Generate a certificate with critical id-pkix-ocsp-nocheck extension

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/12947)
2025-02-17 14:32:04 +08:00 · 2020-09-23 09:43:43 +02:00 · 2020-09-23 09:43:43 +02:00 · cf61b97d5f
commit cf61b97d5f
parent 37326895b7
2 changed files with 38 additions and 1 deletions
--- a/test/certs/mkcert.sh
+++ b/test/certs/mkcert.sh
@ -233,6 +233,40 @@ genee() {
 	    -set_serial 2 -days "${DAYS}" "$@"
 }

+geneeextra() {
+    local OPTIND=1
+    local purpose=serverAuth
+
+    while getopts p: o
+    do
+        case $o in
+        p) purpose="$OPTARG";;
+        *) echo "Usage: $0 geneeextra [-p EKU] cn keyname certname cakeyname cacertname extraext" >&2
+           return 1;;
+        esac
+    done
+
+    shift $((OPTIND - 1))
+    local cn=$1; shift
+    local key=$1; shift
+    local cert=$1; shift
+    local cakey=$1; shift
+    local ca=$1; shift
+    local extraext=$1; shift
+
+    exts=$(printf "%s\n%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
+	    "subjectKeyIdentifier = hash" \
+	    "authorityKeyIdentifier = keyid, issuer" \
+	    "basicConstraints = CA:false" \
+	    "extendedKeyUsage = $purpose" \
+	    "subjectAltName = @alts"\
+	    "$extraext" "DNS=${cn}")
+    csr=$(req "$key" "CN = $cn") || return 1
+    echo "$csr" |
+	cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
+	    -set_serial 2 -days "${DAYS}" "$@"
+}
+
 geneenocsr() {
    local OPTIND=1
    local purpose=serverAuth
@ -241,7 +275,7 @@ geneenocsr() {
    do
        case $o in
        p) purpose="$OPTARG";;
-        *) echo "Usage: $0 genee [-p EKU] cn certname cakeyname cacertname" >&2
+        *) echo "Usage: $0 geneenocsr [-p EKU] cn certname cakeyname cacertname" >&2
           return 1;;
        esac
    done
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@ -400,3 +400,6 @@ OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genroot "Root Ed448" \
    root-ed448-key root-ed448-cert
 OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \
    server-ed448-key server-ed448-cert root-ed448-key root-ed448-cert
+
+# Cert with id-pkix-ocsp-no-check
+./mkcert.sh geneeextra server.example ee-key ee-cert-ocsp-nocheck ca-key ca-cert "1.3.6.1.5.5.7.48.1.5=critical,DER:05:00"