• Home
  • History
  • Annotate
Name Date Size #Lines LOC

..--

keygen/11-Mar-2024-157105

CA.pemD11-Mar-20248 KiB134132

README.mdD11-Mar-20243 KiB10357

client.crtD11-Mar-20241.7 KiB2928

client.keyD11-Mar-20241.6 KiB2827

client.p12D11-Mar-20242.8 KiB

client.pemD11-Mar-20244 KiB6865

client_v3.crtD11-Mar-20241.8 KiB3130

client_v3.keyD11-Mar-20241.6 KiB2827

server.crtD11-Mar-20242.3 KiB3938

server.keyD11-Mar-20243.2 KiB5352

server.p12D11-Mar-20244.4 KiB

server.pemD11-Mar-20245.5 KiB9190

README.md

1# Test Keys and Certificates
2This folder is dedicated to test keys and certificates provided in multiple formats.
3Primary use are unit test suites and cross language tests.
4
5    test/keys
6
7**The files in this directory must never be used on production systems.**
8
9## SSL Keys and Certificates
10
11
12## create certificates
13
14we use the following parameters for test key and certificate creation
15
16    C=US,
17    ST=Maryland,
18    L=Forest Hill,
19    O=The Apache Software Foundation,
20    OU=Apache Thrift,
21    CN=localhost/emailAddress=dev@thrift.apache.org
22
23### create self-signed server key and certificate
24
25    openssl req -new -x509 -nodes  -days 3000 -out server.crt -keyout server.key
26    openssl x509 -in server.crt -text > CA.pem
27    cat server.crt server.key > server.pem
28
29Export password is "thrift" without the quotes
30
31    openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12
32
33### create client key and certificate
34
35    openssl genrsa -out client.key
36
37create a signing request:
38
39    openssl req -new -key client.key -out client.csr
40
41sign the client certificate with the server.key
42
43    openssl x509 -req -days 3000 -in client.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client.crt
44
45export certificate in PKCS12 format (Export password is "thrift" without the quotes)
46
47    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
48
49export certificate in PEM format for OpenSSL usage
50
51    openssl pkcs12 -in client.p12 -out client.pem -clcerts
52
53### create client key and certificate with altnames
54
55copy openssl.cnf from your system e.g. /etc/ssl/openssl.cnf and append following to the end of [ v3_req ]
56
57    subjectAltName=@alternate_names
58
59    [ alternate_names ]
60    IP.1=127.0.0.1
61    IP.2=::1
62    IP.3=::ffff:127.0.0.1
63
64create a signing request:
65
66    openssl req -new -key client_v3.key -out client_v3.csr -config openssl.cnf \
67        -subj "/C=US/ST=Maryland/L=Forest Hill/O=The Apache Software Foundation/OU=Apache Thrift/CN=localhost" -extensions v3_req
68
69sign the client certificate with the server.key
70
71    openssl x509 -req -days 3000 -in client_v3.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client_v3.crt -extensions v3_req -extfile openssl.cnf
72
73## Java key and certificate import
74Java Test Environment uses key and trust store password "thrift" without the quotes
75
76list keystore entries
77
78    keytool -list -storepass thrift -keystore ../../lib/java/test/.keystore
79
80list truststore entries
81
82    keytool -list -storepass thrift -keystore ../../lib/java/test/.truststore
83
84
85delete an entry
86
87    keytool -delete -storepass thrift -keystore ../../lib/java/test/.truststore -alias ssltest
88
89
90import certificate into truststore
91
92    keytool -importcert -storepass thrift -keystore ../../lib/java/test/.truststore -alias localhost --file server.crt
93
94import key into keystore
95
96    keytool -importkeystore -storepass thrift -keystore ../../lib/java/test/.keystore -srcstoretype pkcs12 -srckeystore server.p12
97
98# Test SSL server and clients
99
100    openssl s_client -connect localhost:9090
101    openssl s_server -accept 9090 -www
102
103