Diffstat (limited to 'tests/keys/README')
-rw-r--r--tests/keys/README56
1 files changed, 51 insertions, 5 deletions
diff --git a/tests/keys/README b/tests/keys/README
index 14515024..7a5a5684 100644
--- a/tests/keys/README
+++ b/tests/keys/README
@@ -11,6 +11,8 @@ README
ca2cert.pem Second-level RSA cert for ca2key.pem
dsakey.pem DSA private key
dsacert.pem Third level DSA cert for dsakey.pem
+ dsa2048key.pem DSA private key (2048 bits)
+ dsa3072key.pem DSA private key (3072 bits)
rsakey.pem RSA private key
rsacert.pem Third level RSA cert for rsacert.pem
hmackey.bin HMAC key ('secret')
@@ -37,12 +39,24 @@ README
> openssl verify -CAfile cacert.pem ca2cert.pem
C. Generate and sign DSA key with second level CA
- > openssl dsaparam -out dsakey.pem -genkey 512
+ > openssl dsaparam -out dsakey.pem -genkey 1024
> openssl req -config ./openssl.cnf -new -key dsakey.pem -out dsareq.pem
> openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \
-out dsacert.pem -infiles dsareq.pem
> openssl verify -CAfile cacert.pem -untrusted ca2cert.pem dsacert.pem
+ > openssl dsaparam -out dsa2048key.pem -genkey 2048
+ > openssl req -config ./openssl.cnf -new -key dsa2048key.pem -out dsa2048req.pem
+ > openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \
+ -out dsa2048cert.pem -infiles dsa2048req.pem
+ > openssl verify -CAfile cacert.pem -untrusted ca2cert.pem dsa2048cert.pem
+
+ > openssl dsaparam -out dsa3072key.pem -genkey 3072
+ > openssl req -config ./openssl.cnf -new -key dsa3072key.pem -out dsa3072req.pem
+ > openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \
+ -out dsa3072cert.pem -infiles dsa3072req.pem
+ > openssl verify -CAfile cacert.pem -untrusted ca2cert.pem dsa3072cert.pem
+
D. Generate and sign RSA key with second level CA
> openssl genrsa -out rsakey.pem
> openssl req -config ./openssl.cnf -new -key rsakey.pem -out rsareq.pem
@@ -64,24 +78,41 @@ README
> openssl ca -config ./openssl.cnf -days 1 -cert ca2cert.pem \
-keyfile ca2key.pem -out expiredcert.pem -infiles expiredreq.pem
> openssl verify -CAfile cacert.pem -untrusted ca2cert.pem expiredcert.pem
+
+ G. Generate ECDSA key with second level CA
+ > openssl ecparam -list_curves
+ > openssl ecparam -name secp256k1 -genkey -noout -out ecdsa-secp256k1-key.pem
+ > openssl req -config ./openssl.cnf -new -key ecdsa-secp256k1-key.pem -out ecdsa-secp256k1-req.pem
+ > openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \
+ -out ecdsa-secp256k1-cert.pem -infiles ecdsa-secp256k1-req.pem
+ > openssl verify -CAfile cacert.pem -untrusted ca2cert.pem ecdsa-secp256k1-cert.pem
+ > rm ecdsa-secp256k1-req.pem
3. Converting key and certs between PEM and DER formats
- Convert PEM private key file to DER file
- RSA key:
+ RSA keys:
> openssl rsa -inform PEM -outform DER -in rsakey.pem -out rsakey.der
> openssl rsa -inform PEM -outform DER -in largersakey.pem -out largersakey.der
> openssl rsa -inform PEM -outform DER -in expiredkey.pem -out expiredkey.der
- DSA key:
+ DSA keys:
> openssl dsa -inform PEM -outform DER -in dsakey.pem -out dsakey.der
+ > openssl dsa -inform PEM -outform DER -in dsa2048key.pem -out dsa2048key.der
+ > openssl dsa -inform PEM -outform DER -in dsa3072key.pem -out dsa3072key.der
+
+ ECDSA keys:
+ > openssl ec -inform PEM -outform DER -in ecdsa-secp256k1-key.pem -out ecdsa-secp256k1-key.der
