This script doesn't automatically test the cases that require biometrics.
./piv_cli_test.sh -h
./piv_cli_test.ps1 -h
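- Create a private certificate authority (CA) and a certificate for it. Start by generating the CA private key and its certificate signing request (CSR). Because of -nodes, CA_private_key.key is written unencrypted, so restrict access to that file.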
openssl req -new -newkey rsa:2048 -nodes -out CA_CSR.csr -keyout CA_private_key.key -sha256
- Create a certificate for your private CA. This step creates a certificate (.arm) that you can use to sign your CSR.
openssl x509 -signkey CA_private_key.key -days 90 -req -in CA_CSR.csr -out CA_certificate.arm -sha256
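- Use the CA certificate to sign the certificate signing request (CSR.csr) that you created in "Creating private keys and certificates". The command sets a fixed serial number (01), so every certificate issued this way carries the same serial; keep this to test certificates.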
openssl x509 -req -days 90 -in CSR.csr -CA CA_certificate.arm -CAkey CA_private_key.key -out certificate.arm -set_serial 01 -sha256
- To create a self-signed certificate instead, replace CSR.csr with CA_CSR.csr in the command above.
- Generate a 2048-bit RSA or an EC P-256 private key. Run only one of the two commands below: both write key.pem, unencrypted.
openssl genrsa -out key.pem 2048
openssl genpkey -algorithm EC -out key.pem -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve
- Generate a Certificate Signing Request
openssl req -new -sha256 -key key.pem -out csr.csr
- Generate a self-signed x509 certificate
openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out certificate.pem
- Create a PKCS#12 file. openssl prompts for an export password, which protects the private key inside the file.
openssl pkcs12 -export -out pkcs12.pfx -inkey key.pem -in certificate.pem
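Or specify the encryption algorithm for the private key and certificates explicitly. PBE-SHA1-RC2-40 is a legacy 40-bit cipher that gives little real protection, so use it only when the tool that imports the file requires it, and handle the resulting .pfx as if the key were unprotected.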
openssl pkcs12 -export -out pkcs12.pfx -inkey key.pem -in certificate.pem -keypbe PBE-SHA1-RC2-40 -certpbe PBE-SHA1-RC2-40