Provide a script to generate test certificates/keys.

This will allow us to generate a variety of client and server certificates, including expired and revoked certificates, using both RSA and ECDSA. Discussed with tb@
author: jsing <> 2021-12-27 14:40:16 +0000
committer: jsing <> 2021-12-27 14:40:16 +0000
commit: 545f8879bf409b24a1dbb853e5a8f3b7e7d6a81f (patch)
tree: 6517fc79f8cd29b57ce1530e7e5dfeca62454b29 /src
parent: 2ff232a7ae3136fc0b5bc80b8e582b790fdf364e (diff)
download: openbsd-545f8879bf409b24a1dbb853e5a8f3b7e7d6a81f.tar.gz
openbsd-545f8879bf409b24a1dbb853e5a8f3b7e7d6a81f.tar.bz2
openbsd-545f8879bf409b24a1dbb853e5a8f3b7e7d6a81f.zip
1 files changed, 263 insertions, 0 deletions
diff --git a/src/regress/lib/libssl/certs/make-certs.sh b/src/regress/lib/libssl/certs/make-certs.sh
new file mode 100755
index 0000000000..c90b7c8ff3
--- /dev/null
+++ b/src/regress/lib/libssl/certs/make-certs.sh
@@ -0,0 +1,263 @@
+#!/bin/ksh
+#
+# Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# 
+set -e
+set -u
+set -x
+readonly SUBJECT="/CN=LibreSSL Test"
+readonly TMPDIR=$(mktemp -d)
+cleanup() {
+        rm -rf "${TMPDIR}"
+}
+trap cleanup EXIT INT
+reset() {
+        echo '100001' > ${TMPDIR}/certserial
+        cat /dev/null > ${TMPDIR}/certindex
+}
+setup() {
+        reset
+        cat > ${TMPDIR}/openssl.cnf <<EOF
+[ca]
+default_ca = test_ca
+[test_ca]
+new_certs_dir = ${TMPDIR}/
+database = ${TMPDIR}/certindex
+default_days = 365
+default_md = sha256
+policy = test_policy
+serial = ${TMPDIR}/certserial
+[test_policy]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+[v3_ca_root]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, cRLSign, keyCertSign
+[v3_ca_int]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, cRLSign, keyCertSign
+[v3_other]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:false
+keyUsage = critical, digitalSignature
+[req]
+distinguished_name      = req_distinguished_name
+[ req_distinguished_name ]
+EOF
+}
+key_type_to_args() {
+        local key_type=$1
+        alg=${key_type%:*}
+        param=${key_type#*:}
+        if [[ "${alg}" == "rsa" ]]; then
+                echo "-newkey ${key_type}";
+        elif [[ "${alg}" == "ec" ]]; then
+                echo "-newkey $alg -pkeyopt ec_paramgen_curve:${param}"
+        else
+                echo "Unknown key type ${key_type}" >&2
+                exit 1
+        fi
+}
+create_root() {
+        local name=$1 file=$2 key_type=$3
+        key_args=$(key_type_to_args "${key_type}")
+        openssl req -new -days 3650 -nodes ${key_args} -sha256 -x509 \
+            -subj "${SUBJECT} ${name}" -keyout "${TMPDIR}/${file}.key" \
+            -config ${TMPDIR}/openssl.cnf -extensions v3_ca_root \
+            -out "${TMPDIR}/${file}.crt"
+}
+create_intermediate() {
+        local name=$1 file=$2 issuer_file=$3 key_type=$4
+        key_args=$(key_type_to_args "${key_type}")
