Name: boundless-test-certs
Owner: Boundless
Description: null
Created: 2016-03-24 03:18:32.0
Updated: 2017-05-31 01:36:21.0
Pushed: 2017-10-12 20:10:49.0
Homepage: null
Size: 213
Language: Shell
The certs/keys are generated/edited using XCA (see the xca-project directory):
https://sourceforge.net/projects/xca/
The Java keystore files are generated/edited using KeyStore Explorer:
http://keystore-explorer.sourceforge.net/
The default password for the encrypted XCA project and Java keystore files is
password. The certificate signing structure can be reviewed in certs_hierarchy.png.
WARNING: These components are just for testing and should NOT be used in a production environment.
NOTE: The .[crt|pem] choice for files (below) is because some applications
filter file open dialogs to specific extensions, e.g. pgAdmin3 always filters
on .crt or .key, and QGIS generally filters on .pem.
User certs: [alice|tom|jane|joe]-cert.[crt|pem]
User keys: [alice|tom|jane|joe]-key.[key|pem]
Combined user certs/keys: [alice|tom|jane|joe].p12
The default password for encrypted client keys is password.
root-ca-cert.[crt|pem]
The test root cert for all server certs is self-signed. You will need to have this CA trusted in your OS's or application's cert/key store, or passed during connections, so that the cert of the connected server can be validated.
See "Client hosts file configuration" below for configuring non-DNS host resolution for the test server connections.
Three certificates are available for general SSL/TLS servers:
server-localhost-[cert|key].[crt|pem]
for localhost test servers accessed from the same host.
server-boundless-test-[cert|key].[crt|pem]
provides for a boundless-test domain, for testing non-localhost connections. All services are on one test machine.
server-wildcard-boundless-test-[cert|key].[crt|pem]
provides for *.boundless.test domains, e.g. whatever.boundless.test or boundless.test, for testing non-localhost connections. Services are on different test machines, e.g. Docker containers.
The default password for encrypted server keys is password.
All are signed under the issuer-root-ca-chain.[crt|pem] certificate chain.
Client hosts file configuration
Domains of the non-localhost certificates can be associated locally with the IP
address of a remote test server, or of an (essentially remote) VM or Docker
container, using the host OS's hosts file. This setup allows testing of cases
where a remote localhost domain or a bare IP address would result in a 'hostname
mismatch' SSL error from clients.
Example entries in the hosts file:
<some-remote-or-virtual-machine-ip> boundless-test
<docker-container-on-linux-ip> geoserver.boundless.test
<another-docker-container-on-linux-ip> gwc.boundless.test
<some-docker-machine-ip> postgis.boundless.test
When a server validates client certificates, some client certs may be signed
by the Boundless Test Root 2 CA, which is not the same as the self-signed root
CA for the server certificates (Boundless Test Root CA). This is similar to
enterprise PKI setups where client certs are signed by a different root CA than
the server.
Add the root and intermediate chains to the server's configuration, so that such clients can be authenticated. (This setup is already pre-configured in the Java keystore file.)
subissuer-issuer-root-ca_issuer-2-root-2-ca_chains.[crt|pem]
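The following script is an added example and not part of this repository: it rebuilds the two-root layout described above with throwaway keys (a root CA with an intermediate issuer signing the server cert, and a separate "Root 2" CA signing a client cert), then shows with openssl verify why a server that trusts only its own issuer-root chain cannot authenticate such a client until the second root is added to the chain. It also checks the wildcard SAN against a matching and a mismatching hostname, the same 'hostname mismatch' condition the hosts file section is about. It assumes openssl 1.1.1 or newer on PATH; all CNs, file names and SANs are placeholders chosen for the demo.

```shell
#!/bin/sh
# Added example (not the repo's own certs): throwaway two-root PKI built with
# openssl to show the effect of the combined CA chain. Assumes openssl >= 1.1.1.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > cfg <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:boundless-test,DNS:*.boundless.test
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# new_root STEM CN : self-signed root (unencrypted key, test use only)
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1-key.pem" -out "$1-cert.pem" \
    -subj "/CN=$2" -days 30 -config cfg -extensions ca_ext 2>/dev/null
}

# issue STEM CN SIGNER EXT_SECTION : new key + CSR for STEM, signed by SIGNER
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1-key.pem" -out "$1.csr" \
    -subj "/CN=$2" -config cfg 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3-cert.pem" -CAkey "$3-key.pem" -CAcreateserial \
    -out "$1-cert.pem" -days 30 -extfile cfg -extensions "$4" 2>/dev/null
}

new_root root-ca   "Test Root CA"              # signs the server side
issue    issuer    "Test Issuer CA" root-ca   ca_ext
issue    server    "boundless-test" issuer    server_ext
new_root root-2-ca "Test Root 2 CA"            # signs (some) client certs
issue    alice     "alice"          root-2-ca client_ext

# Chain files in the spirit of issuer-root-ca-chain and the combined client chain.
cat issuer-cert.pem root-ca-cert.pem > server-chain.pem
cat server-chain.pem root-2-ca-cert.pem > combined-chain.pem

# verify CHAIN CERT [extra openssl verify options] : prints "ok" or "fail"
verify() {
  chain="$1"; cert="$2"; shift 2
  if openssl verify -CAfile "$chain" "$@" "$cert" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

echo "server cert vs server chain:            $(verify server-chain.pem server-cert.pem)"
echo "client cert vs server chain (root 1):   $(verify server-chain.pem alice-cert.pem)"
echo "client cert vs combined chain (+root 2): $(verify combined-chain.pem alice-cert.pem)"
echo "hostname whatever.boundless.test:       $(verify server-chain.pem server-cert.pem -verify_hostname whatever.boundless.test)"
echo "hostname localhost (mismatch):          $(verify server-chain.pem server-cert.pem -verify_hostname localhost)"
```

The second line of output is the case the README warns about: the client cert chains to Root 2, so a server trust store built only from the issuer-root chain rejects it, and only the combined chain makes it verify. The last two lines reproduce the hostname check a TLS client performs; a client connecting by IP or by a name absent from the SAN gets the same mismatch, which is why the non-localhost names must be resolved through the hosts file rather than reached by address.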