{"id":20268990,"url":"https://github.com/patatetom/tls4dev","last_synced_at":"2025-10-26T22:35:12.424Z","repository":{"id":256781114,"uuid":"449449629","full_name":"patatetom/tls4dev","owner":"patatetom","description":"certificates for development / testing","archived":false,"fork":false,"pushed_at":"2022-06-30T07:19:10.000Z","size":30,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-08-17T01:32:37.878Z","etag":null,"topics":["certificates","openssl","shell","ssl","ssl-certificate","tls","tls-certificate","trust"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/patatetom.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-01-18T21:14:09.000Z","updated_at":"2022-06-24T09:48:39.000Z","dependencies_parsed_at":"2024-09-13T02:51:47.013Z","dependency_job_id":"ab706ec7-edbd-434e-b64c-bae741624153","html_url":"https://github.com/patatetom/tls4dev","commit_stats":null,"previous_names":["patatetom/tls4dev"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/patatetom/tls4dev","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patatetom%2Ftls4dev","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patatetom%2Ftls4dev/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patatetom%2Ftls4dev/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patatetom%2Ftls4dev/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/patatetom","download_url":"https://codeload.github.com/patatetom/tls4dev/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patatetom%2Ftls4dev/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":281185436,"owners_count":26457746,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-26T02:00:06.575Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificates","openssl","shell","ssl","ssl-certificate","tls","tls-certificate","trust"],"created_at":"2024-11-14T12:22:26.317Z","updated_at":"2025-10-26T22:35:12.395Z","avatar_url":"https://github.com/patatetom.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# certificates for development / testing\n\n\n## openssl\n\n\n### prerequisites\n\n```console\nmkdir /tmp/cert4dev/ \u0026\u0026 cd /tmp/cert4dev/\n```\n\n```console\ncat \u003e dev.conf \u003c\u003c~~~~\n[ca]\ndefault_ca=dev\n[dev]\ndir=.\ndatabase=.db\nserial=.sn\npolicy=policy\n[policy]\ncountryName=optional\nstateOrProvinceName=optional\nlocalityName=optional\norganizationName=optional\norganizationalUnitName=optional\ncommonName=supplied\nemailAddress=optional\n[intermediate]\nbasicConstraints = CA:true, pathlen:0\n[server]\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\n~~~~\n```\n\n```console\ntouch .db .sn\n```\n\n```console\nopenssl version\n\nOpenSSL 1.1.1m 14 Dec 2021\n```\n\n\n### self-signed CA Root\n\n```console\nopenssl req \\\n -new -newkey rsa:4096 -nodes \\\n -keyout root.key.pem \\\n -x509 -sha512 -out root.cert.pem \\\n -days 30 -subj \"/C=xx/ST=test/L=test/O=test/OU=test/CN=root\"\n\nGenerating a RSA private key\n........++++\n.......++++\nwriting new private key to 'root.key.pem'\n-----\n```\n\n```console\nopenssl x509 \\\n -in root.cert.pem \\\n -text -noout\n\nCertificate:\n Data:\n Version: 3 (0x2)\n Serial Number:\n 5f:c1:20:d8:0c:a2:f2:7a:55:2b:1c:16:65:3e:e5:4b:96:65:c0:56\n Signature Algorithm: sha512WithRSAEncryption\n Issuer: C = xx, ST = test, L = test, O = test, OU = test, CN = root\n Validity\n Not Before: Jan 16 19:37:00 2022 GMT\n Not After : Feb 15 19:37:00 2022 GMT\n Subject: C = xx, ST = test, L = test, O = test, OU = test, CN = root\n Subject Public Key Info:\n Public Key Algorithm: rsaEncryption\n RSA Public-Key: (4096 bit)\n Modulus:\n …\n Exponent: 65537 (0x10001)\n X509v3 extensions:\n …\n X509v3 Basic Constraints: critical\n CA:TRUE\n Signature Algorithm: sha512WithRSAEncryption\n …\n```\n\n\n### intermediate certificate\n\n```console\nopenssl req \\\n -new -newkey rsa:4096 -nodes \\\n -keyout intermediate.key.pem \\\n -sha512 \\\n -out intermediate.csr.pem \\\n -subj \"/C=xx/ST=test/L=test/O=test/OU=test/CN=intermediate\"\n\nGenerating a RSA private key\n................................