author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 18:45:59 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 18:45:59 +0000 |
commit | 19fcec84d8d7d21e796c7624e521b60d28ee21ed (patch) | |
tree | 42d26aa27d1e3f7c0b8bd3fd14e7d7082f5008dc /src/jaegertracing/thrift/test/keys/README.md | |
parent | Initial commit. (diff) | |
download | ceph-19fcec84d8d7d21e796c7624e521b60d28ee21ed.tar.xz ceph-19fcec84d8d7d21e796c7624e521b60d28ee21ed.zip |
Adding upstream version 16.2.11+ds.upstream/16.2.11+dsupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/jaegertracing/thrift/test/keys/README.md')
-rwxr-xr-x | src/jaegertracing/thrift/test/keys/README.md | 102 |
1 files changed, 102 insertions, 0 deletions
diff --git a/src/jaegertracing/thrift/test/keys/README.md b/src/jaegertracing/thrift/test/keys/README.md
new file mode 100755
index 000000000..010835d35
--- /dev/null
+++ b/src/jaegertracing/thrift/test/keys/README.md
@@ -0,0 +1,102 @@
+# Test Keys and Certificates
+This folder is dedicated to test keys and certificates provided in multiple formats.
+Primary use are unit test suites and cross language tests.
+
+ test/keys
+
+**The files in this directory must never be used on production systems.**
+
+## SSL Keys and Certificates
+
+
+## create certificates
+
+we use the following parameters for test key and certificate creation
+
+ C=US,
+ ST=Maryland,
+ L=Forest Hill,
+ O=The Apache Software Foundation,
+ OU=Apache Thrift,
+ CN=localhost/emailAddress=dev@thrift.apache.org
+
+### create self-signed server key and certificate
+
+ openssl req -new -x509 -nodes -days 3000 -out server.crt -keyout server.key
+ openssl x509 -in server.crt -text > CA.pem
+ cat server.crt server.key > server.pem
+
+Export password is "thrift" without the quotes
+
+ openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12
+
+### create client key and certificate
+
+ openssl genrsa -out client.key
+
+create a signing request:
+
+ openssl req -new -key client.key -out client.csr
+
+sign the client certificate with the server.key
+
+ openssl x509 -req -days 3000 -in client.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client.crt
+
+export certificate in PKCS12 format (Export password is "thrift" without the quotes)
+
+ openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
+
+export certificate in PEM format for OpenSSL usage
+
+ openssl pkcs12 -in client.p12 -out client.pem -clcerts
+
+### create client key and certificate with altnames
+
+copy openssl.cnf from your system e.g. /etc/ssl/openssl.cnf and append following to the end of [ v3_req ]
+
+ subjectAltName=@alternate_names
+
+ [ alternate_names ]
+ IP.1=127.0.0.1
+ IP.2=::1
+ IP.3=::ffff:127.0.0.1
+
+create a signing request:
+
+ openssl req -new -key client_v3.key -out client_v3.csr -config openssl.cnf \
+ -subj "/C=US/ST=Maryland/L=Forest Hill/O=The Apache Software Foundation/OU=Apache Thrift/CN=localhost" -extensions v3_req
+
+sign the client certificate with the server.key
+
+ openssl x509 -req -days 3000 -in client_v3.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client_v3.crt -extensions v3_req -extfile openssl.cnf
+
+## Java key and certificate import
+Java Test Environment uses key and trust store password "thrift" without the quotes
+
+list keystore entries
+
+ keytool -list -storepass thrift -keystore ../../lib/java/test/.keystore
+
+list truststore entries
+
+ keytool -list -storepass thrift -keystore ../../lib/java/test/.truststore
+
+
+delete an entry
+
+ keytool -delete -storepass thrift -keystore ../../lib/java/test/.truststore -alias ssltest
+
+
+import certificate into truststore
+
+ keytool -importcert -storepass thrift -keystore ../../lib/java/test/.truststore -alias localhost --file server.crt
+
+import key into keystore
+
+ keytool -importkeystore -storepass thrift -keystore ../../lib/java/test/.keystore -srcstoretype pkcs12 -srckeystore server.p12
+
+# Test SSL server and clients
+
+ openssl s_client -connect localhost:9090
+ openssl s_server -accept 9090 -www
+
|