The following certificate files are used by the SSL unit tests (ssl.py): ca-certificate.pem - contains the public certificate identifying a "trusted" Certificate Authority. This certificate is used to sign the certificates that identify the SSL servers and clients run by the tests. client-certificate.pem - the public certificate used to identify the client. Signed by the CA. client-private-key.pem - encrypted key used to create client-certificate.pem. Password is "client-password" server-certificate.pem - the public certificate used to identify the server. Signed by the CA. The CommonName is "A1.Good.Server.domain.com", and is checked by some unit tests. server-private-key.pem - encrypted key used to create server-certificate.pem. Password is "server-password" bad-server-certificate.pem, bad-server-private-key.pem - a certificate/key that is not trusted by the client, for negative test. server-wc-certificate.pem and server-wc-private-key.pem - similar to server-certificate.pem and server-private-key.pem, but contains Subject Alternate Name entries, and a wildcard CommonName. Used for certificate name checking tests. These certificates have been created using the OpenSSL tool. The following bash script can be used to create these certificates (requires keytool from Java 1.7, and openssl): --8<-- #!/bin/bash #set -x rm -f *.pem *.pkcs12 # Create a self-signed certificate for the CA, and a private key to sign certificate requests: keytool -storetype pkcs12 -keystore ca.pkcs12 -storepass ca-password -alias ca -keypass ca-password -genkey -dname "O=Trust Me Inc.,CN=Trusted.CA.com" openssl pkcs12 -nokeys -passin pass:ca-password -in ca.pkcs12 -passout pass:ca-password -out ca-certificate.pem # Create a certificate request for the server certificate. Use the CA's certificate to sign it: keytool -storetype pkcs12 -keystore server.pkcs12 -storepass server-password -alias server-certificate -keypass server-password -genkey -dname "O=Server,CN=A1.Good.Server.domain.com" keytool -storetype pkcs12 -keystore server.pkcs12 -storepass server-password -alias server-certificate -keypass server-password -certreq -file server-request.pem keytool -storetype pkcs12 -keystore ca.pkcs12 -storepass ca-password -alias ca -keypass ca-password -gencert -rfc -validity 99999 -infile server-request.pem -outfile server-certificate.pem openssl pkcs12 -nocerts -passin pass:server-password -in server.pkcs12 -passout pass:server-password -out server-private-key.pem # Create a certificate request for the client certificate. Use the CA's certificate to sign it: keytool -storetype pkcs12 -keystore client.pkcs12 -storepass client-password -alias client-certificate -keypass client-password -genkey -dname "O=Client,CN=127.0.0.1" keytool -storetype pkcs12 -keystore client.pkcs12 -storepass client-password -alias client-certificate -keypass client-password -certreq -file client-request.pem keytool -storetype pkcs12 -keystore ca.pkcs12 -storepass ca-password -alias ca -keypass ca-password -gencert -rfc -validity 99999 -infile client-request.pem -outfile client-certificate.pem openssl pkcs12 -nocerts -passin pass:client-password -in client.pkcs12 -passout pass:client-password -out client-private-key.pem # Create a "bad" certificate - not signed by a trusted authority keytool -storetype pkcs12 -keystore bad-server.pkcs12 -storepass server-password -alias bad-server -keypass server-password -genkey -dname "O=Not Trusted Inc,CN=127.0.0.1" openssl pkcs12 -nocerts -passin pass:server-password -in bad-server.pkcs12 -passout pass:server-password -out bad-server-private-key.pem openssl pkcs12 -nokeys -passin pass:server-password -in bad-server.pkcs12 -passout pass:server-password -out bad-server-certificate.pem # Create a server certificate with several alternate names, including a wildcarded common name: keytool -ext san=dns:alternate.name.one.com,dns:another.name.com -storetype pkcs12 -keystore server.pkcs12 -storepass server-password -alias server-wc-certificate -keypass server-password -genkeypair -dname "O=Server,CN=*.prefix*.domain.com" keytool -ext san=dns:alternate.name.one.com,dns:another.name.com -storetype pkcs12 -keystore server.pkcs12 -storepass server-password -alias server-wc-certificate -keypass server-password -certreq -file server-wc-request.pem keytool -ext san=dns:alternate.name.one.com,dns:another.name.com -storetype pkcs12 -keystore ca.pkcs12 -storepass ca-password -alias ca -keypass ca-password -gencert -rfc -validity 99999 -infile server-wc-request.pem -outfile server-wc-certificate.pem openssl pkcs12 -nocerts -passin pass:server-password -in server.pkcs12 -passout pass:server-password -out server-wc-private-key.pem