-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Prepare for DST Root CA X3 expiration and the woes that come with it
References: * https://blog.voltone.net/post/29 * https://blog.voltone.net/post/30 * elixir-mint/mint#328 * http://erlang.org/pipermail/erlang-questions/2021-July/101251.html * http://erlang.org/pipermail/erlang-questions/2021-July/101252.html
- Loading branch information
Showing
8 changed files
with
358 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
*.csr | ||
*.pem | ||
*.srl |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,141 @@ | ||
|
||
all: good_ca_store_for_expiry | ||
all: bad_ca_store_for_expiry | ||
all: ca_store1_for_cross_signing | ||
all: ca_store2_for_cross_signing | ||
all: localhost_chain_for_expiry | ||
all: localhost_chain_for_cross_signing | ||
|
||
good_ca_store_for_expiry: new_ca | ||
good_ca_store_for_expiry: expired_ca | ||
good_ca_store_for_expiry: | ||
cat expired_ca.pem new_ca.pem >good_ca_store_for_expiry.pem | ||
.PHONY: good_ca_store_for_expiry | ||
|
||
bad_ca_store_for_expiry: expired_ca | ||
bad_ca_store_for_expiry: | ||
cat expired_ca.pem >bad_ca_store_for_expiry.pem | ||
.PHONY: bad_ca_store_for_expiry | ||
|
||
ca_store1_for_cross_signing: third_ca | ||
cat new_ca.pem >ca_store1_for_cross_signing.pem | ||
|
||
ca_store2_for_cross_signing: third_ca | ||
cat third_ca.pem >ca_store2_for_cross_signing.pem | ||
|
||
localhost_chain_for_expiry: localhost | ||
localhost_chain_for_expiry: regular_intermediate_cert | ||
localhost_chain_for_expiry: cross_signed_bad_intermediate_cert | ||
cat \ | ||
localhost.pem \ | ||
regular_intermediate_cert.pem \ | ||
cross_signed_bad_intermediate_cert.pem \ | ||
>localhost_chain_for_expiry.pem | ||
.PHONY: localhost_chain | ||
|
||
localhost_chain_for_cross_signing: localhost | ||
localhost_chain_for_cross_signing: regular_intermediate_cert | ||
localhost_chain_for_cross_signing: cross_signed_good_intermediate_cert | ||
cat \ | ||
localhost.pem \ | ||
regular_intermediate_cert.pem \ | ||
cross_signed_good_intermediate_cert.pem \ | ||
>localhost_chain_for_cross_signing.pem | ||
.PHONY: localhost_chain | ||
|
||
localhost: regular_intermediate_cert | ||
localhost: localhost.csr | ||
localhost: | ||
faketime -f '-5y' openssl x509 \ | ||
-req \ | ||
-in localhost.csr \ | ||
-CA regular_intermediate_cert.pem \ | ||
-CAkey regular_intermediate_cert_key.pem \ | ||
-CAcreateserial \ | ||
-out localhost.pem \ | ||
-days 3600 \ | ||
-sha256 | ||
.PHONY: localhost | ||
|
||
regular_intermediate_cert: new_ca | ||
regular_intermediate_cert: regular_intermediate_cert.csr | ||
faketime -f '-5y' openssl x509 \ | ||
-req \ | ||
-in regular_intermediate_cert.csr \ | ||
-extfile intermediate_ca.ext \ | ||
-extensions v3_intermediate_ca \ | ||
-CA new_ca.pem \ | ||
-CAkey new_ca_key.pem \ | ||
-CAcreateserial \ | ||
-out regular_intermediate_cert.pem \ | ||
-days 3600 \ | ||
-sha256 | ||
.PHONY: regular_intermediate_cert | ||
|
||
cross_signed_bad_intermediate_cert: expired_ca | ||
cross_signed_bad_intermediate_cert: new_ca.csr | ||
faketime -f '-5y' openssl x509 \ | ||
-req \ | ||
-in new_ca.csr \ | ||
-extfile intermediate_ca.ext \ | ||
-extensions v3_intermediate_ca \ | ||
-CA expired_ca.pem \ | ||
-CAkey expired_ca_key.pem \ | ||
-CAcreateserial \ | ||
-out cross_signed_bad_intermediate_cert.pem \ | ||
-days 3600 \ | ||
-sha256 | ||
.PHONY: cross_signed_bad_intermediate_cert | ||
|
||
cross_signed_good_intermediate_cert: third_ca | ||
cross_signed_good_intermediate_cert: new_ca.csr | ||
faketime -f '-5y' openssl x509 \ | ||
-req \ | ||
-in new_ca.csr \ | ||
-extfile intermediate_ca.ext \ | ||
-extensions v3_intermediate_ca \ | ||
-CA third_ca.pem \ | ||
-CAkey third_ca_key.pem \ | ||
-CAcreateserial \ | ||
-out cross_signed_good_intermediate_cert.pem \ | ||
-days 3600 \ | ||
-sha256 | ||
.PHONY: cross_signed_good_intermediate_cert | ||
|
||
expired_ca: faketime | ||
expired_ca: expired_ca_key.pem | ||
faketime -f '-5y' openssl req -x509 \ | ||
-new -nodes \ | ||
-key expired_ca_key.pem \ | ||
-sha256 \ | ||
-days 1800 \ | ||
-subj "/CN=Expired CA" \ | ||
-out expired_ca.pem | ||
.PHONY: expired_ca | ||
|
||
faketime: | ||
./install_faketime.sh | ||
.PHONY: faketime | ||
|
||
.PRECIOUS: %_ca # prevens removal of what is considered an intermediate file (FIXME untested on macos) | ||
%_ca: %_ca_key.pem | ||
faketime -f '-5y' openssl req -x509 \ | ||
-new -nodes \ | ||
-key $*_ca_key.pem \ | ||
-sha256 \ | ||
-days 3600 \ | ||
-subj "/CN=$*_ca" \ | ||
-out $*_ca.pem | ||
.PHONY: %_ca | ||
|
||
.PRECIOUS: %_key.pem # prevens removal of what is considered an intermediate file (FIXME untested on macos) | ||
%.csr: %_key.pem | ||
openssl req \ | ||
-new \ | ||
-key $*_key.pem \ | ||
-subj "/CN=$*" \ | ||
-out $@ | ||
|
||
.PRECIOUS: %_key.pem # prevens removal of what is considered an intermediate file (FIXME untested on macos) | ||
%_key.pem: | ||
openssl genrsa -out $@ 2048 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
#!/usr/bin/env bash | ||
|
||
set -eu | ||
|
||
function is_installed { | ||
which $1 >/dev/null; | ||
} | ||
|
||
|
||
if is_installed faketime; then | ||
exit | ||
fi | ||
|
||
if is_installed brew; then | ||
brew install faketime # FIXME untested | ||
exit | ||
fi | ||
|
||
if is_installed apt-get; then | ||
DEBIAN_FRONTEND=noninteractive sudo apt-get --yes install faketime | ||
exit | ||
fi | ||
|
||
>&2 echo "I don't know how to install faketime in your system" | ||
exit 1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
# From: https://stackoverflow.com/questions/52500165/problem-verifying-a-self-created-openssl-root-intermediate-and-end-user-certifi | ||
|
||
[ v3_intermediate_ca ] | ||
# Extensions for a typical intermediate CA (`man x509v3_config`). | ||
subjectKeyIdentifier = hash | ||
authorityKeyIdentifier = keyid:always,issuer | ||
basicConstraints = critical, CA:true, pathlen:1 | ||
keyUsage = critical, digitalSignature, cRLSign, keyCertSign |
Oops, something went wrong.