1 | # Test Keys and Certificates |
2 | This folder is dedicated to test keys and certificates provided in multiple formats. | |
3 | The primary uses are unit test suites and cross-language tests. | |
4 | ||
5 | test/keys | |
6 | ||
7 | **The files in this directory must never be used on production systems.** | |
8 | ||
9 | ## SSL Keys and Certificates | |
10 | ||
11 | ||
12 | ## create certificates | |
13 | ||
14 | We use the following parameters for test key and certificate creation: | |
15 | ||
16 | C=US, | |
17 | ST=Maryland, | |
18 | L=Forest Hill, | |
19 | O=The Apache Software Foundation, | |
20 | OU=Apache Thrift, | |
21 | CN=localhost/emailAddress=dev@thrift.apache.org | |
22 | ||
23 | ### create self-signed server key and certificate | |
24 | ||
25 | openssl req -new -x509 -nodes -days 3000 -out server.crt -keyout server.key | |
26 | openssl x509 -in server.crt -text > CA.pem | |
27 | cat server.crt server.key > server.pem | |
28 | ||
29 | Export password is "thrift" without the quotes | |
30 | ||
31 | openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12 | |
32 | ||
33 | ### create client key and certificate | |
34 | ||
35 | openssl genrsa -out client.key | |
36 | ||
37 | create a signing request: | |
38 | ||
39 | openssl req -new -key client.key -out client.csr | |
40 | ||
41 | Sign the client certificate with server.key (the self-signed server certificate in CA.pem acts as the issuing CA): | |
42 | ||
43 | openssl x509 -req -days 3000 -in client.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client.crt | |
44 | ||
45 | export certificate in PKCS12 format (Export password is "thrift" without the quotes) | |
46 | ||
47 | openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12 | |
48 | ||
49 | export certificate in PEM format for OpenSSL usage | |
50 | ||
51 | openssl pkcs12 -in client.p12 -out client.pem -clcerts | |
52 | ||
53 | ### create client key and certificate with altnames | |
54 | ||
55 | Copy openssl.cnf from your system (e.g. /etc/ssl/openssl.cnf) and append the following to the end of the [ v3_req ] section: | |
56 | ||
57 | subjectAltName=@alternate_names | |
58 | ||
59 | [ alternate_names ] | |
60 | IP.1=127.0.0.1 | |
61 | IP.2=::1 | |
62 | IP.3=::ffff:127.0.0.1 | |
63 | ||
64 | Create a signing request (client_v3.key must exist first; generate it with openssl genrsa as done for client.key): | |
65 | ||
66 | openssl req -new -key client_v3.key -out client_v3.csr -config openssl.cnf \ | |
67 | -subj "/C=US/ST=Maryland/L=Forest Hill/O=The Apache Software Foundation/OU=Apache Thrift/CN=localhost" -extensions v3_req | |
68 | ||
69 | Sign the client certificate with server.key (the self-signed server certificate in CA.pem acts as the issuing CA). Note that client.crt above is issued by the same CA with the same serial 01, so the two certificates share an issuer/serial pair: | |
70 | ||
71 | openssl x509 -req -days 3000 -in client_v3.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client_v3.crt -extensions v3_req -extfile openssl.cnf | |
72 | ||
73 | ## Java key and certificate import | |
74 | The Java test environment uses the key store and trust store password "thrift" without the quotes. | |
75 | ||
76 | list keystore entries | |
77 | ||
78 | keytool -list -storepass thrift -keystore ../../lib/java/test/.keystore | |
79 | ||
80 | list truststore entries | |
81 | ||
82 | keytool -list -storepass thrift -keystore ../../lib/java/test/.truststore | |
83 | ||
84 | ||
85 | delete an entry | |
86 | ||
87 | keytool -delete -storepass thrift -keystore ../../lib/java/test/.truststore -alias ssltest | |
88 | ||
89 | ||
90 | import certificate into truststore | |
91 | ||
92 | keytool -importcert -storepass thrift -keystore ../../lib/java/test/.truststore -alias localhost --file server.crt | |
93 | ||
94 | import key into keystore | |
95 | ||
96 | keytool -importkeystore -storepass thrift -keystore ../../lib/java/test/.keystore -srcstoretype pkcs12 -srckeystore server.p12 | |
97 | ||
98 | # Test SSL server and clients | |
99 | ||
100 | openssl s_client -connect localhost:9090 | |
101 | openssl s_server -accept 9090 -www | |