projects / ceph.git / blame
| Commit | Line | Data |
|---|---|---|
| f67539c2 TL |
1 | # Test Keys and Certificates |
| 2 | This folder is dedicated to test keys and certificates provided in multiple formats. | |
| 3 | Primary use are unit test suites and cross language tests. | |
| 4 | ||
| 5 | test/keys | |
| 6 | ||
| 7 | **The files in this directory must never be used on production systems.** | |
| 8 | ||
| 9 | ## SSL Keys and Certificates | |
| 10 | ||
| 11 | ||
| 12 | ## create certificates | |
| 13 | ||
| 14 | we use the following parameters for test key and certificate creation | |
| 15 | ||
| 16 | C=US, | |
| 17 | ST=Maryland, | |
| 18 | L=Forest Hill, | |
| 19 | O=The Apache Software Foundation, | |
| 20 | OU=Apache Thrift, | |
| 21 | CN=localhost/emailAddress=dev@thrift.apache.org | |
| 22 | ||
| 23 | ### create self-signed server key and certificate | |
| 24 | ||
| 25 | openssl req -new -x509 -nodes -days 3000 -out server.crt -keyout server.key | |
| 26 | openssl x509 -in server.crt -text > CA.pem | |
| 27 | cat server.crt server.key > server.pem | |
| 28 | ||
| 29 | Export password is "thrift" without the quotes | |
| 30 | ||
| 31 | openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12 | |
| 32 | ||
| 33 | ### create client key and certificate | |
| 34 | ||
| 35 | openssl genrsa -out client.key | |
| 36 | ||
| 37 | create a signing request: | |
| 38 | ||
| 39 | openssl req -new -key client.key -out client.csr | |
| 40 | ||
| 41 | sign the client certificate with the server.key | |
| 42 | ||
| 43 | openssl x509 -req -days 3000 -in client.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client.crt | |
| 44 | ||
| 45 | export certificate in PKCS12 format (Export password is "thrift" without the quotes) | |
| 46 | ||
| 47 | openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12 | |
| 48 | ||
| 49 | export certificate in PEM format for OpenSSL usage | |
| 50 | ||
| 51 | openssl pkcs12 -in client.p12 -out client.pem -clcerts | |
| 52 | ||
| 53 | ### create client key and certificate with altnames | |
| 54 | ||
| 55 | copy openssl.cnf from your system e.g. /etc/ssl/openssl.cnf and append following to the end of [ v3_req ] | |
| 56 | ||
| 57 | subjectAltName=@alternate_names | |
| 58 | ||
| 59 | [ alternate_names ] | |
| 60 | IP.1=127.0.0.1 | |
| 61 | IP.2=::1 | |
| 62 | IP.3=::ffff:127.0.0.1 | |
| 63 | ||
| 64 | create a signing request: | |
| 65 | ||
| 66 | openssl req -new -key client_v3.key -out client_v3.csr -config openssl.cnf \ | |
| 67 | -subj "/C=US/ST=Maryland/L=Forest Hill/O=The Apache Software Foundation/OU=Apache Thrift/CN=localhost" -extensions v3_req | |
| 68 | ||
| 69 | sign the client certificate with the server.key | |
| 70 | ||
| 71 | openssl x509 -req -days 3000 -in client_v3.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client_v3.crt -extensions v3_req -extfile openssl.cnf | |
| 72 | ||
| 73 | ## Java key and certificate import | |
| 74 | Java Test Environment uses key and trust store password "thrift" without the quotes | |
| 75 | ||
| 76 | list keystore entries | |
| 77 | ||
| 78 | keytool -list -storepass thrift -keystore ../../lib/java/test/.keystore | |
| 79 | ||
| 80 | list truststore entries | |
| 81 | ||
| 82 | keytool -list -storepass thrift -keystore ../../lib/java/test/.truststore | |
| 83 | ||
| 84 | ||
| 85 | delete an entry | |
| 86 | ||
| 87 | keytool -delete -storepass thrift -keystore ../../lib/java/test/.truststore -alias ssltest | |
| 88 | ||
| 89 | ||
| 90 | import certificate into truststore | |
| 91 | ||
| 92 | keytool -importcert -storepass thrift -keystore ../../lib/java/test/.truststore -alias localhost --file server.crt | |
| 93 | ||
| 94 | import key into keystore | |
| 95 | ||
| 96 | keytool -importkeystore -storepass thrift -keystore ../../lib/java/test/.keystore -srcstoretype pkcs12 -srckeystore server.p12 | |
| 97 | ||
| 98 | # Test SSL server and clients | |
| 99 | ||
| 100 | openssl s_client -connect localhost:9090 | |
| 101 | openssl s_server -accept 9090 -www | |
| 102 |