Ssl testmain
This section will provide one example of setting up an environment for testing SSL connections using certificates.
The following assumptions are made in this discussion:
- The target server environment is ActiveMQ
- OpenSSL is installed, and the 'openssl' command is available
- Java's 'keytool' command is at least at a 1.6 level
The example here was developed on a Unix (Linux) system. It may be possible to adapt the example for Windows environments; that is left as an exercise for the reader. It is very unlikely that any of this will be appropriate for OS X environments.
At the end of this process, you will have created:
- A Test CA's private key
- A CSR for the Test CA's certificate
- The Test CA's self-signed certificate
- The server's private key
- A CSR for the server's certificate
- The server's certificate, signed by the Test CA
- A client's private key
- A CSR for the client's certificate
- The client's certificate, signed by the Test CA
- A truststore for use by the server
- A keystore for use by the server
The server's keystore will contain a single entry: the server's signed certificate.
The server's truststore will contain a single entry: the client's signed certificate.
Note that Java application 'stores' are usually in a format known as JKS (Java Key Store), and that 'openssl' generated keys and certificates are usually in PEM format. We will use openssl and keytool to bridge between these formats using an intermediate PKCS12 format.
It is suggested that you create a work directory, where the steps documented will be executed. For example:
mkdir sslwork
cd sslwork
Then proceed with the example as follows:
- Create Test CA
- Create Server Data
- Create Client Data
- Convert Certificate Formats
- Create Server Keystore
- Create Server Truststore
- Configure AMQ
- Test Client Code
The previous scenario is reasonable for basic testing.
It is likely that production environments will have significantly different requirements.
Consider the case where:
- The server CA and the client CA are different
- Many clients certified by the same CA connect to the server
In this case, the previous scenario can be changed slightly to good effect:
- Convert the client CA's certificate to PKCS12 format (not the client's certificate)
- Import only the client CA's certificate into the server truststore
This allows many clients to connect, with only a single entry in the server's truststore.
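The steps above (Test CA, server and client data, PKCS12 conversion, JKS stores) and the separate-CA variant just described, as an added shell example that is not part of the original wiki page. It assumes 'openssl' is on the PATH, treats 'keytool' as optional, writes everything into $WORK (default ./sslwork), and uses constructed names and the store password "changeit".

```shell
#!/bin/sh
# Added example (not from the wiki). Assumes: openssl on PATH, keytool optional,
# all files written under $WORK. Passwords and subject names are constructed.
set -eu
WORK="${WORK:-./sslwork}"
mkdir -p "$WORK"

# Self-signed Test CA: private key + certificate in one step.
make_ca() {            # $1 = CA prefix, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" 2>/dev/null
}

# End-entity private key + CSR, then a certificate signed by the named Test CA.
make_signed() {        # $1 = entity prefix, $2 = CA prefix, $3 = subject CN
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -out "$WORK/$1.crt" 2>/dev/null
}

# Bundle key + certificate into PKCS12, the bridge format that keytool imports.
to_pkcs12() {          # $1 = entity prefix, $2 = export password
  openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -name "$1" -out "$WORK/$1.p12" -passout "pass:$2"
}

# Would a truststore holding only CA $2 accept certificate $1? 0 = yes, 1 = no.
verifies_against() {   # $1 = cert prefix, $2 = CA prefix
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# JKS stores for the broker: the keystore gets the server entry from PKCS12;
# the truststore gets only the client CA certificate (separate-CA variant),
# so every client that CA signs is accepted with a single truststore entry.
build_java_stores() {  # $1 = store password; requires keytool
  keytool -importkeystore -srckeystore "$WORK/server.p12" -srcstoretype PKCS12 \
    -srcstorepass "$1" -destkeystore "$WORK/server.ks" -deststorepass "$1" -noprompt
  keytool -importcert -file "$WORK/clientca.crt" -alias clientca \
    -keystore "$WORK/server.ts" -storepass "$1" -noprompt
}
```

Call make_ca for serverca and clientca, make_signed for the server and each client, to_pkcs12 for the server, then build_java_stores; the resulting server.ks and server.ts are what the AMQ SSL context points at.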