pki/test/README.md
# Generate chain
`sh generate.sh` creates the trust chain using the configuration in `openssl.conf`.
Set your machine clock at least one hour in the past before generating, so that Intermediate C's CRL (which is valid for one hour) is already expired once the clock is back at the real time.
All sub/intermediate CAs use the same config and therefore share the same certificate administration.
Revocations are currently only generated correctly because of the order in which revocations and CRLs are generated.
# Errors?!?!
macOS ships `LibreSSL` as its default `openssl`, which does not apply `openssl.conf` correctly.
Check the version using `openssl version`. This has been tested with `OpenSSL 1.1.1t 7 Feb 2023` as distributed by `Homebrew`.
# Certificate chain
Each certificate in the chain below is described with the following properties:
```
CommonName (as it appears on the certificate)
- serial: the certificate's serial number
- status: one of valid, revoked, expired
- CRL: the CRL issued by this cert
- Issues: certificates issued by this cert. When revoked they appear on the listed CRL.
- File: the file the cert is in. Only leaf certs contain a private key.
```
The actual chain:
```
Root CA
- serial: 01
- status: valid
- CRL: RootCALatest.crl
- Issues: Intermediate A CA, Intermediate B CA
- File: truststore.pem
Intermediate A CA
- serial: 02
- status: valid
- CRL: IntermediateCAALatest.crl
- Issues: CertA Valid, CertA Revoked, CertA Expired
- File: truststore.pem
Intermediate B CA
- serial: 03
- status: revoked
- CRL: IntermediateCABLatest.crl
- Issues: CertB Valid
- File: truststore.pem
Intermediate C CA
- serial: 04
- status: valid
- CRL: IntermediateCACLatest.crl that expires after 1 hour
- Issues: CertC Valid
- File: truststore.pem
CertA Valid
- serial: 05
- status: valid
- File: A-valid.pem
CertA Revoked
- serial: 06
- status: revoked
- File: A-revoked.pem
CertA Expired
- serial: 07
- status: expired
- File: A-expired.pem
CertB Valid
- serial: 08
- status: valid (but CA is revoked)
- File: B-valid_revoked-CA.pem
CertC Valid
- serial: 09
- status: valid (but CRL is expired)
- File: C-valid.pem
```
`truststore.pem` contains, in order:
- `Intermediate A CA`
- `Intermediate B CA`
- `Intermediate C CA`
- `Root CA`
`generate.sh` also creates `truststore_withPKIOverheid.pem`, which appends the following files:
- `truststore.pem`
- `/network/test/pkioverheid-server-bundle.pem`
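# Check the generated chain
The outcomes in the chain table can be checked mechanically with `openssl verify`. The script below is an added example and is not part of this repository or of `generate.sh`; it assumes it is run from `pki/test` after generation, that the four `*Latest.crl` files are PEM-encoded, and that the clock has been set back as described above so the expiry outcomes hold. The file names (`truststore.pem`, the leaf `.pem` files, the four CRLs) are the ones listed in this README; the script name `check_chain.sh` and the functions `classify`, `expected`, `verify_cert` and `check_all` are names chosen here.

```shell
#!/bin/sh
# check_chain.sh: added example, not part of this repository's generate.sh.
# Runs `openssl verify` with full-chain CRL checking over every leaf listed
# in the README and compares the result with the outcome the table predicts.
#
# Assumptions not stated in the README: it runs from pki/test after
# `sh generate.sh`, the four *Latest.crl files are PEM-encoded, and the clock
# has been set back as the README instructs so the expiry outcomes hold.

# Map one `openssl verify` transcript (stdout and stderr) to a status token.
# The strings matched are OpenSSL's X509 verify error strings; the depth in
# "error 23 at N depth" tells a revoked leaf (N=0) from a revoked issuing CA.
classify() {
  transcript="$1"
  case "$transcript" in
    *"error 23 at 0 depth"*)     echo "revoked" ;;
    *"certificate revoked"*)     echo "ca-revoked" ;;
    *"certificate has expired"*) echo "expired" ;;
    *"CRL has expired"*)         echo "crl-expired" ;;
    *": OK"*)                    echo "valid" ;;
    *)                           echo "unknown" ;;
  esac
}

# Outcome each leaf should produce, taken from the chain table in the README.
expected() {
  case "$1" in
    A-valid.pem)            echo "valid" ;;
    A-revoked.pem)          echo "revoked" ;;
    A-expired.pem)          echo "expired" ;;
    B-valid_revoked-CA.pem) echo "ca-revoked" ;;
    C-valid.pem)            echo "crl-expired" ;;
    *)                      echo "unknown" ;;
  esac
}

# Verify one leaf against the truststore. -crl_check_all checks the CRL of
# every certificate in the chain, not only the leaf's: with plain -crl_check
# the revocation of Intermediate B CA would go unnoticed for CertB Valid.
verify_cert() {
  result=$(openssl verify -crl_check_all \
      -CAfile truststore.pem \
      -CRLfile RootCALatest.crl \
      -CRLfile IntermediateCAALatest.crl \
      -CRLfile IntermediateCABLatest.crl \
      -CRLfile IntermediateCACLatest.crl \
      "$1" 2>&1)
  classify "$result"
}

# Check every leaf; the return value is the number of mismatches.
check_all() {
  failures=0
  for leaf in A-valid.pem A-revoked.pem A-expired.pem B-valid_revoked-CA.pem C-valid.pem; do
    want=$(expected "$leaf")
    got=$(verify_cert "$leaf")
    if [ "$want" = "$got" ]; then
      echo "PASS $leaf: $got"
    else
      echo "FAIL $leaf: expected $want, got $got"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Only run the live check when invoked as `sh check_chain.sh run`.
if [ "${1:-}" = "run" ]; then
  check_all
fi
```

Run it with `sh check_chain.sh run`; it prints one PASS/FAIL line per leaf and exits non-zero if any certificate does not produce the status the table lists. A `FAIL` on `C-valid.pem` reporting `valid` instead of `crl-expired` is the usual sign that the clock was not set back before `generate.sh` ran.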