Closed TinCanTech closed 2 months ago
No unit-test.
Early manual test, failed for CA:
tct@home:/dev/shm/easyrsa-ut$ easyrsa init-pki
WARNING!!!
You are about to remove the EASYRSA_PKI at:
* /dev/shm/easyrsa-ut/pki
and initialize a fresh PKI here.
Type the word 'yes' to continue, or any other input to abort.
Confirm removal: yes
Notice
------
'init-pki' complete; you may now create a CA or requests.
Your newly created PKI dir is:
* /dev/shm/easyrsa-ut/pki
Using Easy-RSA configuration:
* undefined
tct@home:/dev/shm/easyrsa-ut$ easyrsa --nopass --ku-crit --bc-crit build-ca
...+++++
....................................+++++
Can't load /dev/shm/easyrsa-ut/pki/.rnd into RNG
140700229961024:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:98:Filename=/dev/shm/easyrsa-ut/pki/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
Notice
------
CA creation complete. Your new CA certificate is at:
* /dev/shm/easyrsa-ut/pki/ca.crt
tct@home:/dev/shm/easyrsa-ut$ easyrsa --nopass --ku-crit --bc-crit build-server-full s1
Generating a RSA private key
........+++++
.............+++++
writing new private key to '/dev/shm/easyrsa-ut/pki/58acae36/temp.1.1'
-----
Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /dev/shm/easyrsa-ut/pki/reqs/s1.req
* key: /dev/shm/easyrsa-ut/pki/private/s1.key
You are about to sign the following certificate:
Request subject, to be signed as a server certificate
for '825' days:
subject=
commonName = s1
X509v3 Subject Alternative Name:
DNS:s1
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /usr/share/easy-rsa/openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'s1'
Certificate is to be certified until Apr 18 00:59:07 2026 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Notice
------
Certificate created at:
* /dev/shm/easyrsa-ut/pki/issued/s1.crt
Notice
------
Inline file created:
* /dev/shm/easyrsa-ut/pki/inline/s1.inline
tct@home:/dev/shm/easyrsa-ut$ easyrsa show-ca
Notice
------
Showing details for CA certificate, at:
* /dev/shm/easyrsa-ut/pki/ca.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
36:35:23:5d:90:db:f8:96:dd:fc:6c:6f:60:0c:2c:a0:22:67:65:64
Signature Algorithm: sha256WithRSAEncryption
Issuer:
commonName = Easy-RSA CA
Validity
Not Before: Jan 14 00:58:53 2024 GMT
Not After : Jan 11 00:58:53 2034 GMT
Subject:
commonName = Easy-RSA CA
X509v3 extensions:
X509v3 Subject Key Identifier:
DA:40:C0:D9:C4:12:92:F2:EC:EB:67:9C:D1:20:51:CE:71:2B:44:3D
X509v3 Authority Key Identifier:
keyid:DA:40:C0:D9:C4:12:92:F2:EC:EB:67:9C:D1:20:51:CE:71:2B:44:3D
DirName:/CN=Easy-RSA CA
serial:36:35:23:5D:90:DB:F8:96:DD:FC:6C:6F:60:0C:2C:A0:22:67:65:64
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
tct@home:/dev/shm/easyrsa-ut$ easyrsa show-cert s1
Notice
------
Showing 'cert' details for: 's1'
This file is stored at:
* /dev/shm/easyrsa-ut/pki/issued/s1.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1255548484 (0x4ad62644)
Signature Algorithm: sha256WithRSAEncryption
Issuer:
commonName = Easy-RSA CA
Validity
Not Before: Jan 14 00:59:07 2024 GMT
Not After : Apr 18 00:59:07 2026 GMT
Subject:
commonName = s1
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
D3:CF:2C:64:CC:30:2E:5D:61:74:52:FB:02:04:6B:5A:7B:02:6E:CF
X509v3 Authority Key Identifier:
keyid:DA:40:C0:D9:C4:12:92:F2:EC:EB:67:9C:D1:20:51:CE:71:2B:44:3D
DirName:/CN=Easy-RSA CA
serial:36:35:23:5D:90:DB:F8:96:DD:FC:6C:6F:60:0C:2C:A0:22:67:65:64
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:s1
Superseded-by: #1176
These options allow X509 'critical' attributes to be used.
--ku-critical (--ku-crit): Configure 'keyUsage' to set 'critical' attribute.
--bc-critical (--bc-crit): Configure 'basicConstraints' to set 'critical' attribute.
Use of these options is left to the discretion of the user task.
Supported certificate types do not include 'email', 'codeSigning' or 'kdc'.
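Added example, not easy-rsa's own code: a minimal DER walker over a certificate's Extensions SEQUENCE that reports which extensions carry the critical flag, so what `--ku-crit`/`--bc-crit` actually wrote can be verified (the `show-ca` output above lacks the flags, the `s1` cert has them). The sample bytes, `OID_NAMES` table and function names are constructed here for illustration.

```python
# Constructed example: decode X.509 Extensions and report 'critical' flags.
# Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
#                          extnValue OCTET STRING }
OID_NAMES = {"2.5.29.15": "keyUsage", "2.5.29.19": "basicConstraints",
             "2.5.29.37": "extendedKeyUsage", "2.5.29.17": "subjectAltName"}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """DER OID content bytes -> dotted string, e.g. 55 1d 0f -> '2.5.29.15'."""
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:                      # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def extension_criticality(extensions_der):
    """Map each extension name (or dotted OID) to its critical flag."""
    tag, body, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = {}, 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_raw, p = read_tlv(ext, 0)
        tag, val, p = read_tlv(ext, p)     # BOOLEAN if present, else OCTET STRING
        critical = tag == 0x01 and val == b"\xff"
        result[OID_NAMES.get(decode_oid(oid_raw), decode_oid(oid_raw))] = critical
    return result

def missing_critical(flags, required=("keyUsage", "basicConstraints")):
    """Names in `required` that are absent or not marked critical."""
    return [name for name in required if not flags.get(name)]

# Constructed sample Extensions: basicConstraints critical CA:FALSE, keyUsage
# critical (digitalSignature, keyEncipherment), extendedKeyUsage serverAuth
# non-critical, i.e. what a --ku-crit --bc-crit server cert should carry.
SAMPLE = bytes.fromhex("3033" "300c0603551d130101ff04023000"
                       "300e0603551d0f0101ff0404030205a0"
                       "30130603551d25040c300a06082b06010505070301")
```

Running `missing_critical(extension_criticality(SAMPLE))` on the sample returns an empty list; feed it the real Extensions bytes (e.g. sliced out of the DER `ca.crt`) to check the CA case that failed in the manual test above.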