+        openssl req -new -days 3650 -nodes ${key_args} -sha256 \
+            -subj "${SUBJECT} ${name}" -keyout "${TMPDIR}/${file}.key" \
+            -out "${TMPDIR}/${file}.csr"
+        openssl x509 -req -days 3650 -CA "${TMPDIR}/${issuer_file}.crt" \
+            -CAkey "${TMPDIR}/${issuer_file}.key" -CAcreateserial \
+            -extfile ${TMPDIR}/openssl.cnf -extensions v3_ca_int \
+            -in "${TMPDIR}/${file}.csr" -out "${TMPDIR}/${file}.crt"
+}
+create_leaf() {
+        local name=$1 file=$2 issuer_file=$3 key_type=$4
+        key_args=$(key_type_to_args "${key_type}")
+        openssl req -new -days 3650 -nodes ${key_args} -sha256 \
+            -subj "${SUBJECT} ${name}" -keyout "${TMPDIR}/${file}.key" \
+            -out "${TMPDIR}/${file}.csr"
+        openssl x509 -req -days 3650 -CA "${TMPDIR}/${issuer_file}.crt" \
+            -CAkey "${TMPDIR}/${issuer_file}.key" -CAcreateserial -sha256 \
+            -extfile ${TMPDIR}/openssl.cnf -extensions v3_other \
+            -in "${TMPDIR}/${file}.csr" -out "${TMPDIR}/${file}.crt"
+}
+create_expired_leaf() {
+        local name=$1 file=$2 issuer_file=$3 key_type=$4
+        key_args=$(key_type_to_args "${key_type}")
+        openssl req -new -days 3650 -nodes ${key_args} -sha256 \
+            -subj "${SUBJECT} ${name}" -keyout "${TMPDIR}/${file}.key" \
+            -out "${TMPDIR}/${file}.csr"
+        openssl ca -batch -notext -cert "${TMPDIR}/${issuer_file}.crt" \
+            -keyfile "${TMPDIR}/${issuer_file}.key" \
+            -config ${TMPDIR}/openssl.cnf -extensions v3_other \
+            -startdate 20100101000000Z -enddate 20200101000000Z \
+            -in "${TMPDIR}/${file}.csr" -out "${TMPDIR}/${file}.crt"
+}
+create_revoked_leaf() {
+        local name=$1 file=$2 issuer_file=$3 key_type=$4
+        key_args=$(key_type_to_args "${key_type}")
+        openssl req -new -days 3650 -nodes ${key_args} -sha256 \
+            -subj "${SUBJECT} ${name}" -keyout "${TMPDIR}/${file}.key" \
+            -out "${TMPDIR}/${file}.csr"
+        openssl x509 -req -days 3650 -CA "${TMPDIR}/${issuer_file}.crt" \
+            -CAkey "${TMPDIR}/${issuer_file}.key" -CAcreateserial \
+            -extfile ${TMPDIR}/openssl.cnf -extensions v3_other \
+            -in "${TMPDIR}/${file}.csr" -out "${TMPDIR}/${file}.crt"
+        openssl ca -cert "${TMPDIR}/${issuer_file}.crt" \
+            -keyfile "${TMPDIR}/${issuer_file}.key" \
+            -config "${TMPDIR}/openssl.cnf" -extensions v3_other \
+            -revoke "${TMPDIR}/${file}.crt"
+        openssl ca -gencrl -cert "${TMPDIR}/${issuer_file}.crt" \
+            -keyfile "${TMPDIR}/${issuer_file}.key" \
+            -config "${TMPDIR}/openssl.cnf" -extensions v3_other \
+            -crldays 30 -out "${TMPDIR}/${issuer_file}.crl"
+}
+create_bundle() {
+        local bundle_file=$1
+        shift
+        mkdir -p $(dirname ${bundle_file})
