# this is a test-only private key that is used in integration
# tests to test certificate based auth.
# generated with 'openssl genrsa 2048 > testuser.key'
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAtDFlcxd0AvdnUEswP7QZWt6JHTZEjcnfkm58xTcSBpp5v+b0
oNU9m/MserNCFy81CtpWmPXAddp0vept2Ffu9WBVZ14RqYHMVJUIHK/8pJnDJeeO
R2AUbOXdpv7+3H2I6rZrrxcBHkHlciNw6VixLtwxQmrNU6QAZw4IDnCw3tWBIwYK
OYTZaI5yrjqisyXyFo424f8Hr78UTGfuX3YuIpWkodydd5Jr5r64Q9p5+lqlHY4U

# SAN Certificate Creation with OpenSSL

### Creating CA

```
openssl genrsa -out ca.key 2048

openssl req -new -x509 -days 3650 -key ca.key -subj "/C=US/ST=AZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt
```

### Creating Server Certificate
```
openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=US/ST=AZ/O=Acme, Inc./CN=*.com" -out server.csr
```

### Signing Certificate with CA
```

# this is a test-only private key that is used in integration
# tests as the kube controller manager's signing key.
# generated with 'openssl genrsa 2048 > ca.key'
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAwjbaJ4cvFelZznwnIJ1gb1CZqEd920M3pH0TAjrviCabzWJS
rT5tAGjKHigBKixe5zeLoVztL6u8R5F5pgJhA5eT8qi1qNjexII0AYj2gex0mau2
4tNw9f28iByoFTkGIVpJASQW2VIYoQIjmX+Yf7m4ywGSbHtgqPovK8z9gA+/Vaxa
szYhlU+PZ5YyWOG6FoM6JA6GtKOZZm45xEo9O6LYhWpOOzO5nsDWv6wocVI2BMWo

%/cluster-ca.csr: %/ca-key.pem %/intermediate.conf
	@echo "generating $@"
	@openssl req -new -config $(L)/intermediate.conf -key $< -out $@

%/ca-key.pem: fetch-root-ca
	@echo "generating $@"
	@mkdir -p $(dir $@)
	@openssl genrsa -out $@ 4096

#------------------------------------------------------------------------

//  limitations under the License.

package cert

import (
	"fmt"
	"os/exec"
)

// GenerateKey and writes output to keyFile.
func GenerateKey(keyFile string) error {
	return openssl("genrsa", "-out", keyFile, "1024")
}

// GenerateCSR and writes output to csrFile.
func GenerateCSR(confFile, keyFile, csrFile string) error {
	return openssl("req", "-new",
		"-config", confFile,
		"-key", keyFile,

US
California
Sunnyvale
Istio
Test
Root CA
******@****.***


EOF

echo 'Generate private key for Istio CA.'
openssl genrsa -out ca-key.pem 2048

echo 'Generate CSR for Istio CA.'
openssl req -new -key ca-key.pem -out ca-cert.csr -config ca.cfg -batch -sha256

echo 'Sign the cert for Istio CA.'

```bash
pip install jwcrypto
```

## Regenerate private key and JWKS (for developer use only)

1. Regenerate private key using `openssl`

    ```bash
    openssl genrsa -out key.pem 2048
    ```

1. Run gen-jwt.py with `--jkws` to create new public key set and demo JWT

    ```bash
    gen-jwt.py key.pem -jwks=./jwks.json --expire=3153600000 --claims=foo:bar > demo.jwt

  fi
  if [ -f "$FINAL_DIR"/workload.cfg ]; then
    rm "$FINAL_DIR"/workload.cfg
  fi
  if [ -f "$FINAL_DIR"/workload.csr ]; then
    rm "$FINAL_DIR"/workload.csr
  fi
}

trap cleanup EXIT

openssl genrsa -out "$FINAL_DIR/workload-$sa-key.pem" 2048

cat > "$FINAL_DIR"/workload.cfg <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_req
prompt = no

```

#### 3.2.2 Generate a private key with RSA

Use the following command to generate a private key with RSA:

```sh
openssl genrsa -out private.key 2048
```

A response similar to this one should be displayed:

```
Generating RSA private key, 2048 bit long modulus
............................................+++
...........+++

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rsa"
	"encoding/hex"
	"reflect"
	"strings"
	"testing"
)

// Generated using:
//
//	openssl genrsa 1024 | openssl pkcs8 -topk8 -nocrypt