Skip to content

Latest commit

 

History

History

keys

Folders and files

NameName
Last commit message
Last commit date

parent directory

..

CA.pem

CA.pem

 
 

README.md

README.md

 
 

client.crt

client.crt

 
 

client.key

client.key

 
 

client.p12

client.p12

 
 

client.pem

client.pem

 
 

client_v3.crt

client_v3.crt

 
 

client_v3.key

client_v3.key

 
 

server.crt

server.crt

 
 

server.key

server.key

 
 

server.p12

server.p12

 
 

server.pem

server.pem

 
 

README.md

Test Keys and Certificates

This folder is dedicated to test keys and certificates provided in multiple formats. Primary use are unit test suites and cross language tests.

test/keys

The files in this directory must never be used on production systems.

SSL Keys and Certificates

create certificates

we use the following parameters for test key and certificate creation

C=US,
ST=Maryland,
L=Forest Hill,
O=The Apache Software Foundation,
OU=Apache Thrift,
CN=localhost/emailAddress=dev@thrift.apache.org

create self-signed server key and certificate

openssl req -new -x509 -nodes  -days 3000 -out server.crt -keyout server.key
openssl x509 -in server.crt -text > CA.pem
cat server.crt server.key > server.pem

Export password is "thrift" without the quotes

openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12

create client key and certificate

openssl genrsa -out client.key

create a signing request:

openssl req -new -key client.key -out client.csr

sign the client certificate with the server.key

openssl x509 -req -days 3000 -in client.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client.crt

export certificate in PKCS12 format (Export password is "thrift" without the quotes)

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

export certificate in PEM format for OpenSSL usage

openssl pkcs12 -in client.p12 -out client.pem -clcerts

create client key and certificate with altnames

copy openssl.cnf from your system e.g. /etc/ssl/openssl.cnf and append following to the end of [ v3_req ]

subjectAltName=@alternate_names

[ alternate_names ]
IP.1=127.0.0.1
IP.2=::1
IP.3=::ffff:127.0.0.1

create a signing request:

openssl req -new -key client_v3.key -out client_v3.csr -config openssl.cnf \
    -subj "/C=US/ST=Maryland/L=Forest Hill/O=The Apache Software Foundation/OU=Apache Thrift/CN=localhost" -extensions v3_req

sign the client certificate with the server.key

openssl x509 -req -days 3000 -in client_v3.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client_v3.crt -extensions v3_req -extfile openssl.cnf

Java key and certificate import

Java Test Environment uses key and trust store password "thrift" without the quotes

list keystore entries

keytool -list -storepass thrift -keystore ../../lib/java/test/.keystore

list truststore entries

keytool -list -storepass thrift -keystore ../../lib/java/test/.truststore

delete an entry

keytool -delete -storepass thrift -keystore ../../lib/java/test/.truststore -alias ssltest

import certificate into truststore

keytool -importcert -storepass thrift -keystore ../../lib/java/test/.truststore -alias localhost --file server.crt

import key into keystore

keytool -importkeystore -storepass thrift -keystore ../../lib/java/test/.keystore -srcstoretype pkcs12 -srckeystore server.p12

Test SSL server and clients

openssl s_client -connect localhost:9090
openssl s_server -accept 9090 -www