++++\n...................++++\nwriting new private key to 'intermediate.key.pem'\n-----\n```\n\n```console\nopenssl req \\\n -in intermediate.csr.pem \\\n -text -noout\n\nCertificate Request:\n Data:\n Version: 1 (0x0)\n Subject: C = xx, ST = test, L = test, O = test, OU = test, CN = intermediate\n Subject Public Key Info:\n Public Key Algorithm: rsaEncryption\n RSA Public-Key: (4096 bit)\n Modulus:\n …\n Exponent: 65537 (0x10001)\n Attributes:\n a0:00\n Signature Algorithm: sha512WithRSAEncryption\n …\n```\n\n```console\nopenssl ca \\\n -cert root.cert.pem -keyfile root.key.pem \\\n -extensions intermediate -rand_serial -days 30 -notext -md sha512 \\\n -in intermediate.csr.pem \\\n -outdir . -out intermediate.cert.pem \\\n -config dev.conf\n\nUsing configuration from dev.conf\nCheck that the request matches the signature\nSignature ok\nThe Subject's Distinguished Name is as follows\ncountryName :PRINTABLE:'xx'\nstateOrProvinceName :ASN.1 12:'test'\nlocalityName :ASN.1 12:'test'\norganizationName :ASN.1 12:'test'\norganizationalUnitName:ASN.1 12:'test'\ncommonName :ASN.1 12:'intermediate'\nCertificate is to be certified until Feb 15 21:35:32 2022 GMT (30 days)\nSign the certificate? [y/n]:y\n1 out of 1 certificate requests certified, commit? [y/n]y\nWrite out database with 1 new entries\nData Base Updated\n```\n\n```console\nopenssl x509 \\\n -in intermediate.cert.pem \\\n -text -noout\n\nCertificate:\n Data:\n Version: 1 (0x0)\n Serial Number:\n 37:a3:81:09:2e:0b:c2:19:5b:0c:fa:28:99:d1:e6:c9:60:43:d2:ce\n Signature Algorithm: sha512WithRSAEncryption\n Issuer: C = xx, ST = test, L = test, O = test, OU = test, CN = root\n Validity\n Not Before: Jan 16 21:35:32 2022 GMT\n Not After : Feb 15 21:35:32 2022 GMT\n Subject: C = xx, ST = test, L = test, O = test, OU = test, CN = intermediate\n Subject Public Key Info:\n Public Key Algorithm: rsaEncryption\n RSA Public-Key: (4096 bit)\n Modulus:\n …\n Exponent: 65537 (0x10001)\n X509v3 extensions:\n X509v3 Basic Constraints: critical\n CA:TRUE, pathlen:0\n X509v3 Key Usage: critical\n Digital Signature, Certificate Sign, CRL Sign\n Signature Algorithm: sha512WithRSAEncryption\n …\n```\n\n\u003e _note that a copy of the certificate is created with the certificate serial number as name._\n\u003e _`37A381092E0BC2195B0CFA2899D1E6C96043D2CE.pem` in this example._\n\n```console\nrm intermediate.csr.pem \n```\n\n```console\nopenssl verify \\\n -verbose -CAfile root.cert.pem \\\n intermediate.cert.pem\n\nintermediate.cert.pem: OK\n```\n\n\n### server certificate\n\n```console\nopenssl req \\\n -new -newkey rsa:4096 -nodes \\\n -keyout server.key.pem \\\n -sha512 \\\n -out server.csr.pem \\\n -subj \"/C=xx/ST=test/L=test/O=test/OU=test/CN=test.server\"\n\nGenerating a RSA private key\n....++++\n..............................................................................