- Convert PEM cert file to DER file
> openssl x509 -outform DER -in cacert.pem -out cacert.der
> openssl x509 -outform DER -in ca2cert.pem -out ca2cert.der
> openssl x509 -outform DER -in dsacert.pem -out dsacert.der
+ > openssl x509 -outform DER -in dsa2048cert.pem -out dsa2048cert.der
+ > openssl x509 -outform DER -in dsa3072cert.pem -out dsa3072cert.der
> openssl x509 -outform DER -in rsacert.pem -out rsacert.der
> openssl x509 -outform DER -in largersacert.pem -out largersacert.der
> openssl x509 -outform DER -in expiredcert.pem -out expiredcert.der
+ > openssl x509 -outform DER -in ecdsa-secp256k1-cert.pem -out ecdsa-secp256k1-cert.der
- (optional) Convert PEM public key file to DER file
RSA key:
@@ -97,23 +128,35 @@ README
4. Converting an unencrypted PEM or DER file containing a private key
to an encrypted PEM or DER file containing the same private key but
- encrypted
+ encrypted (the tests password is secret123):
> openssl pkcs8 -in dsakey.pem -inform pem -out dsakey.p8-pem -outform pem -topk8
> openssl pkcs8 -in dsakey.der -inform der -out dsakey.p8-der -outform der -topk8
+ > openssl pkcs8 -in dsa2048key.pem -inform pem -out dsa2048key.p8-pem -outform pem -topk8
+ > openssl pkcs8 -in dsa2048key.der -inform der -out dsa2048key.p8-der -outform der -topk8
+ > openssl pkcs8 -in dsa3072key.pem -inform pem -out dsa3072key.p8-pem -outform pem -topk8
+ > openssl pkcs8 -in dsa3072key.der -inform der -out dsa3072key.p8-der -outform der -topk8
> openssl pkcs8 -in rsakey.pem -inform pem -out rsakey.p8-pem -outform pem -topk8
> openssl pkcs8 -in rsakey.der -inform der -out rsakey.p8-der -outform der -topk8
> openssl pkcs8 -in largersakey.pem -inform pem -out largersakey.p8-pem \
-outform pem -topk8
> openssl pkcs8 -in largersakey.der -inform der -out largersakey.p8-der \
-outform der -topk8
+ > openssl pkcs8 -in ecdsa-secp256k1-key.der -inform der -out ecdsa-secp256k1-key.p8-der \
+ -outform der -topk8
5. NSS is unfriendly towards standalone private keys.
This procedure helps convert raw private keys into PKCS12 form that is
- suitable for not only NSS but all crypto engines.
+ suitable for not only NSS but all crypto engines (the tests password is secret123):
> cat dsakey.pem dsacert.pem ca2cert.pem cacert.pem > alldsa.pem
> openssl pkcs12 -export -in alldsa.pem -name TestDsaKey -out dsakey.p12
+ > cat dsa2048key.pem dsa2048cert.pem ca2cert.pem cacert.pem > alldsa2048.pem
+ > openssl pkcs12 -export -in alldsa2048.pem -name TestDsa2048Key -out dsa2048key.p12
+
+ > cat dsa3072key.pem dsa3072cert.pem ca2cert.pem cacert.pem > alldsa3072.pem
+ > openssl pkcs12 -export -in alldsa3072.pem -name TestDsa3072Key -out dsa3072key.p12
+
> cat rsakey.pem rsacert.pem ca2cert.pem cacert.pem > allrsa.pem
> openssl pkcs12 -export -in allrsa.pem -name TestRsaKey -out rsakey.p12
@@ -124,6 +167,9 @@ README
> openssl pkcs12 -export -in allexpired.pem -name TestExpiredRsaKey \
-out expiredkey.p12
+ > cat ecdsa-secp256k1-key.pem ecdsa-secp256k1-cert.pem ca2cert.pem cacert.pem > all-ecdsa-secp256k1.pem
+ > openssl pkcs12 -export -in all-ecdsa-secp256k1.pem -name TestEcdsaSecp256k1Key -out ecdsa-secp256k1-key.p12
+ > rm all-ecdsa-secp256k1.pem
5a.
Input: DSA/RSA private key in PEM or DER format