mirror of https://github.com/apache/druid.git
Upgrade RSA Key from 1024 bit to 4096 to eliminate warnings (#11743)
* eliminate warnings * Change the keyStore type to PKCS12
parent
e583033231
commit
c8ddf60851
|
@ -39,7 +39,7 @@ druid_auth_authorizers=["basic"]
|
|||
druid_client_https_certAlias=druid
|
||||
druid_client_https_keyManagerPassword=druid123
|
||||
druid_client_https_keyStorePassword=druid123
|
||||
druid_client_https_keyStorePath=/tls/server.jks
|
||||
druid_client_https_keyStorePath=/tls/server.p12
|
||||
druid_client_https_protocol=TLSv1.2
|
||||
druid_client_https_trustStoreAlgorithm=PKIX
|
||||
druid_client_https_trustStorePassword=druid123
|
||||
|
@ -56,8 +56,8 @@ druid_server_http_allowedHttpMethods=["OPTIONS"]
|
|||
druid_server_https_certAlias=druid
|
||||
druid_server_https_keyManagerPassword=druid123
|
||||
druid_server_https_keyStorePassword=druid123
|
||||
druid_server_https_keyStorePath=/tls/server.jks
|
||||
druid_server_https_keyStoreType=jks
|
||||
druid_server_https_keyStorePath=/tls/server.p12
|
||||
druid_server_https_keyStoreType=PKCS12
|
||||
druid_server_https_requireClientCertificate=true
|
||||
druid_server_https_trustStoreAlgorithm=PKIX
|
||||
druid_server_https_trustStorePassword=druid123
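Review bot: The client keystore now points at `/tls/server.p12`, but no `druid_client_https_keyStoreType` line is visible in the first hunk, whereas the server block sets `druid_server_https_keyStoreType=PKCS12` explicitly. If the client type is not set elsewhere in the file (the rest of it is outside the hunks), it presumably falls back to the JVM's default keystore type, which differs between Java releases, so the TLS client setup would depend on the JDK in the test image. Adding `druid_client_https_keyStoreType=PKCS12` after the client `keyStorePath` line would make both sides state the format they load. The second environment file in this commit (the `ldapauth` one) has the same gap.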
|
||||
|
|
|
@ -49,7 +49,7 @@ druid_auth_authorizers=["ldapauth"]
|
|||
druid_client_https_certAlias=druid
|
||||
druid_client_https_keyManagerPassword=druid123
|
||||
druid_client_https_keyStorePassword=druid123
|
||||
druid_client_https_keyStorePath=/tls/server.jks
|
||||
druid_client_https_keyStorePath=/tls/server.p12
|
||||
druid_client_https_protocol=TLSv1.2
|
||||
druid_client_https_trustStoreAlgorithm=PKIX
|
||||
druid_client_https_trustStorePassword=druid123
|
||||
|
@ -66,8 +66,8 @@ druid_server_http_allowedHttpMethods=["OPTIONS"]
|
|||
druid_server_https_certAlias=druid
|
||||
druid_server_https_keyManagerPassword=druid123
|
||||
druid_server_https_keyStorePassword=druid123
|
||||
druid_server_https_keyStorePath=/tls/server.jks
|
||||
druid_server_https_keyStoreType=jks
|
||||
druid_server_https_keyStorePath=/tls/server.p12
|
||||
druid_server_https_keyStoreType=PKCS12
|
||||
druid_server_https_requireClientCertificate=true
|
||||
druid_server_https_trustStoreAlgorithm=PKIX
|
||||
druid_server_https_trustStorePassword=druid123
|
||||
|
|
|
@ -60,7 +60,7 @@ name_opt = ca_default
|
|||
cert_opt = ca_default
|
||||
default_days = 365
|
||||
default_crl_days= 30
|
||||
default_md = default
|
||||
default_md = sha256
|
||||
preserve = no
|
||||
policy = policy_match
|
||||
serial = certs.seq
|
||||
|
@ -118,10 +118,10 @@ rm -rf certs.seq
|
|||
echo 11111115 > certs.seq
|
||||
|
||||
# Generate a client certificate for this machine
|
||||
openssl genrsa -out expired_client.key 1024
|
||||
openssl genrsa -out expired_client.key 4096
|
||||
openssl req -new -out expired_client.csr -key expired_client.key -reqexts req_ext -config expired_csr.conf
|
||||
openssl ca -batch -config root_for_expired_client.cnf -policy policy_loose -out expired_client.pem -outdir . -startdate 101010000000Z -enddate 101011000000Z -extensions v3_ca -cert root.pem -keyfile root.key -infiles expired_client.csr
|
||||
|
||||
# Create a Java keystore containing the generated certificate
|
||||
openssl pkcs12 -export -in expired_client.pem -inkey expired_client.key -out expired_client.p12 -name expired_client -CAfile root.pem -caname druid-it-root -password pass:druid123
|
||||
keytool -importkeystore -srckeystore expired_client.p12 -srcstoretype PKCS12 -destkeystore expired_client.jks -deststoretype JKS -srcstorepass druid123 -deststorepass druid123
|
||||
keytool -importkeystore -srckeystore expired_client.p12 -srcstoretype PKCS12 -destkeystore expired_client.jks -deststoretype pkcs12 -srcstorepass druid123 -deststorepass druid123
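Review bot: The rewritten `keytool -importkeystore` line writes a PKCS12 store but still names it `expired_client.jks`, so the extension no longer matches the format. Any consumer that opens the file with an explicit `JKS` store type then relies on the JDK's keystore compatibility mode rather than on the real format, and the step is now only a PKCS12-to-PKCS12 copy of `expired_client.p12`. Either point the consumers at the `.p12` that `openssl pkcs12 -export` already produces and drop this step, as the server script in this commit does, or keep the name and say so in a comment such as `# PKCS12 content; the .jks name is kept because the tests reference this path`. The same line appears in the client, invalid-hostname, invalid-CA, revoked, another-root and intermediate-CA scripts in this commit.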
|
||||
|
|
|
@ -50,13 +50,13 @@ DNS.2 = localhost
|
|||
EOT
|
||||
|
||||
# Generate a client certificate for this machine
|
||||
openssl genrsa -out client.key 1024
|
||||
openssl genrsa -out client.key 4096
|
||||
openssl req -new -out client.csr -key client.key -reqexts req_ext -config csr.conf
|
||||
openssl x509 -req -days 3650 -in client.csr -CA root.pem -CAkey root.key -set_serial 0x11111111 -out client.pem -sha256 -extfile csr.conf -extensions req_ext
|
||||
|
||||
# Create a Java keystore containing the generated certificate
|
||||
openssl pkcs12 -export -in client.pem -inkey client.key -out client.p12 -name druid -CAfile root.pem -caname druid-it-root -password pass:druid123
|
||||
keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -destkeystore client.jks -deststoretype JKS -srcstorepass druid123 -deststorepass druid123
|
||||
keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -destkeystore client.jks -deststoretype pkcs12 -srcstorepass druid123 -deststorepass druid123
|
||||
|
||||
# Create a Java truststore with the druid test cluster root CA
|
||||
keytool -import -alias druid-it-root -keystore truststore.jks -file root.pem -storepass druid123 -noprompt
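Review bot: `truststore.jks` is still created by `keytool -import` with no `-storetype`, so its on-disk format follows the JDK's default keystore type and the same script can yield a JKS file on one JDK and a PKCS12 file on another. Since this commit moves the keystores to PKCS12 deliberately, the truststore should state its type too, for example `keytool -import -alias druid-it-root -keystore truststore.jks -storetype PKCS12 -file root.pem -storepass druid123 -noprompt` (or `JKS`, whichever the configs expect). The line is unchanged context here, so this is a follow-up rather than something the commit introduced. The server certificate script carries the same line.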
|
||||
|
|
|
@ -46,11 +46,11 @@ DNS.1 = thisisprobablywrongtoo
|
|||
|
||||
EOT
|
||||
|
||||
openssl genrsa -out invalid_hostname_client.key 1024
|
||||
openssl genrsa -out invalid_hostname_client.key 4096
|
||||
openssl req -new -out invalid_hostname_client.csr -key invalid_hostname_client.key -reqexts req_ext -config invalid_hostname_csr.conf
|
||||
openssl x509 -req -days 3650 -in invalid_hostname_client.csr -CA root.pem -CAkey root.key -set_serial 0x11111112 -out invalid_hostname_client.pem -sha256 -extfile invalid_hostname_csr.conf -extensions req_ext
|
||||
|
||||
# Create a Java keystore containing the generated certificate
|
||||
openssl pkcs12 -export -in invalid_hostname_client.pem -inkey invalid_hostname_client.key -out invalid_hostname_client.p12 -name invalid_hostname_client -CAfile root.pem -caname druid-it-root -password pass:druid123
|
||||
keytool -importkeystore -srckeystore invalid_hostname_client.p12 -srcstoretype PKCS12 -destkeystore invalid_hostname_client.jks -deststoretype JKS -srcstorepass druid123 -deststorepass druid123
|
||||
keytool -importkeystore -srckeystore invalid_hostname_client.p12 -srcstoretype PKCS12 -destkeystore invalid_hostname_client.jks -deststoretype pkcs12 -srcstorepass druid123 -deststorepass druid123
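Review bot: `openssl genrsa -out invalid_hostname_client.key 4096` is run for a throwaway test credential, and the commit makes the same change for roughly a dozen keys across the certificate scripts. If the only goal is to silence the weak-key warning named in the commit title, 2048 bits should be enough as far as I can tell, and it generates noticeably faster each time the test certificates are rebuilt. A shared variable would keep the choice in one place, e.g. `KEY_BITS=2048` with `openssl genrsa -out invalid_hostname_client.key "$KEY_BITS"`. This is a cost and maintainability point, not a security defect.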
|
||||
|
||||
|
|
|
@ -45,7 +45,7 @@ IP.1 = 9.9.9.9
|
|||
EOT
|
||||
|
||||
# Generate a bad intermediate certificate
|
||||
openssl genrsa -out invalid_ca_intermediate.key 1024
|
||||
openssl genrsa -out invalid_ca_intermediate.key 4096
|
||||
openssl req -new -out invalid_ca_intermediate.csr -key invalid_ca_intermediate.key -reqexts req_ext -config invalid_ca_intermediate.conf
|
||||
openssl x509 -req -days 3650 -in invalid_ca_intermediate.csr -CA root.pem -CAkey root.key -set_serial 0x33333331 -out invalid_ca_intermediate.pem -sha256 -extfile invalid_ca_intermediate.conf -extensions req_ext
|
||||
|
||||
|
@ -81,7 +81,7 @@ DNS.2 = localhost
|
|||
EOT
|
||||
|
||||
# Generate a client certificate for this machine
|
||||
openssl genrsa -out invalid_ca_client.key 1024
|
||||
openssl genrsa -out invalid_ca_client.key 4096
|
||||
openssl req -new -out invalid_ca_client.csr -key invalid_ca_client.key -reqexts req_ext -config invalid_ca_client.conf
|
||||
openssl x509 -req -days 3650 -in invalid_ca_client.csr -CA invalid_ca_intermediate.pem -CAkey invalid_ca_intermediate.key -set_serial 0x33333333 -out invalid_ca_client.pem -sha256 -extfile invalid_ca_client.conf -extensions req_ext
|
||||
|
||||
|
@ -91,4 +91,4 @@ cat invalid_ca_intermediate.pem >> invalid_ca_client.pem
|
|||
|
||||
# Create a Java keystore containing the generated certificate
|
||||
openssl pkcs12 -export -in invalid_ca_client.pem -inkey invalid_ca_client.key -out invalid_ca_client.p12 -name invalid_ca_client -CAfile invalid_ca_intermediate.pem -caname druid-it-root -password pass:druid123
|
||||
keytool -importkeystore -srckeystore invalid_ca_client.p12 -srcstoretype PKCS12 -destkeystore invalid_ca_client.jks -deststoretype JKS -srcstorepass druid123 -deststorepass druid123
|
||||
keytool -importkeystore -srckeystore invalid_ca_client.p12 -srcstoretype PKCS12 -destkeystore invalid_ca_client.jks -deststoretype pkcs12 -srcstorepass druid123 -deststorepass druid123
|
||||
|
|
|
@ -61,13 +61,12 @@ DNS.2 = localhost
|
|||
EOT
|
||||
|
||||
# Generate a server certificate for this machine
|
||||
openssl genrsa -out server.key 1024
|
||||
openssl genrsa -out server.key 4096
|
||||
openssl req -new -out server.csr -key server.key -reqexts req_ext -config csr.conf
|
||||
openssl x509 -req -days 3650 -in server.csr -CA root.pem -CAkey root.key -set_serial 0x22222222 -out server.pem -sha256 -extfile csr.conf -extensions req_ext
|
||||
|
||||
# Create a Java keystore containing the generated certificate
|
||||
# Create a Java keystore containing the generated certificate in PKCS12 format
|
||||
openssl pkcs12 -export -in server.pem -inkey server.key -out server.p12 -name druid -CAfile root.pem -caname druid-it-root -password pass:druid123
|
||||
keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -destkeystore server.jks -deststoretype JKS -srcstorepass druid123 -deststorepass druid123
|
||||
|
||||
# Create a Java truststore with the druid test cluster root CA
|
||||
keytool -import -alias druid-it-root -keystore truststore.jks -file root.pem -storepass druid123 -noprompt
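Review bot: `server.jks` is no longer produced by this script: the `keytool -importkeystore ... -destkeystore server.jks` step is dropped on the new side, which leaves `server.p12` from `openssl pkcs12 -export` as the only server keystore. The two environment files in this commit are switched to `/tls/server.p12`, but any other config, compose file or test that still reads `/tls/server.jks` would now fail at TLS start-up instead of at build time. A repository-wide search for `server.jks` before merging would confirm nothing is left behind. It would also help to extend the comment above the export to `# Create a PKCS12 keystore (server.p12); server.jks is no longer generated`.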
|
||||
|
|
|
@ -52,10 +52,10 @@ DNS.2 = localhost
|
|||
EOT
|
||||
|
||||
# Generate a client certificate for this machine
|
||||
openssl genrsa -out revoked_client.key 1024
|
||||
openssl genrsa -out revoked_client.key 4096
|
||||
openssl req -new -out revoked_client.csr -key revoked_client.key -reqexts req_ext -config revoked_csr.conf
|
||||
openssl x509 -req -days 3650 -in revoked_client.csr -CA root.pem -CAkey root.key -set_serial 0x11111113 -out revoked_client.pem -sha256 -extfile revoked_csr.conf -extensions req_ext
|
||||
|
||||
# Create a Java keystore containing the generated certificate
|
||||
openssl pkcs12 -export -in revoked_client.pem -inkey revoked_client.key -out revoked_client.p12 -name revoked_druid -CAfile root.pem -caname druid-it-root -password pass:druid123
|
||||
keytool -importkeystore -srckeystore revoked_client.p12 -srcstoretype PKCS12 -destkeystore revoked_client.jks -deststoretype JKS -srcstorepass druid123 -deststorepass druid123
|
||||
keytool -importkeystore -srckeystore revoked_client.p12 -srcstoretype PKCS12 -destkeystore revoked_client.jks -deststoretype pkcs12 -srcstorepass druid123 -deststorepass druid123
|
||||
|
|
|
@ -50,11 +50,11 @@ DNS.2 = localhost
|
|||
EOT
|
||||
|
||||
# Generate a client certificate for this machine
|
||||
openssl genrsa -out client_another_root.key 1024
|
||||
openssl genrsa -out client_another_root.key 4096
|
||||
openssl req -new -out client_another_root.csr -key client_another_root.key -reqexts req_ext -config csr_another_root.conf
|
||||
openssl x509 -req -days 3650 -in client_another_root.csr -CA untrusted_root.pem -CAkey untrusted_root.key -set_serial 0x11111114 -out client_another_root.pem -sha256 -extfile csr_another_root.conf -extensions req_ext
|
||||
|
||||
# Create a Java keystore containing the generated certificate
|
||||
openssl pkcs12 -export -in client_another_root.pem -inkey client_another_root.key -out client_another_root.p12 -name druid_another_root -CAfile untrusted_root.pem -caname druid-it-untrusted-root -password pass:druid123
|
||||
keytool -importkeystore -srckeystore client_another_root.p12 -srcstoretype PKCS12 -destkeystore client_another_root.jks -deststoretype JKS -srcstorepass druid123 -deststorepass druid123
|
||||
keytool -importkeystore -srckeystore client_another_root.p12 -srcstoretype PKCS12 -destkeystore client_another_root.jks -deststoretype pkcs12 -srcstorepass druid123 -deststorepass druid123
|
||||
|
||||
|
|
|
@ -45,7 +45,7 @@ IP.1 = 9.9.9.9
|
|||
EOT
|
||||
|
||||
# Generate an intermediate certificate
|
||||
openssl genrsa -out ca_intermediate.key 1024
|
||||
openssl genrsa -out ca_intermediate.key 4096
|
||||
openssl req -new -out ca_intermediate.csr -key ca_intermediate.key -reqexts req_ext -config ca_intermediate.conf
|
||||
openssl x509 -req -days 3650 -in ca_intermediate.csr -CA root.pem -CAkey root.key -set_serial 0x33333332 -out ca_intermediate.pem -sha256 -extfile ca_intermediate.conf -extensions req_ext
|
||||
|
||||
|
@ -81,7 +81,7 @@ DNS.2 = localhost
|
|||
EOT
|
||||
|
||||
# Generate a client certificate for this machine
|
||||
openssl genrsa -out intermediate_ca_client.key 1024
|
||||
openssl genrsa -out intermediate_ca_client.key 4096
|
||||
openssl req -new -out intermediate_ca_client.csr -key intermediate_ca_client.key -reqexts req_ext -config intermediate_ca_client.conf
|
||||
openssl x509 -req -days 3650 -in intermediate_ca_client.csr -CA ca_intermediate.pem -CAkey ca_intermediate.key -set_serial 0x33333333 -out intermediate_ca_client.pem -sha256 -extfile intermediate_ca_client.conf -extensions req_ext
|
||||
|
||||
|
@ -91,4 +91,4 @@ cat ca_intermediate.pem >> intermediate_ca_client.pem
|
|||
|
||||
# Create a Java keystore containing the generated certificate
|
||||
openssl pkcs12 -export -in intermediate_ca_client.pem -inkey intermediate_ca_client.key -out intermediate_ca_client.p12 -name intermediate_ca_client -CAfile ca_intermediate.pem -caname druid-it-root -password pass:druid123
|
||||
keytool -importkeystore -srckeystore intermediate_ca_client.p12 -srcstoretype PKCS12 -destkeystore intermediate_ca_client.jks -deststoretype JKS -srcstorepass druid123 -deststorepass druid123
|
||||
keytool -importkeystore -srckeystore intermediate_ca_client.p12 -srcstoretype PKCS12 -destkeystore intermediate_ca_client.jks -deststoretype pkcs12 -srcstorepass druid123 -deststorepass druid123
|
||||
|
|