# Keycloak Arquillian Integration Testsuite
This directory contains an OpenSSL CA and an intermediate CA that can be used to manage the certificates used by the testsuite.
## Passwords
The password for every key file in this directory is `password`. These keys are test fixtures only and must never be reused outside the testsuite.
## Steps to create a client certificate
In the instructions below you will usually need to create your own files for the private key, the CSR, the certificate and the PKCS12 bundle, and possibly a custom OpenSSL configuration. Replace the file names in the commands according to your needs (for example, replace `test-user@localhost.key.pem` with something like `test-user-some@localhost.key.pem`).
### Create a private key for the client
```shell
openssl genrsa -aes256 -out certs/clients/test-user@localhost.key.pem 4096
chmod 400 certs/clients/test-user@localhost.key.pem
```
### Create a CSR for the client
```shell
openssl req -config intermediate/openssl.cnf -key certs/clients/test-user@localhost.key.pem -new -sha256 -out certs/clients/test-user@localhost.csr.pem
```
If you want to generate a CSR with extensions (for example a subject alternative name), use the SAN configuration instead. Note that `openssl ca` only carries extensions from the CSR into the issued certificate when the CA configuration sets `copy_extensions = copy`; the `-extensions usr_cert` section of the CA configuration is applied either way.
```shell
openssl req -config intermediate/openssl-san.cnf -key certs/clients/test-user@localhost.key.pem -new -sha256 -out certs/clients/test-user@localhost.csr.pem
```
### Create a certificate using the CSR
```shell
openssl ca -config intermediate/openssl.cnf -extensions usr_cert -days 375 -notext -md sha256 -in certs/clients/test-user@localhost.csr.pem -out certs/clients/test-user@localhost.cert.pem
chmod 444 certs/clients/test-user@localhost.cert.pem
```
### Verify the certificate
```shell
openssl x509 -noout -text -in certs/clients/test-user@localhost.cert.pem
```
### Check if certificate has a valid chain of trust
```shell
openssl verify -CAfile intermediate/certs/ca-chain.cert.pem certs/clients/test-user@localhost.cert.pem
```
### Transform both certificate and private key to PKCS12 format
```shell
openssl pkcs12 -export -in certs/clients/test-user@localhost.cert.pem -inkey certs/clients/test-user@localhost.key.pem -out certs/clients/test-user@localhost.p12 -name test-user -CAfile intermediate/certs/ca-chain.cert.pem
```

Note that `openssl pkcs12 -export` only embeds the issuer chain when `-chain` is given (it then searches `-CAfile`) or when the chain is passed explicitly with `-certfile`; with `-CAfile` alone, the bundle contains just the client certificate and key.
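As an added end-to-end example (this is not code from the Keycloak testsuite and it does not touch the CA in this directory), the script below creates a throwaway root and intermediate CA under a temporary directory using a minimal, constructed `openssl.cnf`, then walks through the client-certificate steps above, checks the chain of trust, checks that a certificate is rejected by an unrelated CA, and inspects the PKCS12 bundle. The CA names, the `policy_loose` section, the 2048-bit key size and the `Example Test ...` subjects are assumptions for the example only; OpenSSL 1.1.1 or later is assumed because of `req -addext`.

```shell
#!/bin/sh
# Added example, not code from the Keycloak testsuite: builds a throwaway
# root -> intermediate -> client chain in a temp dir with the same openssl
# subcommands as the steps above, using a minimal constructed openssl.cnf.
# Assumes OpenSSL >= 1.1.1 (for `req -addext`).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=password   # test-only password, same convention as the key files in this directory
ROOT="$WORK/root"; INT="$WORK/intermediate"; CLIENT="$WORK/client/test-user@localhost"

# Create an `openssl ca` database under $1 with a constructed config (assumed names).
# `copy_extensions = copy` carries CSR extensions such as a SAN into the issued cert.
init_ca() {
  mkdir -p "$1/newcerts" && : > "$1/index.txt" && echo 1000 > "$1/serial"
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
private_key = \$dir/ca.key.pem
certificate = \$dir/ca.cert.pem
default_md = sha256
policy = policy_loose
copy_extensions = copy
[ policy_loose ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate_ca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$1/ca.key.pem" 2048 2>/dev/null
}

build_chain() {
  init_ca "$ROOT"; init_ca "$INT"; mkdir -p "$WORK/client"
  # self-signed root, then an intermediate issued from the root's CA database
  openssl req -config "$ROOT/openssl.cnf" -key "$ROOT/ca.key.pem" -passin "pass:$PASS" -new -x509 -sha256 \
    -days 3650 -extensions v3_ca -subj "/CN=Example Test Root CA" -out "$ROOT/ca.cert.pem"
  openssl req -config "$INT/openssl.cnf" -key "$INT/ca.key.pem" -passin "pass:$PASS" -new -sha256 \
    -subj "/CN=Example Test Intermediate CA" -out "$INT/ca.csr.pem"
  openssl ca -config "$ROOT/openssl.cnf" -extensions v3_intermediate_ca -days 1825 -notext -md sha256 \
    -batch -passin "pass:$PASS" -in "$INT/ca.csr.pem" -out "$INT/ca.cert.pem" 2>/dev/null
  cat "$INT/ca.cert.pem" "$ROOT/ca.cert.pem" > "$INT/ca-chain.cert.pem"
  # client: the steps above, with a SAN requested in the CSR
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$CLIENT.key.pem" 2048 2>/dev/null
  chmod 400 "$CLIENT.key.pem"
  openssl req -config "$INT/openssl.cnf" -key "$CLIENT.key.pem" -passin "pass:$PASS" -new -sha256 \
    -subj "/CN=test-user@localhost" -addext "subjectAltName=email:test-user@localhost" -out "$CLIENT.csr.pem"
  openssl ca -config "$INT/openssl.cnf" -extensions usr_cert -days 375 -notext -md sha256 \
    -batch -passin "pass:$PASS" -in "$CLIENT.csr.pem" -out "$CLIENT.cert.pem" 2>/dev/null
  chmod 444 "$CLIENT.cert.pem"
  # PKCS12 with the chain embedded: -CAfile alone is ignored without -chain, so pass the chain via -certfile
  openssl pkcs12 -export -in "$CLIENT.cert.pem" -inkey "$CLIENT.key.pem" -certfile "$INT/ca-chain.cert.pem" \
    -name test-user -passin "pass:$PASS" -passout "pass:$PASS" -out "$CLIENT.p12"
}

chain_ok() {   # same `openssl verify` as the step above; the exit status is the result
  openssl verify -CAfile "$INT/ca-chain.cert.pem" "$CLIENT.cert.pem" >/dev/null 2>&1
}
client_has_san() {   # the SAN requested in the CSR must have survived issuance
  openssl x509 -noout -text -in "$CLIENT.cert.pem" | grep -q 'email:test-user@localhost'
}
chain_rejects_stranger() {   # negative check: an unrelated self-signed CA must not validate the cert
  openssl req -config "$ROOT/openssl.cnf" -newkey rsa:2048 -nodes -keyout "$WORK/stranger.key.pem" -new -x509 \
    -sha256 -days 1 -extensions v3_ca -subj "/CN=Unrelated CA" -out "$WORK/stranger.cert.pem" 2>/dev/null
  ! openssl verify -CAfile "$WORK/stranger.cert.pem" "$CLIENT.cert.pem" >/dev/null 2>&1
}
p12_subject() {   # subject of the certificate stored in the PKCS12 bundle
  openssl pkcs12 -in "$CLIENT.p12" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject
}

build_chain
chain_ok && client_has_san && chain_rejects_stranger && p12_subject
```

Two points carry over to the real `intermediate/openssl.cnf`: `copy_extensions = copy` trusts whatever the requester placed in the CSR (including a request for `CA:true`), so it is only acceptable when the CA operator also generates the CSR, as in this testsuite; and the `-batch` flag is what makes `openssl ca` non-interactive, which the commands above omit because they are meant to be run by hand.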