valitydev/thrift
14
0
Fork 0
mirror of https://github.com/valitydev/thrift.git synced 2024-11-06 18:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
a6415bc985
thrift/test/keys
History
Roger Meier a6415bc985 THRIFT-2325: SSL test certificates 
CN for servername was ssltest instead of localhost
+ little update of README.md

Patch: Roger Meier
2014-04-07 23:45:19 +02:00
..
CA.pem THRIFT-2325: SSL test certificates 2014-04-07 23:45:19 +02:00
client.crt THRIFT-2325: SSL test certificates 2014-04-07 23:45:19 +02:00
client.key THRIFT-2325: SSL test certificates 2014-04-07 23:45:19 +02:00
client.p12 THRIFT-2325: SSL test certificates 2014-04-07 23:45:19 +02:00
client.pem THRIFT-2325: SSL test certificates 2014-04-07 23:45:19 +02:00
README.md THRIFT-2325: SSL test certificates 2014-04-07 23:45:19 +02:00
server.crt THRIFT-2325: SSL test certificates 2014-04-07 23:45:19 +02:00
server.key THRIFT-2325: SSL test certificates 2014-04-07 23:45:19 +02:00
server.p12 THRIFT-2325: SSL test certificates 2014-04-07 23:45:19 +02:00
server.pem THRIFT-2325: SSL test certificates 2014-04-07 23:45:19 +02:00

README.md

Test Keys and Certificates

This folder is dedicated to test keys and certificates provided in multiple formats. Primary use are unit test suites and cross language tests.

test/keys

The files in this directory must never be used on production systems.

SSL Keys and Certificates

create certificates

we use the following parameters for test key and certificate creation

C=US,
ST=Maryland,
L=Forest Hill,
O=The Apache Software Foundation,
OU=Apache Thrift,
CN=localhost/emailAddress=dev@thrift.apache.org

create self-signed server key and certificate

openssl req -new -x509 -nodes  -days 3000 -out server.crt -keyout server.key
openssl x509 -in server.crt -text > CA.pem
cat server.crt server.key > server.pem

Export password is thrift

openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12

create client key and certificate

openssl genrsa -out client.key

create a signing request:

openssl req -new -key client.key -out client.csr

sign the client certificate with the server.key

openssl x509 -req -days 365 -in client.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client.crt

export certificate in PKCS12 format (Export password is thrift)

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

export certificate in PEM format for OpenSSL usage

openssl pkcs12 -in client.p12 -out client.pem -clcerts

Java key and certificate import

Java Test Environment uses key and trust store password thrift

list keystore entries

keytool -list -storepass thrift -keystore ../../lib/java/test/.keystore

list truststore entries

keytool -list -storepass thrift -keystore ../../lib/java/test/.truststore

delete an entry

keytool -delete -storepass thrift -keystore ../../lib/java/test/.truststore -alias ssltest

import certificate into truststore

keytool -importcert -storepass thrift -keystore ../../lib/java/test/.truststore -alias localhost --file server.crt

import key into keystore

keytool -importkeystore -storepass thrift -keystore ../../lib/java/test/.keystore -srcstoretype pkcs12 -srckeystore server.p12

Test SSL server and clients

openssl s_client -connect localhost:9090
openssl s_server -accept 9090 -www