Client: Test Patch: Nobuaki Sukegawa This closes #887
3.0 KiB
Executable File
Test Keys and Certificates
This folder is dedicated to test keys and certificates provided in multiple formats. Primary use are unit test suites and cross language tests.
test/keys
The files in this directory must never be used on production systems.
SSL Keys and Certificates
create certificates
we use the following parameters for test key and certificate creation
C=US,
ST=Maryland,
L=Forest Hill,
O=The Apache Software Foundation,
OU=Apache Thrift,
CN=localhost/emailAddress=dev@thrift.apache.org
create self-signed server key and certificate
openssl req -new -x509 -nodes -days 3000 -out server.crt -keyout server.key
openssl x509 -in server.crt -text > CA.pem
cat server.crt server.key > server.pem
Export password is "thrift" without the quotes
openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12
create client key and certificate
openssl genrsa -out client.key
create a signing request:
openssl req -new -key client.key -out client.csr
sign the client certificate with the server.key
openssl x509 -req -days 3000 -in client.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client.crt
export certificate in PKCS12 format (Export password is "thrift" without the quotes)
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
export certificate in PEM format for OpenSSL usage
openssl pkcs12 -in client.p12 -out client.pem -clcerts
create client key and certificate with altnames
copy openssl.cnf from your system e.g. /etc/ssl/openssl.cnf and append following to the end of [ v3_req ]
subjectAltName=@alternate_names
[ alternate_names ]
IP.1=127.0.0.1
IP.2=::1
IP.3=::ffff:127.0.0.1
create a signing request:
openssl req -new -key client_v3.key -out client_v3.csr -config openssl.cnf \
-subj "/C=US/ST=Maryland/L=Forest Hill/O=The Apache Software Foundation/OU=Apache Thrift/CN=localhost" -extensions v3_req
sign the client certificate with the server.key
openssl x509 -req -days 3000 -in client_v3.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client_v3.crt -extensions v3_req -extfile openssl.cnf
Java key and certificate import
Java Test Environment uses key and trust store password "thrift" without the quotes
list keystore entries
keytool -list -storepass thrift -keystore ../../lib/java/test/.keystore
list truststore entries
keytool -list -storepass thrift -keystore ../../lib/java/test/.truststore
delete an entry
keytool -delete -storepass thrift -keystore ../../lib/java/test/.truststore -alias ssltest
import certificate into truststore
keytool -importcert -storepass thrift -keystore ../../lib/java/test/.truststore -alias localhost --file server.crt
import key into keystore
keytool -importkeystore -storepass thrift -keystore ../../lib/java/test/.keystore -srcstoretype pkcs12 -srckeystore server.p12
Test SSL server and clients
openssl s_client -connect localhost:9090
openssl s_server -accept 9090 -www