# Test Keys and Certificates

This folder is dedicated to test keys and certificates provided in multiple formats.
Primary uses are unit test suites and cross-language tests.

    test/keys

**The files in this directory must never be used on production systems.**

## SSL Keys and Certificates


## create certificates

We use the following parameters for test key and certificate creation:

    C=US,
    ST=Maryland,
    L=Forest Hill,
    O=The Apache Software Foundation,
    OU=Apache Thrift,
    CN=localhost/emailAddress=dev@thrift.apache.org

### create self-signed server key and certificate

    openssl req -new -x509 -nodes -days 3000 -out server.crt -keyout server.key
    openssl x509 -in server.crt -text > CA.pem
    cat server.crt server.key > server.pem

Export the server key and certificate in PKCS12 format (export password is "thrift" without the quotes):

    openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12

### create client key and certificate

    openssl genrsa -out client.key

Create a signing request:

    openssl req -new -key client.key -out client.csr

Sign the client certificate with server.key:

    openssl x509 -req -days 3000 -in client.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client.crt

Export the certificate in PKCS12 format (export password is "thrift" without the quotes):

    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Export the certificate in PEM format for OpenSSL usage:

    openssl pkcs12 -in client.p12 -out client.pem -clcerts

### create client key and certificate with altnames

Copy openssl.cnf from your system, e.g. /etc/ssl/openssl.cnf, and append the following to the end of the [ v3_req ] section:

    subjectAltName=@alternate_names

    [ alternate_names ]
    IP.1=127.0.0.1
    IP.2=::1
    IP.3=::ffff:127.0.0.1

Create a signing request:

    openssl req -new -key client_v3.key -out client_v3.csr -config openssl.cnf \
        -subj "/C=US/ST=Maryland/L=Forest Hill/O=The Apache Software Foundation/OU=Apache Thrift/CN=localhost" -extensions v3_req

Sign the client certificate with server.key:

    openssl x509 -req -days 3000 -in client_v3.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client_v3.crt -extensions v3_req -extfile openssl.cnf

73## Java key and certificate import
Nobuaki Sukegawaad835862015-12-23 23:32:09 +090074Java Test Environment uses key and trust store password "thrift" without the quotes
Roger Meier48555c52014-02-22 20:05:21 +010075
76list keystore entries
77
78 keytool -list -storepass thrift -keystore ../../lib/java/test/.keystore
79
80list truststore entries
81
82 keytool -list -storepass thrift -keystore ../../lib/java/test/.truststore
83
Roger Meiera6415bc2014-04-07 23:45:19 +020084
85delete an entry
86
Nobuaki Sukegawaf39f7db2016-02-04 15:09:41 +090087 keytool -delete -storepass thrift -keystore ../../lib/java/test/.truststore -alias ssltest
Roger Meiera6415bc2014-04-07 23:45:19 +020088
89
Roger Meier48555c52014-02-22 20:05:21 +010090import certificate into truststore
91
Roger Meiera6415bc2014-04-07 23:45:19 +020092 keytool -importcert -storepass thrift -keystore ../../lib/java/test/.truststore -alias localhost --file server.crt
Roger Meier48555c52014-02-22 20:05:21 +010093
94import key into keystore
95
96 keytool -importkeystore -storepass thrift -keystore ../../lib/java/test/.keystore -srcstoretype pkcs12 -srckeystore server.p12
97
## Test SSL server and clients

Connect to a server on port 9090, or serve port 9090 yourself; s_server reads server.pem from the current directory by default, which is why the steps above concatenate server.crt and server.key into that file:

    openssl s_client -connect localhost:9090
    openssl s_server -accept 9090 -www

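The server, client and client_v3 procedures above, followed by the checks a practitioner runs on the result, as one added shell script; it is not part of this README or of the Thrift project. It assumes a POSIX sh with openssl (1.1.1 or 3.x) on PATH, writes its own minimal config file instead of copying /etc/ssl/openssl.cnf, passes -subj so no command prompts, exports the PKCS12 bundles with the README's "thrift" password, and issues client_v3.crt under serial 02 rather than reusing 01, because an issuer must not hand out two certificates with the same serial number. The handshake_check function mirrors the s_server/s_client commands in the last section and needs a free local port; all function names are mine.

```shell
#!/bin/sh
# Added example, not part of the Thrift README or the Thrift project: builds the
# test PKI the README describes without interactive prompts, then checks it.
# Assumes POSIX sh and an openssl binary (1.1.1 or 3.x) on PATH.
set -eu

SUBJ="/C=US/ST=Maryland/L=Forest Hill/O=The Apache Software Foundation/OU=Apache Thrift/CN=localhost"
PASS="thrift"   # the export/import password used throughout the README

# Minimal config written here instead of copying /etc/ssl/openssl.cnf (assumption).
# v3_req carries the README's altnames; v3_ca marks the self-signed server cert as
# a CA so that 'openssl verify' accepts it as the issuer of the client certs.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca

[ dn ]

[ v3_ca ]
basicConstraints = critical,CA:TRUE

[ v3_req ]
subjectAltName = @alternate_names

[ alternate_names ]
IP.1 = 127.0.0.1
IP.2 = ::1
IP.3 = ::ffff:127.0.0.1
EOF
}

# Generate server (acting as CA), client and client_v3 files in directory $1.
gen_test_pki() {
    dir=$1
    write_config "$dir/test.cnf"
    # self-signed server key and certificate; CA.pem is that cert with a text dump prepended
    openssl req -new -x509 -nodes -days 3000 -newkey rsa:2048 -config "$dir/test.cnf" \
        -subj "$SUBJ/emailAddress=dev@thrift.apache.org" -keyout "$dir/server.key" -out "$dir/server.crt"
    openssl x509 -in "$dir/server.crt" -text > "$dir/CA.pem"
    cat "$dir/server.crt" "$dir/server.key" > "$dir/server.pem"
    openssl pkcs12 -export -clcerts -in "$dir/server.crt" -inkey "$dir/server.key" \
        -out "$dir/server.p12" -passout "pass:$PASS"
    # client key, signing request, certificate signed with server.key, PKCS12 and PEM exports
    openssl genrsa -out "$dir/client.key" 2048
    openssl req -new -key "$dir/client.key" -out "$dir/client.csr" -subj "$SUBJ" -config "$dir/test.cnf"
    openssl x509 -req -days 3000 -in "$dir/client.csr" -CA "$dir/CA.pem" -CAkey "$dir/server.key" \
        -set_serial 01 -out "$dir/client.crt"
    openssl pkcs12 -export -clcerts -in "$dir/client.crt" -inkey "$dir/client.key" \
        -out "$dir/client.p12" -passout "pass:$PASS"
    openssl pkcs12 -in "$dir/client.p12" -out "$dir/client.pem" -clcerts -nodes -passin "pass:$PASS"
    # client_v3: same flow, but the signed certificate carries the subjectAltName IPs.
    # Serial 02 rather than the README's 01: one issuer must not reuse a serial number.
    openssl genrsa -out "$dir/client_v3.key" 2048
    openssl req -new -key "$dir/client_v3.key" -out "$dir/client_v3.csr" -subj "$SUBJ" -config "$dir/test.cnf"
    openssl x509 -req -days 3000 -in "$dir/client_v3.csr" -CA "$dir/CA.pem" -CAkey "$dir/server.key" \
        -set_serial 02 -out "$dir/client_v3.crt" -extensions v3_req -extfile "$dir/test.cnf"
}

# Checks worth running before pointing a test suite at the files; returns 0 when all pass.
verify_test_pki() {
    dir=$1
    # both client certificates chain to the self-signed server certificate
    openssl verify -CAfile "$dir/CA.pem" "$dir/client.crt" "$dir/client_v3.crt" >/dev/null || return 1
    # the certificate extracted from client.p12 is the one that was exported into it
    a=$(openssl x509 -in "$dir/client.crt" -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$dir/client.pem" -noout -fingerprint -sha256)
    [ "$a" = "$b" ] || return 1
    # only the v3 client certificate carries the altnames
    openssl x509 -in "$dir/client_v3.crt" -noout -text | grep -q 'IP Address:127.0.0.1' || return 1
    if openssl x509 -in "$dir/client.crt" -noout -text | grep -q 'IP Address:'; then return 1; fi
    return 0
}

# Optional live check mirroring the README's s_server/s_client section: serve server.pem
# on port $2 (default 9090) for one connection and confirm the client trusts the chain.
handshake_check() {
    dir=$1; port=${2:-9090}
    ( cd "$dir" && openssl s_server -accept "$port" -www -cert server.pem -naccept 1 >/dev/null 2>&1 ) &
    srv=$!
    sleep 1
    out=$(echo | openssl s_client -connect "localhost:$port" -CAfile "$dir/CA.pem" 2>&1) || true
    kill "$srv" 2>/dev/null || true
    case $out in *"Verify return code: 0 (ok)"*) return 0 ;; esac
    return 1
}

# Run end to end in a scratch directory.
WORK=$(mktemp -d)
gen_test_pki "$WORK"
verify_test_pki "$WORK"
echo "test PKI generated and verified in $WORK"
```

Run it with `sh make_test_pki.sh` (any file name works); it prints the scratch directory that holds the generated files. The `openssl verify` call is the check that matters before copying anything into test/keys: a client certificate that does not chain to CA.pem will be rejected by every test that trusts CA.pem, and the fingerprint comparison catches a PKCS12 export done from the wrong certificate.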