## Generating test certificates
### CA
#### Configuration (ca.conf)
```
[ req ]
encrypt_key = no
default_md = sha256
prompt = no
utf8 = yes
distinguished_name = my_req_distinguished_name
# "req -x509" takes the extensions for the self-signed certificate from
# x509_extensions; req_extensions only applies to certificate requests.
x509_extensions = my_extensions
[ my_req_distinguished_name ]
C = US
ST = California
L = San Francisco
O = ca
CN = CA
[ my_extensions ]
# A CA must assert keyCertSign, otherwise verifiers refuse to treat it as an issuer.
keyUsage=critical, keyCertSign, cRLSign
basicConstraints=critical,CA:TRUE
# No extendedKeyUsage on the CA: a critical serverAuth-only EKU here would make
# OpenSSL reject the clientAuth certificate issued further down.
subjectKeyIdentifier = hash
```
#### Create the CA certificate
```shell
openssl genpkey -algorithm EC -out ca.key -pkeyopt ec_paramgen_curve:secp384r1 -pkeyopt ec_param_enc:named_curve
openssl req -new -x509 -days 3650 -config ca.conf -out ca.pem -key ca.key
```
### Server cert
#### Configuration (server.conf)
```
[ req ]
encrypt_key = no
default_md = sha256
prompt = no
utf8 = yes
distinguished_name = my_req_distinguished_name
[ my_req_distinguished_name ]
C = US
ST = California
L = San Francisco
O = ocaml-ssl
CN = localhost
```
#### Extensions (ssl-extensions-x509.conf)
```
[v3_ca]
keyUsage=critical, digitalSignature, keyEncipherment
basicConstraints=critical,CA:FALSE
extendedKeyUsage=critical,serverAuth
subjectKeyIdentifier = hash
# subjectAltName = IP:127.0.0.1
```
#### Create the server certificate
```shell
openssl genpkey -algorithm EC -out server.key -pkeyopt ec_paramgen_curve:secp384r1 -pkeyopt ec_param_enc:named_curve
openssl req -new -config server.conf -out server.csr -key server.key
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.pem -days 3650 -extensions v3_ca -extfile ./ssl-extensions-x509.conf
```
### Client cert
#### Configuration (client.conf)
```
[ req ]
encrypt_key = no
default_md = sha256
prompt = no
utf8 = yes
distinguished_name = my_req_distinguished_name
[ my_req_distinguished_name ]
C = US
ST = California
L = San Francisco
O = ocaml-ssl
CN = localhost
```
#### Extensions (ssl-extensions-x509.conf)
```
[v3_ca]
keyUsage=critical, digitalSignature, keyEncipherment
basicConstraints=critical,CA:FALSE
extendedKeyUsage=critical,clientAuth
subjectKeyIdentifier = hash
```
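The page gives no command sequence for the client certificate. The script below is an added example, not the project's own code: it carries the whole procedure through (CA, server, client) and then uses `openssl verify -purpose` to check that each leaf validates only for its intended use. It assumes POSIX sh with `openssl` on PATH, and it replaces the two identically named ssl-extensions-x509.conf files with a single ext.conf holding `[v3_server]` and `[v3_client]` sections; the CA section asserts keyCertSign so that verification accepts it as an issuer.

```shell
# Added example, not the project's code. Builds ca/server/client key+cert in $1 and
# verifies each leaf for its purpose. Assumes: openssl on PATH; one ext.conf with
# [v3_server]/[v3_client] sections instead of two same-named ssl-extensions-x509.conf.
set -eu

req_conf() {  # $1 = O, $2 = CN; emit a [req] config like the page's on stdout
  printf '[ req ]\nencrypt_key = no\ndefault_md = sha256\nprompt = no\nutf8 = yes\n'
  printf 'distinguished_name = dn\nx509_extensions = v3_ca\n[ dn ]\n'
  printf 'C = US\nST = California\nL = San Francisco\nO = %s\nCN = %s\n' "$1" "$2"
  # v3_ca is only consulted by "req -x509" (the CA); keyCertSign makes it a usable issuer
  printf '[ v3_ca ]\nkeyUsage = critical, keyCertSign, cRLSign\n'
  printf 'basicConstraints = critical, CA:TRUE\nsubjectKeyIdentifier = hash\n'
}
ec_key() {  # $1 = output file; the same P-384 named-curve key the page generates
  openssl genpkey -algorithm EC -out "$1" -pkeyopt ec_paramgen_curve:secp384r1 \
    -pkeyopt ec_param_enc:named_curve 2>/dev/null
}
# Create ca.pem, server.pem and client.pem (plus keys) in directory $1.
gen_test_certs() {
  d=$1; mkdir -p "$d"
  cat >"$d/ext.conf" <<'EOF'
[ v3_server ]
keyUsage = critical, digitalSignature, keyEncipherment
basicConstraints = critical, CA:FALSE
extendedKeyUsage = critical, serverAuth
subjectKeyIdentifier = hash
subjectAltName = DNS:localhost, IP:127.0.0.1
[ v3_client ]
keyUsage = critical, digitalSignature
basicConstraints = critical, CA:FALSE
extendedKeyUsage = critical, clientAuth
subjectKeyIdentifier = hash
EOF
  req_conf ca CA >"$d/ca.conf"
  ec_key "$d/ca.key"
  openssl req -new -x509 -days 3650 -config "$d/ca.conf" -key "$d/ca.key" -out "$d/ca.pem"
  for leaf in server client; do
    req_conf ocaml-ssl localhost >"$d/$leaf.conf"
    ec_key "$d/$leaf.key"
    openssl req -new -config "$d/$leaf.conf" -key "$d/$leaf.key" -out "$d/$leaf.csr"
    openssl x509 -req -in "$d/$leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
      -days 3650 -extfile "$d/ext.conf" -extensions "v3_$leaf" -out "$d/$leaf.pem" 2>/dev/null
  done
}
# Exit 0 iff $1/$3.pem chains to $1/ca.pem and is valid for purpose $2 (sslserver|sslclient).
verify_purpose() {
  openssl verify -CAfile "$1/ca.pem" -purpose "$2" "$1/$3.pem" >/dev/null 2>&1
}
```

Run as `gen_test_certs ./certs && verify_purpose ./certs sslserver server`; the critical EKU on each leaf means the server certificate fails `-purpose sslclient` and the client certificate fails `-purpose sslserver`.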