tests/proton_tests/ssl_db/README.txt - qpid-proton - Git at Google

 The following certificate files are used by the SSL unit tests (ssl.py):

 ca-certificate.pem - contains the public certificate identifying a "trusted" Certificate
 Authority.  This certificate is used to sign the certificates that identify the SSL
 servers and clients run by the tests.

 client-certificate.pem - the public certificate used to identify the client.  Signed by
 the CA.

 client-private-key.pem - encrypted key used to create client-certificate.pem.  Password is
 "client-password"

 server-certificate.pem - the public certificate used to identify the server.  Signed by
 the CA.  The CommonName is "A1.Good.Server.domain.com", and is checked by some unit tests.

 server-private-key.pem - encrypted key used to create server-certificate.pem. Password is
 "server-password"

 bad-server-certificate.pem, bad-server-private-key.pem - a certificate/key that is not trusted by the client, for negative test.

 server-wc-certificate.pem and server-wc-private-key.pem - similar to
 server-certificate.pem and server-private-key.pem, but contains Subject Alternate Name
 entries, and a wildcard CommonName.  Used for certificate name checking tests.

 These certificates have been created using the OpenSSL tool.

 The following bash script can be used to create these certificates (requires keytool from Java 1.7, and openssl):

 --8<--
 #!/bin/bash
 #set -x

 rm -f *.pem *.pkcs12

 # Create a self-signed certificate for the CA, and a private key to sign certificate requests:
 keytool -storetype pkcs12 -keystore ca.pkcs12 -storepass ca-password -alias ca -keypass ca-password -genkey -dname "O=Trust Me Inc.,CN=Trusted.CA.com"
 openssl pkcs12 -nokeys -passin pass:ca-password -in ca.pkcs12 -passout pass:ca-password -out ca-certificate.pem

 # Create a certificate request for the server certificate.  Use the CA's certificate to sign it:
 keytool -storetype pkcs12 -keystore server.pkcs12 -storepass server-password -alias server-certificate -keypass server-password -genkey  -dname "O=Server,CN=A1.Good.Server.domain.com"
 keytool -storetype pkcs12 -keystore server.pkcs12 -storepass server-password -alias server-certificate -keypass server-password -certreq -file server-request.pem
 keytool -storetype pkcs12 -keystore ca.pkcs12 -storepass ca-password -alias ca -keypass ca-password -gencert -rfc -validity 99999 -infile server-request.pem -outfile server-certificate.pem
 openssl pkcs12 -nocerts -passin pass:server-password -in server.pkcs12 -passout pass:server-password -out server-private-key.pem

 # Create a certificate request for the client certificate.  Use the CA's certificate to sign it:
 keytool -storetype pkcs12 -keystore client.pkcs12 -storepass client-password -alias client-certificate -keypass client-password -genkey  -dname "O=Client,CN=127.0.0.1"
 keytool -storetype pkcs12 -keystore client.pkcs12 -storepass client-password -alias client-certificate -keypass client-password -certreq -file client-request.pem
 keytool -storetype pkcs12 -keystore ca.pkcs12 -storepass ca-password -alias ca -keypass ca-password -gencert -rfc -validity 99999 -infile client-request.pem -outfile client-certificate.pem
 openssl pkcs12 -nocerts -passin pass:client-password -in client.pkcs12 -passout pass:client-password -out client-private-key.pem

 # Create a "bad" certificate - not signed by a trusted authority
 keytool -storetype pkcs12 -keystore bad-server.pkcs12 -storepass server-password -alias bad-server -keypass server-password -genkey -dname "O=Not Trusted Inc,CN=127.0.0.1"
 openssl pkcs12 -nocerts -passin pass:server-password -in bad-server.pkcs12 -passout pass:server-password -out bad-server-private-key.pem
 openssl pkcs12 -nokeys  -passin pass:server-password -in bad-server.pkcs12 -passout pass:server-password -out bad-server-certificate.pem

 # Create a server certificate with several alternate names, including a wildcarded common name:
 keytool -ext san=dns:alternate.name.one.com,dns:another.name.com -storetype pkcs12 -keystore server.pkcs12 -storepass server-password -alias server-wc-certificate -keypass server-password -genkeypair -dname "O=Server,CN=*.prefix*.domain.com"
 keytool -ext san=dns:alternate.name.one.com,dns:another.name.com -storetype pkcs12 -keystore server.pkcs12 -storepass server-password -alias server-wc-certificate -keypass server-password -certreq -file server-wc-request.pem
 keytool -ext san=dns:alternate.name.one.com,dns:another.name.com  -storetype pkcs12 -keystore ca.pkcs12 -storepass ca-password -alias ca -keypass ca-password -gencert -rfc -validity 99999 -infile server-wc-request.pem -outfile server-wc-certificate.pem
 openssl pkcs12 -nocerts -passin pass:server-password -in server.pkcs12 -passout pass:server-password -out server-wc-private-key.pem
	The following certificate files are used by the SSL unit tests (ssl.py):

	ca-certificate.pem - contains the public certificate identifying a "trusted" Certificate
	Authority. This certificate is used to sign the certificates that identify the SSL
	servers and clients run by the tests.

