go.temporal.io/server@v1.23.0/common/auth/testdata/README.md

# TLS Test Data

This directory contains various TLS-related files generated using OpenSSL. The set includes private keys, valid certificates, and intentionally invalid certificates for testing purposes.

## Overview

- **Important**: The `localhost.cnf` file, which contains the configuration for the localhost server certificate, was created by hand and cannot be regenerated from a command.
- Private keys (`*.key`) are RSA keys. The exact generation commands are not recorded, but recreating the keys should not be necessary.
- Certificates (`*.crt`) include a valid Certificate Authority (CA), a valid server certificate, an invalid CA, and an invalid server certificate.

## Private Keys Generation

Several RSA private keys were initially generated and are stored in `*.key` files. The specific configuration of these keys is not documented, but they were likely generated with commands similar to the following:

```shell
openssl genrsa -out ca.key 2048
openssl genrsa -out invalid_ca.key 2048
openssl genrsa -out localhost.key 2048
openssl genrsa -out invalid_localhost.key 2048
```

**Note**: Regenerating private keys should not be necessary for testing, as the relevant information is embedded within the certificates.

## Certificates

### Valid Certificate Authority (CA)

- **File**: `ca.crt`
- **Description**: Self-signed CA certificate.
- **Regeneration Command**:

```shell
# Generate a new CSR for the CA
openssl req -new -key ca.key -out ca.csr -nodes -batch

# Self-sign the new CA certificate
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt -days 36500 -sha256

# Verify the new CA certificate
openssl verify -CAfile ca.crt ca.crt

# Clean up the CSR
rm ca.csr
```

**Note**: The CA is set with a 100-year expiry to avoid frequent regeneration.

### Valid Server Certificate

- **File**: `localhost.crt`
- **Description**: Server certificate signed by the valid CA.
- **Regeneration Command**:

```shell
openssl req -new -key localhost.key -out localhost.csr -config localhost.cnf
openssl x509 -req -in localhost.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out localhost.crt -days 36500 -sha256 -extensions req_ext -extfile localhost.cnf
openssl verify -CAfile ca.crt localhost.crt
rm ca.srl localhost.csr
```

**Note**: Includes `127.0.0.1` as an IP SAN. Regeneration or re-signing is not required if the CA certificate changes but its private key remains the same.

### Invalid CA

- **File**: `invalid_ca.crt`
- **Description**: Another CA certificate that client systems should not trust.
- **Regeneration Command**:

```shell
openssl req -new -key invalid_ca.key -out invalid_ca.csr -nodes -batch
openssl x509 -req -in invalid_ca.csr -signkey invalid_ca.key -out invalid_ca.crt -days 36500 -sha256
openssl verify -CAfile invalid_ca.crt invalid_ca.crt
rm invalid_ca.csr
```

### Invalid Server Certificate

- **File**: `invalid_localhost.crt`
- **Description**: A self-signed server certificate expected to be rejected by clients.
- **Regeneration Command**:

```shell
openssl req -new -key invalid_localhost.key -out invalid_localhost.csr -config localhost.cnf
openssl x509 -req -in invalid_localhost.csr -signkey invalid_localhost.key -out invalid_localhost.crt -days 36500 -sha256
openssl verify -CAfile invalid_localhost.crt invalid_localhost.crt
rm invalid_localhost.csr
```
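The trust relationships these files encode, as an added Go example that is not part of this testdata directory or the Temporal code base: it builds the same shape in memory (a self-signed CA, a server certificate for `127.0.0.1` signed by that CA, and a self-signed server certificate) and checks which ones a client that trusts only the CA accepts. The subject names, the `sign`/`BuildTestPKI`/`TrustedBy` helpers and the one-minute clock skew allowance are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// sign issues a certificate from tmpl; parent == tmpl makes it self-signed.
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, key *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err) // fixtures only: fail loudly instead of continuing with a bad cert
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert
}

// BuildTestPKI builds in memory the same shape as this directory: a self-signed CA,
// a server cert for 127.0.0.1 signed by that CA, and a self-signed server cert.
func BuildTestPKI() (ca, server, selfSigned *x509.Certificate) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	srvKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now().Add(-time.Minute) // assumed skew allowance so NotBefore is already in the past
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: now, NotAfter: now.AddDate(100, 0, 0), KeyUsage: x509.KeyUsageCertSign, // 100-year expiry, as in the README
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "localhost"}, NotBefore: now, NotAfter: now.AddDate(100, 0, 0),
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, // the IP SAN that localhost.cnf adds
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	ca = sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	server = sign(srvTmpl, ca, &srvKey.PublicKey, caKey)
	selfSigned = sign(srvTmpl, srvTmpl, &srvKey.PublicKey, srvKey)
	return ca, server, selfSigned
}

// TrustedBy is what a client configured with ca.crt checks: chain to ca plus SAN match for addr.
func TrustedBy(ca, leaf *x509.Certificate, addr string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: addr})
	return err == nil
}
```

Because Go ignores the Common Name for host matching, the CA-signed certificate is accepted for `127.0.0.1` but not for the name `localhost`, which is why the IP SAN in `localhost.cnf` matters.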