# client intermediate ca: cca-cert
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
#
-./mkcert.sh genca "CA" ca-key cca-cert root-key root-cert clientAuth
+./mkcert.sh genca -p clientAuth "CA" ca-key cca-cert root-key root-cert
#
openssl x509 -in cca-cert.pem -trustout \
-addtrust serverAuth -out cca+serverAuth.pem
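Review bot: Any `genca` call that still passes the purpose as a trailing word will probably change meaning after this conversion, and only the two calls converted here (`-p clientAuth` for cca-cert, `-p serverAuth` in the sca-cert hunk) are visible. The CA-PSS call added later in this patch puts `-sha256 -sigopt …` in that trailing position, so trailing arguments now appear to be forwarded to the signing step; `mkcert.sh` itself is not shown, so this is inferred. A leftover `... root-key root-cert clientAuth` elsewhere in the script would then either fail or produce an intermediate CA without the intended purpose restriction, which would change what the trust and purpose tests exercise. It is worth grepping the whole script for remaining positional uses and regenerating only the affected fixtures. I would also add a line above each call such as `# -p <purpose> must come before the CN; trailing arguments go to the signing command`.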
# server intermediate ca: sca-cert
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth, -anyEKU, +anyEKU
#
-./mkcert.sh genca "CA" ca-key sca-cert root-key root-cert serverAuth
+./mkcert.sh genca -p serverAuth "CA" ca-key sca-cert root-key root-cert
#
openssl x509 -in sca-cert.pem -trustout \
-addtrust serverAuth -out sca+serverAuth.pem
# SHA1
./mkcert.sh genee PSS-SHA1 ee-key ee-pss-sha1-cert ca-key ca-cert \
-sha1 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest
-# SHA256
+# EE SHA256
./mkcert.sh genee PSS-SHA256 ee-key ee-pss-sha256-cert ca-key ca-cert \
- -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest
+ -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:digest
+# CA-PSS
+./mkcert.sh genca "CA-PSS" ca-pss-key ca-pss-cert root-key root-cert \
+ -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
+./mkcert.sh genee "EE-PSS" ee-key ee-pss-cert ca-pss-key ca-pss-cert \
+ -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
+# Should not have been possible to produce, see issue #13968:
+#./mkcert.sh genee "EE-PSS-wrong1.5" ee-key ee-pss-wrong1.5-cert ca-pss-key ca-pss-cert -sha256
OPENSSL_KEYALG=ec OPENSSL_KEYBITS=brainpoolP256r1 ./mkcert.sh genee \
"Server ECDSA brainpoolP256r1 cert" server-ecdsa-brainpoolP256r1-key \