The change to a more configuration based approach to enable FIPS mode operation highlights a shortcoming in the default should do something approach we've taken for bad configuration files. Currently, a bad configuration file will be automatically loaded and once the badness is detected, it will silently stop processing the configuration and continue normal operations. This is good for remote servers, allowing changes to be made without bricking things. It's bad when a user thinks they've configured what they want but got something wrong and it still appears to work. Reviewed-by: Dmitry Belyavskiy <email@example.com> (Merged from https://github.com/openssl/openssl/pull/16171)
|3 months ago|
|apps||3 months ago|
|README.txt||1 year ago|
|ca.cnf||3 months ago|
|mkcerts.sh||3 years ago|
|ocspquery.sh||9 years ago|
|ocsprun.sh||9 years ago|
There is often a need to generate test certificates automatically using
a script. This is often a cause for confusion which can result in incorrect
CA certificates, obsolete V1 certificates or duplicate serial numbers.
The range of command line options can be daunting for a beginner.
The mkcerts.sh script is an example of how to generate certificates
automatically using scripts. Example creates a root CA, an intermediate CA
signed by the root and several certificates signed by the intermediate CA.
The script then creates an empty index.txt file and adds entries for the
certificates and generates a CRL. Then one certificate is revoked and a
second CRL generated.
The script ocsprun.sh runs the test responder on port 8888 covering the
The script ocspquery.sh queries the status of the certificates using the