Thursday, June 10, 2010

How to create security tokens for testing purposes?

As part of my work responsibilities I pretty often install different WS-Security implementations to check if they are interoperable or not. If you already have secured client end server the only thing which is necessary is set of security tokens. There are different ways to create security tokens, one of them is openssl tool. OpenSSL is de-facto standard it's usually preinstalled on Unix/Linux systems and could be installed on Windows as well. I use following script to create certificates and keypairs



#create Certificate Authority Key
openssl genrsa -out ca_key.pem $KEYLENGTH
#create Certificate Authoruty Certificate
echo -e "RU\nSpb\nCA\nFAKE CA\nTesters\nCA_example_host\n\n" | \
/usr/bin/openssl req -config $CA_CFG \
-new -x509 -key ca_key.pem -out ca_cert.cer -days $DAYS

for host in $HOSTS
#create key
openssl genrsa -out ${host}_key.pem $KEYLENGTH
#create certificate request, $host is used for CN
echo -e "RU\nSpb\nFAKE Organization\nFAKE Unit\nTesters\n$host\n\n\n\n\n" | \
/usr/bin/openssl req -config $CA_CFG -extensions \
v3_ca -new -key ${host}_key.pem -out ${host}_req.pem -days $DAYS
#create certificate from request
openssl x509 -req -in ${host}_req.pem -out ${host}_cert.cer \
-CA ca_cert.cer -extfile $CA_CFG -extensions v3_ca \
-CAkey ca_key.pem -CAcreateserial -days $DAYS
# delete certificate request
rm ${host}_req.pem
#pack key-pair into pfx file with password $PASS
openssl pkcs12 -export -out ${host}.pfx -passout pass:$PASS \
-inkey ${host}_key.pem -in ${host}_cert.cer
#delete non-encrypted key
rm ${host}_key.pem

This script creates key and self-signed certificate for certificate authority. For each command-line argument script creates key-pair with certificate signed by previously created certificate authority. Certificates are stored in .cer files, keypaires are stored in .pfx files. .cer and.pfx files could be imported into Windows keystore just with doubleckick on .cer/.pfx file and these files could be imported into java keystore with following commands

keytool -importcert -keystore store.jks -storepass password -file certificate.cer
keytool -importkeystore -destkeystore store.jks -deststorepass password \
-srckeystore keypair.pfx -srcstoretype PKCS12 -srcstorepass password

No comments:

Post a Comment