d:48:2b:40:f5:cf:
ba:d5:e8:07:d2:34:74:e0:31:c6:e1:0c:df:89:25:
c9:49:34:f6:0d:e8:1c:05:54:4c:eb:79:7b:04:bb:
e8:1e:f9:c3:dc:f8:d7:6f:d1:c3:77:a5:97:78:45:
1c:82:5a:52:a5:26:3e:4b:78:9e:6d:f8:75:3e:40:
b9:69:d6:e8:3f:ea:d7:6b:6e:e9:d3:a9:10:a4:92:
5e:96:e2:d8:f3:7e:2e:35:f2:81:85:b9:6d:9c:14:
02:38:c3:53:0f:a1:84:ef:c3:62:13:7f:10:0f:e4:
2e:43:4d:d0:48:06:5b:38:e4:49:e1:35:13:f6:d6:
83:1e:1c:f4:10:21:29:45:e3:48:47:01:9c:6a:4d:
b6:0b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
6E:12:12:1A:40:9F:52:2F:48:9C:B5:EE:DC:BF:20:B7:7A:30:02:DC
X509v3 Authority Key Identifier:
keyid:E3:2B:E4:74:CF:9B:BC:6E:6D:E6:52:1D:11:04:FC:66:1F:25:4A:73
DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain
serial:F9:2F:C6:8B:0E:F1:EB:9E
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:tsa2
Signature Algorithm: sha256WithRSAEncryption
89:6d:03:f4:e6:29:77:ae:b4:82:de:7b:d6:39:56:10:2f:64:
f7:68:58:6e:3b:cf:9f:96:ab:a3:66:b0:53:80:98:88:c2:70:
3a:7e:de:d6:3f:69:ff:09:56:22:4f:b3:61:c3:43:ed:73:7f:
9f:29:10:31:31:ba:d6:78:a2:bc:7d:45:2c:5f:5a:8a:77:62:
3e:d8:38:fb:41:3c:54:8b:67:29:c5:d7:5a:a9:d3:a9:52:53:
81:eb:0b:55:9e:4e:f3:73:b5:f9:87:0d:a9:59:c4:2a:66:36:
47:bc:02:78:12:5b:12:7f:f5:c2:1c:a3:be:d0:bc:3e:72:1e:
96:f2:a4:16:71:d8:0f:af:76:1d:44:bd:1c:ef:e9:6a:09:00:
79:61:b1:20:83:61:1f:13:00:69:30:c6:ae:3b:31:a3:6c:db:
67:52:5d:ef:44:14:eb:53:b4:79:39:62:53:a6:d5:ea:96:ee:
2c:5f:38:9f:04:32:0c:39:24:e7:1c:04:79:ea:27:90:1f:e2:
b3:ed:93:a1:92:5c:c6:fa:d5:58:1f:9e:3a:a5:32:01:ce:b8:
61:f6:fa:bd:ff:37:1c:3f:30:54:8e:69:13:91:1b:95:6c:43:
c7:23:47:c8:2b:c1:97:00:d4:9b:46:52:ae:b4:dd:da:a6:13:
a5:6b:07:dc
-----BEGIN CERTIFICATE-----
MIIFXjCCBEagAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBtjELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZv
cnQtRnVuc3RvbjEdMBsGA1UECxMUTXlPcmdhbml6YXRpb25hbFVuaXQxGDAWBgNV
BAMTD0ZvcnQtRnVuc3RvbiBDQTEQMA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3
DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE2MDgyNjE3MDg0NFoXDTI2MDgy
NDE3MDg0NFowgasxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMM
U2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xHTAbBgNVBAsTFE15
T3JnYW5pemF0aW9uYWxVbml0MQ0wCwYDVQQDEwR0c2EyMRAwDgYDVQQpEwdFYXN5
UlNBMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbNFxrrBDpY1DN9fGegKi+7U8hJXxUZ4/w
wRZXrRzHFJCMjR+05JE7/SxEocN9HfXLVMJFpOPpBxRgYGMH122SK5law8GRh5K1
bUvQIs1iEzSa0caP5vbfULoaUYC4LsncA3k9l6mJzpFo5NyQffOqdC1IK0D1z7rV
6AfSNHTgMcbhDN+JJclJNPYN6BwFVEzreXsEu+ge+cPc+Ndv0cN3pZd4RRyCWlKl
Jj5LeJ5t+HU+QLlp1ug/6tdrbunTqRCkkl6W4tjzfi418oGFuW2cFAI4w1MPoYTv
w2ITfxAP5C5DTdBIBls45EnhNRP21oMeHPQQISlF40hHAZxqTbYLAgMBAAGjggF+
MIIBejAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0
ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFG4SEhpAn1IvSJy17ty/ILd6MALcMIHr
BgNVHSMEgeMwgeCAFOMr5HTPm7xubeZSHREE/GYfJUpzoYG8pIG5MIG2MQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG
A1UEChMMRm9ydC1GdW5zdG9uMR0wGwYDVQQLExRNeU9yZ2FuaXphdGlvbmFsVW5p
dDEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAwDgYDVQQpEwdFYXN5UlNBMSEw
HwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQD5L8aLDvHrnjATBgNV
HSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDwYDVR0RBAgwBoIEdHNhMjAN
BgkqhkiG9w0BAQsFAAOCAQEAiW0D9OYpd660gt571jlWEC9k92hYbjvPn5aro2aw
U4CYiMJwOn7e1j9p/wlWIk+zYcND7XN/nykQMTG61niivH1FLF9aindiPtg4+0E8
VItnKcXXWqnTqVJTgesLVZ5O83O1+YcNqVnEKmY2R7wCeBJbEn/1whyjvtC8PnIe
lvKkFnHYD692HUS9HO/pagkAeWGxIINhHxMAaTDGrjsxo2zbZ1Jd70QU61O0eTli
U6bV6pbuLF84nwQyDDkk5xwEeeonkB/is+2ToZJcxvrVWB+eOqUyAc64Yfb6vf83
HD8wVI5pE5EblWxDxyNHyCvBlwDUm0ZSrrTd2qYTpWsH3A==
-----END CERTIFICATE-----

98
tests/cfg/pki/keys/05.pem Normal file

@ -0,0 +1,98 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5 (0x5)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain
Validity
Not Before: Aug 26 17:08:56 2016 GMT
Not After : Aug 24 17:08:56 2026 GMT
Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=clt1/name=EasyRSA/emailAddress=me@myhost.mydomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d5:f2:1c:23:59:41:87:a7:68:06:7d:2f:5f:aa:
88:16:4a:91:59:11:7f:d9:28:d1:ec:d6:c9:bc:b0:
6b:90:ee:44:94:44:e7:d4:b9:11:48:f7:f1:ca:9e:
f8:ce:02:44:b2:7b:90:3d:e1:97:42:b1:02:fe:ab:
1c:2a:89:81:50:81:42:9f:7f:87:41:87:be:b5:bc:
c0:9f:33:81:26:81:86:24:a9:4c:72:6c:7f:e9:a8:
71:1f:aa:45:4a:38:bd:c8:57:c4:25:8c:47:14:d0:
e0:60:4b:07:ee:bb:52:b9:95:d3:66:24:c4:6b:79:
36:83:af:6b:b8:01:8f:67:f2:81:7f:3e:fe:c3:4f:
72:ac:06:65:43:39:0f:fc:5f:71:bc:5c:12:f6:36:
ef:27:61:a0:32:4c:d1:cd:e1:15:e2:64:b5:fd:fd:
54:d5:63:45:a1:96:9a:38:50:c5:b7:7e:0e:fb:96:
d9:a7:a7:4f:58:58:af:a1:17:50:fa:66:62:43:1e:
8a:38:6a:7c:54:3f:8d:5a:12:5c:e3:cc:95:55:25:
9b:ee:bc:33:40:3a:54:cb:39:3e:6c:17:30:79:fa:
24:ba:1c:5a:54:ff:b0:30:11:d4:aa:92:5a:d7:a6:
39:16:45:d7:74:fe:40:9c:d4:cd:f4:74:34:95:ef:
4a:99
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
DC:E2:70:D0:59:39:F5:F5:E0:48:E2:A9:5F:35:D2:98:34:EA:20:FB
X509v3 Authority Key Identifier:
keyid:E3:2B:E4:74:CF:9B:BC:6E:6D:E6:52:1D:11:04:FC:66:1F:25:4A:73
DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain
serial:F9:2F:C6:8B:0E:F1:EB:9E
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:clt1
Signature Algorithm: sha256WithRSAEncryption
ad:80:83:dd:ac:17:9c:da:ca:71:c6:99:13:c7:b5:b7:b4:69:
a9:fa:0f:dd:fa:b6:4f:a2:19:10:3a:ea:7e:37:e1:a8:29:a0:
45:76:7e:d2:a8:08:17:f6:4a:ad:9e:31:ad:b1:b4:e5:5a:3f:
4a:e3:2f:e3:fa:37:0e:3d:04:ca:aa:9a:8d:4e:6f:a2:35:ae:
48:37:9e:a3:cc:83:21:34:34:2f:e2:71:c6:51:a1:5b:46:ad:
d5:10:26:ea:e2:4b:18:df:8e:e2:ab:ac:e3:3b:a2:a7:fb:99:
f2:0e:05:3b:76:38:f0:18:fd:44:93:c1:06:79:1d:d5:c3:a6:
bf:c1:0a:98:d8:81:9a:66:a9:85:42:c0:fe:dd:ff:ef:21:6e:
00:9f:68:0a:df:97:c8:5e:f3:d6:c1:fb:06:d6:40:3d:14:59:
a7:3a:f5:c9:70:fd:b1:93:88:5f:18:45:5d:58:97:60:6a:aa:
a6:6e:74:de:0e:ba:cc:9b:bf:35:3c:b3:f6:0c:1c:48:7c:5d:
70:73:db:73:db:28:a9:b8:bc:1a:1e:b8:1c:d5:36:03:f3:22:
91:d1:e7:8d:eb:36:00:f9:10:b2:16:2b:65:e4:6e:1a:9e:5f:
cd:f0:fd:9f:39:8f:71:35:de:5c:57:a8:1a:d0:fa:25:12:80:
fb:9a:da:bb
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

30
tests/cfg/pki/keys/ca.crt Normal file

@ -0,0 +1,30 @@
-----BEGIN CERTIFICATE-----
MIIFEjCCA/qgAwIBAgIJAPkvxosO8eueMA0GCSqGSIb3DQEBCwUAMIG2MQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG
A1UEChMMRm9ydC1GdW5zdG9uMR0wGwYDVQQLExRNeU9yZ2FuaXphdGlvbmFsVW5p
dDEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAwDgYDVQQpEwdFYXN5UlNBMSEw
HwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wHhcNMTYwODI2MTcwNjMx
WhcNMjYwODI0MTcwNjMxWjCBtjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRUw
EwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZvcnQtRnVuc3RvbjEdMBsG
A1UECxMUTXlPcmdhbml6YXRpb25hbFVuaXQxGDAWBgNVBAMTD0ZvcnQtRnVuc3Rv
biBDQTEQMA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0
Lm15ZG9tYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1NZs05qa
+/07CjD+XWYienpCY0MSwQIWfzdMMCYhj9XdLYVS78Qt543nQ+KFdlIUvXKZteMz
0eYhPrRuqO+IJqBY/c35HLbz1RWhPta7UzUY2iFK+b2ja55KJvpoTESXWhrX5dNS
qzkuoYScn8FDADWbT04kcJmJYwcCucZl++as8yNQrNgOeItZbj9xiFpkq8Xy0aQ0
U0G7+Ip1+Z3TNzP/sZ5Jg5CIuZhs7+pkoFqrEJhSpjAdAXb5ZdioLsqE7sDSyeVa
8RM6a9y3fVAGY45/oZ02i/cAoWz9Oe4702QnhxHwdwEBF3JOHwdDDhrZdF9PmCKB
4cMZ+8gCs8vIewIDAQABo4IBHzCCARswHQYDVR0OBBYEFOMr5HTPm7xubeZSHREE
/GYfJUpzMIHrBgNVHSMEgeMwgeCAFOMr5HTPm7xubeZSHREE/GYfJUpzoYG8pIG5
MIG2MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5j
aXNjbzEVMBMGA1UEChMMRm9ydC1GdW5zdG9uMR0wGwYDVQQLExRNeU9yZ2FuaXph
dGlvbmFsVW5pdDEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAwDgYDVQQpEwdF
YXN5UlNBMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQD5L8aL
DvHrnjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAP8mlnPOO15Xsl
DBAI3/PD7HbgPfQCq/7mOkW+QFFMOZ4HqZcgdVUM/yhkzpEQJBrQgYr4X1I48D8N
bdcG8JEEOXwgj/xu1M+buZIeh0vBQ1j4zNjzYhcho5kiUwW8vVvHyFhugfZUpQZL
WnR8GTP00/XuBNqTuXBnBzT8/MTBec4TDPfG7f0Tyosypvg9R8TYuZmYU8qdpVMA
W4JxpVGmCyUTi/7gQnntpUm7fbCwD166/phJXU5tuMyDdNuejd3mmkM4euHpL07m
CD5kizBstiHWRrb0vOzvZenZg8pCzJjSTJhfA1gPd4z1XUYN5HRWqqcE2UiR88b+
OChbJBgi
-----END CERTIFICATE-----

28
tests/cfg/pki/keys/ca.key Normal file
View File

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
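Review bot: This section commits the test CA's private key, and the `-----BEGIN PRIVATE KEY-----` header (not an encrypted-key header) indicates it is stored without a passphrase; further private-key files follow later in the commit. That is usual for a test fixture, but nothing visible in the commit says so: a short README in `tests/cfg/pki/` stating that the "Fort-Funston CA" hierarchy is public, test-only material that must never be placed in a real trust store would prevent accidental reuse. The certificates shown expire in Aug 2026, so the same note could say that the scripts added alongside are the way to regenerate them.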


@ -0,0 +1,98 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5 (0x5)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain
Validity
Not Before: Aug 26 17:08:56 2016 GMT
Not After : Aug 24 17:08:56 2026 GMT
Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=clt1/name=EasyRSA/emailAddress=me@myhost.mydomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d5:f2:1c:23:59:41:87:a7:68:06:7d:2f:5f:aa:
88:16:4a:91:59:11:7f:d9:28:d1:ec:d6:c9:bc:b0:
6b:90:ee:44:94:44:e7:d4:b9:11:48:f7:f1:ca:9e:
f8:ce:02:44:b2:7b:90:3d:e1:97:42:b1:02:fe:ab:
1c:2a:89:81:50:81:42:9f:7f:87:41:87:be:b5:bc:
c0:9f:33:81:26:81:86:24:a9:4c:72:6c:7f:e9:a8:
71:1f:aa:45:4a:38:bd:c8:57:c4:25:8c:47:14:d0:
e0:60:4b:07:ee:bb:52:b9:95:d3:66:24:c4:6b:79:
36:83:af:6b:b8:01:8f:67:f2:81:7f:3e:fe:c3:4f:
72:ac:06:65:43:39:0f:fc:5f:71:bc:5c:12:f6:36:
ef:27:61:a0:32:4c:d1:cd:e1:15:e2:64:b5:fd:fd:
54:d5:63:45:a1:96:9a:38:50:c5:b7:7e:0e:fb:96:
d9:a7:a7:4f:58:58:af:a1:17:50:fa:66:62:43:1e:
8a:38:6a:7c:54:3f:8d:5a:12:5c:e3:cc:95:55:25:
9b:ee:bc:33:40:3a:54:cb:39:3e:6c:17:30:79:fa:
24:ba:1c:5a:54:ff:b0:30:11:d4:aa:92:5a:d7:a6:
39:16:45:d7:74:fe:40:9c:d4:cd:f4:74:34:95:ef:
4a:99
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
DC:E2:70:D0:59:39:F5:F5:E0:48:E2:A9:5F:35:D2:98:34:EA:20:FB
X509v3 Authority Key Identifier:
keyid:E3:2B:E4:74:CF:9B:BC:6E:6D:E6:52:1D:11:04:FC:66:1F:25:4A:73
DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain
serial:F9:2F:C6:8B:0E:F1:EB:9E
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:clt1
Signature Algorithm: sha256WithRSAEncryption
ad:80:83:dd:ac:17:9c:da:ca:71:c6:99:13:c7:b5:b7:b4:69:
a9:fa:0f:dd:fa:b6:4f:a2:19:10:3a:ea:7e:37:e1:a8:29:a0:
45:76:7e:d2:a8:08:17:f6:4a:ad:9e:31:ad:b1:b4:e5:5a:3f:
4a:e3:2f:e3:fa:37:0e:3d:04:ca:aa:9a:8d:4e:6f:a2:35:ae:
48:37:9e:a3:cc:83:21:34:34:2f:e2:71:c6:51:a1:5b:46:ad:
d5:10:26:ea:e2:4b:18:df:8e:e2:ab:ac:e3:3b:a2:a7:fb:99:
f2:0e:05:3b:76:38:f0:18:fd:44:93:c1:06:79:1d:d5:c3:a6:
bf:c1:0a:98:d8:81:9a:66:a9:85:42:c0:fe:dd:ff:ef:21:6e:
00:9f:68:0a:df:97:c8:5e:f3:d6:c1:fb:06:d6:40:3d:14:59:
a7:3a:f5:c9:70:fd:b1:93:88:5f:18:45:5d:58:97:60:6a:aa:
a6:6e:74:de:0e:ba:cc:9b:bf:35:3c:b3:f6:0c:1c:48:7c:5d:
70:73:db:73:db:28:a9:b8:bc:1a:1e:b8:1c:d5:36:03:f3:22:
91:d1:e7:8d:eb:36:00:f9:10:b2:16:2b:65:e4:6e:1a:9e:5f:
cd:f0:fd:9f:39:8f:71:35:de:5c:57:a8:1a:d0:fa:25:12:80:
fb:9a:da:bb
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDV8hwjWUGHp2gG
fS9fqogWSpFZEX/ZKNHs1sm8sGuQ7kSUROfUuRFI9/HKnvjOAkSye5A94ZdCsQL+
qxwqiYFQgUKff4dBh761vMCfM4EmgYYkqUxybH/pqHEfqkVKOL3IV8QljEcU0OBg
Swfuu1K5ldNmJMRreTaDr2u4AY9n8oF/Pv7DT3KsBmVDOQ/8X3G8XBL2Nu8nYaAy
TNHN4RXiZLX9/VTVY0Whlpo4UMW3fg77ltmnp09YWK+hF1D6ZmJDHoo4anxUP41a
ElzjzJVVJZvuvDNAOlTLOT5sFzB5+iS6HFpU/7AwEdSqklrXpjkWRdd0/kCc1M30
dDSV70qZAgMBAAECggEAdX75pRAnxPBTWPz3P3rQMi3RlTDfHcwlPgTX1iCtcnLo
huUwzMq2i3Rf/f9AdSMZx0vE87co8x9znZkrZtENi8DxbdcD2SFLw1NeFhCbJSKN
ISU5Lr4XoaM4PUOtug1fbN+GgXiAsRXlo/yQ5rNJw1JdPwOCO+Pd5IQ6jFuO/m5X
T2ZpsmSeI0q8f5oe4mjKelyMJhbO4eBZiZg421Q7BkWqc+waeEaFWjppmaaiqA/7
sva3KSP/GyEyc3a62vsE2f0zqkc9xQo1s4GTgBt4AOWuOe6oDxhaNygU66LeOLUH
yL/qfbzd4c8kdZieeMC2vZU/6fmPfPJ0HsUjllXW4QKBgQDsB8w8ydfYai4c6yHF
ntaDZ32JYbPfWwQ+sI9AhlNfV8aSoO8Vhkn1aPgS+AYq+7SwV3CKJPeClRr88gU6
/utZ19uPRAckng0ZvdejUe6saMVLCG3FgskONc/a8wBv1JBuq37cQbrd+Fr+A6bU
5BwxoRMch/QMlg42DXBWTLSvPwKBgQDoC/o7gqs1XxYFsh54iYWnIBJUEu0XP15E
XACUf2UKSGEicRhjIDR45oMTFhGdh+43Etzkes/VavwNAqaNzggJPKUJz0SAbDmo
mhKAqAJE5u4e8V4P+3ZUpE20lpC8d4b0fm3JM7UP6IdH91e4lXyangZr875mZRrM
z+d1KgloJwKBgQCkUy17KN9wWUQvd/g0OMiKBbQdwHrVRu2mo4+oUZyb5WVnUkoB
x1OYWvNTaYAJzuHWX5oHY4M6U4rNjcXcc/vwudqvXKJIeQ0P3d7SYslzGSI6gezC
tLI7hXVnrwSf1vKTSixxNgXeYfkfnfU5hHKojsbad0COvq24LhUG0DJ/SwKBgQCg
xcOvPb6fsOzSL3H7M9U9UPRB+gb5B3epx1DDkmyQLkvWkCNEcsjIR3XjYHP+AHMl
B1WynACproFKBl8devWIaNM0M74TeGiOj4loSH+h+5paKANy8VgwFtKb34ISgoIn
nf003TWC+ynXy+CkTDZT7k8mtm9iBIUICLgmLmTsGwKBgFoLwh1kCjIKqmjSnZdS
OzTpAa49xDE0fkGXWCnW2E+KMIBZE/VOPh0MYj2YWThKqt5yEk+tPmxiyxvo5ohH
2GZKOzkcsOpZROaNfX/9edPDsL0VYHv0IDPDcoJyiEGANh0VwIqFUAX6Hmwzno6Q
nw7R4xO7SN9M9fxuexGrU3Ba
-----END PRIVATE KEY-----


@ -0,0 +1,5 @@
V 260824170732Z 01 unknown /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=-h/name=EasyRSA/emailAddress=me@myhost.mydomain
V 260824170814Z 02 unknown /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=ts.uts-server.org/name=EasyRSA/emailAddress=me@myhost.mydomain
V 260824170843Z 03 unknown /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=tsa1/name=EasyRSA/emailAddress=me@myhost.mydomain
V 260824170844Z 04 unknown /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=tsa2/name=EasyRSA/emailAddress=me@myhost.mydomain
V 260824170856Z 05 unknown /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=clt1/name=EasyRSA/emailAddress=me@myhost.mydomain


@ -0,0 +1 @@
unique_subject = yes


@ -0,0 +1 @@
unique_subject = yes


@ -0,0 +1,4 @@
V 260824170732Z 01 unknown /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=-h/name=EasyRSA/emailAddress=me@myhost.mydomain
V 260824170814Z 02 unknown /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=ts.uts-server.org/name=EasyRSA/emailAddress=me@myhost.mydomain
V 260824170843Z 03 unknown /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=tsa1/name=EasyRSA/emailAddress=me@myhost.mydomain
V 260824170844Z 04 unknown /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=tsa2/name=EasyRSA/emailAddress=me@myhost.mydomain


@ -0,0 +1 @@
06


@ -0,0 +1 @@
05


@ -0,0 +1,99 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain
Validity
Not Before: Aug 26 17:08:14 2016 GMT
Not After : Aug 24 17:08:14 2026 GMT
Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=ts.uts-server.org/name=EasyRSA/emailAddress=me@myhost.mydomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d3:50:7a:93:b7:10:8e:d2:2e:31:30:f6:10:9f:
bc:d6:db:ab:f0:4c:96:46:d2:bf:b2:2a:a0:f6:f7:
5c:48:83:66:54:75:3e:a3:25:20:89:2d:f7:9a:c5:
32:12:b1:32:a0:99:27:f4:9c:f0:e8:a2:19:9b:83:
a6:e1:aa:42:0a:f4:0b:81:a2:9c:3e:f2:5a:1c:ad:
5e:f8:24:12:e9:ec:75:cc:43:7c:6b:16:9a:5f:aa:
9e:39:b5:9f:2c:3e:b0:3f:cd:31:7f:90:46:a9:60:
74:d3:e0:18:e8:ee:0e:71:bf:37:bc:fe:2b:94:33:
61:3d:01:02:ed:f8:b8:66:6a:9f:76:c0:06:c8:06:
2b:70:5e:87:d2:17:b7:cd:aa:40:1f:ae:af:a4:c7:
3f:60:bc:be:54:ee:30:4e:fe:8e:2d:32:27:5c:f9:
af:2f:f9:f1:d2:2b:08:b5:6d:89:8b:84:3e:e9:d4:
e8:0b:c4:d7:5f:07:4e:96:5c:a2:4b:63:ef:a8:49:
55:39:55:34:1d:b5:ce:8e:5d:13:69:8d:52:d5:1e:
30:f9:ed:73:0b:2b:7d:8c:e1:c0:93:a9:28:20:d7:
f0:ec:04:37:bf:4b:85:0e:e2:3a:e8:54:ad:d9:e3:
27:8f:c7:43:8e:65:e1:f9:51:f0:c3:96:f2:0e:8d:
83:79
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
FF:2D:69:50:05:46:A3:95:F4:A3:E0:2E:34:39:EF:9B:BC:E2:F0:86
X509v3 Authority Key Identifier:
keyid:E3:2B:E4:74:CF:9B:BC:6E:6D:E6:52:1D:11:04:FC:66:1F:25:4A:73
DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain
serial:F9:2F:C6:8B:0E:F1:EB:9E
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:ts.uts-server.org
Signature Algorithm: sha256WithRSAEncryption
d2:ff:65:c8:fe:69:7d:fd:99:b9:4e:4c:c3:fe:ff:97:74:59:
a1:89:b6:47:b3:10:79:76:ee:7b:0b:26:7e:db:cd:fd:e1:52:
4b:94:78:3e:72:ba:8c:58:48:4f:67:ef:05:29:9e:7b:1a:07:
82:72:27:67:78:ef:43:e1:67:08:73:2c:11:e1:91:f4:4e:73:
5a:a8:09:61:9f:33:d1:33:c7:43:10:8b:a9:e8:16:63:97:e9:
81:63:74:f4:5a:b5:fc:88:46:a6:c9:c4:89:23:1d:ac:4a:02:
3f:29:ae:59:a2:6f:37:a1:27:e1:6e:34:c8:99:35:0b:50:5e:
bc:3d:64:01:7e:5e:4e:ee:79:48:a9:e6:26:bb:2d:f8:18:88:
ea:22:df:8e:7b:71:24:c1:6b:17:26:4c:96:0c:d0:d2:b4:29:
9a:1d:9a:ae:26:2b:aa:95:a9:9b:15:58:a6:9a:c4:5b:48:64:
ff:e0:e6:fb:53:37:0d:20:83:94:95:4e:5a:b9:3c:62:47:bc:
fb:6d:0a:eb:f2:b1:9c:d7:ee:30:9b:07:9f:1a:27:1f:e0:bb:
5e:36:4b:06:19:10:89:43:14:98:fc:cd:52:82:48:59:cc:77:
64:bd:ff:e7:b4:b1:00:ad:7a:94:c6:47:c7:f9:32:25:ad:2c:
14:e6:1c:df
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
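Review bot: This private key, like the two later `-----BEGIN PRIVATE KEY-----` sections in this commit, is stored unencrypted in the repository, so it is public as soon as the commit is pushed, and nothing visible here marks it as a test fixture. I would add a short README under tests/cfg/pki stating `These keys and certificates are published test fixtures; never trust this CA or anything issued from it outside the test suite`. It is also worth confirming that no configuration shipped to users points at this directory by default.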


@ -0,0 +1,98 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain
Validity
Not Before: Aug 26 17:08:43 2016 GMT
Not After : Aug 24 17:08:43 2026 GMT
Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=tsa1/name=EasyRSA/emailAddress=me@myhost.mydomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c8:00:8c:27:a0:52:ac:87:1f:e5:b4:1c:2d:be:
af:a0:8b:aa:ea:1b:8d:02:30:41:00:1b:3a:34:dc:
6f:04:5d:9f:c5:59:6f:a5:fa:d5:1e:3c:0e:22:52:
10:1e:7e:b2:48:b1:65:cd:0c:be:55:60:0e:98:d2:
34:8d:e9:9b:50:a2:98:92:6b:6a:09:db:9e:f6:f7:
80:22:d1:8b:f3:71:6e:bd:53:b3:fb:23:70:4e:01:
20:73:75:12:20:87:37:d3:ca:e5:0b:ff:ba:5e:bd:
ad:cd:ff:05:e2:91:31:7c:b1:99:34:ef:d2:6f:1e:
22:fe:77:e9:40:ac:8b:dc:f0:e8:23:04:f6:b7:b3:
60:34:2c:82:df:3c:3d:ca:14:52:d8:8a:57:1f:40:
1b:70:a2:ac:65:df:54:87:ba:7d:85:7b:d8:93:bd:
8e:85:fc:de:9a:0b:6a:88:52:b2:27:1b:0c:16:e0:
87:ba:7c:c9:94:a3:f7:10:79:88:0e:96:b4:a7:40:
76:00:58:b1:5a:ab:50:89:55:f6:f8:48:4f:76:66:
e5:1c:fa:bb:7a:59:57:df:33:57:7b:d4:0c:36:7f:
d6:6e:0a:40:a2:06:b7:c0:f2:31:f7:55:11:20:74:
cf:68:b2:b2:96:74:4c:58:a0:3e:ec:ee:8e:df:d1:
51:ff
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
6D:48:DA:1F:19:A2:88:71:0F:3D:80:5D:AB:44:5C:F5:06:B5:BB:0B
X509v3 Authority Key Identifier:
keyid:E3:2B:E4:74:CF:9B:BC:6E:6D:E6:52:1D:11:04:FC:66:1F:25:4A:73
DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain
serial:F9:2F:C6:8B:0E:F1:EB:9E
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:tsa1
Signature Algorithm: sha256WithRSAEncryption
a2:b6:e1:66:78:ff:d0:f1:53:58:2f:8a:26:0b:c1:7f:71:f8:
9a:d1:fa:70:f8:5b:b7:ce:da:79:92:52:0b:5f:d1:ed:c1:86:
eb:bc:29:f7:ed:0f:5b:c4:10:ab:a3:ce:9e:97:c8:a0:c8:5c:
af:bc:f2:58:77:00:59:69:85:2f:a1:16:92:45:b8:a9:3b:8d:
8c:bd:1a:bb:08:07:79:6d:6a:e9:8b:7c:fb:fb:0e:72:0a:e1:
fa:4c:ca:d5:d6:99:fc:2c:5f:1d:8a:28:38:da:bd:d4:88:36:
a2:a4:1a:e5:f9:77:72:e6:ed:13:62:31:19:79:ec:ad:9e:b5:
d1:92:7a:cf:f8:e0:ad:56:dd:5b:68:c6:64:c5:32:51:83:0e:
89:17:14:22:29:53:09:bb:49:06:3a:f1:02:8f:de:fc:94:59:
82:3d:d1:97:d8:70:53:ff:b5:0d:04:6f:2a:3f:30:50:7b:b1:
61:b3:a3:10:ee:94:dd:de:b8:ac:7c:0d:a4:af:f6:c2:8a:74:
dd:e8:95:db:ee:ab:d5:ef:68:0a:96:7c:46:05:93:12:93:d8:
84:5a:6d:38:ff:69:40:51:84:29:62:91:62:7b:af:17:18:b7:
bb:59:19:89:89:89:5d:75:54:92:bf:75:2f:7e:e4:fb:eb:a7:
ae:b5:a2:2f
-----BEGIN CERTIFICATE-----
MIIFXjCCBEagAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBtjELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZv
cnQtRnVuc3RvbjEdMBsGA1UECxMUTXlPcmdhbml6YXRpb25hbFVuaXQxGDAWBgNV
BAMTD0ZvcnQtRnVuc3RvbiBDQTEQMA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3
DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE2MDgyNjE3MDg0M1oXDTI2MDgy
NDE3MDg0M1owgasxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMM
U2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xHTAbBgNVBAsTFE15
T3JnYW5pemF0aW9uYWxVbml0MQ0wCwYDVQQDEwR0c2ExMRAwDgYDVQQpEwdFYXN5
UlNBMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIAIwnoFKshx/ltBwtvq+gi6rqG40CMEEA
Gzo03G8EXZ/FWW+l+tUePA4iUhAefrJIsWXNDL5VYA6Y0jSN6ZtQopiSa2oJ2572
94Ai0YvzcW69U7P7I3BOASBzdRIghzfTyuUL/7peva3N/wXikTF8sZk079JvHiL+
d+lArIvc8OgjBPa3s2A0LILfPD3KFFLYilcfQBtwoqxl31SHun2Fe9iTvY6F/N6a
C2qIUrInGwwW4Ie6fMmUo/cQeYgOlrSnQHYAWLFaq1CJVfb4SE92ZuUc+rt6WVff
M1d71Aw2f9ZuCkCiBrfA8jH3VREgdM9osrKWdExYoD7s7o7f0VH/AgMBAAGjggF+
MIIBejAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0
ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFG1I2h8ZoohxDz2AXatEXPUGtbsLMIHr
BgNVHSMEgeMwgeCAFOMr5HTPm7xubeZSHREE/GYfJUpzoYG8pIG5MIG2MQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG
A1UEChMMRm9ydC1GdW5zdG9uMR0wGwYDVQQLExRNeU9yZ2FuaXphdGlvbmFsVW5p
dDEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAwDgYDVQQpEwdFYXN5UlNBMSEw
HwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQD5L8aLDvHrnjATBgNV
HSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDwYDVR0RBAgwBoIEdHNhMTAN
BgkqhkiG9w0BAQsFAAOCAQEAorbhZnj/0PFTWC+KJgvBf3H4mtH6cPhbt87aeZJS
C1/R7cGG67wp9+0PW8QQq6POnpfIoMhcr7zyWHcAWWmFL6EWkkW4qTuNjL0auwgH
eW1q6Yt8+/sOcgrh+kzK1daZ/CxfHYooONq91Ig2oqQa5fl3cubtE2IxGXnsrZ61
0ZJ6z/jgrVbdW2jGZMUyUYMOiRcUIilTCbtJBjrxAo/e/JRZgj3Rl9hwU/+1DQRv
Kj8wUHuxYbOjEO6U3d64rHwNpK/2wop03eiV2+6r1e9oCpZ8RgWTEpPYhFptOP9p
QFGEKWKRYnuvFxi3u1kZiYmJXXVUkr91L37k++unrrWiLw==
-----END CERTIFICATE-----
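Review bot: The tsa1 certificate carries `X509v3 Extended Key Usage: TLS Web Client Authentication` and no time-stamping purpose, so if it is meant to sign RFC 3161 responses (the CN suggests that, but the commit does not say), verifiers will reject it. RFC 3161 requires the TSA certificate to carry a single extended key usage, id-kp-timeStamping, marked critical, and OpenSSL's time-stamp code checks the signer certificate for exactly that. The tsa2 certificate in the next certificate section has the same extensions. The openssl-*.cnf files in this commit only define the `usr_cert` (clientAuth) and `server` (serverAuth) profiles, so reissuing would need an extra section with `extendedKeyUsage = critical,timeStamping` and `keyUsage = digitalSignature`.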


@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIC8TCCAdkCAQAwgasxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UE
BxMMU2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xHTAbBgNVBAsT
FE15T3JnYW5pemF0aW9uYWxVbml0MQ0wCwYDVQQDEwR0c2ExMRAwDgYDVQQpEwdF
YXN5UlNBMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIAIwnoFKshx/ltBwtvq+gi6rqG40C
MEEAGzo03G8EXZ/FWW+l+tUePA4iUhAefrJIsWXNDL5VYA6Y0jSN6ZtQopiSa2oJ
257294Ai0YvzcW69U7P7I3BOASBzdRIghzfTyuUL/7peva3N/wXikTF8sZk079Jv
HiL+d+lArIvc8OgjBPa3s2A0LILfPD3KFFLYilcfQBtwoqxl31SHun2Fe9iTvY6F
/N6aC2qIUrInGwwW4Ie6fMmUo/cQeYgOlrSnQHYAWLFaq1CJVfb4SE92ZuUc+rt6
WVffM1d71Aw2f9ZuCkCiBrfA8jH3VREgdM9osrKWdExYoD7s7o7f0VH/AgMBAAGg
ADANBgkqhkiG9w0BAQsFAAOCAQEAF/TgnEcEdYC0tZ/Dr3j03Y6+HMOXUDjN9yQp
1HPZlXc0cl9k3JDMEbqE3xnLF6xkk2CBfG9YkHZwUk/CcoaRAg2qF3/4SF9WfboX
42a1AcMpsbD2tbDAulndvONPREGOx+b4aUJ8ddWDnkQtx7JEoQ57GldgQ4c/bU6v
QfNAtBnnlNDvo1lOYi2RNInTHR/zui6s+z4we95FJcYkh6qlS6/o+tRYu5E7qxVl
P+66RmmlsMydIrM712O8wZSFRoRoHXqrolG+BdWK5nj2CEuhk4g8plNwcMLx/8FI
FGeKATizb4zAAtRnBH3uf3HOVkOgMdNkKJK447zuqaE/+KeG6Q==
-----END CERTIFICATE REQUEST-----


@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----


@ -0,0 +1,98 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain
Validity
Not Before: Aug 26 17:08:44 2016 GMT
Not After : Aug 24 17:08:44 2026 GMT
Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=tsa2/name=EasyRSA/emailAddress=me@myhost.mydomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9b:34:5c:6b:ac:10:e9:63:50:cd:f5:f1:9e:80:
a8:be:ed:4f:21:25:7c:54:67:8f:f0:c1:16:57:ad:
1c:c7:14:90:8c:8d:1f:b4:e4:91:3b:fd:2c:44:a1:
c3:7d:1d:f5:cb:54:c2:45:a4:e3:e9:07:14:60:60:
63:07:d7:6d:92:2b:99:5a:c3:c1:91:87:92:b5:6d:
4b:d0:22:cd:62:13:34:9a:d1:c6:8f:e6:f6:df:50:
ba:1a:51:80:b8:2e:c9:dc:03:79:3d:97:a9:89:ce:
91:68:e4:dc:90:7d:f3:aa:74:2d:48:2b:40:f5:cf:
ba:d5:e8:07:d2:34:74:e0:31:c6:e1:0c:df:89:25:
c9:49:34:f6:0d:e8:1c:05:54:4c:eb:79:7b:04:bb:
e8:1e:f9:c3:dc:f8:d7:6f:d1:c3:77:a5:97:78:45:
1c:82:5a:52:a5:26:3e:4b:78:9e:6d:f8:75:3e:40:
b9:69:d6:e8:3f:ea:d7:6b:6e:e9:d3:a9:10:a4:92:
5e:96:e2:d8:f3:7e:2e:35:f2:81:85:b9:6d:9c:14:
02:38:c3:53:0f:a1:84:ef:c3:62:13:7f:10:0f:e4:
2e:43:4d:d0:48:06:5b:38:e4:49:e1:35:13:f6:d6:
83:1e:1c:f4:10:21:29:45:e3:48:47:01:9c:6a:4d:
b6:0b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
6E:12:12:1A:40:9F:52:2F:48:9C:B5:EE:DC:BF:20:B7:7A:30:02:DC
X509v3 Authority Key Identifier:
keyid:E3:2B:E4:74:CF:9B:BC:6E:6D:E6:52:1D:11:04:FC:66:1F:25:4A:73
DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain
serial:F9:2F:C6:8B:0E:F1:EB:9E
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:tsa2
Signature Algorithm: sha256WithRSAEncryption
89:6d:03:f4:e6:29:77:ae:b4:82:de:7b:d6:39:56:10:2f:64:
f7:68:58:6e:3b:cf:9f:96:ab:a3:66:b0:53:80:98:88:c2:70:
3a:7e:de:d6:3f:69:ff:09:56:22:4f:b3:61:c3:43:ed:73:7f:
9f:29:10:31:31:ba:d6:78:a2:bc:7d:45:2c:5f:5a:8a:77:62:
3e:d8:38:fb:41:3c:54:8b:67:29:c5:d7:5a:a9:d3:a9:52:53:
81:eb:0b:55:9e:4e:f3:73:b5:f9:87:0d:a9:59:c4:2a:66:36:
47:bc:02:78:12:5b:12:7f:f5:c2:1c:a3:be:d0:bc:3e:72:1e:
96:f2:a4:16:71:d8:0f:af:76:1d:44:bd:1c:ef:e9:6a:09:00:
79:61:b1:20:83:61:1f:13:00:69:30:c6:ae:3b:31:a3:6c:db:
67:52:5d:ef:44:14:eb:53:b4:79:39:62:53:a6:d5:ea:96:ee:
2c:5f:38:9f:04:32:0c:39:24:e7:1c:04:79:ea:27:90:1f:e2:
b3:ed:93:a1:92:5c:c6:fa:d5:58:1f:9e:3a:a5:32:01:ce:b8:
61:f6:fa:bd:ff:37:1c:3f:30:54:8e:69:13:91:1b:95:6c:43:
c7:23:47:c8:2b:c1:97:00:d4:9b:46:52:ae:b4:dd:da:a6:13:
a5:6b:07:dc
-----BEGIN CERTIFICATE-----
MIIFXjCCBEagAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBtjELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZv
cnQtRnVuc3RvbjEdMBsGA1UECxMUTXlPcmdhbml6YXRpb25hbFVuaXQxGDAWBgNV
BAMTD0ZvcnQtRnVuc3RvbiBDQTEQMA4GA1UEKRMHRWFzeVJTQTEhMB8GCSqGSIb3
DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMB4XDTE2MDgyNjE3MDg0NFoXDTI2MDgy
NDE3MDg0NFowgasxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMM
U2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xHTAbBgNVBAsTFE15
T3JnYW5pemF0aW9uYWxVbml0MQ0wCwYDVQQDEwR0c2EyMRAwDgYDVQQpEwdFYXN5
UlNBMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbNFxrrBDpY1DN9fGegKi+7U8hJXxUZ4/w
wRZXrRzHFJCMjR+05JE7/SxEocN9HfXLVMJFpOPpBxRgYGMH122SK5law8GRh5K1
bUvQIs1iEzSa0caP5vbfULoaUYC4LsncA3k9l6mJzpFo5NyQffOqdC1IK0D1z7rV
6AfSNHTgMcbhDN+JJclJNPYN6BwFVEzreXsEu+ge+cPc+Ndv0cN3pZd4RRyCWlKl
Jj5LeJ5t+HU+QLlp1ug/6tdrbunTqRCkkl6W4tjzfi418oGFuW2cFAI4w1MPoYTv
w2ITfxAP5C5DTdBIBls45EnhNRP21oMeHPQQISlF40hHAZxqTbYLAgMBAAGjggF+
MIIBejAJBgNVHRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0
ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFG4SEhpAn1IvSJy17ty/ILd6MALcMIHr
BgNVHSMEgeMwgeCAFOMr5HTPm7xubeZSHREE/GYfJUpzoYG8pIG5MIG2MQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG
A1UEChMMRm9ydC1GdW5zdG9uMR0wGwYDVQQLExRNeU9yZ2FuaXphdGlvbmFsVW5p
dDEYMBYGA1UEAxMPRm9ydC1GdW5zdG9uIENBMRAwDgYDVQQpEwdFYXN5UlNBMSEw
HwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW6CCQD5L8aLDvHrnjATBgNV
HSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDwYDVR0RBAgwBoIEdHNhMjAN
BgkqhkiG9w0BAQsFAAOCAQEAiW0D9OYpd660gt571jlWEC9k92hYbjvPn5aro2aw
U4CYiMJwOn7e1j9p/wlWIk+zYcND7XN/nykQMTG61niivH1FLF9aindiPtg4+0E8
VItnKcXXWqnTqVJTgesLVZ5O83O1+YcNqVnEKmY2R7wCeBJbEn/1whyjvtC8PnIe
lvKkFnHYD692HUS9HO/pagkAeWGxIINhHxMAaTDGrjsxo2zbZ1Jd70QU61O0eTli
U6bV6pbuLF84nwQyDDkk5xwEeeonkB/is+2ToZJcxvrVWB+eOqUyAc64Yfb6vf83
HD8wVI5pE5EblWxDxyNHyCvBlwDUm0ZSrrTd2qYTpWsH3A==
-----END CERTIFICATE-----


@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----


@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

13
tests/cfg/pki/list-crl Executable file

@ -0,0 +1,13 @@
#!/bin/sh
# list revoked certificates
CRL="${1:-crl.pem}"
if [ "$KEY_DIR" ]; then
cd "$KEY_DIR" && \
$OPENSSL crl -text -noout -in "$CRL"
else
echo 'Please source the vars script first (i.e. "source ./vars")'
echo 'Make sure you have edited it to reflect your configuration.'
fi
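Review bot: When KEY_DIR is unset, the else branch prints its hint on stdout and the script still exits 0, so a caller or test harness cannot tell that no CRL was listed. I would send both messages to stderr (`echo '...' >&2`) and end the branch with `exit 1`. `$OPENSSL` is also used without a check: if it is unset, the shell tries to run `crl` as the command, so testing `[ "$KEY_DIR" ] && [ "$OPENSSL" ]` in the condition would fail more clearly.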


@ -0,0 +1,268 @@
# For use with easy-rsa version 2.0
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always


@ -0,0 +1,293 @@
# For use with easy-rsa version 2.0
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_init
[ openssl_init ]
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
engines = engine_section
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
name = Name
name_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
name_default = $ENV::KEY_NAME
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
[ engine_section ]
#
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0


@ -0,0 +1,288 @@
# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
openssl_conf = openssl_init
[ openssl_init ]
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
engines = engine_section
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::KEY_DIR # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
####################################################################
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation after 2004).
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::KEY_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::KEY_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::KEY_ORG
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
name = Name
name_max = 64
emailAddress = Email Address
emailAddress_default = $ENV::KEY_EMAIL
emailAddress_max = 40
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
name_default = $ENV::KEY_NAME
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Easy-RSA Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
subjectAltName=$ENV::KEY_ALTNAMES
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectAltName=$ENV::KEY_ALTNAMES
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
[ engine_section ]
#
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0

399
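--- a/tests/cfg/pki/pkitool
+++ b/tests/cfg/pki/pkitool
@@ -0,0 +1,399 @@
+#!/bin/sh
+# OpenVPN -- An application to securely tunnel IP networks
+# over a single TCP/UDP port, with support for SSL/TLS-based
+# session authentication and key exchange,
+# packet encryption, packet authentication, and
+# packet compression.
+#
+# Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program (see the file COPYING included with this
+# distribution); if not, write to the Free Software Foundation, Inc.,
+# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+# pkitool is a front-end for the openssl tool.
+# Calling scripts can set the certificate organizational
+# unit with the KEY_OU environmental variable.
+# Calling scripts can also set the KEY_NAME environmental
+# variable to set the "name" X509 subject field.
+PROGNAME=pkitool
+VERSION=2.0
+DEBUG=0
+die()
+{
+local m="$1"
+echo "$m" >&2
+exit 1
+}
+need_vars()
+{
+cat <<EOM
+Please edit the vars script to reflect your configuration,
+then source it with "source ./vars".
+Next, to start with a fresh PKI configuration and to delete any
+previous certificates and keys, run "./clean-all".
+Finally, you can run this tool ($PROGNAME) to build certificates/keys.
+EOM
+}
+usage()
+{
+cat <<EOM
+$PROGNAME $VERSION
+Usage: $PROGNAME [options...] [common-name]
+Options:
+--batch : batch mode (default)
+--keysize : Set keysize
+size : size (default=1024)
+--interact : interactive mode
+--server : build server cert
+--initca : build root CA
+--inter : build intermediate CA
+--pass : encrypt private key with password
+--csr : only generate a CSR, do not sign
+--sign : sign an existing CSR
+--pkcs12 : generate a combined PKCS#12 file
+--pkcs11 : generate certificate on PKCS#11 token
+lib : PKCS#11 library
+slot : PKCS#11 slot
+id : PKCS#11 object id (hex string)
+label : PKCS#11 object label
+Standalone options:
+--pkcs11-slots : list PKCS#11 slots
+lib : PKCS#11 library
+--pkcs11-objects : list PKCS#11 token objects
+lib : PKCS#11 library
+slot : PKCS#11 slot
+--pkcs11-init : initialize PKCS#11 token DANGEROUS!!!
+lib : PKCS#11 library
+slot : PKCS#11 slot
+label : PKCS#11 token label
+Notes:
+EOM
+need_vars
+cat <<EOM
+In order to use PKCS#11 interface you must have opensc-0.10.0 or higher.
+Generated files and corresponding OpenVPN directives:
+(Files will be placed in the \$KEY_DIR directory, defined in ./vars)
+ca.crt -> root certificate (--ca)
+ca.key -> root key, keep secure (not directly used by OpenVPN)
+.crt files -> client/server certificates (--cert)
+.key files -> private keys, keep secure (--key)
+.csr files -> certificate signing request (not directly used by OpenVPN)
+dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)
+Examples:
+$PROGNAME --initca -> Build root certificate
+$PROGNAME --initca --pass -> Build root certificate with password-protected key
+$PROGNAME --server server1 -> Build "server1" certificate/key
+$PROGNAME client1 -> Build "client1" certificate/key
+$PROGNAME --pass client2 -> Build password-protected "client2" certificate/key
+$PROGNAME --pkcs12 client3 -> Build "client3" certificate/key in PKCS#12 format
+$PROGNAME --csr client4 -> Build "client4" CSR to be signed by another CA
+$PROGNAME --sign client4 -> Sign "client4" CSR
+$PROGNAME --inter interca -> Build an intermediate key-signing certificate/key
+Also see ./inherit-inter script.
+$PROGNAME --pkcs11 /usr/lib/pkcs11/lib1 0 010203 "client5 id" client5
+-> Build "client5" certificate/key in PKCS#11 token
+Typical usage for initial PKI setup. Build myserver, client1, and client2 cert/keys.
+Protect client2 key with a password. Build DH parms. Generated files in ./keys :
+[edit vars with your site-specific info]
+source ./vars
+./clean-all
+./build-dh -> takes a long time, consider backgrounding
+./$PROGNAME --initca
+./$PROGNAME --server myserver
+./$PROGNAME client1
+./$PROGNAME --pass client2
+Typical usage for adding client cert to existing PKI:
+source ./vars
+./$PROGNAME client-new
+EOM
+}
+# Set tool defaults
+[ -n "$OPENSSL" ] || export OPENSSL="openssl"
+[ -n "$PKCS11TOOL" ] || export PKCS11TOOL="pkcs11-tool"
+[ -n "$GREP" ] || export GREP="grep"
+# Set defaults
+DO_REQ="1"
+REQ_EXT=""
+DO_CA="1"
+CA_EXT=""
+DO_P12="0"
+DO_P11="0"
+DO_ROOT="0"
+NODES_REQ="-nodes"
+NODES_P12=""
+BATCH="-batch"
+CA="ca"
+# must be set or errors of openssl.cnf
+PKCS11_MODULE_PATH="dummy"
+PKCS11_PIN="dummy"
+# Process options
+while [ $# -gt 0 ]; do
+case "$1" in
+--keysize ) KEY_SIZE=$2
+shift;;
+--server ) REQ_EXT="$REQ_EXT -extensions server"
+CA_EXT="$CA_EXT -extensions server" ;;
+--batch ) BATCH="-batch" ;;
+--interact ) BATCH="" ;;
+--inter ) CA_EXT="$CA_EXT -extensions v3_ca" ;;
+--initca ) DO_ROOT="1" ;;
+--pass ) NODES_REQ="" ;;
+--csr ) DO_CA="0" ;;
+--sign ) DO_REQ="0" ;;
+--pkcs12 ) DO_P12="1" ;;
+--pkcs11 ) DO_P11="1"
+PKCS11_MODULE_PATH="$2"
+PKCS11_SLOT="$3"
+PKCS11_ID="$4"
+PKCS11_LABEL="$5"
+shift 4;;
+# standalone
+--pkcs11-init)
+PKCS11_MODULE_PATH="$2"
+PKCS11_SLOT="$3"
+PKCS11_LABEL="$4"
+if [ -z "$PKCS11_LABEL" ]; then
+die "Please specify library name, slot and label"
+fi
+$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
+--label "$PKCS11_LABEL" &&
+$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
+exit $?;;
+--pkcs11-slots)
+PKCS11_MODULE_PATH="$2"
+if [ -z "$PKCS11_MODULE_PATH" ]; then
+die "Please specify library name"
+fi
+$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
+exit 0;;
+--pkcs11-objects)
+PKCS11_MODULE_PATH="$2"
+PKCS11_SLOT="$3"
+if [ -z "$PKCS11_SLOT" ]; then
+die "Please specify library name and slot"
+fi
+$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
+exit 0;;
+--help|--usage)
+usage
+exit ;;
+--version)
+echo "$PROGNAME $VERSION"
+exit ;;
+# errors
+--* ) die "$PROGNAME: unknown option: $1" ;;
+* ) break ;;
+esac
+shift
+done
+if ! [ -z "$BATCH" ]; then
+if $OPENSSL version | grep 0.9.6 > /dev/null; then
+die "Batch mode is unsupported in openssl<0.9.7"
+fi
+fi
+if [ $DO_P12 -eq 1 -a $DO_P11 -eq 1 ]; then
+die "PKCS#11 and PKCS#12 cannot be specified together"
+fi
+if [ $DO_P11 -eq 1 ]; then
+if ! grep "^pkcs11.*=" "$KEY_CONFIG" > /dev/null; then
+die "Please edit $KEY_CONFIG and setup PKCS#11 engine"
+fi
+fi
+# If we are generating pkcs12, only encrypt the final step
+if [ $DO_P12 -eq 1 ]; then
+NODES_P12="$NODES_REQ"
+NODES_REQ="-nodes"
+fi
+if [ $DO_P11 -eq 1 ]; then
+if [ -z "$PKCS11_LABEL" ]; then
+die "PKCS#11 arguments incomplete"
+fi
+fi
+# If undefined, set default key expiration intervals
+if [ -z "$KEY_EXPIRE" ]; then
+KEY_EXPIRE=3650
+fi
+if [ -z "$CA_EXPIRE" ]; then
+CA_EXPIRE=3650
+fi
+# Set organizational unit to empty string if undefined
+if [ -z "$KEY_OU" ]; then
+KEY_OU=""
+fi
+# Set X509 Name string to empty string if undefined
+if [ -z "$KEY_NAME" ]; then
+KEY_NAME=""
+fi
+# Set KEY_CN, FN
+if [ $DO_ROOT -eq 1 ]; then
+if [ -z "$KEY_CN" ]; then
+if [ "$1" ]; then
+KEY_CN="$1"
+KEY_ALTNAMES="DNS:${KEY_CN}"
+elif [ "$KEY_ORG" ]; then
+KEY_CN="$KEY_ORG CA"
+KEY_ALTNAMES="$KEY_CN"
+fi
+fi
+if [ $BATCH ] && [ "$KEY_CN" ]; then
+echo "Using CA Common Name:" "$KEY_CN"
+KEY_ALTNAMES="$KEY_CN"
+fi
+FN="$KEY_CN"
+elif [ $BATCH ] && [ "$KEY_CN" ]; then
+echo "Using Common Name:" "$KEY_CN"
+KEY_ALTNAMES="$KEY_CN"
+FN="$KEY_CN"
+if [ "$1" ]; then
+FN="$1"
+fi
+else
+KEY_CN="$1"
+KEY_ALTNAMES="DNS:$1"
+shift
+while [ "x$1" != "x" ]
+do
+KEY_ALTNAMES="${KEY_ALTNAMES},DNS:$1"
+shift
+done
+FN="$KEY_CN"
+fi
+export CA_EXPIRE KEY_EXPIRE KEY_OU KEY_NAME KEY_CN PKCS11_MODULE_PATH PKCS11_PIN KEY_ALTNAMES
+# Show parameters (debugging)
+if [ $DEBUG -eq 1 ]; then
+echo DO_REQ $DO_REQ
+echo REQ_EXT $REQ_EXT
+echo DO_CA $DO_CA
+echo CA_EXT $CA_EXT
+echo NODES_REQ $NODES_REQ
+echo NODES_P12 $NODES_P12
+echo DO_P12 $DO_P12
+echo KEY_CN $KEY_CN
+echo KEY_ALTNAMES $KEY_ALTNAMES
+echo BATCH $BATCH
+echo DO_ROOT $DO_ROOT
+echo KEY_EXPIRE $KEY_EXPIRE
+echo CA_EXPIRE $CA_EXPIRE
+echo KEY_OU $KEY_OU
+echo KEY_NAME $KEY_NAME
+echo DO_P11 $DO_P11
+echo PKCS11_MODULE_PATH $PKCS11_MODULE_PATH
+echo PKCS11_SLOT $PKCS11_SLOT
+echo PKCS11_ID $PKCS11_ID
+echo PKCS11_LABEL $PKCS11_LABEL
+fi
+# Make sure ./vars was sourced beforehand
+if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
+cd "$KEY_DIR"
+# Make sure $KEY_CONFIG points to the correct version
+# of openssl.cnf
+if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
+:
+else
+echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
+echo "version of openssl.cnf: $KEY_CONFIG"
+echo "The correct version should have a comment that says: easy-rsa version 2.x";
+exit 1;
+fi
+# Build root CA
+if [ $DO_ROOT -eq 1 ]; then
+$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
+-x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
+chmod 0600 "$CA.key"
+else
+# Make sure CA key/cert is available
+if [ $DO_CA -eq 1 ] || [ $DO_P12 -eq 1 ]; then
+if [ ! -r "$CA.crt" ] || [ ! -r "$CA.key" ]; then
+echo "$PROGNAME: Need a readable $CA.crt and $CA.key in $KEY_DIR"
+echo "Try $PROGNAME --initca to build a root certificate/key."
+exit 1
+fi
+fi
+# Generate key for PKCS#11 token
+PKCS11_ARGS=
+if [ $DO_P11 -eq 1 ]; then
+stty -echo
+echo -n "User PIN: "
+read -r PKCS11_PIN
+stty echo
+export PKCS11_PIN
+echo "Generating key pair on PKCS#11 token..."
+$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
+--login --pin "$PKCS11_PIN" \
+--key-type rsa:1024 \
+--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
+PKCS11_ARGS="-engine pkcs11 -keyform engine -key $PKCS11_SLOT:$PKCS11_ID"
+fi
+# Build cert/key
+( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH $NODES_REQ -new -newkey rsa:$KEY_SIZE \
+-keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
+( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
+-in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \
+( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
+-in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
+( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \
+( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
+# Load certificate into PKCS#11 token
+if [ $DO_P11 -eq 1 ]; then
+$OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
+$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
+--login --pin "$PKCS11_PIN" \
+--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
+[ -e "$FN.crt.der" ]; rm "$FN.crt.der"
+fi
+fi
+# Need definitions
+else
+need_vars
+fi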
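Review bot: Private keys are written before their permissions are tightened, and on the `--csr` path they are never tightened at all: the build chain runs `chmod 0600 "$FN.key"` only when `DO_CA` is 1, and the root CA key gets `chmod 0600 "$CA.key"` only after `openssl req` has already created the file. With the default `-nodes` the key is stored unencrypted, so depending on the caller's umask and the OpenSSL version it may be readable by other local users, briefly for signed keys and permanently for CSR-only keys. Setting `umask 077` right after `cd "$KEY_DIR"` would cover every key file without relying on the later chmod calls; certificates meant to be shared would then need an explicit `chmod 0644`. Separately, the PKCS#11 branch hard-codes `--key-type rsa:1024` and ignores `KEY_SIZE`; `--key-type "rsa:$KEY_SIZE"` would keep token keys at the configured size, and the usage text still advertises `default=1024`.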

43
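--- a/tests/cfg/pki/revoke-full
+++ b/tests/cfg/pki/revoke-full
@@ -0,0 +1,43 @@
+#!/bin/sh
+# revoke a certificate, regenerate CRL,
+# and verify revocation
+CRL="crl.pem"
+RT="revoke-test.pem"
+if [ $# -ne 1 ]; then
+echo "usage: revoke-full <cert-name-base>";
+exit 1
+fi
+if [ "$KEY_DIR" ]; then
+cd "$KEY_DIR"
+rm -f "$RT"
+# set defaults
+export KEY_CN=""
+export KEY_OU=""
+export KEY_NAME=""
+# required due to hack in openssl.cnf that supports Subject Alternative Names
+export KEY_ALTNAMES=""
+# revoke key and generate a new CRL
+$OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
+# generate a new CRL -- try to be compatible with
+# intermediate PKIs
+$OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
+if [ -e export-ca.crt ]; then
+cat export-ca.crt "$CRL" >"$RT"
+else
+cat ca.crt "$CRL" >"$RT"
+fi
+# verify the revocation
+$OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
+else
+echo 'Please source the vars script first (i.e. "source ./vars")'
+echo 'Make sure you have edited it to reflect your configuration.'
+fi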
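Review bot: None of the steps check their exit status, so a caller cannot tell a failed revocation from a successful one. If `cd "$KEY_DIR"` fails, `rm -f "$RT"` and the CRL output land in the caller's working directory, and if `$OPENSSL ca -revoke` fails the script still regenerates the CRL and runs the verify step. I would use `cd "$KEY_DIR" || exit 1` and `$OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG" || exit 1`, and add a comment above the final `verify` saying that a "certificate revoked" verification failure is the expected outcome there. The else branch also returns 0 when `KEY_DIR` is unset; an `exit 1` after the two echo lines would make that detectable.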

7
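--- a/tests/cfg/pki/sign-req
+++ b/tests/cfg/pki/sign-req
@@ -0,0 +1,7 @@
+#!/bin/sh
+# Sign a certificate signing request (a .csr file)
+# with a local root certificate and key.
+export EASY_RSA="${EASY_RSA:-.}"
+"$EASY_RSA/pkitool" --interact --sign $*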

80
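--- a/tests/cfg/pki/vars
+++ b/tests/cfg/pki/vars
@@ -0,0 +1,80 @@
+# easy-rsa parameter settings
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export EASY_RSA="`pwd`"
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR="$EASY_RSA/keys"
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+# Increase this to 2048 if you
+# are paranoid. This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=2048
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY="US"
+export KEY_PROVINCE="CA"
+export KEY_CITY="SanFrancisco"
+export KEY_ORG="Fort-Funston"
+export KEY_EMAIL="me@myhost.mydomain"
+export KEY_OU="MyOrganizationalUnit"
+# X509 Subject Field
+export KEY_NAME="EasyRSA"
+# PKCS11 Smart Card
+# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
+# export PKCS11_PIN=1234
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+# export KEY_CN="CommonName"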
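Review bot: `EASY_RSA` is taken from `pwd` at the moment the file is sourced, and `KEY_DIR`, which the file's own comment says clean-all will `rm -rf`, is derived from it, so sourcing this file from any other directory silently points the destructive path somewhere unintended. A guard after the `EASY_RSA` export, such as `[ -x "$EASY_RSA/pkitool" ] || echo "warning: vars sourced outside the easy-rsa directory" >&2`, would catch that. The `KEY_CONFIG` line also expands `$EASY_RSA` unquoted inside backticks, which breaks when the checkout path contains spaces; `export KEY_CONFIG="$("$EASY_RSA/whichopensslcnf" "$EASY_RSA")"` avoids it. The comment above `KEY_SIZE` still says to increase the value to 2048 although it is already 2048, so it should be reworded to describe the current setting.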

26
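--- a/tests/cfg/pki/whichopensslcnf
+++ b/tests/cfg/pki/whichopensslcnf
@@ -0,0 +1,26 @@
+#!/bin/sh
+cnf="$1/openssl.cnf"
+if [ "$OPENSSL" ]; then
+if $OPENSSL version | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null; then
+cnf="$1/openssl-0.9.6.cnf"
+elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then
+cnf="$1/openssl-0.9.8.cnf"
+elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" > /dev/null; then
+cnf="$1/openssl-1.0.0.cnf"
+else
+cnf="$1/openssl.cnf"
+fi
+fi
+echo $cnf
+if [ ! -r $cnf ]; then
+echo "**************************************************************" >&2
+echo " No $cnf file could be found" >&2
+echo " Further invocations will fail" >&2
+echo "**************************************************************" >&2
+fi
+exit 0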
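Review bot: The script prints the chosen path and exits 0 even when that file is unreadable, so `vars` exports a `KEY_CONFIG` that does not exist and the failure only surfaces later in pkitool. `$cnf` is also unquoted in `echo $cnf` and `[ ! -r $cnf ]`, so a directory argument containing spaces makes the readability test misbehave; `echo "$cnf"` and `[ ! -r "$cnf" ]` fix that. An OpenSSL version outside the three matched series (0.9.6, 0.9.8, 1.0.x) falls back to `$1/openssl.cnf`; whether that file is shipped is not visible in this section, so a comment stating the intended fallback would help.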

142
tests/cfg/uts-server.cnf Normal file

@ -0,0 +1,142 @@
[ new_oids ]
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ main ]
# Comma-separated list of ips:ports to listen on.
# If the port is SSL, a letter s must be appended.
listening_ports = 127.0.0.1:2020
#listening_ports = 80,443s
# Allows clients to reuse TCP connection for subsequent HTTP requests, which improves performance.
enable_keep_alive = no
# Number of worker threads.
num_threads = 50
# Switch to given user credentials after startup.
# Required to run on privileged ports and not be run as root.
# run_as_user = uts-server
# Limit download speed for clients. throttle is a comma-separated list of key=value pairs:
# * limit speed for all connections
# x.x.x.x/mask limit speed for specified subnet
# The value is a floating-point number of bytes per second, optionally followed by a k or m character
# meaning kilobytes and megabytes respectively. A limit of 0 means unlimited rate
throttle = *
#throttle = *=1k,10.10.0.0/16=10m,10.20.0.0/16=0
# Timeout for network read and network write operations, in milliseconds.
request_timeout_ms = 30000
# Path to the SSL certificate file. (PEM format containing private key and certificate)
#ssl_certificate = /etc/uts-server/cert.pem
# Enable client's certificate verification by the server.
#ssl_verify_peer = yes
# Name of a directory containing trusted CA certificates
#ssl_ca_path = /etc/ssl/ca/
# Path to a .pem file containing trusted certificates. The file may contain more than one certificate.
#ssl_ca_file = /etc/uts-server/ca.pem
# Sets maximum depth of certificate chain.
# If client's certificate chain is longer than the depth set here connection is refused.
#ssl_verify_depth = 9
# Loads default trusted certificates locations set at openssl compile time.
#ssl_default_verify_paths = yes
# see https://www.openssl.org/docs/manmaster/apps/ciphers.html for more detailed
#ssl_cipher_list = ALL:!eNULL
# Sets the minimal accepted version of SSL/TLS protocol according to the table:
# SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 0
# SSL3+TLS1.0+TLS1.1+TLS1.2 1
# TLS1.0+TLS1.1+TLS1.2 2
# TLS1.1+TLS1.2 3
# TLS1.2 4
#ssl_protocol_version = 3
# Enables the use of short lived certificates
#ssl_short_trust = no
# comma separated list of IP subnets to accept/deny
# deny all accesses, only allow 192.168/16 subnet
#access_control_allow_origin = -0.0.0.0/0,+192.168/16
# Enable TCP_NODELAY socket option on client connections.
tcp_nodelay = 0
# loglevel
# debug, info, notice, warn, err, emerg, crit
log_level = info
####################################################################
[ tsa ]
# The default TSA section.
default_tsa = tsa_config1
[ tsa_config1 ]
# These are used by the TSA reply generation only.
# TSA root directory
dir = ./demoCA
# The current serial number
# (mandatory)
serial = ./tsaserial
# OpenSSL engine to use for signing
crypto_device = builtin
# The TSA signing certificat
# (optional)
signer_cert = $dir/tsacert.pem
# Certificate chain to include in reply
# (optional)
certs = $dir/cacert.pem
# The TSA private key
# (optional)
signer_key = $dir/private/tsakey.pem
# Policy if request did not specify it
# (optional)
default_policy = tsa_policy1
# Acceptable policies
# (optional)
other_policies = tsa_policy2, tsa_policy3
# Acceptable message digests
# (mandatory)
digests = md5, sha1
# (optional)
accuracy = secs:1, millisecs:500, microsecs:100
# Number of digits after dot.
# (optional)
clock_precision_digits = 0
# Is ordering defined for timestamps?
# (optional, default: no)
ordering = yes
# Must the TSA name be included in the reply?
## (optional, default: no)
tsa_name = yes
# Must the ESS cert id chain be included?
# (optional, default: no)
ess_cert_id_chain = no