Apache
/
druid
mirror of https://github.com/apache/druid.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

More portable expired cert gen for IT (#6481)

This commit is contained in:
Jonathan Wei 2018-10-17 08:24:15 -07:00 committed by Fangjin Yang
parent c780aacc03
commit b9d01f5770
1 changed files with 69 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
integration-tests/docker/tls/generate-expired-client-cert.sh
View File

@ -32,10 +32,78 @@ DNS.1 = ${HOSTNAME}
DNS.2 = localhost DNS.2 = localhost
EOT EOT
cat <<EOT > root_for_expired_client.cnf
[ ca ]
default_ca = CA_default
[ CA_default ]
database = cert_db.txt
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_days = 365
default_crl_days= 30
default_md = default
preserve = no
policy = policy_match
serial = certs.seq
email_in_dn=integration-test@druid.io
[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = v3_ca
distinguished_name = dn
[ dn ]
C=DR
ST=DR
L=Druid City
O=Druid
OU=IntegrationTests
emailAddress=integration-test@druid.io
CN = itroot
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
subjectAltName = @alt_names
[ usr_cert ]
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ alt_names ]
IP.1 = ${DOCKER_HOST_IP}
IP.2 = 127.0.0.1
IP.3 = 172.172.172.1
IP.4 = ${DOCKER_MACHINE_IP:=127.0.0.1}
DNS.1 = ${HOSTNAME}
DNS.2 = localhost
EOT
rm -f cert_db.txt
touch cert_db.txt
rm -f cert_db.txt.attr
touch cert_db.txt.attr
rm -rf certs.seq
echo 11111115 > certs.seq
# Generate a client certificate for this machine # Generate a client certificate for this machine
openssl genrsa -out expired_client.key 1024 -sha256 openssl genrsa -out expired_client.key 1024 -sha256
openssl req -new -out expired_client.csr -key expired_client.key -reqexts req_ext -config expired_csr.conf openssl req -new -out expired_client.csr -key expired_client.key -reqexts req_ext -config expired_csr.conf
openssl x509 -req -days -3650 -in expired_client.csr -CA root.pem -CAkey root.key -set_serial 0x11111115 -out expired_client.pem -sha256 -extfile expired_csr.conf -extensions req_ext openssl ca -batch -config root_for_expired_client.cnf -policy policy_loose -out expired_client.pem -outdir . -startdate 101010000000Z -enddate 101011000000Z -extensions v3_ca -cert root.pem -keyfile root.key -infiles expired_client.csr
# Create a Java keystore containing the generated certificate # Create a Java keystore containing the generated certificate
openssl pkcs12 -export -in expired_client.pem -inkey expired_client.key -out expired_client.p12 -name expired_client -CAfile root.pem -caname druid-it-root -password pass:druid123 openssl pkcs12 -export -in expired_client.pem -inkey expired_client.key -out expired_client.p12 -name expired_client -CAfile root.pem -caname druid-it-root -password pass:druid123