
Commit 7f0a19d

xds: Add documentation for /sni-test-certs and refactoring (#12415)
1 parent 032d292 commit 7f0a19d

2 files changed, +55 -0 lines changed

Lines changed: 55 additions & 0 deletions
@@ -0,0 +1,55 @@
1+
Bad Wildcard DNS Certificate (bad_wildcard_dns_certificate.pem)
2+
This certificate is used for testing SNI with invalid wildcard DNS SANs. It is issued by a custom, self-signed Certificate Authority (CA).
3+
4+
1. Create the Certificate Authority (CA)
5+
Create the CA's private key:
6+
$ openssl genpkey -algorithm RSA -out ca.key -pkeyopt rsa_keygen_bits:2048
7+
Create the CA's self-signed certificate:
8+
$ openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.pem -subj "/CN=My Internal CA"
9+
10+
2. Generate the Server Certificate
11+
Next, generate the server's private key and a Certificate Signing Request (CSR).
12+
Create the server's private key:
13+
$ openssl genpkey -algorithm RSA -out bad_wildcard_dns.key -pkeyopt rsa_keygen_bits:2048
14+
Create a configuration file named san.cnf with the following content. This file specifies the Subject Alternative Names (SANs) for the certificate.
15+
[req]
16+
distinguished_name = req_distinguished_name
17+
req_extensions = v3_req
18+
prompt = no
19+
20+
[req_distinguished_name]
21+
C = US
22+
ST = Illinois
23+
L = Chicago
24+
O = "Example, Co."
25+
CN = *.test.google.com
26+
27+
[v3_req]
28+
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
29+
extendedKeyUsage = serverAuth
30+
subjectAltName = @alt_names
31+
32+
[alt_names]
33+
DNS.1 = *.test.google.fr
34+
DNS.2 = *.test.youtube.com
35+
DNS.3 = waterzooi.test.google.be
36+
DNS.4 = 192.168.1.3
37+
DNS.5 = *.TEST.YOUTUBE.com
38+
DNS.6 = w*i.test.google.be
39+
DNS.7 = w*a.test.google.be
40+
DNS.8 = *.test.google.com.au
41+
DNS.9 = *waterzooi
42+
DNS.10 = *.lyft.com
43+
DNS.11 = ly**ft.com
44+
DNS.12 = *yft.c*m
45+
DNS.13 = xn--*.lyft.com
46+
47+
Create the Certificate Signing Request (CSR):
48+
$ openssl req -new -key bad_wildcard_dns.key -out bad_wildcard_dns.csr -config san.cnf
49+
50+
3. Sign the Server Certificate
51+
Finally, use the CA to sign the CSR, which will create the server certificate.
52+
$ openssl x509 -req -in bad_wildcard_dns.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out bad_wildcard_dns_certificate.pem -days 365 -sha256 -extensions v3_req -extfile san.cnf
53+
54+
4. Clean Up
55+
$ rm bad_wildcard_dns.key san.cnf bad_wildcard_dns.csr ca.key ca.pem ca.srl
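Review bot: the introduction says this certificate exists to test SNI against invalid wildcard DNS SANs, but the `[alt_names]` section mixes entries that read as ordinary, well-formed names (DNS.1, DNS.2, DNS.3, DNS.8, DNS.10) with deliberately malformed ones (`DNS.9 = *waterzooi`, `DNS.11 = ly**ft.com`, `DNS.13 = xn--*.lyft.com`, plus the IP literal in DNS.4 and the mid-label wildcards in DNS.6 and DNS.7), and nothing in the document states which entries the tests expect to match and which they expect to be rejected. A short comment per group in san.cnf, or a table after it, would make the fixture self-describing and stop a later edit from silently dropping the one entry a test depends on. Two smaller points: both openssl commands use `-days 365`, so the checked-in PEM expires a year after generation; if any test validates the certificate rather than only matching SNI, record the generation date here or use a longer validity. And step 4 deletes ca.key and ca.pem, which is fine for SNI-matching tests but means the certificate can never be chain-verified or re-signed; stating that explicitly saves the next reader from looking for a CA that no longer exists. Keeping `-extensions v3_req -extfile san.cnf` on the signing command is correct, since `openssl x509 -req` does not carry extensions over from the CSR on its own.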
