From 897a51ce8679063f7b88b069ec4e578d3fb88c23 Mon Sep 17 00:00:00 2001 From: ryjiang Date: Fri, 5 Jul 2024 14:59:42 +0800 Subject: [PATCH] update tls docs and files (#335) Signed-off-by: ryjiang --- test/cert/README.md | 120 ++++++++++++++- test/cert/ca.key | 55 +++---- test/cert/ca.pem | 40 ++--- test/cert/ca.srl | 2 +- test/cert/client.csr | 31 ++-- test/cert/client.key | 52 +++---- test/cert/client.pem | 37 ++--- test/cert/gen.sh | 24 +++ test/cert/openssl.cnf | 351 ++++++++++++++++++++++++++++++++++++++++++ test/cert/server.csr | 17 ++ test/cert/server.key | 28 ++++ test/cert/server.pem | 22 +++ 12 files changed, 667 insertions(+), 112 deletions(-) create mode 100755 test/cert/gen.sh create mode 100644 test/cert/openssl.cnf create mode 100644 test/cert/server.csr create mode 100644 test/cert/server.key create mode 100644 test/cert/server.pem diff --git a/test/cert/README.md b/test/cert/README.md index 00f4e874..c6525b68 100644 --- a/test/cert/README.md +++ b/test/cert/README.md 
@@ -1,6 +1,118 @@ -# Milvus TLS +# Milvus TLS Guide -This folder contains test crediential files to connect to the TLS enabled Milvus. +This guide describes how to enable TLS proxy in Milvus for the Milvus Node SDK. -Please refere to the documentation. -https://milvus.io/docs/tls.md#Modify-Milvus-server-configurations +## Step 1: Install Milvus in Docker and Identify the Mounted Folder + +```bash +$ cd ~ +$ curl -sfL https://raw.githubusercontent.com/milvus-io/milvus/master/scripts/standalone_embed.sh -o standalone_embed.sh + +# Start the Docker container +$ bash standalone_embed.sh start + +# Get mounted info +$ docker inspect -f '{{ json .Mounts }}' milvus-standalone | jq . +[ + { + "Type": "bind", + "Source": "/Users/zilliz/workspace/embedEtcd.yaml", + "Destination": "/milvus/configs/embedEtcd.yaml", + "Mode": "", + "RW": true, + "Propagation": "rprivate" + }, + { + "Type": "bind", + "Source": "/Users/zilliz/workspace/user.yaml", + "Destination": "/milvus/configs/user.yaml", + "Mode": "", + "RW": true, + "Propagation": "rprivate" + }, + { + "Type": "bind", + "Source": "/Users/zilliz/workspace/volumes/milvus", + "Destination": "/var/lib/milvus", + "Mode": "", + "RW": true, + "Propagation": "rprivate" + } +] + +``` + +Please remember these two mounts: + +1. /Users/zilliz/workspace/user.yaml +2. 
/Users/zilliz/workspace/volumes/milvus + +## Step 2: Generate Certificate Files + +More detail please refer to [Create your own certificate](https://milvus.io/docs/tls.md#Create-your-own-certificate) + +Or you can just clone this repo, and execute [this file](./gen.sh): + +```bash +% ./gen.sh [0] +generate ca.key +generate ca.pem +generate server SAN certificate +....+.........+......+....+........+...+.+++++++++++++++++++++++++++++++++++++++*....+.....+.+............+..+....+..+.......+........+....+...+.....+++++++++++++++++++++++++++++++++++++++*.............+.+......+...+.....+......+.+..+...+.............+..........................+.........+......+.+..............+.+............+...+.....+...+....+..+....+..+.........+......+...+.+...+.....+......+.+...+...+..............+.+............+..+.+........+....+...+.................+..........+......+.....+.......+..+..........+..+.+.........+........+.............+..+...+.......+..+.+.................+.+..+.......+...........+..........+..+.......+......+...........+....+.....+.+...+..+......+....+.....+.+............+.....+.+..+....+...........+...+.+...+...+..+.+......+.....+.........+.+.........+...........+......+..................+....+..+.+............+..+...+...............+.+.....+..........+............+..+......+......+...+...+...............+.........+......+....+.........+.........+...+..+.......+...+..+..........+......+.................+......+........................+.+..+.........+......+....+........+......+.+.......................+...+..........+.....+.........+.........+......+.............+..+...+...+.......+......+......+.....+.+........+............+....+......+........+.+...+..+.............+...+..+.+......+..............+.......+..+...+...+.+...+......+......+...........+.........................+............+..+.+..+.......+........+.+..+.............+......+...+.....+.............+..+......+............+...+....+...+...+.....+......+.+...+.........+..+......+...+....+...+..+.+..+.........
.........+.+.....+....+..+...+......+...+...+.......+...+...+..+...+............+....+...+............+...+...........+....+...........+.+.....+.+...+..+...+......+.+..............+..............................+...+.............+.........+.....+.+...+..............+.+.........+..+............................+........+....+.....+...+.+......+...+...+...+..+...+.........+.+.....+.......+............+...+...........................+..+.+..+...............+.............+........+.+...+..+...+.......+...............+.....+......+...+.+...+..+.+.....+.........+...+...+.............+......+......+..+......+......+.+..+.............+..+.++++++ +.+..........+...+......+.....+...+.+..+.........+...+.......+..............+....+...+...+..+....+...+++++++++++++++++++++++++++++++++++++++*....+...+....+........+.......+...+..+++++++++++++++++++++++++++++++++++++++*......++++++ +Ignoring -days without -x509; not generating a certificate +Certificate request self-signature ok +subject=C=CN, O=milvus, OU=milvus, CN=localhost +generate client SAN certificate +......+......+.....+++++++++++++++++++++++++++++++++++++++*..+.......+.....+.+..+...+....+..+++++++++++++++++++++++++++++++++++++++*...............+...+....+...+...+..+....+......+.........+......+..+...+...+................+...+........+...+......++++++ +....+....+...+..+.+...+.....+.........+.+......+...+++++++++++++++++++++++++++++++++++++++*.+........+.+......+..+.+.........+...+..+......+.+++++++++++++++++++++++++++++++++++++++*...+...+..+.+.....+.......+.....+...+....+........+...+.......+......+......+...+............+......+............+...........+.+...+..+......+............+............+.........+............++++++ +Ignoring -days without -x509; not generating a certificate +Certificate request self-signature ok +subject=C=CN, O=milvus, OU=milvus, CN=localhost +``` + +## Step 3: Copy the Generated Certificate Files to the Mounted Folder + +```bash +# create a tls folder +mkdir -p 
/Users/zilliz/workspace/volumes/milvus/tls +# copy certs file +cp server.csr server.key server.pem ca.pem /Users/zilliz/workspace/volumes/milvus/tls/ +``` + +## Step 4: Modify user.yaml to Override Milvus TLS Settings + +```yaml +# Extra config to override default milvus.yaml +tls: + serverPemPath: /var/lib/milvus/tls/server.pem + serverKeyPath: /var/lib/milvus/tls/server.key + caPemPath: /var/lib/milvus/tls/ca.pem + +common: + security: + tlsMode: 2 +``` + +## Step 5: Restart Your Milvus Container and Run the Tests + +```bash +# restart milvus container +docker restart milvus-standalone +``` + +```javascript +const mc = new MilvusClient({ + address: 'https://localhost:19530', + tls: { + rootCertPath: `test/cert/ca.pem`, + privateKeyPath: `test/cert/client.key`, + certChainPath: `test/cert/client.pem`, + serverName: `localhost`, + }, + logLevel: `debug`, // optional +}); + +const healthy = await mc.checkHealth(); +expect(healthy.isHealthy).toEqual(true); +``` diff --git a/test/cert/ca.key b/test/cert/ca.key index 28039876..477ed4ae 100644 --- a/test/cert/ca.key +++ b/test/cert/ca.key 
@@ -1,27 +1,28 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAwuH3vwsOYCgW/+S9Z+qH2Ly0AU7Z2Igct4K+oOTC/jXJNTdy -4mYLxGu5ptfXoo8T3oEB/LtAGYXxDj+NSCQjXnU0mHb3pyKbw7p/jCOdnTZ0ZyJf -IAXYRHyej8hlnSPjwJLEA/Ue9OE8SA/k5sjyCgP7pbvFJt6ZL5ZN1/Tx86O5BNH7 -3kD2rW6R0XO2KwiH3acyf292GF7R0uBbQQOMF/bFv7IkinIIjc3MT/Iaj3MoBczs -d6FArdtS2kvRNSYuK9LNTNnlcIRSsYaqXykSOIyxTSAPbyZbnB+4UuUVNqftmvTQ -TqoGJGq1Sg9MSFrXKB6GoysKmZ5JQZDDPJ4SYQIDAQABAoIBACv96nkbu9EE+7wk -HIV6sdPBNTkeXZq9jw3126ZiPYo5BgSXUb29n2ZlkvEQxEKT3b5ajOJKOrwIOlQn -EHN6hOlrt8W7BUibTWIvlV9DIu88PaaSYbrO1vUO1JRMfnOsiFsORmVGTgilV4BE -5j0am1ibcZEGBAk0MoxFd6kKSBvhMiCw0i4jZ/LAvgfzH3Bv/ZvbPfPHCs2OOwtY -1X86dTCcDbWcDrjTMnVdEPN8/SvW4JXf5EdVL35xiSrVSZxcZGks8oid+P6JSFdG -uBnxSTt9q5V3Ya421/I1CG9VYIrJdpNAmog3Jbi+HZTmBaNX6Wf5GOKgKjIt5J6U -qqaicOECgYEA94xfP/LiuEKuusB9CkGW/9Yep8fV8T3cjYBz7Fc+WGOuqaBnvIv4 -PBO16uz6Nze1x58z25Qatrm4pp9aTov/bRkKVaW6Ua/R0KcUbVjV/aN5cgjjLrIL -0wYpufFFbGzSK4vzbRWOQbdZhgYSVk97VyXYCPrzr3s6S+JozA3+vqUCgYEAyYlJ -QgLf4t/aXxDxj14MwBA9ccgFhb43OZnBCWetYk22/Yi2afxvbbV0jo791E7p6ReC -SnTSYv2ijvHpTOttRfGALM1Js9xYRKKr1oCkWxEP8NLgutlniPLDqWBP0cMe7oSw -X14Kmj1yz1j3wp+6oP4uzb8KLW3rbx8/EBPrlA0CgYBdWbgJm4RXy/2sOy5sEbPp -oktJJhjNsnBbhBczButh1aVmHjFAbuAbd6tgfiEVdZK9RpH9ueohAgRaATnC6RRX -hdvZ1Hdgmpbawkb3vUplLaJ8mFFjqIzA9VAC6LMvYhIXjd0sQ7aznXrLCbschTiT -8pd3O3ttr2CagTTXzmdEaQKBgCfwqTAH2c7ghipo9TZwcR5vGX4/IbkLpW4o5nSy -s03UEPvV6DDA8mRPnbXS6ML2kKy9F/khhcBQe7LQhmfUEGfYIIrAdGbMuEGB64Qr -ImdZzkrvv9HH3Bjr45Lhn2/2t16VtU5xGLDQlLw66X8MoLPfK+9ieOXf7tSq4JiT -GhDRAoGBAK9xYpqb070deaKk/EBZhbp8baz1/x/RmKd38GRvf4LbOJ1jd1ufFWih -cMOjz8iO3CAU2BnvUqD72cTALVxjyv9PdIg7i84s56hZ9fjxF+fFK1zv5TO5snsL -ocwYTD5n0FvzgpwJFnGMnfiPc0h1RnwRJrWrDZS/M6+89ptNWQla ------END RSA PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDZi25A8PaFiUr4 +hojq4DEiMyDLYxecfxEorURotVieduNgS5rGIiPqtj/UfB/ABDlw5wbEKFqRIzKY +k8solOEsgFHJRV0IgHV7BT7uOcUlPt87khQZ6uOHZbiEEc2pzNTZjaDOcWp/Qd5Y 
+mZc4/+BfaJ616VUBSt8kO9bKIuMEalJwvUJ3fp4s8+yyZDMQN7EKXhDH/CcWXU6K +2IqS8WJLgGJ9Uttc8b0hvGXr3r87BFw3uNrDYL3AM5A2Pf+GplS/PtU9jMVznudu +FwZYdVyIW5l9lYOXgDvmbkqhLqvVVf3ze3uKJSUkYOlfrfiBgZ+gjntUZ35nxvBe +M3z83tepAgMBAAECggEAAUkM1n7ybQyrniyFUltIFiX6E4Q7JZgffpvr6sZ2oz9G +lN9oJwkY06zANyGFD9aaG2THYx9ReMiBdM2NahNpyLzABhHcSvitjlrbPxv6t6os +4QoBI7vXOPuwUqE4vmrfExUazyECbDAQqpYD9JxfUDuqyp5dieD40MVvhKyswu49 +UvmTJjbIpC0EsaT0ZRm+WYkLS44LE7viWwgGCpA9Y/sR2ylC+vFWv7TmGdUaBVov +a2mxXZ6uLeZ/9OSWMkAYfb85cBuErp1J+GGsv715ej09yDPTZ7Iar4Xes2dy0lcT +C2+DcFhjnbEDqQl7lE+Ppeb5HdcnFLxaM037WoBilQKBgQDtmlLmG7TeO81TupJ8 +kVYHZHIgzBEZXGkg+iEOZ171vtoo9YjD/8h9POgoCL+vZ9AdAIR0nOCZxRoYFqBq +zA5GQwzGgJkfP0I6DVfChVVHOziZx5n5IN2WzNlEKKkNm91EEvWNS7q67pdJInno +8UeUPAvRPzc0qzUc9vK5AEP6QwKBgQDqY4VicsBLwjdI+armuIcV4yUzGH1nffbp +AvyPis7DYKM/U+yF2yaD4rYau1H90lVOikjR2l4wYOdRl6dKt8GoVgnmoZS77wmB +AcfYvjBk0ymYk6St90pRKfaTeawIux6iCI5Qege2oFNF/8WKTP5ZwmtdqcMujr1I +D39bbkUVowKBgDMM4lzgfRb2oGIqBwlOrL4/3amgTtg1G71jILEYkrWYQQVl4/HA +xlHqQTNA1faZBoUEtHDduAAx8i5UxjjMCREdnOQVg1DMZa1VapK31R/N4JZh5Xo6 +joG1F8VmOxRadcsHi8zFBaTeWJD1IF5lYOy/jgZyX6koU+waPwJyxShDAoGBAJJ2 +TcsO2Yp9ef5nxJsXg5HxtjUPgI1C8R75dshbfIgpwti3oHykTJTs/c4Gb12kKRpC +3u4C/ghNBT6+/RJ7cM+3s8gh/8bPv6iVbEPL1IGsUbm9yJHMjOvaxPGyfgWWp7Wo +kwVGu7sqw95hzRZ2thlwm5aTlhtppm15AaQoa5LxAoGAdwFpSQ5pR/RWYaih4gPI +wJdBlQ7pygyrSjc8542vWjGKB5GrxvMua3l7mlVRKvwodObRaDoslbd6+RbiVw6U +UPpqZbWkBhCTSM2eILUbizi5UcPwSBd8VgFkgcaPwW2Rj41Ca1KpD1wCS4mnWRaW +AeFJgHb+OOi0Dw9fSdd4yaY= +-----END PRIVATE KEY----- diff --git a/test/cert/ca.pem b/test/cert/ca.pem index 922a2094..e7e6dda1 100644 --- a/test/cert/ca.pem +++ b/test/cert/ca.pem 
@@ -1,22 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIDpzCCAo+gAwIBAgIUXZen56S+MZE8UTb09jyM6szs/ukwDQYJKoZIhvcNAQEL -BQAwYzELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkdaMQswCQYDVQQHDAJHWjESMBAG -A1UECgwJcm9uZXRoaW5nMRIwEAYDVQQLDAlyb25ldGhpbmcxEjAQBgNVBAMMCWxv -Y2FsaG9zdDAeFw0yMjA1MDEwODU3MzRaFw0zMjA0MjgwODU3MzRaMGMxCzAJBgNV -BAYTAkNOMQswCQYDVQQIDAJHWjELMAkGA1UEBwwCR1oxEjAQBgNVBAoMCXJvbmV0 -aGluZzESMBAGA1UECwwJcm9uZXRoaW5nMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEi -MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC4fe/Cw5gKBb/5L1n6ofYvLQB -TtnYiBy3gr6g5ML+Nck1N3LiZgvEa7mm19eijxPegQH8u0AZhfEOP41IJCNedTSY -dvenIpvDun+MI52dNnRnIl8gBdhEfJ6PyGWdI+PAksQD9R704TxID+TmyPIKA/ul -u8Um3pkvlk3X9PHzo7kE0fveQPatbpHRc7YrCIfdpzJ/b3YYXtHS4FtBA4wX9sW/ -siSKcgiNzcxP8hqPcygFzOx3oUCt21LaS9E1Ji4r0s1M2eVwhFKxhqpfKRI4jLFN -IA9vJlucH7hS5RU2p+2a9NBOqgYkarVKD0xIWtcoHoajKwqZnklBkMM8nhJhAgMB -AAGjUzBRMB0GA1UdDgQWBBT8tV8mSqY4ujxUPTNNue7ty9ad8DAfBgNVHSMEGDAW -gBT8tV8mSqY4ujxUPTNNue7ty9ad8DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3 -DQEBCwUAA4IBAQCbaK5wizgoH3AS0AYgHRHbvVaLXEgihcmdsFGqszmkOS50dpcm -bqs0wS0g7Ibgpv8bS9tn9gXhdTR04F08PrbbALBF0I1zIbT5F6rp2w7P78gWZDa7 -iPYCTYA1WRZEEVJD4eyFC4cM8uG0wVCbKuOFUJaUPONbdJ1S26xtBSJHy0g8JeNK -3N70/xYa0AFk4D9EoX39oiCOnj1QWN2M0IjUJHUcu1Bm50dxDcpiaoWR6sCFJU4r -gMlFpeZ9Sg6zh4sUs2X0YYusEp3ATz+0E0iRChEM0213yvBR3HwaJKSegBocflCZ -SKrjAyIpRkscR0JKWUPICf+rr0B0mPeEYfgK +MIIDszCCApugAwIBAgIUfs3PljeDsh48pWvbSthxnmHgMNMwDQYJKoZIhvcNAQEL +BQAwaTELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFNoYW5naGFpMREwDwYDVQQHDAhT +aGFuZ2hhaTEPMA0GA1UECgwGbWlsdnVzMQ8wDQYDVQQLDAZtaWx2dXMxEjAQBgNV +BAMMCWxvY2FsaG9zdDAeFw0yNDA3MDUwMzE0MDBaFw0zNDA3MDMwMzE0MDBaMGkx +CzAJBgNVBAYTAkNOMREwDwYDVQQIDAhTaGFuZ2hhaTERMA8GA1UEBwwIU2hhbmdo +YWkxDzANBgNVBAoMBm1pbHZ1czEPMA0GA1UECwwGbWlsdnVzMRIwEAYDVQQDDAls +b2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZi25A8PaF +iUr4hojq4DEiMyDLYxecfxEorURotVieduNgS5rGIiPqtj/UfB/ABDlw5wbEKFqR +IzKYk8solOEsgFHJRV0IgHV7BT7uOcUlPt87khQZ6uOHZbiEEc2pzNTZjaDOcWp/ +Qd5YmZc4/+BfaJ616VUBSt8kO9bKIuMEalJwvUJ3fp4s8+yyZDMQN7EKXhDH/CcW 
+XU6K2IqS8WJLgGJ9Uttc8b0hvGXr3r87BFw3uNrDYL3AM5A2Pf+GplS/PtU9jMVz +nuduFwZYdVyIW5l9lYOXgDvmbkqhLqvVVf3ze3uKJSUkYOlfrfiBgZ+gjntUZ35n +xvBeM3z83tepAgMBAAGjUzBRMB0GA1UdDgQWBBSxqQYgBgD9FwbDP71CXmh3alBs +izAfBgNVHSMEGDAWgBSxqQYgBgD9FwbDP71CXmh3alBsizAPBgNVHRMBAf8EBTAD +AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQC0vSVL+jZep3WUzCiP3MX9AoRp0jNTA/HN +TjGIFuJxqA3seP7Jz2JGnCQVoskDSFFRMdLnpHfjJpqcQihdHTMyfPiDwMGcz6kd +ITSHVqW0Q99YMdKJXDHpezxGIGYvAhrG9FeiJG86cVIJsDrN34s97kSqIrZXd1Zt +efTLYWh0i0o2VgZlGkEIJgaiJ6onoNYlfb82NxUQer7xu4tliIfngqBr9T6XlnzP +H1darfxtWoWcfYMM+Rr4ikZxfyrT9SYDLHq8j1vkoX9e5CDQtK3+Vh2t2ZCiM7KN +3nxg0awtlTEb16qdg0G/t8/qJ/JwR10Xq3Kp6ksssAMf3p9feqCK -----END CERTIFICATE----- diff --git a/test/cert/ca.srl b/test/cert/ca.srl index 13e3f18b..e16ff957 100644 --- a/test/cert/ca.srl +++ b/test/cert/ca.srl @@ -1 +1 @@ -342790CE3BD09229C9C14810E2AB86D28A4700BF +342790CE3BD09229C9C14810E2AB86D28A4700C3 diff --git a/test/cert/client.csr b/test/cert/client.csr index e6080464..22d52d41 100644 --- a/test/cert/client.csr +++ b/test/cert/client.csr 
@@ -1,18 +1,17 @@ -----BEGIN CERTIFICATE REQUEST----- -MIIC7jCCAdYCAQAwSTELMAkGA1UEBhMCQ04xEjAQBgNVBAoMCXJvbmV0aGluZzES -MBAGA1UECwwJcm9uZXRoaW5nMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwQ/qyS53J8XdpM26LcFGdtTMzjfzPoNtw -nSdfqrMi2iMZeMwDPRkHoeHE9lyHYPssDbFuLNJPLibcBCfd5SeELLlyG3GDP+W0 -inUs3kE0voXbH4LmSOCKLnzw0GfblINWMB7aqgpHPtRTcdWHcPo+KJA66ZbD5cNI -w77aBxcsDJa40GunzxVOKtGQopypjrj6mkpauVzT9DwhylYvMR+VL12pjozGCvST -NSgJfP7DX2UwHTMEBbxiTNQ7F8w4X5d2xuS2HepLy0/+uWo1e7jDGAWN27Alr176 -6n2os3WClL06U6mmlT7HE2TvunhiBNjWnWafENaeH9W5rmVNDCmLAgMBAAGgYDBe -BgkqhkiG9w0BCQ4xUTBPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMDUGA1UdEQQu -MCyCCWxvY2FsaG9zdIIOKi5yb25ldGhpbmcuY26CDyoucm9uZXRoaW5nLmNvbTAN -BgkqhkiG9w0BAQsFAAOCAQEAS+OhS9i+Cjy4VM+gXknoaOWHqI73eSq/ODzUe4M4 -7lg314CPbWHTrSP0yw2NZ9s/Nw7l8It3DMaXgAioAXOTlcRnH0JOmWuj53nTHnHY -DVgnP0JLIcOeAiGfCV9rU4FR/eegE/bpHa4K1zz1l1S+Pk8227SnhqtjXvSm+TZr -LwvsxpuMRQcj0vKtatPMhI1KhucNAYh3Aps/Lx0sGB18UnL12gMp9s82LQ2urRtF -WrVFVtMG9o+59fPNB7Lxf1efMCc3LUxR3AaYGUaZWqgFeXrFmKj+VTGCQFPEAQxn -ZwSHi5NA0ikYfgb9LxHc7nbgehHUPv5ztIq/lMPSad6xtw== +MIICsTCCAZkCAQAwQzELMAkGA1UEBhMCQ04xDzANBgNVBAoMBm1pbHZ1czEPMA0G +A1UECwwGbWlsdnVzMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDC0kGQoLmkWJmuFJSPfnu3rSCWwFcj8AlwHCIDFPLV +mZpBvMDmcML7L4eDp5M5CEihOA8IApG00PhpjwFs+TMRrHC9K19egsjACkqhgbmR +DZ5XDXSS979MJ1fSrG/bBmzR4rvLNME5rcqI2OrIw81y/b0qXGIq3CWeq5bqBQFE +Q3HpT6mi1CEil0Hn70cnsh+x6YxMJq6MyAZg9nAHxcY/ONaC9iFMnWYpMICI7/0y +kHrpcJ5pqNg1UA1xI/8S20LTUB9X8NM6+IJMviqT9J1spxM3YARakd5/pBghhUC7 +vgtG66DW7dM9pWASeJf1AzBpun+gjX5U4i11aXyyR1l3AgMBAAGgKTAnBgkqhkiG +9w0BCQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBCwUA +A4IBAQAKYuXShvc4cSgJ/cjRgJ253B0FDGwoQltynnHpRkyQd4SEn/hXlILHg0G+ +Gix2/8yeTWQa4TIM8PgBNK5aa4konjlS56pqQH5CvvGZiZ8KDVHjMjGq46bbd2ry +sTHAFw+ZHXYbkdcIgpp9yxirh9flQXjZrrWNK+15la+j9iazN/hfK2SDqUCzvqgn +la2v6WnXX4EGgwKBTYNOJ6Lbxo9AmG51nAVXVb4ct5MLRJ7iwv36DrTevRj/+GI+ 
+xGggn6xKhJlR5/zk+KzMlC6J1U/J0HWutEuAWEUdTb5d5lrrgpG4WmZlPvfl5nt1 +eXB8y/aed7c+kvRq/CSxUeBXQIBT -----END CERTIFICATE REQUEST----- diff --git a/test/cert/client.key b/test/cert/client.key index 66f4fa84..91c3bfdc 100644 --- a/test/cert/client.key +++ b/test/cert/client.key 
@@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCwQ/qyS53J8Xdp -M26LcFGdtTMzjfzPoNtwnSdfqrMi2iMZeMwDPRkHoeHE9lyHYPssDbFuLNJPLibc -BCfd5SeELLlyG3GDP+W0inUs3kE0voXbH4LmSOCKLnzw0GfblINWMB7aqgpHPtRT -cdWHcPo+KJA66ZbD5cNIw77aBxcsDJa40GunzxVOKtGQopypjrj6mkpauVzT9Dwh -ylYvMR+VL12pjozGCvSTNSgJfP7DX2UwHTMEBbxiTNQ7F8w4X5d2xuS2HepLy0/+ -uWo1e7jDGAWN27Alr1766n2os3WClL06U6mmlT7HE2TvunhiBNjWnWafENaeH9W5 -rmVNDCmLAgMBAAECggEBAJLcUOh08EbtlRxl6djsAFRyQPLXfqhP0gYGKmQfCZok -PdJfPzwDj/M4Aa/lxDpXp26RCiBN3/xw65etLrpGz6Hk0a4tB2rftjeylOaJV7Lm -ewiTPLE6TztSeG78dUwSdUs+VLbDrkSmKKpN0idDDnzztxgev6sAqLDbxwxJlBjy -EeERzCG4JCc4aZlFtz1oWgFGXr3lxxxXbfzdhY/M87IkenGNZges0iSRbcFsGq8z -oVaFV9KkVZ6lxLCMXIIfen9E6g/nq01mnTXM+LHd9Laqj0q6wpULCi5X/v/igS5I -1fsUT8V+s+LjpWMBu6Bd0uY2tr3Li4Fn46p+HvVe6cECgYEA3eqSfUowlEs3WLBl -acfb6/Vo9GeRnJpmLeTdXAO3NeOX4qLISQFQEUopG2qOrXSo4t40o8xX0iMe6uIQ -7BVFJgdE12kdx0cQGqFACIxAiM6VbeqfKt4i8EB1ld/8fXusdH71b/ZkudbQ8gUx -S3HNsid7Y7qIgXlQ3zZel8+juakCgYEAy1Z8R6bnyF7W0D09SkVfpuMsMoFIi6ZP -w+rrk/8E85S2Ag8LnbQtJICiMgBYWQSu5IoGMoBw6N0j9OhaSOsbNYZjwmC9UqWH -8ZbPrAqt3q0B76i9f7+K75gIyXEhVQBtlKUw53wGd9dgUkq5o+YZxK4ABqji+r+2 -d1rj49PLkhMCgYANQpL2QZSdh9EKz59/rp2Jf+SBlh6xSNiKLX68nMw5wBu3QxrM -ofNy1QeXx8o2ux3MUJK8pt0ohUi3qEJymOLE3vJSHMnWunxP2wrEd/zzL8TmCHry -SMu1p2RfTD7+EIHBhESOKB7kq91YWM8VPvuXhZxt3RuDAQjADbOhRpr14QKBgGIy -2D46SsGnm5JhoNHXgwQzvcp+SSy4GtmBAFgu1pNUBDomTfPRaeOxA6OmKwSCkHvq -dGe7Q8wR0CWceM2yTSeiSVc8JPJe4rI3pP9vAN0DLGYzVaD2PgDLqaKvMeu9Ey6w -QFfqu6zwpKHZWKHgpB0p8vVEZqm2IEav7FLAnBVlAoGBAI1KJJ0Z18lOQDqpZtH/ -tYYmCMlYLOkHOVJ5/Fi+UjLLwCk2yyXw3Tr5PqxNaI1va4wp5lt/VZqRZibFm9hW -ecsBuCDVZFPcu5UUHNrwXxb3wwidjsjJso0PVxw7FI7d7rlTqRYm5dntjlxBHhtd -IPkBc4ceeMp14AaItE9f1HE5 +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDC0kGQoLmkWJmu +FJSPfnu3rSCWwFcj8AlwHCIDFPLVmZpBvMDmcML7L4eDp5M5CEihOA8IApG00Php +jwFs+TMRrHC9K19egsjACkqhgbmRDZ5XDXSS979MJ1fSrG/bBmzR4rvLNME5rcqI +2OrIw81y/b0qXGIq3CWeq5bqBQFEQ3HpT6mi1CEil0Hn70cnsh+x6YxMJq6MyAZg 
+9nAHxcY/ONaC9iFMnWYpMICI7/0ykHrpcJ5pqNg1UA1xI/8S20LTUB9X8NM6+IJM +viqT9J1spxM3YARakd5/pBghhUC7vgtG66DW7dM9pWASeJf1AzBpun+gjX5U4i11 +aXyyR1l3AgMBAAECggEANWbEqgwkVrQii+EAR8T3zIUcJbZbLHKjY6OSfx3C4mHU +Mqi2h3PpPkjs8F2CsWNf5TEkjaGGpvWQ4f5c+a3lHbcSwAefgJyAwoMPqe2RG/2L +pXj+tzpJqWovXIP/tR2xvmZT64NuY40Lsy8iTB2/twFuVKo2DmGBvlhyaXstubP4 +VJtOPE5YEtW6ORLmR2T0kUz6K/pgVt2Kz8jd9ZkjkyU/EqjA4PjDMOi3CaNRhi7X +Faso0pHO/nsfrVOY/gXOn6VNW4Gfzr1dW4buFByRGJjE114EDy0y+NX105OJKB8r +cZ9weHHqI3vIKosb+1jO3bubmxBWMA5eqkt7BQ/IwQKBgQDuz7lhSPLStwVasbsP +8Cfd3sCuNmbUbBoo2bqBnPWS059tlP3EDat6V1cMaxrs8GIqudI2ac4ps+k0af0O +dATSYofKjtb130NQwGdwydstK0eGN6anRVe+Qs60zckZjF26V/WNAdumMnRyC7AV +T7arAYBlXiGnz67/qnkv1BTm7wKBgQDQ1/tdgTQu4Xu2xr9P3dQTkDdakM+UkQFL +LtPDHe3h9YjY8Q0BgO5T4hi6QOmYs7m5Z/ZwsjxcwlrYrfPyQB2vAk/eqf3xawZd +QbfHXqsQTYuX8QibFcd2ZaJjtEdJZEUwX51oe7amRNnHAN2CJ5ilPEyqnBZuB0XH +sOouphD1+QKBgDPRBpxBQ87Mv3CqV7hhl4TgrFYgn7c/rX1noLw23mH5YQJZ7aX4 +gViOUujy5Gi8z9ANebsswfryeotQ5AOa0OEFWAlvbNz0kJqY5NjoM5JdbauFr7dj +qGI0BL3eWOAeQMgKBdGOsaYiFHoaZx54qV35eW6FOjA7M/Ftf9YM4mwpAoGBAK+H +yNr3XI/Grv+ZnnSXQsfKn+u76Oy6z7aMPioxvp37jDCiscbAwg+46gWpx2y0Kna9 +/bEM7ZUdOdQCqRXEc+6DZ/QDNtAxnyDEup2UYP0L4DctvIj0zjgiBlH81SnHYCvf +QWLvED5BgjUz8fmSJEdFHj8LgAKslCbZ+IqKw5ipAoGBALU1NtYY9rxnoJYKx8wB +0qexNAvnFpQH2kUrsc59O8eMOm60lIrp1gZxAUu4CZ7B9O7luYQ44N4L3IXQRyun +VW4IMz435cPHOpLt7XF7LGIExjqn1nnC8OJKbp6gilCZ6whOYVv+T0xY3wXrMtCn +o8HtATTQbap0kzIga7/BNS3Z -----END PRIVATE KEY----- diff --git a/test/cert/client.pem b/test/cert/client.pem index a1b0416d..43e72309 100644 --- a/test/cert/client.pem +++ b/test/cert/client.pem 
@@ -1,21 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIDizCCAnOgAwIBAgIUNCeQzjvQkinJwUgQ4quG0opHAL8wDQYJKoZIhvcNAQEL -BQAwYzELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkdaMQswCQYDVQQHDAJHWjESMBAG -A1UECgwJcm9uZXRoaW5nMRIwEAYDVQQLDAlyb25ldGhpbmcxEjAQBgNVBAMMCWxv -Y2FsaG9zdDAeFw0yMjA1MDEwODU3MzRaFw0zMjA0MjgwODU3MzRaMEkxCzAJBgNV -BAYTAkNOMRIwEAYDVQQKDAlyb25ldGhpbmcxEjAQBgNVBAsMCXJvbmV0aGluZzES +MIIDlDCCAnygAwIBAgIUNCeQzjvQkinJwUgQ4quG0opHAMMwDQYJKoZIhvcNAQEL +BQAwaTELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFNoYW5naGFpMREwDwYDVQQHDAhT +aGFuZ2hhaTEPMA0GA1UECgwGbWlsdnVzMQ8wDQYDVQQLDAZtaWx2dXMxEjAQBgNV +BAMMCWxvY2FsaG9zdDAeFw0yNDA3MDUwMzE0MDBaFw0zNDA3MDMwMzE0MDBaMEMx +CzAJBgNVBAYTAkNOMQ8wDQYDVQQKDAZtaWx2dXMxDzANBgNVBAsMBm1pbHZ1czES MBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEAsEP6skudyfF3aTNui3BRnbUzM438z6DbcJ0nX6qzItojGXjMAz0ZB6HhxPZc -h2D7LA2xbizSTy4m3AQn3eUnhCy5chtxgz/ltIp1LN5BNL6F2x+C5kjgii588NBn -25SDVjAe2qoKRz7UU3HVh3D6PiiQOumWw+XDSMO+2gcXLAyWuNBrp88VTirRkKKc -qY64+ppKWrlc0/Q8IcpWLzEflS9dqY6Mxgr0kzUoCXz+w19lMB0zBAW8YkzUOxfM -OF+Xdsbkth3qS8tP/rlqNXu4wxgFjduwJa9e+up9qLN1gpS9OlOpppU+xxNk77p4 -YgTY1p1mnxDWnh/Vua5lTQwpiwIDAQABo1EwTzAJBgNVHRMEAjAAMAsGA1UdDwQE -AwIF4DA1BgNVHREELjAsgglsb2NhbGhvc3SCDioucm9uZXRoaW5nLmNugg8qLnJv -bmV0aGluZy5jb20wDQYJKoZIhvcNAQELBQADggEBAHBmcrQBtOcY776CHfRnHkWG -2JX595eY9cTEi+xB3n3q6Uo9GkGpGkg0T9U67dj68aB5ETm9+F8augS/5e2vbyJ/ -GfwtwbmJFkM4SVrSYpHLYQc72j6kG4oLauz8C3IZxirX4nAxGDEnHbpLrS2HIZ+l -/G5YQeaYStxmleOD4CwrOOIUdRATMTaQgRu6pUJhuhC9Fm1v+ueg6b24RB9V+jvU -FOFiR29PPRyyAm3UBEv4yyVSoW6RgD+5QpD/HTGbXumT1xASKDeLY7HBVU9FXxN+ -wojcbIyFkXNo3C+5P7zN7S1zJV6Fp4TeOJpIeQn8ARf7XFQYREVesf9QC7yHxPk= +AQEAwtJBkKC5pFiZrhSUj357t60glsBXI/AJcBwiAxTy1ZmaQbzA5nDC+y+Hg6eT +OQhIoTgPCAKRtND4aY8BbPkzEaxwvStfXoLIwApKoYG5kQ2eVw10kve/TCdX0qxv +2wZs0eK7yzTBOa3KiNjqyMPNcv29KlxiKtwlnquW6gUBRENx6U+potQhIpdB5+9H +J7IfsemMTCaujMgGYPZwB8XGPzjWgvYhTJ1mKTCAiO/9MpB66XCeaajYNVANcSP/ +EttC01AfV/DTOviCTL4qk/SdbKcTN2AEWpHef6QYIYVAu74LRuug1u3TPaVgEniX 
+9QMwabp/oI1+VOItdWl8skdZdwIDAQABo1owWDAJBgNVHRMEAjAAMAsGA1UdDwQE
+AwIF4DAdBgNVHQ4EFgQUpFwKBZmK0R4TTygkz8xfOFytom4wHwYDVR0jBBgwFoAU
+sakGIAYA/RcGwz+9Ql5od2pQbIswDQYJKoZIhvcNAQELBQADggEBABsrB1z7PSeI
+QJo4s/SzuIxh0UtFpvUHvppNW3Zm4UralnCqKSJFtD1qaqumFrGzDL/9El5xv1To
+NxFYWWornhX42L174hZkxuQpngGn6tDyHSuXhIH3ng4cyn1qPxvvgwJJCV/RcEQs
+nd0j4SIydgVPAVEqDZeIyH+5w+BD5y0B718CZpXeKmrhkFd4xqfR/VPK0rIB2GJe
+ZXChXyPVYRnbiSjle6BCGkiEpcqNdMDvac/JxdpXlk8OPu+nLjXhIIILVJpilhHW
+VYFQC0SQuwwjcfw3Ny2Hr+50zw4RtinW7Dhm/G9CQ8ddLhVK207tQiLCGliiPy6/
+yF/fW92kRgU=
 -----END CERTIFICATE-----
diff --git a/test/cert/gen.sh b/test/cert/gen.sh
new file mode 100755
index 00000000..48253d80
--- /dev/null
+++ b/test/cert/gen.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+Country="CN"
+State="Shanghai"
+Location="Shanghai"
+Organization="milvus"
+Organizational="milvus"
+CommonName="localhost"
+
+echo "generate ca.key"
+openssl genrsa -out ca.key 2048
+
+echo "generate ca.pem"
+openssl req -new -x509 -key ca.key -out ca.pem -days 3650 -subj "/C=$Country/ST=$State/L=$Location/O=$Organization/OU=$Organizational/CN=$CommonName"
+
+echo "generate server SAN certificate"
+openssl genpkey -algorithm RSA -out server.key
+openssl req -new -nodes -key server.key -out server.csr -days 3650 -subj "/C=$Country/O=$Organization/OU=$Organizational/CN=$CommonName" -config ./openssl.cnf -extensions v3_req
+openssl x509 -req -days 3650 -in server.csr -out server.pem -CA ca.pem -CAkey ca.key -CAcreateserial -extfile ./openssl.cnf -extensions v3_req
+
+echo "generate client SAN certificate"
+openssl genpkey -algorithm RSA -out client.key
+openssl req -new -nodes -key client.key -out client.csr -days 3650 -subj "/C=$Country/O=$Organization/OU=$Organizational/CN=$CommonName" -config ./openssl.cnf -extensions v3_req
+openssl x509 -req -days 3650 -in client.csr -out client.pem -CA ca.pem -CAkey ca.key -CAcreateserial -extfile ./openssl.cnf -extensions v3_req
+
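Review bot: The certificates this script labels "SAN" carry no subjectAltName at all — the `v3_req` section it selects from `./openssl.cnf` (added in this same commit) defines only `basicConstraints` and `keyUsage` — so server.pem identifies itself by `CN=localhost` alone, which clients that no longer fall back to the CN may reject for `serverName: localhost`; the `-days 3650` on both `openssl req -new` lines is also a no-op (the README's captured output prints `Ignoring -days without -x509`), and without `set -euo pipefail` a failed `genpkey` lets the following `x509 -req` re-sign whatever key is already on disk. Because server.pem and client.pem are issued with identical extensions and no `extendedKeyUsage`, client.pem is equally valid as a server certificate under this CA, which matters once the README's `tlsMode: 2` (mutual TLS) is on — a leaked client credential can then impersonate the server. I would give each leaf its own extension set via a process-substituted `-extfile` (so the shared `[ v3_req ]` is no longer needed), drop `-days` and `-nodes` from the CSR steps (`-nodes` only affects a key that `req` itself generates, and here the keys come from `genpkey`), and fail fast at the top. `openssl genpkey -algorithm RSA` also relies on the library default key size; `-pkeyopt rsa_keygen_bits:2048` makes it explicit and matches the CA's `genrsa ... 2048`.
```shell
#!/usr/bin/env bash
set -euo pipefail
# … unchanged: subject variables and CA generation …

echo "generate server certificate (SAN: localhost, 127.0.0.1)"
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key
openssl req -new -key server.key -out server.csr -subj "/C=$Country/O=$Organization/OU=$Organizational/CN=$CommonName"
openssl x509 -req -days 3650 -in server.csr -out server.pem -CA ca.pem -CAkey ca.key -CAcreateserial \
  -extfile <(printf 'basicConstraints=CA:FALSE\nkeyUsage=nonRepudiation,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:localhost,IP:127.0.0.1\n')

echo "generate client certificate"
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out client.key
openssl req -new -key client.key -out client.csr -subj "/C=$Country/O=$Organization/OU=$Organizational/CN=$CommonName"
openssl x509 -req -days 3650 -in client.csr -out client.pem -CA ca.pem -CAkey ca.key -CAcreateserial \
  -extfile <(printf 'basicConstraints=CA:FALSE\nkeyUsage=nonRepudiation,digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n')
```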
diff --git a/test/cert/openssl.cnf b/test/cert/openssl.cnf new file mode 100644 index 00000000..8d6c1287 --- /dev/null +++ b/test/cert/openssl.cnf 
@@ -0,0 +1,351 @@ +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +# Policies used by the TSA examples. +tsa_policy1 = 1.2.3.4.1 +tsa_policy2 = 1.2.3.4.5.6 +tsa_policy3 = 1.2.3.4.5.7 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = ./demoCA # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several ctificates with same subject. +new_certs_dir = $dir/newcerts # default place for new certs. 
+ +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/cakey.pem# The private key +RANDFILE = $dir/private/.rand # private random number file + +x509_extensions = usr_cert # The extentions to add to the cert + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = default # use public key default MD +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. 
+[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = 2048 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString (PKIX recommendation before 2004) +# utf8only: only UTF8Strings (PKIX recommendation after 2004). +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. +string_mask = utf8only + +req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = AU +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Some-State + +localityName = Locality Name (eg, city) + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Internet Widgits Pty Ltd + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (e.g. 
server FQDN or YOUR name) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This is required for TSA certificates. 
+# extendedKeyUsage = critical,timeStamping + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object≈∂ +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. 
+# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo + +#################################################################### +[ tsa ] + +default_tsa = tsa_config1 # the default TSA section + +[ tsa_config1 ] + +# These are used by the TSA reply generation only. 
+dir = ./demoCA # TSA root directory +serial = $dir/tsaserial # The current serial number (mandatory) +crypto_device = builtin # OpenSSL engine to use for signing +signer_cert = $dir/tsacert.pem # The TSA signing certificate + # (optional) +certs = $dir/cacert.pem # Certificate chain to include in reply + # (optional) +signer_key = $dir/private/tsakey.pem # The TSA private key (optional) + +default_policy = tsa_policy1 # Policy if request did not specify it + # (optional) +other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) +digests = md5, sha1 # Acceptable message digests (mandatory) +accuracy = secs:1, millisecs:500, microsecs:100 # (optional) +clock_precision_digits = 0 # number of digits after dot. (optional) +ordering = yes # Is ordering defined for timestamps? + # (optional, default: no) +tsa_name = yes # Must the TSA name be included in the reply? + # (optional, default: no) +ess_cert_id_chain = no # Must the ESS cert id chain be included? + # (optional, default: no) diff --git a/test/cert/server.csr b/test/cert/server.csr new file mode 100644 index 00000000..6299a2bd --- /dev/null +++ b/test/cert/server.csr 
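Review bot: `[ v3_req ]` — the only section gen.sh actually selects, via `-extensions v3_req` on both the `req` and `x509 -req` steps — defines no `subjectAltName`, so despite the script's "SAN certificate" labels the leaf certificates get only a CN; the minimal fix is `subjectAltName = DNS:localhost, IP:127.0.0.1` under `[ v3_req ]`, and the better one is separate server/client sections that add `extendedKeyUsage = serverAuth` and `extendedKeyUsage = clientAuth` respectively, since one shared section makes the two certificates interchangeable. The remaining ~340 lines are the stock OpenSSL sample configuration and are never read by the script, yet they read like live policy: `copy_extensions = copy`, `digests = md5, sha1` under `[ tsa_config1 ]`, `proxyCertInfo=critical,...` under `[ proxy_cert_ext ]`, and a comment garbled to `object≈∂`. Note that `[ v3_ca ]` is not what shaped ca.pem either — the CA step in gen.sh passes no `-config`, so it uses whatever default configuration the installed OpenSSL finds. I would trim the file to `[ req ]`, `[ req_distinguished_name ]` and the leaf extension section(s), and open it with `# Used by test/cert/gen.sh: req_extensions / v3_req for the leaf CSRs and certificates; nothing else is referenced.`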
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICsTCCAZkCAQAwQzELMAkGA1UEBhMCQ04xDzANBgNVBAoMBm1pbHZ1czEPMA0G +A1UECwwGbWlsdnVzMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQC2WPSeGDpzHoY6k4a+i/KX+b9XvxPKQ3YnlxGfICF/ +KvoJLSdVALUqT0dL+L3irEIQN0TVLq00yEo+jrGB/aHWvCqtzHTQsJPbisll+SKt +UoW+DTZ5PQOsaz/pFYQv43bythN/yuqHIW1xJgd3/avy155OWTHcEhQ84rR1kj+x +wbMC1hYflskz5w57PV72dnuc1dxAv9PFaKyRLAYG/eZ/eTtIeWFNMB2fcKXVKRwQ +AHQ0uTKXVZxPYS3+HrX5OczSnbTLjXEgFaqRZ3JZkXqlvwE9X97idvlCKzuz515b +ABqlq3Sid4x6isHOLk35IEwlAD4Dkm3grf/aLy78jGI7AgMBAAGgKTAnBgkqhkiG +9w0BCQ4xGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBCwUA +A4IBAQBYcaA7KTn4DEzuaHWdMyK5RNWH1gJeniCPyqMf/nYT3XmSYW6MIQF4vJ5u +WeBrIsNINWTStxUHOhCKcgLkN4kg/3zFVDprH34LMJBkLl4TD/SslwgxDvVg4eZ/ +KN+t9GZEzyjG/5JejMGgof3EOc73psD9O/lJWfL6SY8q6R22YivWjcFLcj7j6xms +Ef94NkH3mfT2loXQkuitylUFxUlLy5Q7zUkXy5JoJwTTARiEYuCX2tYV2PjFGitL +ci6ZzardG4xT88KhtiGb6xOGSW+0wCi8+/MqtotfN2zaBJE0qKfjgnOE2yxvGlg4 +NDXVGtQ7p+qqWxVg8pK4RSMNiBQQ +-----END CERTIFICATE REQUEST----- diff --git a/test/cert/server.key b/test/cert/server.key new file mode 100644 index 00000000..ef3a670e --- /dev/null +++ b/test/cert/server.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC2WPSeGDpzHoY6 +k4a+i/KX+b9XvxPKQ3YnlxGfICF/KvoJLSdVALUqT0dL+L3irEIQN0TVLq00yEo+ +jrGB/aHWvCqtzHTQsJPbisll+SKtUoW+DTZ5PQOsaz/pFYQv43bythN/yuqHIW1x +Jgd3/avy155OWTHcEhQ84rR1kj+xwbMC1hYflskz5w57PV72dnuc1dxAv9PFaKyR +LAYG/eZ/eTtIeWFNMB2fcKXVKRwQAHQ0uTKXVZxPYS3+HrX5OczSnbTLjXEgFaqR +Z3JZkXqlvwE9X97idvlCKzuz515bABqlq3Sid4x6isHOLk35IEwlAD4Dkm3grf/a +Ly78jGI7AgMBAAECggEAGZHjy3+OQrJXFEO3s2Sgghstb7qFpelL2kVe3Td+Ovzl +zv+b8lmFDgfL8aVRy0VohimZ52MCOtKTRq5vydCtLxV3zqNLBjCcqz6M+1WyPSfD +RWFI8DtUFot7jM3NmYGGHobVuSfVN1nCpQk2JudVg1olAsuTKE8Is3j+4TW+5MgN +SxtRncXrib4wCOrNDxl8oCDIoj8i/zpNgW3/8Qde8Qs+ClLU3XgWq66roPPmg/0y +Ge2mG5OeQ54f/bAAqfVoMrOfGwhzDZDw9R706ppLBd2Ip9MkNPsTEpg8c9iDmuZW +ALJlB1KcV3dth3F8JW9eVMj+FPwUL8P8s86PM+vXsQKBgQD+7jtM7mrLSMB/BQIp +wvwmFwGfXxrmI54Qt4sphe5b3Um+lQL25qB2UhpWaNBdvehSACX2UMBiFY70feRS +PmXBFRskXn80xjqAVLw9IWDDUkHwaiZrBtMRFe5wZv/wqmWMv/2JVWMb/6pivq+p +fxM84URezKlWaGPUgwzdLDy5DQKBgQC3HMcAbb6XXF3VaABR852p4fBLul+IAHeF +Sz2LBgKsN32Q79S0RHA6R1ap6USI1uvlKyqpYgBPzteHObIpgtXEwlyvVA2QlpVJ +YPCuPWTDIgAIJtrZ+dtIrS0N0bI89SHMtl5B8Tg3X04ZAV8CU7vyyoWVZVCSxDip +l1Xv6b4mZwKBgQCn4wx6paj/J3JeNFYwWpDkJNKUunVkiqBWMgob1nAbX6hpMok5 +QLj8MyXVMkHG+oI9PovBo3yPG9OBgEcVQrKQbe3qDbGId+OfEC7Hs2ueNlXmloGm +imAGKINW0v5K6GzoPKgkAW+7yKvVS+8zmNR6i4ATToVWunjEQ2n9Xly/IQKBgQC0 +3PvCdKN4JYeZLiyCxbnI/p22btPFJZDoW7TiCIHDUNv5uKnDlIW1SplTIlDLSF2f +8c8lluLv8UH5Ewfi8JPs0H1zv/XWBqZV4CZaM9G+22pkotwvyRbK5iJGMAV5KDbG +WKspPvVj3ALrt+r8BXDzEw52zaeUD7RX7l63pYxnqQKBgQCuYUSmQ78t4aw5dhQI +QllCfwKqozky8PTNGO/wzMHYthZV616hKP7MEC1Ih0JoMNKeBvCrFNvFhhKVy1Ek +vwz/NwASb92F/+vQ3kIaNn1wMXM13NDwQFWtE/kPFcJ8dVVKNGYG6Z8cKBkEOYg9 +t7D5fBkSAahcFZa0nHLkdHhgqA== +-----END PRIVATE KEY----- diff --git a/test/cert/server.pem b/test/cert/server.pem new file mode 100644 index 00000000..17a69230 --- /dev/null +++ b/test/cert/server.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDlDCCAnygAwIBAgIUNCeQzjvQkinJwUgQ4quG0opHAMIwDQYJKoZIhvcNAQEL +BQAwaTELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFNoYW5naGFpMREwDwYDVQQHDAhT +aGFuZ2hhaTEPMA0GA1UECgwGbWlsdnVzMQ8wDQYDVQQLDAZtaWx2dXMxEjAQBgNV +BAMMCWxvY2FsaG9zdDAeFw0yNDA3MDUwMzE0MDBaFw0zNDA3MDMwMzE0MDBaMEMx +CzAJBgNVBAYTAkNOMQ8wDQYDVQQKDAZtaWx2dXMxDzANBgNVBAsMBm1pbHZ1czES +MBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAtlj0nhg6cx6GOpOGvovyl/m/V78TykN2J5cRnyAhfyr6CS0nVQC1Kk9HS/i9 +4qxCEDdE1S6tNMhKPo6xgf2h1rwqrcx00LCT24rJZfkirVKFvg02eT0DrGs/6RWE +L+N28rYTf8rqhyFtcSYHd/2r8teeTlkx3BIUPOK0dZI/scGzAtYWH5bJM+cOez1e +9nZ7nNXcQL/TxWiskSwGBv3mf3k7SHlhTTAdn3Cl1SkcEAB0NLkyl1WcT2Et/h61 ++TnM0p20y41xIBWqkWdyWZF6pb8BPV/e4nb5Qis7s+deWwAapat0oneMeorBzi5N ++SBMJQA+A5Jt4K3/2i8u/IxiOwIDAQABo1owWDAJBgNVHRMEAjAAMAsGA1UdDwQE +AwIF4DAdBgNVHQ4EFgQUibWh3bOdB76Mam35k6PQu3HOOC0wHwYDVR0jBBgwFoAU +sakGIAYA/RcGwz+9Ql5od2pQbIswDQYJKoZIhvcNAQELBQADggEBAEIRzE8ELeO6 +u3myzI0/oniVsGGwALdtXlJ+ASc6u15lcSKvVjrmomS5LwuFoGT5WctjK6Fn4al5 +kmTxLUuFljQPFw4rpRGMKaCDCWWR6pyYcFft3PmqzkgRYUFBIsns33LDHm8SwPhr +LFz4QWOxBzBCpdQ5f//N03XdY1OWmQQDct19qsj/u7VWstn2BDXQCt3Zd6ubK5GF +m3coHLWXrKwvgLEokwA1AGATxxJgnpgrKrqfd4kdAXk1UbA7f8+JmuK5hzTZD1s8 +0CpEX/EQIoBvx/YoIQeEUzj+IZm2In2WiYCdKK3UpP8lL3UDsUbG4JfEohikoI5/ +s2RuTfRPyWU= +-----END CERTIFICATE-----
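Review bot: The new server certificate in test/cert/server.pem carries no subjectAltName extension — its extension block decodes to basicConstraints CA:FALSE, keyUsage, subjectKeyIdentifier and authorityKeyIdentifier only, so `localhost` appears solely in the subject CN, and the CSR in test/cert/server.csr likewise requests only basicConstraints and keyUsage. Hostname verification in current TLS stacks is SAN-based: Node's `checkServerIdentity` still falls back to the CN when no SAN is present, so the SDK tests pass today, but Go 1.15+ and browsers reject CN-only certificates and that fallback is the deprecated path. Regenerate the server certificate with a v3 extension section that includes `subjectAltName = DNS:localhost, IP:127.0.0.1` (and, for stricter verifiers, `extendedKeyUsage = serverAuth`) so the fixture does not depend on legacy CN matching.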