Skip to content

Generating SSL KeyStores

Jump to bottom
Andy Wilkinson edited this page Aug 19, 2021 · 10 revisions

Our embedded container tests use KeyStores containing self-signed certificates to test various aspects of the container’s SSL support. The KeyStores can be created using the following steps.

  1. Delete the old .jks KeyStore:

    rm spring-boot-project/spring-boot/src/test/resources/test.jks

  2. Create a new .jks KeyStore with spring-boot and test-alias entries:

    keytool -genkeypair -storepass secret -keypass password -keystore spring-boot-project/spring-boot/src/test/resources/test.jks -dname "CN=127.0.0.1, OU=Spring, O=VMware, L=Palo Alto, ST=California, C=US" -validity 3650 -alias spring-boot -keyalg RSA -ext "SAN=IP:::1"
keytool -genkeypair -storepass secret -keypass password -keystore spring-boot-project/spring-boot/src/test/resources/test.jks -dname "CN=127.0.0.1, OU=Spring, O=VMware, L=Palo Alto, ST=California, C=US" -validity 3650 -alias test-alias -keyalg RSA -ext "SAN=IP:::1"

  3. Delete the old .p12 KeyStore:

    rm spring-boot-project/spring-boot/src/test/resources/test.p12

  4. Create a new .p12 KeyStore from the .jks KeyStore:

    keytool -importkeystore -srckeystore spring-boot-project/spring-boot/src/test/resources/test.jks -destkeystore spring-boot-project/spring-boot/src/test/resources/test.p12 -deststoretype pkcs12 -srcstorepass secret -deststorepass secret -destkeypass secret
    Tip
    		 Use password when prompted for the passwords for the spring-boot and test-alias entries.

  5. Create a trusted cert entry (required by Tomcat) in the two new KeyStores:

    keytool -keystore spring-boot-project/spring-boot/src/test/resources/test.jks -storepass secret -alias spring-boot -exportcert > exported
keytool -keystore spring-boot-project/spring-boot/src/test/resources/test.jks -storepass secret -importcert -file exported
keytool -keystore spring-boot-project/spring-boot/src/test/resources/test.p12 -storepass secret -importcert -file exported
rm exported

  6. List the test-alias entry to find the serial number used to create SerialNumberValidatingTrustSelfSignedStrategy in the tests:

    keytool -list -keystore spring-boot-project/spring-boot/src/test/resources/test.jks -v -storepass secret -alias test-alias
    Alias name: test-alias
Creation date: 19-Aug-2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=127.0.0.1, OU=Spring, O=VMware, L=Palo Alto, ST=California, C=US
Issuer: CN=127.0.0.1, OU=Spring, O=VMware, L=Palo Alto, ST=California, C=US
Serial number: 18d36252
Valid from: Thu Aug 19 13:40:16 BST 2021 until: Sun Aug 17 13:40:16 BST 2031
Certificate fingerprints:
	 SHA1: CD:1D:C0:EC:6A:EB:01:18:EF:47:9A:6D:5D:28:CF:67:EB:02:AD:E9
	 SHA256: 44:E8:4A:15:D0:8B:12:5B:51:6A:66:2D:19:82:3C:59:F8:F3:8B:0F:8C:35:60:79:31:FA:FE:86:BB:B6:81:76
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  IPAddress: 0:0:0:0:0:0:0:1
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: E1 56 CE 8F CB 7B 42 C3   FD 45 D6 1F 5C 6D DB 2B  .V....B..E..\m.+
0010: DE E1 17 82                                        ....
]
]

    In this case, the serial number is 26ca0d5b.

Pages

Clone this wiki locally