==== Note ====

Please use auto_gen_cert.sh to generate all certs in sample_key, then run raw_data_key_gen.py to generate the sync raw data key.
Note: rsa3072_Expiration has a validity period of 1 day.

==== RSA ====

Generate a root key:

    openssl genrsa -out TestRoot.key 2048

Generate a self-signed root certificate:

    openssl req -extensions v3_ca -new -x509 -days 3650 -key TestRoot.key -out TestRoot.crt
    openssl x509 -in TestRoot.crt -out TestRoot.cer -outform DER
    openssl x509 -inform DER -in TestRoot.cer -outform PEM -out TestRoot.pub.pem

==== ECC ====

Generate a root key: prime256v1 (secp256r1 / NIST P-256) / secp384r1 / secp521r1

    openssl ecparam -out EccTestRoot.key -name prime256v1 -genkey

Generate a self-signed root certificate:

    openssl req -extensions v3_ca -new -x509 -days 3650 -key EccTestRoot.key -out EccTestRoot.crt
    openssl x509 -in EccTestRoot.crt -out EccTestRoot.cer -outform DER
    openssl x509 -inform DER -in EccTestRoot.cer -outform PEM -out EccTestRoot.pub.pem

==== EdDSA ====

Generate a root key: ED25519 / ED448

    openssl genpkey -algorithm ED25519 > ed25519.key

Generate a self-signed root certificate:

    openssl req -new -out ed25519.csr -key ed25519.key -config openssl-25519.cnf
    openssl x509 -req -days 700 -in ed25519.csr -signkey ed25519.key -out ed25519.crt

=== RSA Certificate Chains ===

NOTE: Use "//CN" on Windows and "/CN" on Linux systems.
RECOMMEND: Use openssl 1.1.1k

=== long_chains Certificate Chains (ShorterMAXUINT16_xxx.cert / ShorterMAXINT16_xxx.cert / Shorter1024B_xxx.cert) ===

For the CA cert:

    openssl req -nodes -x509 -days 3650 -newkey rsa:2048 -keyout ShorterMAXUINT16_ca.key -out ShorterMAXUINT16_ca.cert -sha256 -subj "/CN=DMTF libspdm RSA CA"

For the inter certs: generate the remaining certs in order.

Generate the cert chain:

    cat ShorterMAXUINT16_ca.cert.der ShorterMAXUINT16_inter*.cert.der ShorterMAXUINT16_end_responder.cert.der > ShorterMAXUINT16_bundle_responder.certchain.der

==== More cert_chains for ecp256/384/521, rsa2048/3072/4096, ed448/25519, sm2 to generate ====

NOTE: bundle_requester.certchain1.der and bundle_requester.certchain.der have the same leaf cert key. The same holds for bundle_responder.certchain1.der.
Generate a new ca1.key; use the old inter.key and end.key.

=== Add test certs in ecp256 ===

Generating ecp256/end_requester_ca_false.cert.der is the same as generating ecp256/end_requester.cert.der, except that the openssl.cnf section is as follows:

    [ v3_end_with_false_basicConstraints ]
    basicConstraints = critical,CA:true

Generating ecp256/end_requester_without_basic_constraint.cert.der is the same as generating ecp256/end_requester.cert.der, except that basicConstraints is excluded from the openssl.cnf section [ v3_end_without_basicConstraints ].

=== Gen rsa3072_Expiration ===

Generating rsa3072_Expiration is the same as generating rsa3072, except that the cert validity time is 1 day.

==== More alias_cert model cert_chains to generate ====

NOTE: bundle_responder.certchain_alias_cert_partial_set.der and bundle_requester.certchain.der have the same ca cert and inter cert. The only difference is the basic constraints: CA:true in the leaf cert of bundle_responder.certchain_alias_cert_partial_set.der.
This alias cert chain is partial, from the root CA to the device certificate CA. bundle_responder.certchain_alias.der is the entire cert_chain in alias_cert mode.
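To illustrate the chain layout and the basicConstraints test cases above, here is an added example (not libspdm's auto_gen_cert.sh or any file in sample_key) that builds a P-256 root/inter/leaf chain with openssl, bundles it as concatenated DER in root-first order, and reads back the leaf's basicConstraints; the file names, subjects and scratch directory are assumptions.

```shell
# Added example, not libspdm's auto_gen_cert.sh: ECP256 root -> inter -> leaf
# chain, DER bundle in README order, and a check of the leaf's basicConstraints
# (the property end_requester_ca_false / without_basic_constraint exercise).
set -e
WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption: writable tmp)

# Root CA: self-signed P-256 cert with an explicit extension file, so the
# result does not depend on the v3_ca section of the local openssl.cnf.
gen_ca() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
    openssl req -new -sha256 -key "$WORK/ca.key" \
        -subj "/CN=Example ECP256 CA" -out "$WORK/ca.csr"
    printf 'subjectKeyIdentifier=hash\nbasicConstraints=critical,CA:true\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -days 3650 -sha256 -in "$WORK/ca.csr" \
        -signkey "$WORK/ca.key" -extfile "$WORK/ca.ext" -out "$WORK/ca.cert"
}

# sign_cert NAME ISSUER EXTLINES: new P-256 key + CSR for NAME, signed by ISSUER.
# EXTLINES goes into the extension file (empty = no basicConstraints at all).
sign_cert() {
    name=$1; issuer=$2; exts=$3
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$name.key"
    openssl req -new -sha256 -key "$WORK/$name.key" \
        -subj "/CN=Example $name" -out "$WORK/$name.csr"
    printf 'subjectKeyIdentifier=hash\n%s\n' "$exts" > "$WORK/$name.ext"
    openssl x509 -req -days 365 -sha256 -in "$WORK/$name.csr" \
        -CA "$WORK/$issuer.cert" -CAkey "$WORK/$issuer.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.cert"
}

# bundle_chain LEAF: DER-encode root, inter and leaf and concatenate them
# root first, the same layout as *_bundle_responder.certchain.der.
bundle_chain() {
    for c in ca inter "$1"; do
        openssl x509 -in "$WORK/$c.cert" -outform DER -out "$WORK/$c.cert.der"
    done
    cat "$WORK/ca.cert.der" "$WORK/inter.cert.der" "$WORK/$1.cert.der" \
        > "$WORK/$1.certchain.der"
}

# leaf_ca_flag NAME: prints CA:TRUE, CA:FALSE or "absent" for NAME's cert.
# Plain path validation accepts all three; a leaf-must-not-be-CA rule
# has to be checked explicitly, which is what this function enables.
leaf_ca_flag() {
    openssl x509 -in "$WORK/$1.cert" -noout -text | awk '
        /Basic Constraints/ { getline; sub(/^[ \t]+/, ""); print; found = 1 }
        END { if (!found) print "absent" }'
}

# verify_chain LEAF: standard path validation against the root, via inter.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.cert" -untrusted "$WORK/inter.cert" \
        "$WORK/$1.cert" > /dev/null
}
```

Set WORK to keep the generated files; otherwise they land in a fresh temporary directory.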