diff --git a/.github/files/mutual_auth_client_cert_chain.pem b/.github/files/mutual_auth_client_cert_chain.pem
new file mode 100644
index 000000000..b97cd89a8
--- /dev/null
+++ b/.github/files/mutual_auth_client_cert_chain.pem
@@ -0,0 +1,38 @@ +-----BEGIN CERTIFICATE----- +MIIDBDCCAeygAwIBAgICFsAwDQYJKoZIhvcNAQELBQAwGDEWMBQGA1UEAwwNTmV0 +dHlUZXN0Um9vdDAeFw0yNDAxMTYxMzM2NTBaFw0yOTAxMTQxMzM2NTBaMCAxHjAc +BgNVBAMMFU5ldHR5VGVzdEludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAMVRThUi0F77gRWM3QBEUQG6UGy6OGcOhZ5HQeCGYB0cD1+2 +n1GHqsCSPachOCFT39Se2a4qhhdO+1o2WbhMVa4GsENZz1h1yRH5d4xn1tlL3a2j +XB3pyZSdKzaGQF6OykztbiNFAwlfVuxebXDR8GP2MPuTu5WYyhqQKTZHQBAFfzlw +jArdgEPCiAl7JV85JjKRX0znJEjuGOw2obYGIZrxmaQtnHOhMT/A5bjNnBeuR9jD +VAuPFuTVaFD2xlEihWl1jbEi0HZFc6fXa1X1v1DJO4UkIFjAAMT4U0mMnRsNOX5x +CjHapOZQWcm7G36ore6WMuJ66nbYFwi7MlGpsXMCAwEAAaNQME4wHQYDVR0OBBYE +FKEzFFwds2LCU9zGeWNUsa3pTbM5MB8GA1UdIwQYMBaAFDCbp1amIi20zngZHGGt +8nLev3WBMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAEkhB70bZ32o +Yqi8Qo7GbCpLscv2gs1fC5xVp44/2vlsXDe9wQFDC455OS0D1ywy3IYFjLU1qhxC +Ga3TnXDNjkEuKSCCCbM3k95W1F6etSjQjOTy8iwj/0NAvd13dzeR0nCXfyli1J3g +6EOpttmtEa0GWBQmy86jSkhHkgDIJspyMvpz6dVlEbUdm1mmkSbp8pkBEIiYRrLq +3U5C3Ex8MAVO5uTcMScVMxH59tx60mxxX8SXE1sif62ilqJ9f39FsCSRS7p5GZjK +pz4QO72A2qiZPW87I5TlFTtqILVelA4hV6GQPQ1699RdAvW9wIfEHAYZ8V3+VeeO +CuuzRHkJseU= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDEzCCAfugAwIBAgIURmIlqqwfzoAzJ7oOMgG1nQ1kc/YwDQYJKoZIhvcNAQEN +BQAwGDEWMBQGA1UEAwwNTmV0dHlUZXN0Um9vdDAgFw0yNDAxMTYxMzM2NDdaGA8y +MTIzMTIyMzEzMzY0N1owGDEWMBQGA1UEAwwNTmV0dHlUZXN0Um9vdDCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBALHasZdmGMznTvhIGhj3PhWuObU3ISL8 +BLQtlu292K2N9+Ne5QO2/uB7pwrM1L/sFfxtXm71zUulySNpuMy9gSPdI9EpXH+u +GA58DSsNlvQYTgQb4HkWIszKZdVW0ggdM0RRidOJkzy8EH5Q6GlpyTcUjh/ghC2P +GvpO3pKapMVoCC1xiAgBJn3UjD8EhpZT6Y09+cyNy64sLcDMb6sj0ZrP9GQPyhdD +/R+Ly1A429vZY8KWmDOz+B4Aiqw+rRGxSnhDUirHU/avVIJfmnsqq/dTRofiSOkK +g/CDnMtetuVLZ4dljmPMHxAZTaHwsOoCrYUuZj6DuFzLp9nwVkCOEMsCAwEAAaNT +MFEwHQYDVR0OBBYEFDCbp1amIi20zngZHGGt8nLev3WBMB8GA1UdIwQYMBaAFDCb +p1amIi20zngZHGGt8nLev3WBMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEN +BQADggEBADPJZ5LdZ9fe/SPsm6oai4aS7snlhuTam7IAkUveGCJY6D8O++xlK25M 
+2QsJ2n5lCOrH4gLtYndF2wbGUOJrNkPpQ5aH3WRXw2xWkjUiXc+SudnAhbq7du7Z +ht2+u1/L3mEGaMkq35/xcCK5N6hFCUiAspaO+Jt/12vdbedoDK/gMd8K+yCHVzed +SHX8vHJZQIBxHI8Dv0x0kex/YLg/sxy8ClXhP1yWgzBr1uL6oZK6PVl7S7Kt9NJB +MipDXVBi6aTMqTyhi2HEhh1deE4zj9MGDCT5wB4ovuABgi1M0T5tTQf3+9ky6d0F +6nxh6zboWnduCrbQwQPWSL9XowIce30= +-----END CERTIFICATE----- diff --git a/.github/files/mutual_auth_server.crt b/.github/files/mutual_auth_server.crt new file mode 100644 index 000000000..3dc32f618 --- /dev/null +++ b/.github/files/mutual_auth_server.crt @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8jCCAdqgAwIBAgICctMwDQYJKoZIhvcNAQENBQAwGDEWMBQGA1UEAwwNTmV0 +dHlUZXN0Um9vdDAgFw0yNDAxMTYxMzM2NDdaGA8yMTIzMTIyMzEzMzY0N1owGjEY +MBYGA1UEAwwPTmV0dHlUZXN0U2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAyBipKawBrkMAlBboZQor9gsWampDF2g1aLr/lIb/QQp/RHr4tloo +nW6LqN07RSyOETkjZQKNcLohzfTvajf7QbUH0SPXzQLD6MTSpKd7bbSE12MqeDzx +unJqwVhc0Yr9Zi032oV9JFE0hfyTJzG32NF7FYQnl2zZJnEda/KLXM1PS1kDy3pf +jXqO0W1VS0EglMMIp8Am+PvLR9GfOWKvyekdJ2Z2K4AcZG1Oz+fhf8JF0qzyTJ3O +ea2U9FckFacjHm/hEr+vDkSE/NNGyEtLLNrlH6yUW3+k1kzo4a1cOH86l/Q52Fo/ +TqoVGTmgcCKux51COLWa9kwrJS6IfJ8YZwIDAQABo0IwQDAdBgNVHQ4EFgQU64F1 +7IWqSMG7S+M69WwRkX1VmZMwHwYDVR0jBBgwFoAUMJunVqYiLbTOeBkcYa3yct6/ +dYEwDQYJKoZIhvcNAQENBQADggEBAH23rwZo7I4Epxf2yweXByfuFG/JHrxLt7h2 +0dun/88ZnUyKzLbBBzWvsULocA1/9XZb38UmOBJS9w73jUn/UGLbvmZ2uBDoUwrU +zF6aq7IxEc7bysnDp3wq5c8fJVuZydyHcWo72NG8b0NaDOBbISUP+ICVdEG5Rx5Z +LnmFmHb3Rh+ITvbPwHfWcfDwZYStbZKLG75JnrUMp7wjv3lPewzerXztiEJmO86R +PDOJnh3rHN4JavJtcghmO2KVGOcuc4TEaL9r3niJiicseXFPRwr0nQWmDkuHMY0W +zMbfD5SoKWlSineEZ+nRrBu3xOH3fAxfijrGpf251Fk95tvwIyI= +-----END CERTIFICATE----- diff --git a/.github/files/mutual_auth_server.key b/.github/files/mutual_auth_server.key new file mode 100644 index 000000000..d5df689f4 --- /dev/null +++ b/.github/files/mutual_auth_server.key 
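Review bot: The first certificate in `mutual_auth_client_cert_chain.pem` (the `NettyTestIntermediate` CA) carries the validity `240116133650Z`–`290114133650Z` in its DER, i.e. it expires on 2029-01-14, which matches the `-days 1825` generate-certs.sh uses for the intermediate while the root and server certificates run to 2123. When it lapses, the Management API's validation of Reaper's client certificate against this chain (presumably what `MGMT_API_TLS_CA_CERT_FILE` is for) will fail and the integration job will break with an opaque handshake error rather than anything pointing at this file. Either regenerate the intermediate with the same `-days 36500` as its siblings, or record the date where a future maintainer will look, e.g. a script comment: `# NOTE: the intermediate CA in mutual_auth_client_cert_chain.pem expires 2029-01-14; rerun generate-certs.sh before then`.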
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDIGKkprAGuQwCU +FuhlCiv2CxZqakMXaDVouv+Uhv9BCn9Eevi2Wiidbouo3TtFLI4ROSNlAo1wuiHN +9O9qN/tBtQfRI9fNAsPoxNKkp3tttITXYyp4PPG6cmrBWFzRiv1mLTfahX0kUTSF +/JMnMbfY0XsVhCeXbNkmcR1r8otczU9LWQPLel+Neo7RbVVLQSCUwwinwCb4+8tH +0Z85Yq/J6R0nZnYrgBxkbU7P5+F/wkXSrPJMnc55rZT0VyQVpyMeb+ESv68ORIT8 +00bIS0ss2uUfrJRbf6TWTOjhrVw4fzqX9DnYWj9OqhUZOaBwIq7HnUI4tZr2TCsl +Loh8nxhnAgMBAAECggEACRwTpNcKOIx1Bp5IXu6TSR9WGkAo5R7pwjvejjzbJXM8 +j2STKtIjTo+NgixC74eeFtX6xjV936efCbO2AVL3zb+tJxiyUXNnxz12uDz7wecv +CRNLCAWrnP5qh8+QYjspWtvXfXZdrSfuno782r2eY3DzYUEOqwvZ6FshU3HLuyIf +zIakD1CgbrP1g9NxIn013RHkll5hYA+TbWgLyeaR3k91OKHX+DMqZrG49/WwV9yE +BxRxLWRV4cFKV7DUfEFquM/AhBE4mcIClrpbWlfIQrvXjJEkcAmxUAogrJ0K3WJC +jShOwvjorM01maVFJaAtvpYBfULoS+mN1Pp9oO3hSQKBgQDkFOOs5qRjIwWAHkba +vecRvvfyO1Zqu9Ws67ZfxPGFB7zIfGSTWD6tfu3ZLWiUuVruvYyaMAuJWEzLRFk+ +xhWZkX4xHxYPJHm845dpAvbavfoTMJWMdKp41WBSUcrcerZiaTMyvV0g9BSu5CYS +iZ+vYbs66gYO5Se5E8bfDMnE+wKBgQDgltTtl4coM/gOWLEUFW4phgxh7x5WsvUH +BglbJPXG9Ef/qR07vUdx4gbTCqGYFtbj6nF19K/2TPMvBPoFBWNZmNu5D+ncSjyU +nLajy6ONeabSwcGwBsvnajEyI/jaFM3a5HaAsHPs3y8P4DsY9p0/2rUXW5Q29+a4 +Q6gEb2OmhQKBgQCVJM/IlT1zkkgbgjDlAv8hjJYIMSMOQmu0WqJ0N42TZv7cvvLp +ou/BddnEhTv43MgIi6xwevBgTHxTAwu0z8T6GbjCGEjNeBWfHdg5k/WmDkqD1+ZC +5VtADo+g5NlZmWjAK3iOOmO2k8UepBP9VT81aRwMp1F01gZGsRb/bhZWlwKBgFNZ +ZthuPei7sLmSTNWJRoL+jqXh2j6O18SthtdeliAqFHZbStAa5OLs4V99OI97GnEn +VshR8OPVlwLCNA+c+kwMIK9DqqTooCb/KgEL2DzvAuyAn+M2AoJ1tKBJHVfCFMvB +sgD8e2lTQuH/c69GBwHlpwNuJ0lnIycLZNWQiUkJAoGAHxmLyuFo9P0QyQH+PARl +F5SJ2q8Gv0YyPnI0tnj9OixO6mkei0Zj30WZ3Hr/C3EKpfRFwfMAEOESsIKClKEh +5chvL96tK4uY+in25EWaOPp/Xj1NIpdqatJMxcaiTfUXPfBoLL78t4IUxjG5gHIO +276Mwu4AD3x8/RZPQfS007Y= +-----END PRIVATE KEY----- diff --git a/.github/scripts/run-tests.sh b/.github/scripts/run-tests.sh index 8a973e6e9..2cee95165 100755 --- a/.github/scripts/run-tests.sh +++ b/.github/scripts/run-tests.sh 
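Review bot: `mutual_auth_server.key` commits an unencrypted RSA private key to the repository and nothing in the file marks it as a throwaway CI fixture; the matching `mutual_auth_server.crt` decodes to a notAfter in December 2123 (consistent with `-days 36500` in generate-certs.sh), so it will never age out on its own. That is acceptable for a test-only mutual-TLS setup, but only if it cannot be mistaken for a real credential: add a line above the BEGIN marker such as `# TEST-ONLY key generated by src/server/src/test/resources/generate-certs.sh; never use outside CI` (OpenSSL's PEM reader ignores text outside the BEGIN/END markers, but confirm the Management API's loader does too before relying on it), or keep the note in a README beside these files. Allow-listing the path in whatever secret scanning the repository runs avoids a permanent false positive, and the key should be treated as burned if it is ever reused for anything but these tests.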
@@ -118,8 +118,8 @@ case "${TEST_TYPE}" in
 # Stop CCM now so we can restart it with Management API
 ccm stop
 # Start Management API
- MGMT_API_LOG_DIR=/tmp/log/cassandra1 bash -c 'nohup java -jar /tmp/datastax-mgmtapi-server.jar --db-socket=/tmp/db1.sock --host=unix:///tmp/mgmtapi1.sock --host=http://127.0.0.1:8080 --db-home=`dirname ~/.ccm/test/node1`/node1 &'
- MGMT_API_LOG_DIR=/tmp/log/cassandra2 bash -c 'nohup java -jar /tmp/datastax-mgmtapi-server.jar --db-socket=/tmp/db2.sock --host=unix:///tmp/mgmtapi2.sock --host=http://127.0.0.2:8080 --db-home=`dirname ~/.ccm/test/node2`/node2 &'
+ MGMT_API_LOG_DIR=/tmp/log/cassandra1 MGMT_API_TLS_CA_CERT_FILE=./.github/files/mutual_auth_client_cert_chain.pem MGMT_API_TLS_CERT_FILE=./.github/files/mutual_auth_server.crt MGMT_API_TLS_KEY_FILE=./.github/files/mutual_auth_server.key bash -c 'nohup java -jar /tmp/datastax-mgmtapi-server.jar --db-socket=/tmp/db1.sock --host=unix:///tmp/mgmtapi1.sock --host=http://127.0.0.1:8080 --db-home=`dirname ~/.ccm/test/node1`/node1 &'
+ MGMT_API_LOG_DIR=/tmp/log/cassandra2 MGMT_API_TLS_CA_CERT_FILE=./.github/files/mutual_auth_client_cert_chain.pem MGMT_API_TLS_CERT_FILE=./.github/files/mutual_auth_server.crt MGMT_API_TLS_KEY_FILE=./.github/files/mutual_auth_server.key bash -c 'nohup java -jar /tmp/datastax-mgmtapi-server.jar --db-socket=/tmp/db2.sock --host=unix:///tmp/mgmtapi2.sock --host=http://127.0.0.2:8080 --db-home=`dirname ~/.ccm/test/node2`/node2 &'
 # wait for Cassandra to be ready
 for i in `seq 1 30` ; do
 # keep curl from exiting with non-zero
diff --git a/src/server/src/test/java/io/cassandrareaper/acceptance/ReaperHttpIT.java b/src/server/src/test/java/io/cassandrareaper/acceptance/ReaperHttpIT.java
index 36f211db1..cf6069766 100644
--- a/src/server/src/test/java/io/cassandrareaper/acceptance/ReaperHttpIT.java
+++ b/src/server/src/test/java/io/cassandrareaper/acceptance/ReaperHttpIT.java
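Review bot: The three `MGMT_API_TLS_*_FILE` values on the two added lines are relative paths (`./.github/files/...`), so they only resolve when run-tests.sh is invoked from the repository root, and the same triplet is repeated verbatim for both nodes; anchor them and set them once before the two `bash -c` lines instead: `export MGMT_API_TLS_CA_CERT_FILE="${GITHUB_WORKSPACE:-$PWD}/.github/files/mutual_auth_client_cert_chain.pem"`, `export MGMT_API_TLS_CERT_FILE="${GITHUB_WORKSPACE:-$PWD}/.github/files/mutual_auth_server.crt"`, `export MGMT_API_TLS_KEY_FILE="${GITHUB_WORKSPACE:-$PWD}/.github/files/mutual_auth_server.key"`. Both nodes present the same `mutual_auth_server.crt`, which per generate-certs.sh is issued for `CN=NettyTestServer` with no subjectAltName, so whatever connects to 127.0.0.1/127.0.0.2 must either skip hostname verification or the certificate needs regenerating with `-addext "subjectAltName=IP:127.0.0.1,IP:127.0.0.2"` — worth confirming which the Reaper client does before merging. The `case "${TEST_TYPE}"` block these lines sit in starts and ends outside the hunk.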
@@ -49,7 +49,7 @@ public class ReaperHttpIT { private static final Logger LOG = LoggerFactory.getLogger(ReaperCassandraIT.class); private static final List RUNNER_INSTANCES = new CopyOnWriteArrayList<>(); - private static final String CASS_CONFIG_FILE = "cassandra-reaper-http-at.yaml"; + private static final String CASS_CONFIG_FILE = "cassandra-reaper-https-at.yaml"; private static final Random RAND = new Random(System.nanoTime()); private static Thread GRIM_REAPER; diff --git a/src/server/src/test/resources/cassandra-reaper-https-at.yaml b/src/server/src/test/resources/cassandra-reaper-https-at.yaml new file mode 100644 index 000000000..6221c032a --- /dev/null +++ b/src/server/src/test/resources/cassandra-reaper-https-at.yaml 
@@ -0,0 +1,98 @@ +# Copyright 2017-2017 Spotify AB +# Copyright 2017-2019 The Last Pickle Ltd +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Reaper for Apache Cassandra Configuration for Acceptance Tests. +# +segmentCountPerNode: 16 +repairParallelism: SEQUENTIAL +repairIntensity: 0.95 +scheduleDaysBetween: 7 +repairRunThreadCount: 15 +hangingRepairTimeoutMins: 1 +storageType: cassandra +incrementalRepair: false +blacklistTwcsTables: true +jmxConnectionTimeoutInSeconds: 10 +datacenterAvailability: LOCAL +percentRepairedCheckIntervalMinutes: 1 + +logging: + level: WARN + appenders: + - type: console + +server: + type: default + applicationConnectors: + - type: http + port: 8083 + bindHost: 127.0.0.1 + adminConnectors: + - type: http + port: 8084 + bindHost: 127.0.0.1 + +jmxPorts: + 127.0.0.1: 7100 + 127.0.0.2: 7200 + 127.0.0.3: 7300 + 127.0.0.4: 7400 + 127.0.0.5: 7500 + 127.0.0.6: 7600 + 127.0.0.7: 7700 + 127.0.0.8: 7800 + +jmxCredentials: + "test cluster": + username: cassandra + password: cassandra + test: + username: cassandra + password: cassandrapassword + +cassandra: + clusterName: "test" + contactPoints: ["127.0.0.1"] + keyspace: reaper_db + socketOptions: + connectTimeoutMillis: 20000 + readTimeoutMillis: 40000 + loadBalancingPolicy: + type: tokenAware + shuffleReplicas: true + subPolicy: + type: dcAwareRoundRobin + localDC: dc1 + usedHostsPerRemoteDC: 0 + allowRemoteDCsForLocalConsistencyLevel: false + poolingOptions: + idleTimeout: 5s + local: + 
coreConnections: 1 + maxConnections: 4 + maxRequestsPerConnection: 16 + remote: + coreConnections: 0 + maxConnections: 0 + maxRequestsPerConnection: 0 + +cryptograph: + type: symmetric + systemPropertySecret: REAPER_ENCRYPTION_KEY + +httpManagement: + enabled: true + keystore: keystore.jks + trustStore: truststore.jks diff --git a/src/server/src/test/resources/generate-certs.sh b/src/server/src/test/resources/generate-certs.sh new file mode 100755 index 000000000..6e3518b89 --- /dev/null +++ b/src/server/src/test/resources/generate-certs.sh 
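Review bot: The new `httpManagement` block at the bottom names `keystore.jks` / `truststore.jks` by bare file name and gives no store password or type, yet generate-certs.sh creates both stores with the password `changeit`; unless the loader has that default baked in (cannot tell from here) opening the stores will fail, and if it opens files rather than classpath resources a bare name resolves against the test JVM's working directory, not `src/server/src/test/resources`. Document the contract right there: `# keystore.jks / truststore.jks come from generate-certs.sh (store password "changeit");` and `# a bare name is resolved relative to the JVM working directory, not the classpath.`. A second comment belongs at `server:`, since the file is named `cassandra-reaper-https-at.yaml` while both connectors stay `type: http`: `# "https" in the file name refers to the Reaper -> Management API connection under httpManagement below; Reaper's own listeners remain plain HTTP.`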
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+# Copied from management-api, modified for reaper to create JKS files also
+
+# Generate a new, self-signed root CA
+openssl req -extensions v3_ca -new -x509 -days 36500 -nodes -subj "/CN=NettyTestRoot" -newkey rsa:2048 -sha512 -out mutual_auth_ca.pem -keyout mutual_auth_ca.key
+
+# Generate a certificate/key for the server
+openssl req -new -keyout mutual_auth_server.key -nodes -newkey rsa:2048 -subj "/CN=NettyTestServer" | \
+openssl x509 -req -CAkey mutual_auth_ca.key -CA mutual_auth_ca.pem -days 36500 -set_serial $RANDOM -sha512 -out mutual_auth_server.crt
+
+# Generate a valid intermediate CA which will be used to sign the client certificate
+openssl req -new -keyout mutual_auth_intermediate_ca.key -nodes -newkey rsa:2048 -out mutual_auth_intermediate_ca.key
+openssl req -new -sha512 -key mutual_auth_intermediate_ca.key -subj "/CN=NettyTestIntermediate" -out intermediate.csr
+openssl x509 -req -days 1825 -in intermediate.csr -extfile openssl.cnf -extensions v3_ca -CA mutual_auth_ca.pem -CAkey mutual_auth_ca.key -set_serial $RANDOM -out mutual_auth_intermediate_ca.pem
+
+# Generate a client certificate signed by the intermediate CA
+openssl req -new -keyout mutual_auth_client.key -nodes -newkey rsa:2048 -subj "/CN=NettyTestClient/UID=Client" | \
+openssl x509 -req -CAkey mutual_auth_intermediate_ca.key -CA mutual_auth_intermediate_ca.pem -days 36500 -set_serial $RANDOM -sha512 -out mutual_auth_client.crt
+
+# Append
+cat mutual_auth_intermediate_ca.pem mutual_auth_ca.pem > mutual_auth_client_cert_chain.pem
+
+# Modify to PKCS12 and JKS for Reaper (use password changeit)
+openssl pkcs12 -export -out mutual_auth_client_cert_chain.pkcs12 -inkey mutual_auth_intermediate_ca.key -in mutual_auth_client_cert_chain.pem
+openssl pkcs12 -export -out mutual_auth_client.pkcs12 -inkey mutual_auth_client.key -in mutual_auth_client.crt
+
+# Use password changeit
+keytool -importkeystore -srckeystore mutual_auth_client_cert_chain.pkcs12 -srcstoretype pkcs12 -destkeystore truststore.jks -deststoretype JKS
+keytool -importkeystore -srckeystore mutual_auth_client.pkcs12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
diff --git a/src/server/src/test/resources/keystore.jks b/src/server/src/test/resources/keystore.jks
new file mode 100644
index 000000000..ac817a40d
Binary files /dev/null and b/src/server/src/test/resources/keystore.jks differ
diff --git a/src/server/src/test/resources/openssl.cnf b/src/server/src/test/resources/openssl.cnf
new file mode 100644
index 000000000..78db4231b
--- /dev/null
+++ b/src/server/src/test/resources/openssl.cnf
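Review bot: `truststore.jks` is built from `mutual_auth_client_cert_chain.pkcs12`, which the preceding `openssl pkcs12 -export` line creates with `-inkey mutual_auth_intermediate_ca.key`, so the trust store checked into test resources carries the intermediate CA's private key as a key entry instead of holding only trusted certificates; a trust store needs no private key, and bundling a CA signing key into it is the wrong shape even for a fixture. Build it with `keytool -importcert` from the two CA PEMs and drop the chain PKCS12 export altogether. The `pkcs12 -export` and `keytool -importkeystore` lines also prompt for passwords interactively — the "use password changeit" remarks are comments, not `-passout`/`-srcstorepass`/`-deststorepass` flags — so the script cannot be rerun unattended, and with no `set -euo pipefail` a failed step is silently followed by the next one. Separately, the first intermediate-CA line passes the same path to `-keyout` and `-out` and has no `-subj`, so it prompts for a DN and, depending on the OpenSSL version, lets the CSR written via `-out` clobber the key; `openssl genrsa -out mutual_auth_intermediate_ca.key 2048` is all that step needs, because the CSR is regenerated from the key on the very next line.
```shell
#!/usr/bin/env bash
set -euo pipefail

# … unchanged: root CA and server certificate generation …

# Generate the intermediate CA key only; the CSR is built from it on the next line
openssl genrsa -out mutual_auth_intermediate_ca.key 2048
# … unchanged: intermediate CSR/cert, client certificate, chain concatenation …

# Client key + cert -> PKCS12 -> keystore.jks (store password "changeit")
openssl pkcs12 -export -passout pass:changeit -out mutual_auth_client.pkcs12 -inkey mutual_auth_client.key -in mutual_auth_client.crt
keytool -importkeystore -noprompt -srckeystore mutual_auth_client.pkcs12 -srcstoretype pkcs12 -srcstorepass changeit -destkeystore keystore.jks -deststoretype JKS -deststorepass changeit

# truststore.jks holds only the CA certificates; no private key goes in it
keytool -importcert -noprompt -alias root -file mutual_auth_ca.pem -keystore truststore.jks -storepass changeit
keytool -importcert -noprompt -alias intermediate -file mutual_auth_intermediate_ca.pem -keystore truststore.jks -storepass changeit
```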
@@ -0,0 +1,124 @@
+#
+# This OpenSSL configuration file is necessary to generate an Intermediate CA
+# which is capable of signing other certificates. The most important part is
+# the [ v3_ca ] profile and the "basicConstraints = CA:true" value
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
diff --git a/src/server/src/test/resources/truststore.jks b/src/server/src/test/resources/truststore.jks
new file mode 100644
index 000000000..6a9bc127e
Binary files /dev/null and b/src/server/src/test/resources/truststore.jks differ
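Review bot: `[ v3_ca ]` at the end of the file — the only section generate-certs.sh references (`-extfile openssl.cnf -extensions v3_ca`) — marks the intermediate as a CA with a non-critical `basicConstraints = CA:true` and no `keyUsage`, so the resulting intermediate is an unconstrained CA that may itself issue further CAs, and it relies on validator leniency since RFC 5280 requires basicConstraints to be critical in CA certificates. For a CA that signs exactly one leaf, `basicConstraints = critical,CA:true,pathlen:0` plus `keyUsage = critical,keyCertSign,cRLSign` is the standard profile and one Java's PKIX validator handles without trouble. The "some broken software chokes on critical extensions" remark is copied from OpenSSL's sample config and does not describe this fixture, whose only consumers are Reaper and the Management API, so replace it with `# critical basicConstraints/keyUsage are fine here: only Reaper and the Management API ever validate this chain`. Most of the rest of the file (`[ req_distinguished_name ]` defaults such as `Internet Widgits Pty Ltd`, the `nsComment` line) is sample-config residue that nothing in the script uses and could be trimmed to the sections actually needed.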