# Generating SSL KeyStores

Phillip Webb edited this page Jun 8, 2020 · 10 revisions
Our embedded container tests use KeyStores containing self-signed certificates to test various aspects of the container’s SSL support. The KeyStores can be created using the following steps.
1. Delete the old `.jks` KeyStore:

   ```shell
   rm spring-boot-project/spring-boot/src/test/resources/test.jks
   ```

2. Create a new `.jks` KeyStore with `spring-boot` and `test-alias` entries:

   ```shell
   keytool -genkeypair -storepass secret -keypass password -keystore spring-boot-project/spring-boot/src/test/resources/test.jks -dname "CN=Spring Boot, OU=Spring, O=Pivotal, L=San Francisco, ST=California, C=US" -validity 3650 -alias spring-boot -keyalg RSA
   keytool -genkeypair -storepass secret -keypass password -keystore spring-boot-project/spring-boot/src/test/resources/test.jks -dname "CN=Spring Boot, OU=Spring, O=Pivotal, L=San Francisco, ST=California, C=US" -validity 3650 -alias test-alias -keyalg RSA
   ```

3. Delete the old `.p12` KeyStore:

   ```shell
   rm spring-boot-project/spring-boot/src/test/resources/test.p12
   ```

4. Create a new `.p12` KeyStore from the `.jks` KeyStore:

   ```shell
   keytool -importkeystore -srckeystore spring-boot-project/spring-boot/src/test/resources/test.jks -destkeystore spring-boot-project/spring-boot/src/test/resources/test.p12 -deststoretype pkcs12 -srcstorepass secret -deststorepass secret -destkeypass secret
   ```

   **Tip:** Use `password` when prompted for the passwords for the `spring-boot` and `test-alias` entries.

5. Create a trusted cert entry (required by Tomcat) in the two new KeyStores:

   ```shell
   keytool -keystore spring-boot-project/spring-boot/src/test/resources/test.jks -storepass secret -alias spring-boot -exportcert > exported
   keytool -keystore spring-boot-project/spring-boot/src/test/resources/test.jks -storepass secret -importcert -file exported
   keytool -keystore spring-boot-project/spring-boot/src/test/resources/test.p12 -storepass secret -importcert -file exported
   rm exported
   ```

6. List the `test-alias` entry to find the serial number used to create `SerialNumberValidatingTrustSelfSignedStrategy` in the tests:

   ```shell
   keytool -list -keystore spring-boot-project/spring-boot/src/test/resources/test.jks -v -storepass secret -alias test-alias
   ```

   ```
   Alias name: test-alias
   Creation date: 01-Sep-2019
   Entry type: PrivateKeyEntry
   Certificate chain length: 1
   Certificate[1]:
   Owner: CN=Spring Boot, OU=Spring, O=Pivotal, L=San Francisco, ST=California, C=US
   Issuer: CN=Spring Boot, OU=Spring, O=Pivotal, L=San Francisco, ST=California, C=US
   Serial number: 26ca0d5b
   Valid from: Sun Sep 01 19:52:31 BST 2019 until: Wed Aug 29 19:52:31 BST 2029
   Certificate fingerprints:
            MD5:  57:85:F8:8A:40:40:CD:C1:20:67:96:80:03:A2:6E:D2
            SHA1: 6A:AE:73:CD:B7:CB:E4:76:96:70:6B:8B:2F:CF:D1:B6:8F:3B:F6:70
            SHA256: 5D:1C:6F:3C:80:A4:BC:0F:50:B3:5A:63:91:7D:E1:36:64:6D:9E:9C:0B:D6:AA:AB:9D:5F:40:3C:47:0C:8E:CD
   Signature algorithm name: SHA256withRSA
   Subject Public Key Algorithm: 2048-bit RSA key
   Version: 3

   Extensions:

   #1: ObjectId: 2.5.29.14 Criticality=false
   SubjectKeyIdentifier [
   KeyIdentifier [
   0000: AB E4 0F 65 23 FC 6D 3F   28 5B F9 A4 EB 1D 62 38  ...e#.m?([....b8
   0010: 31 31 D6 CC                                        11..
   ]
   ]
   ```

   In this case, the serial number is `26ca0d5b`.
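The six steps above collected into a script that runs without prompts, together with a small parser for the step 6 listing so the serial number can be checked by a script rather than read off by eye. This is an added example, not the wiki page's or Spring Boot's own script. It assumes `keytool` is on the PATH, a `KEYSTORE_DIR` default equal to the page's path, and that `-srckeypass` and `-noprompt` are acceptable scripted substitutes for the interactive prompts the page describes. `SAMPLE_LISTING` is a constructed copy of the page's own listing so the parser can be exercised without keytool.

```shell
#!/bin/sh
# Added example (not from the Spring Boot wiki page): the manual keystore
# regeneration steps as a non-interactive script, plus a parser that pulls
# the serial number out of `keytool -list -v` output.

# Defaults match the page; KEYSTORE_DIR may be overridden (assumption).
KEYSTORE_DIR="${KEYSTORE_DIR:-spring-boot-project/spring-boot/src/test/resources}"
DNAME="CN=Spring Boot, OU=Spring, O=Pivotal, L=San Francisco, ST=California, C=US"
STOREPASS=secret
KEYPASS=password

# Steps 1-5: regenerate test.jks and test.p12 under the directory "$1".
regenerate_keystores() {
    dir="$1"
    jks="$dir/test.jks"
    p12="$dir/test.p12"
    exported="$dir/exported.cer"

    rm -f "$jks" "$p12"

    # Step 2: one self-signed RSA key pair per alias, 10-year validity.
    for alias in spring-boot test-alias; do
        keytool -genkeypair -storepass "$STOREPASS" -keypass "$KEYPASS" \
            -keystore "$jks" -dname "$DNAME" -validity 3650 \
            -alias "$alias" -keyalg RSA
    done

    # Step 4: convert to PKCS12. -srckeypass is the scripted form of the
    # page's tip (enter `password` when prompted for the entry passwords).
    keytool -importkeystore -srckeystore "$jks" -destkeystore "$p12" \
        -deststoretype pkcs12 -srcstorepass "$STOREPASS" \
        -srckeypass "$KEYPASS" -deststorepass "$STOREPASS" \
        -destkeypass "$STOREPASS"

    # Step 5: trusted-certificate entry in both stores. The page's commands
    # give -importcert no -alias, so keytool files it under its default
    # alias "mykey"; -noprompt answers the "already exists, add anyway?"
    # question that the interactive run would ask.
    keytool -keystore "$jks" -storepass "$STOREPASS" -alias spring-boot \
        -exportcert -file "$exported"
    keytool -keystore "$jks" -storepass "$STOREPASS" -importcert \
        -file "$exported" -noprompt
    keytool -keystore "$p12" -storepass "$STOREPASS" -importcert \
        -file "$exported" -noprompt
    rm -f "$exported"
}

# Step 6 helper: parse `keytool -list -v` output from stdin and print the
# first "Serial number:" value (hex, as keytool prints it), or nothing.
serial_from_listing() {
    sed -n 's/^[[:space:]]*Serial number:[[:space:]]*\([0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

# Serial number of one entry of a keystore (needs keytool).
entry_serial() {
    keytool -list -keystore "$1" -v -storepass "$STOREPASS" -alias "$2" \
        | serial_from_listing
}

# Returns 0 when the listing on stdin carries exactly the expected serial,
# i.e. the value hard-coded for SerialNumberValidatingTrustSelfSignedStrategy.
serial_matches() {
    expected="$1"
    actual="$(serial_from_listing)"
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        return 0
    fi
    return 1
}

# Constructed sample: the listing shown on the page, trimmed to the lines
# the parser needs, so the parser can be tried without keytool installed.
SAMPLE_LISTING='Alias name: test-alias
Creation date: 01-Sep-2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Spring Boot, OU=Spring, O=Pivotal, L=San Francisco, ST=California, C=US
Issuer: CN=Spring Boot, OU=Spring, O=Pivotal, L=San Francisco, ST=California, C=US
Serial number: 26ca0d5b
Valid from: Sun Sep 01 19:52:31 BST 2019 until: Wed Aug 29 19:52:31 BST 2029'

# Only touch the real keystores when asked: `sh regen-keystores.sh regenerate`
if [ "${1:-}" = "regenerate" ]; then
    regenerate_keystores "$KEYSTORE_DIR"
    echo "test-alias serial: $(entry_serial "$KEYSTORE_DIR/test.jks" test-alias)"
fi
```

Every regeneration produces a fresh random serial number, so after running the script the value printed for `test-alias` has to replace the one used for `SerialNumberValidatingTrustSelfSignedStrategy` in the tests; `serial_matches` is there so that check can sit in a script instead of being done by hand.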