thrift/test/keys/README.md
Nobuaki Sukegawa 008283de6c THRIFT-3660 Add V4 mapped address to test client cert's altname
Client: Test
Patch: Nobuaki Sukegawa

This closes #887
2016-02-22 23:26:11 +09:00

3.0 KiB
Executable File

Test Keys and Certificates

This folder is dedicated to test keys and certificates provided in multiple formats. Primary use are unit test suites and cross language tests.

test/keys

The files in this directory must never be used on production systems.

SSL Keys and Certificates

create certificates

we use the following parameters for test key and certificate creation

C=US,
ST=Maryland,
L=Forest Hill,
O=The Apache Software Foundation,
OU=Apache Thrift,
CN=localhost/emailAddress=dev@thrift.apache.org

create self-signed server key and certificate

openssl req -new -x509 -nodes  -days 3000 -out server.crt -keyout server.key
openssl x509 -in server.crt -text > CA.pem
cat server.crt server.key > server.pem

Export password is "thrift" without the quotes

openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12

create client key and certificate

openssl genrsa -out client.key

create a signing request:

openssl req -new -key client.key -out client.csr

sign the client certificate with the server.key

openssl x509 -req -days 3000 -in client.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client.crt

export certificate in PKCS12 format (Export password is "thrift" without the quotes)

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

export certificate in PEM format for OpenSSL usage

openssl pkcs12 -in client.p12 -out client.pem -clcerts

create client key and certificate with altnames

copy openssl.cnf from your system e.g. /etc/ssl/openssl.cnf and append following to the end of [ v3_req ]

subjectAltName=@alternate_names

[ alternate_names ]
IP.1=127.0.0.1
IP.2=::1
IP.3=::ffff:127.0.0.1

create a signing request:

openssl req -new -key client_v3.key -out client_v3.csr -config openssl.cnf \
    -subj "/C=US/ST=Maryland/L=Forest Hill/O=The Apache Software Foundation/OU=Apache Thrift/CN=localhost" -extensions v3_req

sign the client certificate with the server.key

openssl x509 -req -days 3000 -in client_v3.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client_v3.crt -extensions v3_req -extfile openssl.cnf

Java key and certificate import

Java Test Environment uses key and trust store password "thrift" without the quotes

list keystore entries

keytool -list -storepass thrift -keystore ../../lib/java/test/.keystore

list truststore entries

keytool -list -storepass thrift -keystore ../../lib/java/test/.truststore

delete an entry

keytool -delete -storepass thrift -keystore ../../lib/java/test/.truststore -alias ssltest

import certificate into truststore

keytool -importcert -storepass thrift -keystore ../../lib/java/test/.truststore -alias localhost --file server.crt

import key into keystore

keytool -importkeystore -storepass thrift -keystore ../../lib/java/test/.keystore -srcstoretype pkcs12 -srckeystore server.p12

Test SSL server and clients

openssl s_client -connect localhost:9090
openssl s_server -accept 9090 -www