| Current Path : /home/usr.opt/mysql57/mysql-test/std_data/ |
FreeBSD hs32.drive.ne.jp 9.1-RELEASE FreeBSD 9.1-RELEASE #1: Wed Jan 14 12:18:08 JST 2015 root@hs32.drive.ne.jp:/sys/amd64/compile/hs32 amd64 |
| Current File : //home/usr.opt/mysql57/mysql-test/std_data/crl-certificate-readme.txt |
These are the instructions on how to generate test files for the CRL tests
using openSSL.
If you have root access on the system
=====================================
1. Make sure you have the right validity periods in CA.pl and openssl.cnf
2. Create a new certification authority : CA.pl -newca
3. Copy demoCA/cacert.pem to crl-ca-cert.pem
4. Create one server certificate request : CA.pl -newreq
5. Sign the server certificate request : CA.pl -signCA
6. Copy demoCA/newcert.pem to crl-server-cert.pem
7. Remove the key from server's certificate key while copying it :
openssl rsa -in newkey.pem -out crl-server-key.pem
8. Create one client certificate request : CA.pl -newreq
9. Sign the client certificate request : CA.pl -signCA
10. Copy demoCA/newcert.pem to crl-client-cert.pem
11. Remove the key from client's certificate key while copying it :
openssl rsa -in newkey.pem -out crl-client-key.pem
12. Create one to-be-revoked client certificate request : CA.pl -newreq
13. Sign the to-be-revoked client certificate request : CA.pl -signCA
14. Copy demoCA/newcert.pem to crl-client-cert-revoked.pem
15. Remove the key from the to-be-revoked client's certificate
key while copying it :
openssl rsa -in newkey.pem -out crl-client-key-revoked.pem
16. Revoke the crl-client-invalid-cert.pem :
openssl ca -revoke crl-client-invalid-cert.pem
17. Generate a CRL file :
openssl ca -gencrl -crldays=3650 -out crl-client-revoked.crl
18. Clean up all the files in the crldir directory
19. Copy the CRL file into it :
cp crl-client-revoked.crl `openssl crl -in crl-client-revoked.crl -noout -hash`.r0
If you are using your own CA
============================
Prepare directory
-----------------
1. mkdir new_crlcerts && cd new_crlcerts
2. mkdir crldir
3. mkdir private
Generate CA and 3 set of certificates
-------------------------------------
4. Generate CA
openssl genrsa 2048 > crl-ca-key.pem
openssl req -new -x509 -nodes -days 3650 -key crl-ca-key.pem -out crl-ca-cert.pem
5. Generate Server certificate
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout crl-server-key.pem -out crl-server-req.pem
openssl rsa -in crl-server-key.pem -out crl-server-key.pem
openssl x509 -req -in crl-server-req.pem -days 3600 -CA crl-ca-cert.pem -CAkey crl-ca-key.pem -set_serial 01 -out crl-server-cert.pem
6. Generate Client certificate
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout crl-client-key.pem -out crl-client-req.pem
openssl rsa -in crl-client-key.pem -out crl-client-key.pem
openssl x509 -req -in crl-client-req.pem -days 3600 -CA crl-ca-cert.pem -CAkey crl-ca-key.pem -set_serial 02 -out crl-client-cert.pem
7. Generate Client certificate that will be revoked later
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout crl-client-revoked-key.pem -out crl-client-revoked-req.pem
openssl rsa -in crl-client-revoked-key.pem -out crl-client-revoked-key.pem
openssl x509 -req -in crl-client-revoked-req.pem -days 3600 -CA crl-ca-cert.pem -CAkey crl-ca-key.pem -set_serial 03 -out crl-client-revoked-cert.pem
Prepare for certificate revocation
----------------------------------
8. cp crl-ca-cert.pem cacert.pem
9. cp crl-ca-key.pem private/cakey.pem
10. touch index.txt
11. echo 1000 > crlnumber
12. copy global openssl.cnf to current working dirctory
13. Open local copy of openssl.cnf and in [CA_default] section
- Update dir to point to current working directory
- Update certs to point to $dir and not $dir/certs
Revoke a certificate and create crl file
----------------------------------------
14. openssl ca -config openssl.cnf -revoke crl-client-revoked-cert.pem
15. openssl ca -config openssl.cnf -gencrl -crldays 3600 -out crl-client-revoked.crl
16. cp crl-client-revoked.crl `openssl crl -in crl-client-revoked.pem -noout -hash`.r0
Replace existing certs
----------------------
17. Replace following files in <src>/mysql-test/std_data/ with files generated above
crl-ca-cert.pem
crl-client-cert.pem
crl-client-key.pem
crl-client-revoked-cert.pem
crl-client-revoked-key.pem
crl-client-revoked.crl
crl-server-cert.pem
crl-server-key.pem
18. Remove file in <src>/mysql-test/std_data/crldir
19. Copy file generated in step 16 above to <src>/mysql-test/std_data/crldir
20. You may now remove new_crls directory