| # Test Keys and Certificates |
| This folder is dedicated to test keys and certificates provided in multiple formats. |
| Primary use are unit test suites and cross language tests. |
| |
| test/keys |
| |
| **The files in this directory must never be used on production systems.** |
| |
| ## SSL Keys and Certificates |
| |
| |
| ## create certificates |
| |
| we use the following parameters for test key and certificate creation |
| |
| C=US, |
| ST=Maryland, |
| L=Forest Hill, |
| O=The Apache Software Foundation, |
| OU=Apache Thrift, |
| CN=localhost/emailAddress=dev@thrift.apache.org |
| |
| ### create self-signed server key and certificate |
| |
| openssl req -new -x509 -nodes -days 3000 -out server.crt -keyout server.key |
| openssl x509 -in server.crt -text > CA.pem |
| cat server.crt server.key > server.pem |
| |
| Export password is "thrift" without the quotes |
| |
| openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12 |
| |
| ### create client key and certificate |
| |
| openssl genrsa -out client.key |
| |
| create a signing request: |
| |
| openssl req -new -key client.key -out client.csr |
| |
| sign the client certificate with the server.key |
| |
| openssl x509 -req -days 3000 -in client.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client.crt |
| |
| export certificate in PKCS12 format (Export password is "thrift" without the quotes) |
| |
| openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12 |
| |
| export certificate in PEM format for OpenSSL usage |
| |
| openssl pkcs12 -in client.p12 -out client.pem -clcerts |
| |
| ### create client key and certificate with altnames |
| |
| copy openssl.cnf from your system e.g. /etc/ssl/openssl.cnf and append following to the end of [ v3_req ] |
| |
| subjectAltName=@alternate_names |
| |
| [ alternate_names ] |
| IP.1=127.0.0.1 |
| IP.2=::1 |
| IP.3=::ffff:127.0.0.1 |
| |
| create a signing request: |
| |
| openssl req -new -key client_v3.key -out client_v3.csr -config openssl.cnf \ |
| -subj "/C=US/ST=Maryland/L=Forest Hill/O=The Apache Software Foundation/OU=Apache Thrift/CN=localhost" -extensions v3_req |
| |
| sign the client certificate with the server.key |
| |
| openssl x509 -req -days 3000 -in client_v3.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client_v3.crt -extensions v3_req -extfile openssl.cnf |
| |
| ## Java key and certificate import |
| Java Test Environment uses key and trust store password "thrift" without the quotes |
| |
| list keystore entries |
| |
| keytool -list -storepass thrift -keystore ../../lib/java/test/.keystore |
| |
| list truststore entries |
| |
| keytool -list -storepass thrift -keystore ../../lib/java/test/.truststore |
| |
| |
| delete an entry |
| |
| keytool -delete -storepass thrift -keystore ../../lib/java/test/.truststore -alias ssltest |
| |
| |
| import certificate into truststore |
| |
| keytool -importcert -storepass thrift -keystore ../../lib/java/test/.truststore -alias localhost --file server.crt |
| |
| import key into keystore |
| |
| keytool -importkeystore -storepass thrift -keystore ../../lib/java/test/.keystore -srcstoretype pkcs12 -srckeystore server.p12 |
| |
| # Test SSL server and clients |
| |
| openssl s_client -connect localhost:9090 |
| openssl s_server -accept 9090 -www |
| |