+        cat /dev/null > ${bundle_file}
+        for _cert_file in $@; do
+                openssl x509 -nameopt oneline -subject -issuer \
+                    -in "${TMPDIR}/${_cert_file}.crt" >> ${bundle_file}
+        done
+}
+create_bundle_with_key() {
+        local bundle_file=$1
+        shift
+        mkdir -p $(dirname ${bundle_file})
+        cat /dev/null > ${bundle_file}
+        for _cert_file in $@; do
+                openssl x509 -nameopt oneline -subject -issuer -noout \
+                    -in "${TMPDIR}/${_cert_file}.crt" >> ${bundle_file}
+        done
+        for _cert_file in $@; do
+                cat "${TMPDIR}/${_cert_file}.crt" >> ${bundle_file}
+        done
+        for _key_file in $@; do
+                cat "${TMPDIR}/${_key_file}.key" >> ${bundle_file}
+        done
+}
+setup
+reset
+create_root "Root CA RSA" "ca-root-rsa" "rsa:2048"
+create_intermediate "Intermediate CA RSA" "ca-int-rsa" "ca-root-rsa" "rsa:2048"
+create_leaf "Server 1 RSA" "server-1-rsa" "ca-int-rsa" "rsa:2048"
+create_expired_leaf "Server 2 RSA" "server-2-rsa" "ca-int-rsa" "rsa:2048"
+create_revoked_leaf "Server 3 RSA" "server-3-rsa" "ca-int-rsa" "rsa:2048"
+create_leaf "Client 1 RSA" "client-1-rsa" "ca-int-rsa" "rsa:2048"
+create_expired_leaf "Client 2 RSA" "client-2-rsa" "ca-int-rsa" "rsa:2048"
+create_revoked_leaf "Client 3 RSA" "client-3-rsa" "ca-int-rsa" "rsa:2048"
+create_bundle "./ca-root-rsa.pem" "ca-root-rsa"
+create_bundle "./ca-int-rsa.pem" "ca-int-rsa"
+cp "${TMPDIR}/ca-int-rsa.crl" "./ca-int-rsa.crl"
+create_bundle_with_key "./server1-rsa.pem" "server-1-rsa"
+create_bundle "./server1-rsa-chain.pem" "server-1-rsa" "ca-int-rsa"
+create_bundle_with_key "./server2-rsa.pem" "server-2-rsa"
+create_bundle "./server2-rsa-chain.pem" "server-2-rsa" "ca-int-rsa"
+create_bundle_with_key "./server3-rsa.pem" "server-3-rsa"
+create_bundle "./server3-rsa-chain.pem" "server-3-rsa" "ca-int-rsa"
+create_bundle_with_key "./client1-rsa.pem" "client-1-rsa"
+create_bundle "./client1-rsa-chain.pem" "client-1-rsa" "ca-int-rsa"
+create_bundle_with_key "./client2-rsa.pem" "client-2-rsa"
+create_bundle "./client2-rsa-chain.pem" "client-2-rsa" "ca-int-rsa"
+create_bundle_with_key "./client3-rsa.pem" "client-3-rsa"
+create_bundle "./client3-rsa-chain.pem" "client-3-rsa" "ca-int-rsa"
+reset
+create_root "Root CA ECDSA" "ca-root-ecdsa" "ec:prime256v1"
+create_intermediate "Intermediate CA ECDSA" "ca-int-ecdsa" "ca-root-ecdsa" "ec:prime256v1"
+create_leaf "Server 1 ECDSA" "server-1-ecdsa" "ca-int-ecdsa" "ec:prime256v1"
+create_expired_leaf "Server 2 ECDSA" "server-2-ecdsa" "ca-int-ecdsa" "ec:prime256v1"
+create_revoked_leaf "Server 3 ECDSA" "server-3-ecdsa" "ca-int-ecdsa" "ec:prime256v1"
+create_leaf "Client 1 ECDSA" "client-1-ecdsa" "ca-int-ecdsa" "ec:prime256v1"
+create_expired_leaf "Client 2 ECDSA" "client-2-ecdsa" "ca-int-ecdsa" "ec:prime256v1"
