| <!DOCTYPE html> |
| <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> |
| <head> |
| <meta content="text/html; charset=utf-8" http-equiv="Content-Type" /> |
| <meta content="en-us" http-equiv="Content-Language" /> |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"> |
| |
| <link href="/static/images/favicon.ico" rel="shortcut icon" /> |
| <link href="/static/css/style.css" rel="stylesheet" type="text/css" /> |
| <link href="/static/css/codehilite.css" rel="stylesheet" type="text/css" /> |
| <link href="/static/css/bootstrap.css" media="screen, projection" rel="stylesheet" type="text/css" /> |
| <link href="/static/css/thrift.css" media="screen, projection" rel="stylesheet" type="text/css" /> |
| |
| <script src="/static/js/jquery.min.js"></script> |
| <script src="/static/js/bootstrap-dropdown.js"></script> |
| <script src="/static/js/bootstrap-tab.js"></script> |
| <script src="/static/js/thrift.js"></script> |
| |
| <title>Apache Thrift - Keys</title> |
| </head> |
| <body> |
| |
| <div class="container"> |
| |
| <h1 id="test-keys-and-certificates">Test Keys and Certificates</h1> |
| <p>This folder holds test keys and certificates provided in multiple formats. |
| Their primary use is in unit test suites and cross-language tests.</p> |
| |
| <pre><code>test/keys |
| </code></pre> |
| |
| <p><strong>The files in this directory must never be used on production systems.</strong></p> |
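<p>One way to check a deployment for these files, as an added example that is not part of the Thrift source tree: the script flags any PEM certificate or private key under a target directory whose public key also occurs in a <code>test/keys</code> checkout, so a test key re-certified under another name is still caught. The function names and the files built by <code>make_sample</code> are constructed for illustration; PKCS12 and Java keystore files are not inspected.</p>

```shell
#!/bin/sh
# Added example (not Thrift code): find test key material reused in a deployment.
# Usage: find_test_key_reuse path/to/thrift/test/keys /path/to/deployment

# Print the SHA-256 of the public key in a PEM certificate or private key;
# return 1 for any other file. "-passin pass:" stops openssl from prompting.
pubkey_id() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ||
    pub=$(openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# List files under $2 whose public key also occurs in directory $1.
find_test_key_reuse() {
    ref_ids=$(for f in "$1"/*; do
        if [ -f "$f" ]; then pubkey_id "$f" || true; fi
    done | sort -u)
    find "$2" -type f | sort | while IFS= read -r f; do
        id=$(pubkey_id "$f") || continue
        [ -n "$id" ] || continue
        if printf '%s\n' "$ref_ids" | grep -qxF "$id"; then printf '%s\n' "$f"; fi
    done
}

# Constructed sample: $1/ref stands in for test/keys, $1/deploy for a deployment.
make_sample() {
    mkdir -p "$1/ref" "$1/deploy/tls"
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$1/min.cnf"
    openssl req -new -x509 -nodes -days 1 -config "$1/min.cnf" -newkey rsa:2048 \
        -subj "/OU=Apache Thrift/CN=localhost" \
        -keyout "$1/ref/server.key" -out "$1/ref/server.crt" 2>/dev/null
    # Same key copied and re-certified under another name: still a match.
    cp "$1/ref/server.key" "$1/deploy/tls/app.key"
    openssl req -new -x509 -days 1 -config "$1/min.cnf" -key "$1/ref/server.key" \
        -subj "/CN=app.example.internal" -out "$1/deploy/tls/app.crt" 2>/dev/null
    # Unrelated key pair: must not be reported.
    openssl req -new -x509 -nodes -days 1 -config "$1/min.cnf" -newkey rsa:2048 \
        -subj "/CN=other.example.internal" \
        -keyout "$1/other.key" -out "$1/deploy/tls/other.crt" 2>/dev/null
    echo "not a key" > "$1/deploy/README.txt"
}
```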
| |
| <h2 id="ssl-keys-and-certificates">SSL Keys and Certificates</h2> |
| |
| <h2 id="create-certificates">create certificates</h2> |
| |
| <p>We use the following parameters for test key and certificate creation:</p> |
| |
| <pre><code>C=US, |
| ST=Maryland, |
| L=Forest Hill, |
| O=The Apache Software Foundation, |
| OU=Apache Thrift, |
| CN=localhost/emailAddress=dev@thrift.apache.org |
| </code></pre> |
| |
| <h3 id="create-self-signed-server-key-and-certificate">create self-signed server key and certificate</h3> |
| |
| <pre><code>openssl req -new -x509 -nodes -days 3000 -out server.crt -keyout server.key |
| openssl x509 -in server.crt -text > CA.pem |
| cat server.crt server.key > server.pem |
| </code></pre> |
| |
| <p>The export password is “thrift” (without the quotes).</p> |
| |
| <pre><code>openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12 |
| </code></pre> |
| |
| <h3 id="create-client-key-and-certificate">create client key and certificate</h3> |
| |
| <pre><code>openssl genrsa -out client.key |
| </code></pre> |
| |
| <p>create a signing request:</p> |
| |
| <pre><code>openssl req -new -key client.key -out client.csr |
| </code></pre> |
| |
| <p>sign the client certificate with the server.key</p> |
| |
| <pre><code>openssl x509 -req -days 3000 -in client.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client.crt |
| </code></pre> |
| |
| <p>export certificate in PKCS12 format (Export password is “thrift” without the quotes)</p> |
| |
| <pre><code>openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12 |
| </code></pre> |
| |
| <p>export certificate in PEM format for OpenSSL usage</p> |
| |
| <pre><code>openssl pkcs12 -in client.p12 -out client.pem -clcerts |
| </code></pre> |
| |
| <h3 id="create-client-key-and-certificate-with-altnames">create client key and certificate with altnames</h3> |
| |
| <p>copy openssl.cnf from your system (e.g. /etc/ssl/openssl.cnf) and append the following to the end of the [ v3_req ] section</p> |
| |
| <pre><code>subjectAltName=@alternate_names |
| |
| [ alternate_names ] |
| IP.1=127.0.0.1 |
| IP.2=::1 |
| IP.3=::ffff:127.0.0.1 |
| </code></pre> |
| |
| <p>create a signing request:</p> |
| |
| <pre><code>openssl req -new -key client_v3.key -out client_v3.csr -config openssl.cnf \ |
| -subj "/C=US/ST=Maryland/L=Forest Hill/O=The Apache Software Foundation/OU=Apache Thrift/CN=localhost" -extensions v3_req |
| </code></pre> |
| |
| <p>sign the client certificate with the server.key</p> |
| |
| <pre><code>openssl x509 -req -days 3000 -in client_v3.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client_v3.crt -extensions v3_req -extfile openssl.cnf |
| </code></pre> |
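<p>The altnames procedure above, as an added example rather than a script from the Thrift tree: it runs the same commands without prompts in a scratch directory, then checks that the signed certificate carries the three IP entries and verifies against <code>CA.pem</code>. The minimal <code>openssl.cnf</code>, the <code>client_v3.key</code> generation step, the 2048-bit key size and the function names are assumptions of this example.</p>

```shell
#!/bin/sh
# Added example (not from the Thrift tree): the altnames steps run without prompts.
SUBJ="/C=US/ST=Maryland/L=Forest Hill/O=The Apache Software Foundation/OU=Apache Thrift/CN=localhost"

# Create the test CA and the client_v3 certificate inside the empty directory $1.
make_client_v3() (
    cd "$1" || exit 1
    # Minimal stand-in for the copied system openssl.cnf (an assumption of this example).
    cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = CA:TRUE
[ v3_req ]
subjectAltName=@alternate_names
[ alternate_names ]
IP.1=127.0.0.1
IP.2=::1
IP.3=::ffff:127.0.0.1
EOF
    openssl req -new -x509 -nodes -days 3000 -config openssl.cnf -newkey rsa:2048 \
        -subj "$SUBJ/emailAddress=dev@thrift.apache.org" \
        -out server.crt -keyout server.key 2>/dev/null || exit 1
    openssl x509 -in server.crt -text > CA.pem || exit 1
    # The page's commands expect client_v3.key to exist already; generate it here.
    openssl genrsa -out client_v3.key 2048 2>/dev/null || exit 1
    openssl req -new -key client_v3.key -out client_v3.csr -config openssl.cnf \
        -subj "$SUBJ" -extensions v3_req || exit 1
    openssl x509 -req -days 3000 -in client_v3.csr -CA CA.pem -CAkey server.key \
        -set_serial 01 -out client_v3.crt -extensions v3_req -extfile openssl.cnf 2>/dev/null
)

# Number of IP entries in the subjectAltName extension of certificate $1.
san_ip_count() {
    openssl x509 -in "$1" -noout -text | grep -o 'IP Address:' | wc -l | tr -d ' '
}

# Succeeds only if $1/client_v3.crt verifies against $1/CA.pem.
chain_ok() {
    openssl verify -CAfile "$1/CA.pem" "$1/client_v3.crt" >/dev/null 2>&1
}
```

<p>The server subject keeps the <code>emailAddress</code> field from the parameter list while the client subject omits it, so the client certificate's subject and issuer names differ, as they do when the page's commands are followed literally.</p>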
| |
| <h2 id="java-key-and-certificate-import">Java key and certificate import</h2> |
| <p>The Java test environment uses the key and trust store password “thrift” (without the quotes).</p> |
| |
| <p>list keystore entries</p> |
| |
| <pre><code>keytool -list -storepass thrift -keystore ../../lib/java/test/.keystore |
| </code></pre> |
| |
| <p>list truststore entries</p> |
| |
| <pre><code>keytool -list -storepass thrift -keystore ../../lib/java/test/.truststore |
| </code></pre> |
| |
| <p>delete an entry</p> |
| |
| <pre><code>keytool -delete -storepass thrift -keystore ../../lib/java/test/.truststore -alias ssltest |
| </code></pre> |
| |
| <p>import certificate into truststore</p> |
| |
| <pre><code>keytool -importcert -storepass thrift -keystore ../../lib/java/test/.truststore -alias localhost -file server.crt |
| </code></pre> |
| |
| <p>import key into keystore</p> |
| |
| <pre><code>keytool -importkeystore -storepass thrift -keystore ../../lib/java/test/.keystore -srcstoretype pkcs12 -srckeystore server.p12 |
| </code></pre> |
| |
| <h1 id="test-ssl-server-and-clients">Test SSL server and clients</h1> |
| |
| <pre><code>openssl s_client -connect localhost:9090 |
| openssl s_server -accept 9090 -www |
| </code></pre> |
| |
| <p class="snippet_footer">This page was generated by Apache Thrift's <strong>source tree docs</strong>: |
| <a href="https://gitbox.apache.org/repos/asf?p=thrift.git;a=blob;hb=HEAD;f=test/keys/README.md">test/keys/README.md</a> |
| </p> |
| |
| |
| </div> |
| <div class="container"> |
| <hr> |
| <footer class="footer"> |
| <div class="row"> |
| <div class="span6"> |
| <a href="http://www.apache.org/"><img src="/static/images/feather.svg" onerror="this.src='/static/images/feather.png';this.onerror=null;" /></a> |
| Copyright © 2024 <a href="http://www.apache.org/">Apache Software Foundation</a>. |
| Licensed under the <a href="http://www.apache.org/licenses/">Apache License v2.0</a>. |
| Apache, Apache Thrift, and the Apache feather logo are trademarks of The Apache Software Foundation. |
| </div> |
| </div> |
| </footer> |
| </div> |
| |
| </body> |
| </html> |