# $OpenBSD: Makefile,v 1.4 2022/03/14 21:30:48 tb Exp $ CLEANFILES += *.pem *.serial *.txt *.attr *.old # Start each regress run from scratch with new keys and CA database. REGRESS_SETUP_ONCE += clean REGRESS_SETUP_ONCE += root.serial intermediate.serial root.serial intermediate.serial: echo 1000 >$@ REGRESS_SETUP_ONCE += root.txt intermediate.txt root.txt intermediate.txt: true >$@ # Vanna Vanna make me a root cert root.key.pem: stamp-clean # generate root rsa 4096 key openssl genrsa -out root.key.pem 4096 root.cert.pem: root.cnf root.key.pem \ stamp-root.serial stamp-root.txt # generate root cert openssl req -batch -config ${.CURDIR}/root.cnf -key root.key.pem \ -new -x509 -days 365 -sha256 -extensions v3_ca -out root.cert.pem # Make intermediate intermediate.key.pem: stamp-clean # generate intermediate rsa 2048 key openssl genrsa -out intermediate.key.pem 2048 intermediate.csr.pem: intermediate.cnf intermediate.key.pem # generate intermediate req openssl req -batch -config ${.CURDIR}/intermediate.cnf -new -sha256 \ -key intermediate.key.pem -out intermediate.csr.pem # Sign intermediate intermediate.cert.pem: root.cnf root.cert.pem intermediate.csr.pem \ stamp-intermediate.serial stamp-intermediate.txt # sign intermediate openssl ca -batch -config ${.CURDIR}/root.cnf \ -extensions v3_intermediate_ca -days 10 -notext -md sha256 \ -in intermediate.csr.pem -out intermediate.cert.pem REGRESS_TARGETS += run-verify-intermediate # Verify intermediate run-verify-intermediate: root.cert.pem intermediate.cert.pem # validate intermediate CA openssl verify -CAfile root.cert.pem intermediate.cert.pem chain.pem: intermediate.cert.pem root.cert.pem cat intermediate.cert.pem root.cert.pem > chain.pem # Make a server certificate server.key.pem: stamp-clean # genrsa server openssl genrsa -out server.key.pem 2048 server.csr.pem: intermediate.cnf server.key.pem # server req openssl req -batch -config ${.CURDIR}/intermediate.cnf -new -sha256 \ -subj '/CN=server.openbsd.org/OU=So and Sos/O=OpenBSD/C=CA' \ -key server.key.pem -out server.csr.pem # Sign server key server.cert.pem: intermediate.cnf intermediate.cert.pem server.csr.pem # server sign openssl ca -batch -config ${.CURDIR}/intermediate.cnf \ -extensions server_cert -days 5 -notext -md sha256 \ -in server.csr.pem -out server.cert.pem # Make a client certificate client.key.pem: stamp-clean # genrsa client openssl genrsa -out client.key.pem 2048 client.csr.pem: intermediate.cnf intermediate.cert.pem client.key.pem # client req openssl req -batch -config ${.CURDIR}/intermediate.cnf -new -sha256 \ -subj '/CN=client/OU=So and Sos/O=OpenBSD/C=CA' \ -key client.key.pem -out client.csr.pem # Sign client key client.cert.pem: intermediate.cnf intermediate.cert.pem client.csr.pem # client sign openssl ca -batch -config ${.CURDIR}/intermediate.cnf \ -extensions usr_cert -days 5 -notext -md sha256 \ -in client.csr.pem -out client.cert.pem REGRESS_TARGETS += run-verify-server # Verify server with intermediate run-verify-server: chain.pem server.cert.pem # validate server cert openssl verify -purpose sslserver -CAfile chain.pem server.cert.pem REGRESS_TARGETS += run-verify-client # Verify client with intermediate run-verify-client: chain.pem client.cert.pem # validate client cert openssl verify -purpose sslclient -CAfile chain.pem client.cert.pem .include