# Test Keys and Certificates
This folder is dedicated to test keys and certificates provided in multiple formats.
Their primary use is in unit test suites and cross-language tests.

    test/keys

**The files in this directory must never be used on production systems.**

## SSL Keys and Certificates

## create certificates

We use the following parameters for test key and certificate creation:

    C=US,
    ST=Maryland,
    L=Forest Hill,
    O=The Apache Software Foundation,
    OU=Apache Thrift,
    CN=localhost/emailAddress=dev@thrift.apache.org

### create self-signed server key and certificate

    openssl req -new -x509 -nodes -days 3000 -out server.crt -keyout server.key
    openssl x509 -in server.crt -text > CA.pem
    cat server.crt server.key > server.pem

Export password is **thrift**

    openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12

### create client key and certificate

    openssl genrsa -out client.key

create a signing request:

    openssl req -new -key client.key -out client.csr

sign the client certificate with the server.key

    openssl x509 -req -days 365 -in client.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client.crt

export certificate in PKCS12 format (Export password is **thrift**)

    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

export certificate in PEM format for OpenSSL usage

    openssl pkcs12 -in client.p12 -out client.pem -clcerts
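
The key and certificate creation steps above can be run without prompts and then checked, as in this added example (not part of the Thrift repository): it passes the page's subject through `-subj`, then confirms that `client.crt` chains to `CA.pem` and that the key matches its certificate. The function names, the client subject, the explicit 2048-bit key size and the scratch directory are assumptions of the example.

```shell
#!/bin/sh
# Added example: the README's commands made non-interactive with -subj.
# SERVER_SUBJ is the DN listed on the page; CLIENT_SUBJ is a constructed value.
SERVER_SUBJ='/C=US/ST=Maryland/L=Forest Hill/O=The Apache Software Foundation/OU=Apache Thrift/CN=localhost/emailAddress=dev@thrift.apache.org'
CLIENT_SUBJ='/C=US/O=The Apache Software Foundation/OU=Apache Thrift/CN=thrift-test-client'

# Create server.crt/server.key, CA.pem and a client.crt signed by server.key
# inside the empty directory $1. Key size 2048 is made explicit (assumption).
make_test_certs() {
    (
        cd "$1" || exit 1
        openssl req -new -x509 -nodes -newkey rsa:2048 -days 3000 \
            -subj "$SERVER_SUBJ" -out server.crt -keyout server.key 2>/dev/null || exit 1
        openssl x509 -in server.crt -text > CA.pem || exit 1
        openssl genrsa -out client.key 2048 2>/dev/null || exit 1
        openssl req -new -key client.key -subj "$CLIENT_SUBJ" -out client.csr || exit 1
        openssl x509 -req -days 365 -in client.csr -CA CA.pem -CAkey server.key \
            -set_serial 01 -out client.crt 2>/dev/null || exit 1
    )
}

# Succeeds only if certificate $2 verifies against the CA file $1.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Succeeds only if private key $1 and certificate $2 carry the same public key.
key_matches_cert() {
    pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$1" -pubout 2>/dev/null)" ]
}

# Demo run in a scratch directory, so the repository's key files are not touched.
work=$(mktemp -d) && make_test_certs "$work" &&
    chains_to_ca "$work/CA.pem" "$work/client.crt" &&
    key_matches_cert "$work/client.key" "$work/client.crt" &&
    echo "client.crt chains to CA.pem and matches client.key"
rm -rf "$work"
```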

## Java key and certificate import
The Java test environment uses the key and trust store password **thrift**.

list keystore entries

    keytool -list -storepass thrift -keystore ../../lib/java/test/.keystore

list truststore entries

    keytool -list -storepass thrift -keystore ../../lib/java/test/.truststore

delete an entry

    keytool -delete -storepass thrift -keystore ../../lib/java/test/.truststore -alias ssltest

import certificate into truststore

    keytool -importcert -storepass thrift -keystore ../../lib/java/test/.truststore -alias localhost -file server.crt

import key into keystore

    keytool -importkeystore -storepass thrift -keystore ../../lib/java/test/.keystore -srcstoretype pkcs12 -srckeystore server.p12

# Test SSL server and clients

    openssl s_client -connect localhost:9090
    openssl s_server -accept 9090 -www