+create_revoked_leaf "Client 3 ECDSA" "client-3-ecdsa" "ca-int-ecdsa" "ec:prime256v1"
+create_bundle "./ca-root-ecdsa.pem" "ca-root-ecdsa"
+create_bundle "./ca-int-ecdsa.pem" "ca-int-ecdsa"
+cp "${TMPDIR}/ca-int-ecdsa.crl" "./ca-int-ecdsa.crl"
+create_bundle_with_key "./server1-ecdsa.pem" "server-1-ecdsa"
+create_bundle "./server1-ecdsa-chain.pem" "server-1-ecdsa" "ca-int-ecdsa"
+create_bundle_with_key "./server2-ecdsa.pem" "server-2-ecdsa"
+create_bundle "./server2-ecdsa-chain.pem" "server-2-ecdsa" "ca-int-ecdsa"
+create_bundle_with_key "./server3-ecdsa.pem" "server-3-ecdsa"
+create_bundle "./server3-ecdsa-chain.pem" "server-3-ecdsa" "ca-int-ecdsa"
+create_bundle_with_key "./client1-ecdsa.pem" "client-1-ecdsa"
+create_bundle "./client1-ecdsa-chain.pem" "client-1-ecdsa" "ca-int-ecdsa"
+create_bundle_with_key "./client2-ecdsa.pem" "client-2-ecdsa"
+create_bundle "./client2-ecdsa-chain.pem" "client-2-ecdsa" "ca-int-ecdsa"
+create_bundle_with_key "./client3-ecdsa.pem" "client-3-ecdsa"
+create_bundle "./client3-ecdsa-chain.pem" "client-3-ecdsa" "ca-int-ecdsa"
author	jsing <>	2021-12-27 14:40:16 +0000
committer	jsing <>	2021-12-27 14:40:16 +0000
commit	545f8879bf409b24a1dbb853e5a8f3b7e7d6a81f (patch)
tree	6517fc79f8cd29b57ce1530e7e5dfeca62454b29 /src
parent	2ff232a7ae3136fc0b5bc80b8e582b790fdf364e (diff)
download	openbsd-545f8879bf409b24a1dbb853e5a8f3b7e7d6a81f.tar.gz openbsd-545f8879bf409b24a1dbb853e5a8f3b7e7d6a81f.tar.bz2 openbsd-545f8879bf409b24a1dbb853e5a8f3b7e7d6a81f.zip

diff --git a/src/regress/lib/libssl/certs/make-certs.sh b/src/regress/lib/libssl/certs/make-certs.sh new file mode 100755 index 0000000000..c90b7c8ff3 --- /dev/null +++ b/src/regress/lib/libssl/certs/make-certs.sh
@@ -0,0 +1,263 @@
	1	#!/bin/ksh
	2
	3	#
	4	# Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
	5	#
	6	# Permission to use, copy, modify, and distribute this software for any
	7	# purpose with or without fee is hereby granted, provided that the above
	8	# copyright notice and this permission notice appear in all copies.
	9	#
	10	# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	11	# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	12	# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	13	# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	14	# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	15	# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	16	# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	17	#
	18
	19	set -e
	20	set -u
	21	set -x
	22
	23	readonly SUBJECT="/CN=LibreSSL Test"
	24
	25	readonly TMPDIR=$(mktemp -d)
	26
	27	cleanup() {
	28	rm -rf "${TMPDIR}"
	29	}
	30
	31	trap cleanup EXIT INT
	32
	33	reset() {
	34	echo '100001' > ${TMPDIR}/certserial
	35	cat /dev/null > ${TMPDIR}/certindex
	36	}
	37
	38	setup() {
	39	reset
	40
	41	cat > ${TMPDIR}/openssl.cnf <<EOF
	42	[ca]
	43	default_ca = test_ca
	44
	45	[test_ca]
	46	new_certs_dir = ${TMPDIR}/
