tls: enable multiple SSL certificate support. #5317
@@ -227,8 +227,9 @@ message CommonTlsContext { | |
// TLS protocol versions, cipher suites etc. | ||
TlsParameters tls_params = 1; | ||
|
||
// Multiple TLS certificates can be associated with the same context. | ||
// E.g. to allow both RSA and ECDSA certificates, two TLS certificates can be configured. | ||
// :ref:`Multiple TLS certificates <arch_overview_ssl_multi_cert>` can be associated with the same | ||
// context.B E.g. to allow both RSA and ECDSA certificates, two TLS certificates can be | ||
// configured. | ||
// | ||
// Only a single TLS certificate is supported in client contexts. In server contexts, the first | ||
// RSA certificate is used for clients that only support RSA and the first ECDSA certificate is | ||
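Review bot: the added comment line `// context.B E.g. to allow both RSA and ECDSA certificates, two TLS certificates can be` carries a stray `.B` that will be rendered verbatim into the generated API reference; it should read `// context. E.g. to allow both RSA and ECDSA certificates, two TLS certificates can be`. The sentence that follows ("the first RSA certificate is used for clients that only support RSA and the first ECDSA certificate is ...") is the only statement of the selection rule in the proto, so keep its wording identical to the rules list added to ssl.rst in this change.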
@@ -85,6 +85,29 @@ standard Debian installations. Common paths for system CA bundles on Linux and B | |
See the reference for :ref:`UpstreamTlsContexts <envoy_api_msg_auth.UpstreamTlsContext>` and | ||
:ref:`DownstreamTlsContexts <envoy_api_msg_auth.DownstreamTlsContext>` for other TLS options. | ||
|
||
.. _arch_overview_ssl_multi_cert: | ||
|
||
Multiple certificates | ||
--------------------- | ||
|
||
:ref:`UpstreamTlsContexts <envoy_api_msg_auth.UpstreamTlsContext>` support multiple TLS | ||
I think it's the reverse? We support multiple contexts for downstream but not for upstream?
Downstream contexts support multiple TLS certificates, not upstream.
certificates. These may be a mix of RSA and P-256 ECDSA certificates. The following rules apply: | ||
I believe that I asked about this before, but could we enforce that at most single RSA and single P-256 ECDSA are configured? We know that anything more is never going to be used at runtime, so it's most likely misconfiguration. This should only require a few easy checks in
Yes, OK, let's go with this, it simplifies other logic later on.
|
||
* Only the first certificate of a particular type (RSA or ECDSA) is considered. | ||
* Non-P256 server ECDSA certificates are rejected. | ||
This isn't specific to multiple certificates. (We should have it documented somewhere, but probably not here.)
I will rename this section to something like "Certificate selection" and we can keep it here.
* The client must indicate P-256 support to be considered ECDSA capable. | ||
This line is redundant with the more descriptive line below.
* If the client supports P-256 ECDSA, a P-256 ECDSA certificate will be selected if present in the | ||
:ref:`UpstreamTlsContext <envoy_api_msg_auth.UpstreamTlsContext>`. | ||
* If the client only supports RSA certificate, an RSA certificate will be selected if present in the | ||
:ref:`UpstreamTlsContext <envoy_api_msg_auth.UpstreamTlsContext>`. | ||
* Otherwise, the first certificate listed is used. This will result in a failed handshake if the | ||
client only supports RSA certificates and the server only has ECDSA certificates. | ||
* Static and SDS certificates may not be mixed in a given :ref:`UpstreamTlsContext | ||
<envoy_api_msg_auth.UpstreamTlsContext>`. | ||
|
||
Only a single TLS certificate is supported today for :ref:`DownstreamTlsContexts | ||
<envoy_api_msg_auth.DownstreamTlsContext>`. | ||
|
||
Secret discovery service (SDS) | ||
------------------------------ | ||
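Review bot: the section attributes multiple-certificate support to `UpstreamTlsContext` and closes by saying `DownstreamTlsContext` is limited to a single certificate, which is the wrong way round: the rules it lists (first RSA certificate for RSA-only clients, first ECDSA certificate for P-256-capable clients, rejection of non-P-256 server ECDSA certificates) are server-side selection, the code change in this PR is in `ServerContextConfigImpl`, and the proto comment says "Only a single TLS certificate is supported in client contexts"; swap every `UpstreamTlsContext` reference here for `DownstreamTlsContext` and state that upstream contexts take one certificate. Two bullets are also not about multiple certificates and duplicate the longer bullets below them: `* Non-P256 server ECDSA certificates are rejected.` and `* The client must indicate P-256 support to be considered ECDSA capable.`; either fold them into the "If the client supports P-256 ECDSA" bullet or retitle the section ("Certificate selection") so general selection rules belong here.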
|
||
@@ -78,6 +78,7 @@ Version history | |
* tls: added support for CRLs in :ref:`trusted_ca <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`. | ||
* tls: added support for :ref:`password encrypted private keys <envoy_api_field_auth.TlsCertificate.password>`. | ||
* tls: added ssl.versions.<version> to :ref:`listener metrics <config_listener_stats>` to track TLS versions in use. | ||
* tls: added support for :ref:`multiple server TLS certificates <arch_overview_ssl_multi_cert>`. | ||
Nit: move it above
I think
* tracing: added support to the Zipkin tracer for the :ref:`b3 <config_http_conn_man_headers_b3>` single header format. | ||
* tracing: added support for :ref:`Datadog <arch_overview_tracing>` tracer. | ||
* upstream: added :ref:`scale_locality_weight<envoy_api_field_Cluster.LbSubsetConfig.scale_locality_weight>` to enable | ||
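Review bot: the link text `multiple server TLS certificates` scopes the feature correctly, but the target `arch_overview_ssl_multi_cert` currently documents it under `UpstreamTlsContext`; the changelog and the architecture section need to agree on "server"/downstream before this merges. Minor: the other `tls:` lines group the `added support for ...` entries together, so this one reads better placed before the `ssl.versions.<version>` metrics entry.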
@@ -308,13 +308,12 @@ ServerContextConfigImpl::ServerContextConfigImpl( | |||
|
||||
return ret; | ||||
}()) { | ||||
// TODO(PiotrSikora): Support multiple TLS certificates. | ||||
if ((config.common_tls_context().tls_certificates().size() + | ||||
config.common_tls_context().tls_certificate_sds_secret_configs().size()) == 0) { | ||||
throw EnvoyException("No TLS certificates found for server context"); | ||||
} else if ((config.common_tls_context().tls_certificates().size() + | ||||
config.common_tls_context().tls_certificate_sds_secret_configs().size()) > 1) { | ||||
As far as I recall, we still only support single certificate served over SDS, don't we?
I think you may have multiple sds config for single cluster/listener? https://github.com/envoyproxy/envoy/blob/master/api/envoy/api/v2/auth/cert.proto#L239
But it doesn't work with multiple certificates, because callback clears all other certificates on update, see:
throw EnvoyException("A single TLS certificate is required for server contexts"); | ||||
} else if (!config.common_tls_context().tls_certificates().empty() && | ||||
!config.common_tls_context().tls_certificate_sds_secret_configs().empty()) { | ||||
throw EnvoyException("Static and dynamic TLS certificates may not be mixed in server contexts"); | ||||
Nit: this isn't really "static" and "dynamic", since LDS/CDS and SDS can be both "static" and "dynamic". Maybe just say that (i.e.
I think "Non-SDS and SDS TLS certificates may not be mixed.." is clearer here, as LDS/CDS doesn't refer to bootstrap static config.
secrets (i.e. "static" SDS) can be also in the bootstrap static config. But yeah, I agree that it sounds cleaner.
} | ||||
} | ||||
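Review bot: removing the `> 1` branch makes any number of `tls_certificate_sds_secret_configs` pass validation, but as noted in the discussion the SDS update callback clears the other certificates on update, so a second SDS config is accepted and then silently never served; either keep a `> 1` check on `config.common_tls_context().tls_certificate_sds_secret_configs().size()` alone, or go with the proposal to reject more than one certificate per key type (one RSA, one P-256 ECDSA) across both lists, since anything beyond that is never selected at runtime and is almost certainly a misconfiguration. The surviving message `throw EnvoyException("Static and dynamic TLS certificates may not be mixed in server contexts");` is also misleading, because bootstrap secrets delivered over SDS are static too; `"Non-SDS and SDS TLS certificates may not be mixed in server contexts"` names the condition the `else if` actually tests (`!tls_certificates().empty() && !tls_certificate_sds_secret_configs().empty()`), and the expectation in `TlsCertificatesAndSdsConfig` must change with it.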
|
||||
@@ -20,6 +20,7 @@ | |
#include "openssl/x509v3.h" | ||
|
||
using Envoy::Protobuf::util::MessageDifferencer; | ||
using testing::EndsWith; | ||
using testing::NiceMock; | ||
using testing::ReturnRef; | ||
|
||
@@ -881,28 +882,37 @@ TEST(ClientContextConfigImplTest, MissingStaticCertificateValidationContext) { | |
"Unknown static certificate validation context: missing"); | ||
} | ||
|
||
// Multiple TLS certificates are not yet supported, but one is expected for | ||
// server. | ||
// TODO(PiotrSikora): Support multiple TLS certificates. | ||
// Multiple TLS certificates are supported. | ||
TEST(ServerContextConfigImplTest, MultipleTlsCertificates) { | ||
envoy::api::v2::auth::DownstreamTlsContext tls_context; | ||
NiceMock<Server::Configuration::MockTransportSocketFactoryContext> factory_context; | ||
EXPECT_THROW_WITH_MESSAGE( | ||
ServerContextConfigImpl client_context_config(tls_context, factory_context), EnvoyException, | ||
"No TLS certificates found for server context"); | ||
const std::string tls_certificate_yaml = R"EOF( | ||
const std::string rsa_tls_certificate_yaml = R"EOF( | ||
certificate_chain: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem" | ||
private_key: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem" | ||
)EOF"; | ||
MessageUtil::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), | ||
const std::string ecdsa_tls_certificate_yaml = R"EOF( | ||
certificate_chain: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert_ecdsa_p256.pem" | ||
private_key: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key_ecdsa_p256.pem" | ||
)EOF"; | ||
MessageUtil::loadFromYaml(TestEnvironment::substitute(rsa_tls_certificate_yaml), | ||
*tls_context.mutable_common_tls_context()->add_tls_certificates()); | ||
MessageUtil::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml), | ||
MessageUtil::loadFromYaml(TestEnvironment::substitute(ecdsa_tls_certificate_yaml), | ||
*tls_context.mutable_common_tls_context()->add_tls_certificates()); | ||
EXPECT_THROW_WITH_MESSAGE( | ||
ServerContextConfigImpl client_context_config(tls_context, factory_context), EnvoyException, | ||
"A single TLS certificate is required for server contexts"); | ||
MessageUtil::loadFromYaml(TestEnvironment::substitute(rsa_tls_certificate_yaml), | ||
*tls_context.mutable_common_tls_context()->add_tls_certificates()); | ||
ServerContextConfigImpl server_context_config(tls_context, factory_context); | ||
auto tls_certs = server_context_config.tlsCertificates(); | ||
ASSERT_EQ(3, tls_certs.size()); | ||
EXPECT_THAT(tls_certs[0].get().privateKeyPath(), EndsWith("selfsigned_key.pem")); | ||
EXPECT_THAT(tls_certs[1].get().privateKeyPath(), EndsWith("selfsigned_key_ecdsa_p256.pem")); | ||
EXPECT_THAT(tls_certs[2].get().privateKeyPath(), EndsWith("selfsigned_key.pem")); | ||
Erm, we really shouldn't be able to load the same certificate twice.
} | ||
|
||
TEST(ServerContextConfigImplTest, TlsCertificatesAndSdsConfig) { | ||
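Review bot: the test adds `rsa_tls_certificate_yaml` a second time and then asserts `ASSERT_EQ(3, tls_certs.size());` with `tls_certs[2]` ending in `selfsigned_key.pem`, which pins the loader to accepting a duplicate RSA certificate that the documented selection rules say can never be served; if the loader is tightened to one certificate per key type, the third `add_tls_certificates()` should instead be wrapped in `EXPECT_THROW_WITH_MESSAGE` on the resulting configuration error, keeping the two-certificate RSA + ECDSA case as the positive assertion on `tlsCertificates()`. Minor: `client_context_config` on the `EXPECT_THROW_WITH_MESSAGE` lines is a `ServerContextConfigImpl`; name it `server_context_config` like the instance constructed below it.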
@@ -922,7 +932,7 @@ TEST(ServerContextConfigImplTest, TlsCertificatesAndSdsConfig) { | |
tls_context.mutable_common_tls_context()->add_tls_certificate_sds_secret_configs(); | ||
EXPECT_THROW_WITH_MESSAGE( | ||
ServerContextConfigImpl server_context_config(tls_context, factory_context), EnvoyException, | ||
"A single TLS certificate is required for server contexts"); | ||
"Static and dynamic TLS certificates may not be mixed in server contexts"); | ||
} | ||
|
||
TEST(ServerContextConfigImplTest, SecretNotReady) { | ||
@@ -656,6 +656,116 @@ TEST_P(SslSocketTest, NoCert) { | |
GetParam()); | ||
} | ||
|
||
// The first RSA certificate is picked when multiple RSA certificates are | ||
// present. We validate TLSv1.2 only here, since we validate the e2e behavior on | ||
// TLSv1.2/1.3 in ssl_integration_test. | ||
TEST_P(SslSocketTest, MultiCertFirstRsa) { | ||
const std::string client_ctx_yaml = R"EOF( | ||
common_tls_context: | ||
tls_params: | ||
tls_minimum_protocol_version: TLSv1_2 | ||
tls_maximum_protocol_version: TLSv1_2 | ||
cipher_suites: ECDHE-RSA-AES128-GCM-SHA256 | ||
validation_context: | ||
verify_certificate_hash: | ||
AB:6A:9F:1A:F4:C8:9E:81:A2:06:E9:E1:05:7E:BD:63:3E:8D:54:4A:E8:F0:50:5A:A3:58:63:25:17:B6:23:12 | ||
)EOF"; | ||
|
||
const std::string server_ctx_yaml = R"EOF( | ||
common_tls_context: | ||
tls_certificates: | ||
- certificate_chain: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert_ecdsa_p256.pem" | ||
private_key: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key_ecdsa_p256.pem" | ||
- certificate_chain: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem" | ||
private_key: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem" | ||
- certificate_chain: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert2.pem" | ||
private_key: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem" | ||
)EOF"; | ||
|
||
testUtil(client_ctx_yaml, server_ctx_yaml, "", "", "", "", "", "", "", "ssl.no_certificate", true, | ||
GetParam()); | ||
} | ||
|
||
// The first ECDSA certificate is picked when multiple ECDSA certificates are | ||
// present. We validate TLSv1.2 only here, since we validate the e2e behavior on | ||
// TLSv1.2/1.3 in ssl_integration_test. | ||
TEST_P(SslSocketTest, MultiCertFirstEcdsa) { | ||
const std::string client_ctx_yaml = R"EOF( | ||
common_tls_context: | ||
tls_params: | ||
tls_minimum_protocol_version: TLSv1_2 | ||
tls_maximum_protocol_version: TLSv1_2 | ||
cipher_suites: ECDHE-ECDSA-AES128-GCM-SHA256 | ||
validation_context: | ||
verify_certificate_hash: | ||
49:D0:E5:82:F1:0F:29:D8:C5:64:33:8F:14:2A:3E:53:87:CD:E2:E6:0E:8B:C7:83:CF:6F:88:BD:50:4E:11:E2 | ||
)EOF"; | ||
|
||
const std::string server_ctx_yaml = R"EOF( | ||
common_tls_context: | ||
tls_certificates: | ||
- certificate_chain: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem" | ||
private_key: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem" | ||
- certificate_chain: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert_ecdsa_p256.pem" | ||
private_key: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key_ecdsa_p256.pem" | ||
- certificate_chain: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert2_ecdsa_p256.pem" | ||
private_key: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key_ecdsa_p256.pem" | ||
)EOF"; | ||
|
||
testUtil(client_ctx_yaml, server_ctx_yaml, "", "", "", "", "", "", "", "ssl.no_certificate", true, | ||
GetParam()); | ||
} | ||
|
||
// Prefer ECDSA certificate when multiple RSA certificates are present and the | ||
// client is RSA/ECDSA capable. We validate TLSv1.2 only here, since we validate | ||
// the e2e behavior on TLSv1.2/1.3 in ssl_integration_test. | ||
TEST_P(SslSocketTest, MultiCertPreferEcdsa) { | ||
const std::string client_ctx_yaml = R"EOF( | ||
common_tls_context: | ||
tls_params: | ||
tls_minimum_protocol_version: TLSv1_2 | ||
tls_maximum_protocol_version: TLSv1_2 | ||
cipher_suites: | ||
- ECDHE-ECDSA-AES128-GCM-SHA256 | ||
- ECDHE-RSA-AES128-GCM-SHA256 | ||
validation_context: | ||
verify_certificate_hash: | ||
49:D0:E5:82:F1:0F:29:D8:C5:64:33:8F:14:2A:3E:53:87:CD:E2:E6:0E:8B:C7:83:CF:6F:88:BD:50:4E:11:E2 | ||
)EOF"; | ||
|
||
const std::string server_ctx_yaml = R"EOF( | ||
common_tls_context: | ||
tls_certificates: | ||
- certificate_chain: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert.pem" | ||
private_key: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem" | ||
- certificate_chain: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert_ecdsa_p256.pem" | ||
private_key: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key_ecdsa_p256.pem" | ||
- certificate_chain: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert2.pem" | ||
private_key: | ||
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key.pem" | ||
)EOF"; | ||
|
||
testUtil(client_ctx_yaml, server_ctx_yaml, "", "", "", "", "", "", "", "ssl.no_certificate", true, | ||
Could you test a more "happy" stat, e.g.
GetParam()); | ||
} | ||
|
||
TEST_P(SslSocketTest, GetUriWithLocalUriSan) { | ||
const std::string client_ctx_yaml = R"EOF( | ||
common_tls_context: | ||
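Review bot: all three new tests pass `"ssl.no_certificate"` as the expected stat, which only records that the client presented no certificate and says nothing about which server certificate was chosen; the client-side `verify_certificate_hash` pin is what actually proves selection here, so assert on a positive handshake counter (`ssl.handshake`) as well, so that a selection regression shows up in the stat and not only as a pin failure. The header comment on `MultiCertPreferEcdsa` ("Prefer ECDSA certificate when multiple RSA certificates are present") undersells the case: the server list is RSA, ECDSA, RSA and the client offers both `ECDHE-ECDSA-` and `ECDHE-RSA-` suites, so the point is that an ECDSA-capable client gets the ECDSA certificate even though it is not listed first; say that in the comment. It is also worth a one-line note that `selfsigned_cert2_ecdsa_p256.pem` deliberately reuses `selfsigned_key_ecdsa_p256.pem`, so a reader does not take the duplicate key path as a copy-paste error.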
@@ -0,0 +1,19 @@ | ||
-----BEGIN CERTIFICATE----- | ||
-----END CERTIFICATE----- |
@@ -0,0 +1,16 @@ | ||
-----BEGIN CERTIFICATE----- | ||
-----END CERTIFICATE----- |
@@ -1,18 +1,18 @@ | ||
-----BEGIN CERTIFICATE----- | ||
-----END CERTIFICATE----- |
@@ -1,15 +1,15 @@ | ||
-----BEGIN RSA PRIVATE KEY----- | ||
-----END RSA PRIVATE KEY----- |
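Review bot: the test CA certificate and its RSA private key are both replaced in this change (the `-1,18 +1,18` and `-1,15 +1,15` hunks swap the serial, validity dates and key material), which invalidates every leaf certificate the old CA had signed and any `verify_certificate_hash` value pinned against a regenerated certificate; confirm that the whole of test_data was regenerated in a single run of the generation script and that no test still pins a hash from the previous set, otherwise the trust chain will fail in tests unrelated to this PR.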
@@ -41,6 +41,11 @@ rm -f server_ecdsacert.cfg | |
# Generate cert for the client. | ||
generate_rsa_key client ca | ||
generate_x509_cert client ca | ||
# Generate ECDSA cert for the celitn. | ||
cp -f clientcert.cfg client_ecdsacert.cfg | ||
generate_ecdsa_key client_ecdsa ca | ||
generate_x509_cert client_ecdsa ca | ||
rm -f client_ecdsacert.cfg | ||
|
||
# Generate cert for the upstream CA. | ||
generate_ca upstreamca | ||
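Review bot: the new comment `# Generate ECDSA cert for the celitn.` has a typo; it should read `# Generate ECDSA cert for the client.`. Also, none of the tests shown in this change reference `client_ecdsa`; all of them exercise server-side certificate selection, so either note in the commit what the client ECDSA certificate is for, or leave it out until a test uses it so test_data stays minimal.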
typo ".B"