1This documents the X.509 CAs, certificates, and CRLS used for testing. 2 3Certification authorities 4------------------------- 5 6There are two main CAs for use as trusted roots: 7- test-ca.crt aka "C=NL, O=PolarSSL, CN=PolarSSL Test CA" 8 uses a RSA-2048 key 9- test-ca2*.crt aka "C=NL, O=PolarSSL, CN=Polarssl Test EC CA" 10 uses an EC key with NIST P-384 (aka secp384r1) 11 variants used to test the keyUsage extension 12The files test-ca_cat12 and test-ca_cat21 contain them concatenated both ways. 13 14Two intermediate CAs are signed by them: 15- test-int-ca.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA" 16 uses RSA-4096, signed by test-ca2 17- test-int-ca2.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA" 18 uses an EC key with NIST P-256, signed by test-ca 19 20A third intermediate CA is signed by test-int-ca2.crt: 21- test-int-ca3.crt "C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3" 22 23Finally, other CAs for specific purposes: 24- enco-ca-prstr.pem: has its CN encoded as a printable string, but child cert 25 enco-cert-utf8str.pem has its issuer's CN encoded as a UTF-8 string. 26- test-ca-v1.crt: v1 "CA", signs 27 server1-v1.crt: v1 "intermediate CA", signs 28 server2-v1*.crt: EE cert (without of with chain in same file) 29- keyUsage.decipherOnly.crt: has the decipherOnly keyUsage bit set 30 31End-entity certificates 32----------------------- 33 34Short information fields: 35 36- name or pattern 37- issuing CA: 1 -> test-ca.crt 38 2 -> test-ca2.crt 39 I1 -> test-int-ca.crt 40 I2 -> test-int-ca2.crt 41 I3 -> test-int-ca3.crt 42 O -> other 43- key type: R -> RSA, E -> EC 44- C -> there is a CRL revoking this cert (see below) 45- L -> CN=localhost (useful for local test servers) 46- P1, P2 if the file includes parent (resp. parent + grandparent) 47- free-form comments 48 49List of certificates: 50 51- cert_example_multi*.crt: 1/O R: subjectAltName 52- cert_example_wildcard.crt: 1 R: wildcard in subject's CN 53- cert_md*.crt, cert_sha*.crt: 1 R: signature hash 54- cert_v1_with_ext.crt: 1 R: v1 with extensions (illegal) 55- cli2.crt: 2 E: basic 56- enco-cert-utf8str.pem: see enco-ca-prstr.pem above 57- server1*.crt: 1* R C* P1*: misc *(server1-v1 see test-ca-v1.crt above) 58 *CRL for: .cert_type.crt, .crt, .key_usage.crt, .v1.crt 59 P1 only for _ca.crt 60- server2-v1*.crt: O R: see test-ca-v1.crt above 61- server2*.crt: 1 R L: misc 62- server3.crt: 1 E L: EC cert signed by RSA CA 63- server4.crt: 2 R L: RSA cert signed by EC CA 64- server5*.crt: 2* E L: misc *(except server5-selfsigned) 65 -sha*: hashes 66 -eku*: extendeKeyUsage (cli/srv = www client/server, cs = codesign, etc) 67 -ku*: keyUsage (ds = signatures, ke/ka = key exchange/agreement) 68- server6-ss-child.crt: O E: "child" of non-CA server5-selfsigned 69- server6.crt, server6.pem: 2 E L C: revoked 70- server7*.crt: I1 E L P1*: EC signed by RSA signed by EC 71 *P1 except 7.crt, P2 _int-ca_ca2.crt 72 *_space: with PEM error(s) 73- server8*.crt: I2 R L: RSA signed by EC signed by RSA (P1 for _int-ca2) 74- server9*.crt: 1 R C* L P1*: signed using RSASSA-PSS 75 *CRL for: 9.crt, -badsign, -with-ca (P1) 76- server10*.crt: I3 E L P2/P3 77 78Certificate revocation lists 79---------------------------- 80 81Signing CA in parentheses (same meaning as certificates). 82 83- crl-ec-sha*.pem: (2) server6.crt 84- crl-future.pem: (2) server6.crt + unknown 85- crl-rsa-pss-*.pem: (1) server9{,badsign,with-ca}.crt + cert_sha384.crt + unknown 86- crl.pem, crl_expired.pem: (1) server1{,.cert_type,.key_usage,.v1}.crt + unknown 87- crl_md*.pem: crl_sha*.pem: (1) same as crl.pem 88- crt_cat_*.pem: (1+2) concatenations in various orders: 89 ec = crl-ec-sha256.pem, ecfut = crl-future.pem 90 rsa = crl.pem, rsabadpem = same with pem error, rsaexp = crl_expired.pem 91 92Note: crl_future would revoke server9 and cert_sha384.crt if signed by CA 1 93 crl-rsa-pss* would revoke server6.crt if signed by CA 2 94