	47	database = ${TMPDIR}/certindex
	48	default_days = 365
	49	default_md = sha256
	50	policy = test_policy
	51	serial = ${TMPDIR}/certserial
	52
	53	[test_policy]
	54	countryName = optional
	55	stateOrProvinceName = optional
	56	localityName = optional
	57	organizationName = optional
	58	organizationalUnitName = optional
	59	commonName = supplied
	60	emailAddress = optional
	61
	62	[v3_ca_root]
	63	subjectKeyIdentifier = hash
	64	authorityKeyIdentifier = keyid:always,issuer
	65	basicConstraints = critical, CA:true
	66	keyUsage = critical, cRLSign, keyCertSign
	67
	68	[v3_ca_int]
	69	subjectKeyIdentifier = hash
	70	authorityKeyIdentifier = keyid:always,issuer
	71	basicConstraints = critical, CA:true
	72	keyUsage = critical, cRLSign, keyCertSign
	73
	74	[v3_other]
	75	subjectKeyIdentifier = hash
	76	authorityKeyIdentifier = keyid:always,issuer
	77	basicConstraints = critical, CA:false
	78	keyUsage = critical, digitalSignature
	79
	80	[req]
	81	distinguished_name = req_distinguished_name
	82
	83	[ req_distinguished_name ]
	84	EOF
	85	}
	86
	87	key_type_to_args() {
	88	local key_type=$1
	89
	90	alg=${key_type%:*}
	91	param=${key_type#*:}
	92
	93	if [[ "${alg}" == "rsa" ]]; then
	94	echo "-newkey ${key_type}";
	95	elif [[ "${alg}" == "ec" ]]; then
	96	echo "-newkey $alg -pkeyopt ec_paramgen_curve:${param}"
	97	else
	98	echo "Unknown key type ${key_type}" >&2
	99	exit 1
	100	fi
	101	}
	102
	103	create_root() {
	104	local name=$1 file=$2 key_type=$3
	105
	106	key_args=$(key_type_to_args "${key_type}")
	107
	108	openssl req -new -days 3650 -nodes ${key_args} -sha256 -x509 \
	109	-subj "${SUBJECT} ${name}" -keyout "${TMPDIR}/${file}.key" \
	110	-config ${TMPDIR}/openssl.cnf -extensions v3_ca_root \
	111	-out "${TMPDIR}/${file}.crt"
	112	}
	113
	114	create_intermediate() {
	115	local name=$1 file=$2 issuer_file=$3 key_type=$4
	116
	117	key_args=$(key_type_to_args "${key_type}")
	118
	119	openssl req -new -days 3650 -nodes ${key_args} -sha256 \
	120	-subj "${SUBJECT} ${name}" -keyout "${TMPDIR}/${file}.key" \
	121	-out "${TMPDIR}/${file}.csr"
	122	openssl x509 -req -days 3650 -CA "${TMPDIR}/${issuer_file}.crt" \
	123	-CAkey "${TMPDIR}/${issuer_file}.key" -CAcreateserial \
	124	-extfile ${TMPDIR}/openssl.cnf -extensions v3_ca_int \
	125	-in "${TMPDIR}/${file}.csr" -out "${TMPDIR}/${file}.crt"
	126	}
	127
	128	create_leaf() {
	129	local name=$1 file=$2 issuer_file=$3 key_type=$4
	130
	131	key_args=$(key_type_to_args "${key_type}")
	132
	133	openssl req -new -days 3650 -nodes ${key_args} -sha256 \
	134	-subj "${SUBJECT} ${name}" -keyout "${TMPDIR}/${file}.key" \
	135	-out "${TMPDIR}/${file}.csr"
	136	openssl x509 -req -days 3650 -CA "${TMPDIR}/${issuer_file}.crt" \
	137	-CAkey "${TMPDIR}/${issuer_file}.key" -CAcreateserial -sha256 \
	138	-extfile ${TMPDIR}/openssl.cnf -extensions v3_other \
	139	-in "${TMPDIR}/${file}.csr" -out "${TMPDIR}/${file}.crt"
