Console: add time left to certificates #1130
Allan Roger Reid edited this page Feb 2, 2023 · 4 revisions
https://github.com/miniohq/engineering/issues/1130
apt-get install openssl -y
openssl req -x509 \
-sha256 -days 300 \
-nodes \
-newkey rsa:2048 \
-subj "/CN=min.io/C=US/L=San Fransisco" \
-keyout rootCA.key -out rootCA.crt
openssl genrsa -out server.key 2048
cat > csr.conf <<EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = US
ST = California
L = San Fransisco
O = MinIO Inc.
OU = HQ
CN = min.io
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = min.io
IP.1 = 127.0.0.1
EOF
openssl req -new -key server.key -out server.csr -config csr.conf
cat > cert.conf <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = min.io
EOF
apt-get install faketime
faketime '2000-01-01 00:00:00' \
openssl x509 -req \
-in server.csr \
-CA rootCA.crt -CAkey rootCA.key \
-CAcreateserial -out server-expired.crt \
-days 1 \
-sha256 -extfile cert.conf
openssl x509 -noout -text -in server-expired.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4a:19:b0:86:7a:ce:b6:ae:d2:e1:7f:92:66:8b:bf:0c:73:10:e9:e7
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = min.io, C = US, L = San Fransisco
Validity
Not Before: Jan 1 00:00:00 2000 GMT
Not After : Jan 2 00:00:00 2000 GMT
Subject: C = US, ST = California, L = San Fransisco, O = MinIO Inc., OU = HQ, CN = min.io
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
C0:8A:32:DE:F4:0A:67:80:99:56:7C:75:F7:CB:77:89:31:EB:BD:79
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Subject Alternative Name:
DNS:min.io
X509v3 Subject Key Identifier:
DD:C4:11:D3:42:46:C7:71:3B:6A:4A:23:46:7E:5D:DE:97:DD:48:BE
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
openssl x509 -req \
-in server.csr \
-CA rootCA.crt -CAkey rootCA.key \
-CAcreateserial -out 1-day-expiring.crt \
-days 1 \
-sha256 -extfile cert.conf
openssl x509 -req \
-in server.csr \
-CA rootCA.crt -CAkey rootCA.key \
-CAcreateserial -out 9-day-expiring.crt \
-days 9 \
-sha256 -extfile cert.conf
openssl x509 -req \
-in server.csr \
-CA rootCA.crt -CAkey rootCA.key \
-CAcreateserial -out 29-day-expiring.crt \
-days 29 \
-sha256 -extfile cert.conf
openssl x509 -req \
-in server.csr \
-CA rootCA.crt -CAkey rootCA.key \
-CAcreateserial -out 300-day-expiring.crt \
-days 300 \
-sha256 -extfile cert.conf
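To confirm that the certificates generated above carry the intended validity windows, the following added example (not part of the original page) reads each certificate's notAfter date and reports the time left. The function names `seconds_left`, `expiry_status` and `cert_status` are hypothetical, and the date parsing assumes GNU `date`.

```sh
#!/bin/sh
# Added example: report the time left on the test certificates generated above.
# Function names are illustrative; date parsing relies on GNU date (-d).

# seconds_left NOT_AFTER NOW_EPOCH
# NOT_AFTER is the text openssl prints after "notAfter=",
# e.g. "Jan  2 00:00:00 2000 GMT". Prints a negative number if already expired.
seconds_left() {
    end=$(date -u -d "$1" +%s) || return 1
    echo $(( end - $2 ))
}

# expiry_status SECONDS_LEFT
# Prints "expired" or the number of whole days remaining (rounded down).
expiry_status() {
    if [ "$1" -le 0 ]; then
        echo "expired"
    else
        echo "$(( $1 / 86400 )) days left"
    fi
}

# cert_status FILE [NOW_EPOCH]
# Reads notAfter from a PEM certificate and classifies it against NOW_EPOCH
# (defaults to the current time).
cert_status() {
    not_after=$(openssl x509 -noout -enddate -in "$1") || return 1
    not_after=${not_after#notAfter=}
    now=${2:-$(date -u +%s)}
    secs=$(seconds_left "$not_after" "$now") || return 1
    expiry_status "$secs"
}

# Walk the files created by the commands on this page, skipping any that are absent.
for crt in server-expired.crt 1-day-expiring.crt 9-day-expiring.crt \
           29-day-expiring.crt 300-day-expiring.crt; do
    if [ -f "$crt" ]; then
        printf '%-22s %s\n' "$crt" "$(cert_status "$crt")"
    fi
done
```

Because whole days are rounded down, a certificate issued a few seconds ago with `-days 9` reports 8 days left.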