++++\nwriting new private key to 'server.key.pem'\n-----\n```\n\n```console\nopenssl req \\\n -in server.csr.pem \\\n -text -noout\n\nCertificate Request:\n Data:\n Version: 1 (0x0)\n Subject: C = xx, ST = test, L = test, O = test, OU = test, CN = test.server\n Subject Public Key Info:\n Public Key Algorithm: rsaEncryption\n RSA Public-Key: (4096 bit)\n Modulus:\n …\n Exponent: 65537 (0x10001)\n Attributes:\n a0:00\n Signature Algorithm: sha512WithRSAEncryption\n …\n```\n\n```console\nopenssl ca \\\n -cert intermediate.cert.pem -keyfile intermediate.key.pem \\\n -extensions server -rand_serial -days 30 -notext -md sha512 \\\n -in server.csr.pem \\\n -outdir . -out server.cert.pem \\\n -config dev.conf\n\nUsing configuration from dev.conf\nCheck that the request matches the signature\nSignature ok\nThe Subject's Distinguished Name is as follows\ncountryName :PRINTABLE:'xx'\nstateOrProvinceName :ASN.1 12:'test'\nlocalityName :ASN.1 12:'test'\norganizationName :ASN.1 12:'test'\norganizationalUnitName:ASN.1 12:'test'\ncommonName :ASN.1 12:'server.test'\nCertificate is to be certified until Feb 15 22:01:41 2022 GMT (30 days)\nSign the certificate? [y/n]:y\n1 out of 1 certificate requests certified, commit? [y/n]y\nWrite out database with 1 new entries\nData Base Updated\n```\n\n```console\nopenssl x509 \\\n -in server.cert.pem \\\n -text -noout\n\nCertificate:\n Data:\n Version: 1 (0x0)\n Serial Number:\n 21:4c:2d:01:07:20:6e:02:59:1b:53:ec:9e:71:3a:0e:3c:c3:46:7a\n Signature Algorithm: sha512WithRSAEncryption\n Issuer: C = xx, ST = test, L = test, O = test, OU = test, CN = intermediate\n Validity\n Not Before: Jan 16 22:01:41 2022 GMT\n Not After : Feb 15 22:01:41 2022 GMT\n Subject: C = xx, ST = test, L = test, O = test, OU = test, CN = server.test\n Subject Public Key Info:\n Public Key Algorithm: rsaEncryption\n RSA Public-Key: (4096 bit)\n Modulus:\n …\n Exponent: 65537 (0x10001)\n X509v3 extensions:\n X509v3 Key Usage: \n Digital Signature, Key Encipherment\n X509v3 Extended Key Usage: \n TLS Web Server Authentication\n Signature Algorithm: sha512WithRSAEncryption\n …\n```\n\n\u003e _note that a copy of the certificate is created with the certificate serial number as name._\n\u003e _`214C2D0107206E02591B53EC9E713A0E3CC3467A.pem` in this example._\n\n```console\nrm server.csr.pem \n```\n\n```console\nopenssl verify \\\n -verbose -CAfile root.cert.pem \\\n -untrusted intermediate.cert.pem server.cert.pem\n\nserver.cert.pem: OK\n```\n\n\n### bundle\n\n```console\ncat root.cert.pem intermediate.cert.pem server.cert.pem \u003e bundle.pem\n```\n\n\n\n## server\n\n```console\nwhile :\ndo\n\techo -e \"HTTP/1.0 200 OK\\nContent-Length: 0\\n\" |\n\topenssl s_server -cert server.cert.pem -key server.key.pem -accept 443\ndone\n```\n\n\n\n## client\n\n\u003e upload `bundle.pem` on the client for server certificate validation.\n\n\n### curl\n\n```console\ncurl --version\n\ncurl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/1.1.1m zlib/1.2.11 brotli/1.0.9 zstd/1.5.1 libidn2/2.3.2 libpsl/0.21.1 (+libidn2/2.3.0) libssh2/1.10.0 nghttp2/1.46.0\nRelease-Date: 2022-01-05\nProtocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp \nFeatures: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd\n```\n\n\u003e startup file `.curlrc` can interfere with the following commands.\n\u003e use `--disable` as first option to disable its use.\n\n```console\ncurl --head https://test.server \u0026\u0026 echo OK\n\ncurl: (60) SSL certificate problem: unable to get local issuer certificate\n```\n\n```console\ncurl --insecure --head https://test.server \u0026\u0026 echo OK\n\nHTTP/1.0 200 OK\nContent-Length: 0\nOK\n```\n\n```console\ncurl --cacert bundle.pem --head https://test.server \u0026\u0026 echo OK\n\nHTTP/1.0 200 OK\nContent-Length: 0\nOK\n```\n\n\n### wget\n\n```console\nwget --version\n\nGNU Wget 1.21.2 built on linux-gnu.