	140	}
	141
	142	create_expired_leaf() {
	143	local name=$1 file=$2 issuer_file=$3 key_type=$4
	144
	145	key_args=$(key_type_to_args "${key_type}")
	146
	147	openssl req -new -days 3650 -nodes ${key_args} -sha256 \
	148	-subj "${SUBJECT} ${name}" -keyout "${TMPDIR}/${file}.key" \
	149	-out "${TMPDIR}/${file}.csr"
	150	openssl ca -batch -notext -cert "${TMPDIR}/${issuer_file}.crt" \
	151	-keyfile "${TMPDIR}/${issuer_file}.key" \
	152	-config ${TMPDIR}/openssl.cnf -extensions v3_other \
	153	-startdate 20100101000000Z -enddate 20200101000000Z \
	154	-in "${TMPDIR}/${file}.csr" -out "${TMPDIR}/${file}.crt"
	155	}
	156
	157	create_revoked_leaf() {
	158	local name=$1 file=$2 issuer_file=$3 key_type=$4
	159
	160	key_args=$(key_type_to_args "${key_type}")
	161
	162	openssl req -new -days 3650 -nodes ${key_args} -sha256 \
	163	-subj "${SUBJECT} ${name}" -keyout "${TMPDIR}/${file}.key" \
	164	-out "${TMPDIR}/${file}.csr"
	165	openssl x509 -req -days 3650 -CA "${TMPDIR}/${issuer_file}.crt" \
	166	-CAkey "${TMPDIR}/${issuer_file}.key" -CAcreateserial \
	167	-extfile ${TMPDIR}/openssl.cnf -extensions v3_other \
	168	-in "${TMPDIR}/${file}.csr" -out "${TMPDIR}/${file}.crt"
	169	openssl ca -cert "${TMPDIR}/${issuer_file}.crt" \
	170	-keyfile "${TMPDIR}/${issuer_file}.key" \
	171	-config "${TMPDIR}/openssl.cnf" -extensions v3_other \
	172	-revoke "${TMPDIR}/${file}.crt"
	173	openssl ca -gencrl -cert "${TMPDIR}/${issuer_file}.crt" \
	174	-keyfile "${TMPDIR}/${issuer_file}.key" \
	175	-config "${TMPDIR}/openssl.cnf" -extensions v3_other \
	176	-crldays 30 -out "${TMPDIR}/${issuer_file}.crl"
	177	}
	178
	179	create_bundle() {
	180	local bundle_file=$1
	181	shift
	182
	183	mkdir -p $(dirname ${bundle_file})
	184	cat /dev/null > ${bundle_file}
	185
	186	for _cert_file in $@; do
	187	openssl x509 -nameopt oneline -subject -issuer \
	188	-in "${TMPDIR}/${_cert_file}.crt" >> ${bundle_file}
	189	done
	190	}
	191
	192	create_bundle_with_key() {
	193	local bundle_file=$1
	194	shift
	195
	196	mkdir -p $(dirname ${bundle_file})
	197	cat /dev/null > ${bundle_file}
	198
	199	for _cert_file in $@; do
	200	openssl x509 -nameopt oneline -subject -issuer -noout \
	201	-in "${TMPDIR}/${_cert_file}.crt" >> ${bundle_file}
	202	done
	203	for _cert_file in $@; do
	204	cat "${TMPDIR}/${_cert_file}.crt" >> ${bundle_file}
	205	done
	206	for _key_file in $@; do
	207	cat "${TMPDIR}/${_key_file}.key" >> ${bundle_file}
	208	done
	209	}
	210
	211	setup
	212
	213	reset
	214	create_root "Root CA RSA" "ca-root-rsa" "rsa:2048"
	215	create_intermediate "Intermediate CA RSA" "ca-int-rsa" "ca-root-rsa" "rsa:2048"
	216	create_leaf "Server 1 RSA" "server-1-rsa" "ca-int-rsa" "rsa:2048"
	217	create_expired_leaf "Server 2 RSA" "server-2-rsa" "ca-int-rsa" "rsa:2048"
	218	create_revoked_leaf "Server 3 RSA" "server-3-rsa" "ca-int-rsa" "rsa:2048"
	219	create_leaf "Client 1 RSA" "client-1-rsa" "ca-int-rsa" "rsa:2048"
