From ba03d024d0ea9b6a739ab913708d6fd5e6dae83a Mon Sep 17 00:00:00 2001
From: Mark Goodwin
Date: Tue, 17 Nov 2015 20:15:03 +0000
Subject: [PATCH 1/3] Created a test certificate to add support for rfc7633
---
 certs/cert-generator/badssl-must-staple.conf | 24 ++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 certs/cert-generator/badssl-must-staple.conf
diff --git a/certs/cert-generator/badssl-must-staple.conf b/certs/cert-generator/badssl-must-staple.conf
new file mode 100644
index 00000000..a97438f3
--- /dev/null
+++ b/certs/cert-generator/badssl-must-staple.conf
@@ -0,0 +1,24 @@
+[ req ]
+default_bits = 2048
+default_keyfile = ../self-signed/badssl.key
+distinguished_name = req_distinguished_name
+encrypt_key = no
+prompt = no
+req_extensions = req_v3_usr
+
+[ req_distinguished_name ]
+countryName = US
+stateOrProvinceName = California
+localityName = San Francisco
+organizationName = BadSSL
+commonName = must-staple.badssl.com
+
+[ req_v3_usr ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+1.3.6.1.5.5.7.1.24 = DER:30:03:02:01:05
+
+[ alt_names ]
+DNS.1 = must-staple.badssl.com
+DNS.2 = must-staple-no-ocsp.badssl.com
From b1814d505ff988ca053f687a6d8060b18616fd69 Mon Sep 17 00:00:00 2001
From: Mark Goodwin
Date: Tue, 17 Nov 2015 20:16:02 +0000
Subject: [PATCH 2/3] Created a test certificate to add support for rfc7633
---
 certs/cert-generator/cert-generator.sh | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/certs/cert-generator/cert-generator.sh b/certs/cert-generator/cert-generator.sh
index ebd0bfd1..cfb781dc 100755
--- a/certs/cert-generator/cert-generator.sh
+++ b/certs/cert-generator/cert-generator.sh
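Review bot: The line `1.3.6.1.5.5.7.1.24 = DER:30:03:02:01:05` in `[ req_v3_usr ]` is the only place this file expresses what the commit is about, yet nothing names it; a reader has to decode the DER by hand to see that it is the RFC 7633 TLS Feature extension (id-pe-tlsfeature) carrying a SEQUENCE with the single INTEGER 5, i.e. status_request, which is what makes the certificate "must-staple". Add a comment above it such as `# RFC 7633 TLS Feature (id-pe-tlsfeature): SEQUENCE { INTEGER 5 = status_request } -- must-staple`; OpenSSL 1.1.0 and later also accept the named form `tlsfeature = status_request`, which would be clearer if the generator can assume that version. Separately, `default_keyfile = ../self-signed/badssl.key` appears to be dead configuration, since the generator in the next patch passes `-key ../self-signed/badssl.com.key` explicitly and with a different file name, so it is worth aligning the two or dropping the default to avoid a misleading hint about which key the CSR is built on.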
@@ -231,6 +231,24 @@ cat out.pem ../self-signed/badssl-intermediate.pem ../self-signed/badssl-root.pe
 rm out.pem
 echo
 
+echo "Generating BadSSL.com must-staple Certificate Signing Request"
+openssl req -new \
+ -key ../self-signed/badssl.com.key \
+ -out badssl-must-staple.csr \
+ -config badssl-must-staple.conf
+
+echo "Signing BadSSL.com must-staple Certificate"
+openssl x509 -req -days 730 -sha256 -CAcreateserial \
+ -in badssl-1000-sans.csr \
+ -CA ../self-signed/badssl-intermediate.pem \
+ -CAkey ../self-signed/badssl-intermediate.key \
+ -extfile badssl-must-staple.conf \
+ -extensions req_v3_usr \
+ -out out.pem
+cat out.pem ../self-signed/badssl-intermediate.pem ../self-signed/badssl-root.pem > ../self-signed/must-staple.badssl.com.pem
+rm out.pem
+echo
+
 # Generate the Diffie-Hellman primes
 if [[ $regen =~ ^[Yy]$ ]]; then
 openssl dhparam -out ../self-signed/dh480.pem 480
From 92101fb49f8a2153784cd0a6c0436bbbca8445aa Mon Sep 17 00:00:00 2001
From: Mark Goodwin
Date: Tue, 17 Nov 2015 20:25:59 +0000
Subject: [PATCH 3/3] Fixed the must-staple signing step to use the correct CSR
---
 certs/cert-generator/cert-generator.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/certs/cert-generator/cert-generator.sh b/certs/cert-generator/cert-generator.sh
index cfb781dc..6634e5e0 100755
--- a/certs/cert-generator/cert-generator.sh
+++ b/certs/cert-generator/cert-generator.sh
@@ -239,7 +239,7 @@ openssl req -new \
 
 echo "Signing BadSSL.com must-staple Certificate"
 openssl x509 -req -days 730 -sha256 -CAcreateserial \
- -in badssl-1000-sans.csr \
+ -in badssl-must-staple.csr \
 -CA ../self-signed/badssl-intermediate.pem \
 -CAkey ../self-signed/badssl-intermediate.key \
 -extfile badssl-must-staple.conf \
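Review bot: The chain file is assembled unconditionally after signing: if `openssl x509 -req` fails, the redirection in `cat out.pem ... > ../self-signed/must-staple.badssl.com.pem` still truncates the destination, and cat, after complaining about the missing out.pem, goes on to write the intermediate and root, leaving a chain file with no leaf certificate that a later step or deployment can pick up without noticing. Unless the script enables `set -e` above this hunk (not visible here), guard the signing step, e.g. `  -out out.pem || exit 1`, and the same applies to the `openssl req -new` call, whose failure would otherwise only surface indirectly as a missing CSR at the signing step. The context lines `rm out.pem` / `echo` at the top of the hunk suggest the preceding certificate block has the same shape, so the guard is presumably worth applying there as well. The enclosing script continues before and after this hunk.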
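Review bot: With the CSR corrected, the signing step is right, but nothing on these lines says that `-extfile badssl-must-staple.conf` with `-extensions req_v3_usr` is doing the real work: `openssl x509 -req` does not copy the extensions requested in the CSR, so without the extfile the issued certificate would carry neither the subjectAltName nor the RFC 7633 TLS Feature extension and would not be a must-staple certificate at all. A comment above the `openssl x509` line such as `# x509 -req ignores CSR extensions; -extfile/-extensions re-apply the SAN and the RFC 7633 must-staple extension` would make that dependency explicit for whoever next edits the conf section. The `openssl x509` command's remaining arguments (`-extensions`, `-out`) lie past the end of the hunk.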