The test credentials have been generated with the following commands: The ca is self-signed: ---------------------- $ openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \ -config ca-openssl.cnf -days 3650 -extensions v3_req When prompted for certificate information, everything is default. valid is issued by CA: ---------------------------------------------------------------------------- $ openssl genrsa -out valid.key.rsa 2048 $ openssl pkcs8 -topk8 -in valid.key.rsa -out valid.key -nocrypt $ openssl req -new -key valid.key -out valid.csr When prompted for certificate information, everything is default except the common name which is set to valid. $ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in valid.csr \ -out valid.pem -days 3650 revoked is issued by CA: ----------------------- $ openssl genrsa -out revoked.key.rsa 2048 $ openssl pkcs8 -topk8 -in revoked.key.rsa -out revoked.key -nocrypt $ openssl req -new -key revoked.key -out revoked.csr When prompted for certificate information, everything is default except the common name which is set to revoked. $ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in revoked.csr \ -out revoked.pem -days 3650 $ openssl ca -revoke revoked.pem -keyfile ca.key -cert ca.pem -days 3650 Generate the CRL file: ---------------------------------------------------------------------------- $ openssl ca -gencrl -out current.crl -keyfile ca.key -cert ca.pem -crldays 3650 $ openssl rehash ./ Generate a chain with a leaf cert signed by an intermediate CA and revoke the intermediate certificate ---------------------------------------------------------------------------- Run `intermediate_gen.sh` from the `test/core/tsi/test_creds/crl_data` directory Generate a CA with the same issuer name but a different public key than the base CA ---------------------------------------------------------------------------- Run `evil_ca_gen.sh` from the `test/core/tsi/test_creds/crl_data` directory Generate a CA and CRL with an Authority Key Identifier ---------------------------------------------------------------------------- Run `ca_with_akid_gen.sh` from the `test/core/tsi/test_creds/crl_data` directory Create CRLs with modified signatures and content ---------------------------------------------------------------------------- Make a directory `test/core/tsi/test_creds/crl_data/bad_crls Make two copies of `test/core/tsi/test_creds/crl_data/crls/current.crl` in the bad_crls directory named `test/core/tsi/test_creds/crl_data/bad_crls/invalid_content.crl` and `test/core/tsi/test_creds/crl_data/bad_crls/invalid_signature.crl`. In `invalid_content.crl`, change the first letter on the second line. In `invalid_signature.crl`, change the last letter before the `=` on the second to last line. Clean up: --------- $ rm *.rsa $ rm *.csr $ rm ca.srl demoCA folder: ---------------------------------------------------------------------------- The demoCA folder contains files used by the openssl CA commands to revoke credentials and create CRL files.