	220	create_expired_leaf "Client 2 RSA" "client-2-rsa" "ca-int-rsa" "rsa:2048"
	221	create_revoked_leaf "Client 3 RSA" "client-3-rsa" "ca-int-rsa" "rsa:2048"
	222
	223	create_bundle "./ca-root-rsa.pem" "ca-root-rsa"
	224	create_bundle "./ca-int-rsa.pem" "ca-int-rsa"
	225	cp "${TMPDIR}/ca-int-rsa.crl" "./ca-int-rsa.crl"
	226	create_bundle_with_key "./server1-rsa.pem" "server-1-rsa"
	227	create_bundle "./server1-rsa-chain.pem" "server-1-rsa" "ca-int-rsa"
	228	create_bundle_with_key "./server2-rsa.pem" "server-2-rsa"
	229	create_bundle "./server2-rsa-chain.pem" "server-2-rsa" "ca-int-rsa"
	230	create_bundle_with_key "./server3-rsa.pem" "server-3-rsa"
	231	create_bundle "./server3-rsa-chain.pem" "server-3-rsa" "ca-int-rsa"
	232	create_bundle_with_key "./client1-rsa.pem" "client-1-rsa"
	233	create_bundle "./client1-rsa-chain.pem" "client-1-rsa" "ca-int-rsa"
	234	create_bundle_with_key "./client2-rsa.pem" "client-2-rsa"
	235	create_bundle "./client2-rsa-chain.pem" "client-2-rsa" "ca-int-rsa"
	236	create_bundle_with_key "./client3-rsa.pem" "client-3-rsa"
	237	create_bundle "./client3-rsa-chain.pem" "client-3-rsa" "ca-int-rsa"
	238
	239	reset
	240	create_root "Root CA ECDSA" "ca-root-ecdsa" "ec:prime256v1"
	241	create_intermediate "Intermediate CA ECDSA" "ca-int-ecdsa" "ca-root-ecdsa" "ec:prime256v1"
	242	create_leaf "Server 1 ECDSA" "server-1-ecdsa" "ca-int-ecdsa" "ec:prime256v1"
	243	create_expired_leaf "Server 2 ECDSA" "server-2-ecdsa" "ca-int-ecdsa" "ec:prime256v1"
	244	create_revoked_leaf "Server 3 ECDSA" "server-3-ecdsa" "ca-int-ecdsa" "ec:prime256v1"
	245	create_leaf "Client 1 ECDSA" "client-1-ecdsa" "ca-int-ecdsa" "ec:prime256v1"
	246	create_expired_leaf "Client 2 ECDSA" "client-2-ecdsa" "ca-int-ecdsa" "ec:prime256v1"
	247	create_revoked_leaf "Client 3 ECDSA" "client-3-ecdsa" "ca-int-ecdsa" "ec:prime256v1"
	248
	249	create_bundle "./ca-root-ecdsa.pem" "ca-root-ecdsa"
	250	create_bundle "./ca-int-ecdsa.pem" "ca-int-ecdsa"
	251	cp "${TMPDIR}/ca-int-ecdsa.crl" "./ca-int-ecdsa.crl"
	252	create_bundle_with_key "./server1-ecdsa.pem" "server-1-ecdsa"
	253	create_bundle "./server1-ecdsa-chain.pem" "server-1-ecdsa" "ca-int-ecdsa"
	254	create_bundle_with_key "./server2-ecdsa.pem" "server-2-ecdsa"
	255	create_bundle "./server2-ecdsa-chain.pem" "server-2-ecdsa" "ca-int-ecdsa"
	256	create_bundle_with_key "./server3-ecdsa.pem" "server-3-ecdsa"
	257	create_bundle "./server3-ecdsa-chain.pem" "server-3-ecdsa" "ca-int-ecdsa"
	258	create_bundle_with_key "./client1-ecdsa.pem" "client-1-ecdsa"
	259	create_bundle "./client1-ecdsa-chain.pem" "client-1-ecdsa" "ca-int-ecdsa"
	260	create_bundle_with_key "./client2-ecdsa.pem" "client-2-ecdsa"
	261	create_bundle "./client2-ecdsa-chain.pem" "client-2-ecdsa" "ca-int-ecdsa"
	262	create_bundle_with_key "./client3-ecdsa.pem" "client-3-ecdsa"
	263	create_bundle "./client3-ecdsa-chain.pem" "client-3-ecdsa" "ca-int-ecdsa"