author | Tobias Wiese <tobias@tobiaswiese.com> | 2021-05-23 01:39:15 +0200 |
---|---|---|
committer | waja <waja@users.noreply.github.com> | 2022-01-30 12:25:56 +0100 |
commit | 31bdbfce92de2dc7717fe13a8d1ca8e7dbf850d4 (patch) | |
tree | 27c5416f0096e89f168c1baaa1909537fb453223 /plugins/tests/certs/generate-certs.sh | |
parent | 986b2479465648c49a7eefc3fbf4df8860e3e4b7 (diff) | |
download | monitoring-plugins-31bdbfce92de2dc7717fe13a8d1ca8e7dbf850d4.tar.gz |
sslutils: use chain from client certificates
sslutils used to load only the first certificate when it was given a
client certificate file.
Added tests for check_http to connect to a http server that expects a
client certificate (simple and with chain).
Signed-off-by: Tobias Wiese <tobias@tobiaswiese.com>
Diffstat (limited to 'plugins/tests/certs/generate-certs.sh')
-rwxr-xr-x | plugins/tests/certs/generate-certs.sh | 63 |
1 files changed, 63 insertions, 0 deletions
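--- /dev/null
+++ b/plugins/tests/certs/generate-certs.sh
@@ -0,0 +1,63 @@
+#!/bin/sh -e
+#
+# Recreates the https server certificates
+#
+# Set the GEN_EXPIRED environment variable to also regenerate
+# the expired certificate.
+
+cd "$(dirname "$0")"
+trap 'rm -f *.csr; rm -f clientca-cert.srl' EXIT
+
+subj() {
+c="DE"
+st="Bavaria"
+l="Munich"
+o="Monitoring Plugins"
+cn="Monitoring Plugins"
+emailAddress="devel@monitoring-plugins.org"
+
+if [ -n "$1" ]; then
+# Add to CN
+cn="$cn $1"
+fi
+
+printf "/C=%s/ST=%s/L=%s/O=%s/CN=%s/emailAddress=%s" \
+"$c" "$st" "$l" "$o" "$cn" "$emailAddress"
+}
+
+# server
+openssl req -new -x509 -days 3560 -nodes \
+-keyout server-key.pem -out server-cert.pem \
+-subj "$(subj)"
+# server, expired
+# there is generally no need to regenerate this, as it will stay epxired
+[ -n "$GEN_EXPIRED" ] && TZ=UTC faketime -f '2008-01-01 12:00:00' \
+openssl req -new -x509 -days 1 -nodes \
+-keyout expired-key.pem -out expired-cert.pem \
+-subj "$(subj)"
+
+# client, ca
+openssl req -new -x509 -days 3560 -nodes \
+-keyout clientca-key.pem -out clientca-cert.pem \
+-subj "$(subj ClientCA)"
+echo "01" >clientca-cert.srl
+# client
+openssl req -new -nodes \
+-keyout client-key.pem -out client-cert.csr \
+-subj "$(subj Client)"
+openssl x509 -days 3560 -req -CA clientca-cert.pem -CAkey clientca-key.pem \
+-in client-cert.csr -out client-cert.pem
+# client, intermediate
+openssl req -new -nodes \
+-keyout clientintermediate-key.pem -out clientintermediate-cert.csr \
+-subj "$(subj ClientIntermediate)"
+openssl x509 -days 3560 -req -CA clientca-cert.pem -CAkey clientca-key.pem \
+-extfile ext.cnf -extensions client_ca \
+-in clientintermediate-cert.csr -out clientintermediate-cert.pem
+# client, chain
+openssl req -new -nodes \
+-keyout clientchain-key.pem -out clientchain-cert.csr \
+-subj "$(subj ClientChain)"
+openssl x509 -days 3560 -req -CA clientca-cert.pem -CAkey clientca-key.pem \
+-in clientchain-cert.csr -out clientchain-cert.pem
+cat clientintermediate-cert.pem >>clientchain-cert.pem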
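Review bot: clientchain-cert.pem is signed directly by the client CA on line 61, yet line 63 appends clientintermediate-cert.pem as its chain, so the appended certificate is not the leaf's issuer and a server that trusts only the intermediate would still reject this client. If a genuine two-level chain is intended, sign the leaf with the intermediate instead, `openssl x509 -days 3560 -req -CA clientintermediate-cert.pem -CAkey clientintermediate-key.pem -CAcreateserial \`, and add the resulting `clientintermediate-cert.srl` to the cleanup trap on line 9; if the test only needs extra certificates to be present in the file for sslutils to send, a comment on line 57 stating that would prevent the fixture from being mistaken for a valid chain. Separately, the `-e` in `#!/bin/sh -e` on line 1 is dropped when the script is invoked as `sh generate-certs.sh`, so `set -e` as the first statement is more robust, and the comment on line 33 misspells "expired".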