	client-certificate.pem - the public certificate used to identify the client. Signed by
	the CA.

	client-private-key.pem - encrypted key used to create client-certificate.pem. Password is
	"client-password"

	server-certificate.pem - the public certificate used to identify the server. Signed by
	the CA. The CommonName is "A1.Good.Server.domain.com", and is checked by some unit tests.

	server-private-key.pem - encrypted key used to create server-certificate.pem. Password is
	"server-password"

	bad-server-certificate.pem, bad-server-private-key.pem - a certificate/key that is not trusted by the client, for negative test.

	server-wc-certificate.pem and server-wc-private-key.pem - similar to
	server-certificate.pem and server-private-key.pem, but contains Subject Alternate Name
	entries, and a wildcard CommonName. Used for certificate name checking tests.

	These certificates have been created using the OpenSSL tool.

	The following bash script can be used to create these certificates (requires keytool from Java 1.7, and openssl):

	--8<--
	#!/bin/bash
	#set -x

	rm -f .pem .pkcs12

	# Create a self-signed certificate for the CA, and a private key to sign certificate requests:
	keytool -storetype pkcs12 -keystore ca.pkcs12 -storepass ca-password -alias ca -keypass ca-password -genkey -dname "O=Trust Me Inc.,CN=Trusted.CA.com"
	openssl pkcs12 -nokeys -passin pass:ca-password -in ca.pkcs12 -passout pass:ca-password -out ca-certificate.pem

	# Create a certificate request for the server certificate. Use the CA's certificate to sign it:
	keytool -storetype pkcs12 -keystore server.pkcs12 -storepass server-password -alias server-certificate -keypass server-password -genkey -dname "O=Server,CN=A1.Good.Server.domain.com"
	keytool -storetype pkcs12 -keystore server.pkcs12 -storepass server-password -alias server-certificate -keypass server-password -certreq -file server-request.pem
	keytool -storetype pkcs12 -keystore ca.pkcs12 -storepass ca-password -alias ca -keypass ca-password -gencert -rfc -validity 99999 -infile server-request.pem -outfile server-certificate.pem
	openssl pkcs12 -nocerts -passin pass:server-password -in server.pkcs12 -passout pass:server-password -out server-private-key.pem

	# Create a certificate request for the client certificate. Use the CA's certificate to sign it:
	keytool -storetype pkcs12 -keystore client.pkcs12 -storepass client-password -alias client-certificate -keypass client-password -genkey -dname "O=Client,CN=127.0.0.1"
	keytool -storetype pkcs12 -keystore client.pkcs12 -storepass client-password -alias client-certificate -keypass client-password -certreq -file client-request.pem
	keytool -storetype pkcs12 -keystore ca.pkcs12 -storepass ca-password -alias ca -keypass ca-password -gencert -rfc -validity 99999 -infile client-request.pem -outfile client-certificate.pem
	openssl pkcs12 -nocerts -passin pass:client-password -in client.pkcs12 -passout pass:client-password -out client-private-key.pem

	# Create a "bad" certificate - not signed by a trusted authority
	keytool -storetype pkcs12 -keystore bad-server.pkcs12 -storepass server-password -alias bad-server -keypass server-password -genkey -dname "O=Not Trusted Inc,CN=127.0.0.1"
	openssl pkcs12 -nocerts -passin pass:server-password -in bad-server.pkcs12 -passout pass:server-password -out bad-server-private-key.pem
	openssl pkcs12 -nokeys -passin pass:server-password -in bad-server.pkcs12 -passout pass:server-password -out bad-server-certificate.pem

	# Create a server certificate with several alternate names, including a wildcarded common name:
	keytool -ext san=dns:alternate.name.one.com,dns:another.name.com -storetype pkcs12 -keystore server.pkcs12 -storepass server-password -alias server-wc-certificate -keypass server-password -genkeypair -dname "O=Server,CN=.prefix.domain.com"
	keytool -ext san=dns:alternate.name.one.com,dns:another.name.com -storetype pkcs12 -keystore server.pkcs12 -storepass server-password -alias server-wc-certificate -keypass server-password -certreq -file server-wc-request.pem
	keytool -ext san=dns:alternate.name.one.com,dns:another.name.com -storetype pkcs12 -keystore ca.pkcs12 -storepass ca-password -alias ca -keypass ca-password -gencert -rfc -validity 99999 -infile server-wc-request.pem -outfile server-wc-certificate.pem
	openssl pkcs12 -nocerts -passin pass:server-password -in server.pkcs12 -passout pass:server-password -out server-wc-private-key.pem