\n-cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls \n+ntlm +opie +psl +ssl/gnutls \nWgetrc: \n /etc/wgetrc (system)\nLocale: \n /usr/share/locale \nCompile: \n gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC=\"/etc/wgetrc\" \n -DLOCALEDIR=\"/usr/share/locale\" -I. -I../lib -I../lib \n -D_FORTIFY_SOURCE=2 -I/usr/include/p11-kit-1 -DHAVE_LIBGNUTLS \n -DNDEBUG -march=x86-64 -mtune=generic -O2 -pipe -fno-plt \nLink: \n gcc -I/usr/include/p11-kit-1 -DHAVE_LIBGNUTLS -DNDEBUG \n -march=x86-64 -mtune=generic -O2 -pipe -fno-plt \n -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -lpcre2-8 -luuid \n -lidn2 -lnettle -lgnutls -lz -lpsl ftp-opie.o gnutls.o http-ntlm.o \n ../lib/libgnu.a /usr/lib/libunistring.so \n```\n\n\u003e startup file `.wgetrc` can interfere with the following commands.\n\n```console\nwget --server-response https://test.server \u0026\u0026 echo OK\n\n--2022-01-18 19:46:35-- https://test.server/\nSSL_INIT\nLoaded CA certificate '/etc/ssl/certs/ca-certificates.crt'\nResolving test.server (test.server)... 10.0.2.15\nConnecting to test.server (test.server)|10.0.2.15|:443... connected.\nERROR: The certificate of 'test.server' is not trusted.\nERROR: The certificate of 'test.server' doesn't have a known issuer.\n```\n\n```console\nwget --no-check-certificate --server-response --output-document=/dev/null --quiet https://test.server \u0026\u0026 echo OK\n\nSSL_INIT\n HTTP/1.0 200 OK\n Content-Length: 0\nOK\n```\n\n```console\nwget --ca-certificate=bundle.pem --server-response --output-document=/dev/null --quiet https://test.server \u0026\u0026 echo OK\n\nSSL_INIT\n HTTP/1.0 200 OK\n Content-Length: 0\nOK\n```\n\n\n### httpie\n\n```console\nhttps --version\n\n2.6.0\n```\n\n```console\nhttps --header test.server \u0026\u0026 echo OK\n\nhttps: error: ConnectionError: HTTPSConnectionPool(host='test.server', port=443): Max retries exceeded with url: / (Caused by NewConnectionError('\u003curllib3.connection.HTTPSConnection object at 0x7f692dc58820\u003e: Failed to establish a new connection: [Errno 111] Connection refused')) while doing a GET request to URL: https://test.server/\n```\n\n```console\nhttps --verify=no --header test.server \u0026\u0026 echo OK\n\nHTTP/1.0 200 OK\nContent-Length: 0\nOK\n```\n\n```console\nhttps --verify=./bundle.pem --header test.server \u0026\u0026 echo OK\n\nHTTP/1.0 200 OK\nContent-Length: 0\nOK\n```\n\n\n### system trust bundle\n\n\u003e system is `ArchLinux` up to date\n\n```console\ntrust anchor --store bundle.pem\n```\n\n```console\ntrust list | egrep -B1 -A2 'label: (root|intermediate|test.server)'\n\n type: certificate\n label: intermediate\n trust: anchor\n category: authority\n--\n type: certificate\n label: root\n trust: anchor\n category: authority\n--\n type: certificate\n label: test.server\n trust: anchor\n category: other-entry\n```\n\n```console\ncurl --head https://test.server \u0026\u0026 echo OK\n\nHTTP/1.0 200 OK\nContent-Length: 0\nOK\n```\n\n```console\nwget --server-response --output-document=/dev/null --quiet https://test.server \u0026\u0026 echo OK\n\nSSL_INIT\n HTTP/1.0 200 OK\n Content-Length: 0\nOK\n```\n\n```console\nhttps --header test.server \u0026\u0026 echo OK\n\nHTTP/1.0 200 OK\nContent-Length: 0\nOK\n```\n\n\n## see also\n\n- [minica](https://github.com/jsha/minica)\n- [mkcert](https://github.com/FiloSottile/mkcert)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpatatetom%2Ftls4dev","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpatatetom%2Ftls4dev","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpatatetom%2Ftls4dev/lists"}