This is an automated email from the ASF dual-hosted git repository.
mmarshall pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new d45a2203a4e [cleanup] Consolidate certs used in tests (#20336)
d45a2203a4e is described below
commit d45a2203a4e79a2da15d572e66e28bcec762382d
Author: Michael Marshall <[email protected]>
AuthorDate: Wed May 17 10:29:45 2023 -0500
[cleanup] Consolidate certs used in tests (#20336)
Builds on: https://github.com/apache/pulsar/pull/20289
### Motivation
There are many certificates in our test code base. It would be much simpler
to have one place where we create and manage certificates so that when we need
to make changes, they are consolidated.
There is likely one or two more PRs to finish consolidating certs.
### Modifications
* Remove certs that are no longer used
* Replace references to old certs with references to the
`certificate-authority` certs
* Create new server certs with valid hostnames on them so that tests will
pass. Document the process used to create these certs.
* Fix an issue in the `PulsarTestContext` where the configuration was not
correctly updated.
* Remove configurations that allow for insecure connections in tests that
are doing some kind of TLS verification. The only places where we leave
insecure validation in place is tests that are specifically verifying the
functionality.
* Copy `certificate-authority` to the relevant `bouncy-castle` directory
### Verifying this change
When tests pass, this change will be correctly verified.
### Documentation
- [x] `doc`
This PR includes doc changes
### Matching PR in forked repository
PR in forked repository: https://github.com/michaeljmarshall/pulsar/pull/48
---
bouncy-castle/bcfips-include-test/pom.xml | 22 ++++
.../pulsar/client/TlsProducerConsumerBase.java | 23 ++--
.../resources/authentication/tls/broker-cert.pem | 71 -----------
.../resources/authentication/tls/broker-key.pem | 28 -----
.../test/resources/authentication/tls/cacert.pem | 78 ------------
.../resources/authentication/tls/client-cert.pem | 71 -----------
.../resources/authentication/tls/client-key.pem | 28 -----
build/regenerate_certs_for_tests.sh | 7 --
.../broker/admin/BrokerAdminClientTlsAuthTest.java | 2 +-
.../broker/testcontext/PulsarTestContext.java | 3 +
.../api/AuthenticatedProducerConsumerTest.java | 53 ++++----
.../AuthenticationTlsHostnameVerificationTest.java | 26 ++--
.../client/api/ClientAuthenticationTlsTest.java | 27 ++---
.../pulsar/client/api/ProducerConsumerBase.java | 5 -
.../pulsar/client/api/ProxyProtocolTest.java | 12 +-
.../pulsar/client/api/TlsHostVerificationTest.java | 36 ++++--
.../pulsar/client/api/TlsProducerConsumerBase.java | 23 ++--
.../pulsar/client/api/TlsProducerConsumerTest.java | 20 +--
.../org/apache/pulsar/client/api/TlsSniTest.java | 6 +-
.../api/TokenExpirationProduceConsumerTest.java | 10 +-
.../worker/PulsarFunctionLocalRunTest.java | 16 ++-
.../worker/PulsarFunctionPublishTest.java | 16 ++-
.../apache/pulsar/io/AbstractPulsarE2ETest.java | 16 ++-
.../apache/pulsar/io/PulsarFunctionAdminTest.java | 20 +--
.../apache/pulsar/io/PulsarFunctionTlsTest.java | 21 ++--
.../proxy/ProxyPublishConsumeTlsTest.java | 13 +-
tests/certificate-authority/.gitignore | 3 +
tests/certificate-authority/README.md | 24 ++--
tests/certificate-authority/index.txt | 2 +
tests/certificate-authority/newcerts/1007.pem | 111 +++++++++++++++++
tests/certificate-authority/newcerts/1008.pem | 110 +++++++++++++++++
tests/certificate-authority/openssl.cnf | 17 ++-
tests/certificate-authority/serial | 2 +-
.../server-keys/broker.cert.pem | 134 +++++++++++++++++----
.../server-keys/broker.csr.pem | 26 ++--
.../server-keys/broker.key-pk8.pem | 52 ++++----
.../server-keys/broker.key.pem | 50 ++++----
.../server-keys/proxy.cert.pem | 133 ++++++++++++++++----
.../server-keys/proxy.csr.pem | 26 ++--
.../server-keys/proxy.key-pk8.pem | 52 ++++----
.../server-keys/proxy.key.pem | 50 ++++----
41 files changed, 812 insertions(+), 633 deletions(-)
diff --git a/bouncy-castle/bcfips-include-test/pom.xml
b/bouncy-castle/bcfips-include-test/pom.xml
index 3b8c6754c3f..e8348be9292 100644
--- a/bouncy-castle/bcfips-include-test/pom.xml
+++ b/bouncy-castle/bcfips-include-test/pom.xml
@@ -85,6 +85,28 @@
<skip>true</skip>
</configuration>
</plugin>
+ <plugin>
+ <artifactId>maven-resources-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>copy-resources</id>
+ <phase>test-compile</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+
<outputDirectory>${project.build.testOutputDirectory}/certificate-authority</outputDirectory>
+ <overwrite>true</overwrite>
+ <resources>
+ <resource>
+
<directory>${project.parent.parent.basedir}/tests/certificate-authority</directory>
+ <filtering>false</filtering>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
</plugins>
</build>
</project>
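Review bot: The `copy-resources` execution copies the whole `tests/certificate-authority` directory into the test output, which going by the diffstat also holds OpenSSL bookkeeping (`index.txt`, `serial`, `newcerts/`, `openssl.cnf`) and a README that the tests should not need to read. If the tests only load PEM files, narrowing the `<resource>` with `<includes><include>**/*.pem</include></includes>` keeps the CA's working state out of the build output; the exact set of files the tests read is not visible here and should be confirmed. `${project.parent.parent.basedir}` also hard-codes the module depth, so a short XML comment above the `<directory>` element saying that it points at the repository-level test CA would help whoever moves this module.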
diff --git
a/bouncy-castle/bcfips-include-test/src/test/java/org/apache/pulsar/client/TlsProducerConsumerBase.java
b/bouncy-castle/bcfips-include-test/src/test/java/org/apache/pulsar/client/TlsProducerConsumerBase.java
index 330d4fbc068..e8e12838def 100644
---
a/bouncy-castle/bcfips-include-test/src/test/java/org/apache/pulsar/client/TlsProducerConsumerBase.java
+++
b/bouncy-castle/bcfips-include-test/src/test/java/org/apache/pulsar/client/TlsProducerConsumerBase.java
@@ -37,11 +37,6 @@ import org.testng.annotations.AfterMethod;
import org.testng.annotations.BeforeMethod;
public class TlsProducerConsumerBase extends ProducerConsumerBase {
- protected final String TLS_TRUST_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/cacert.pem";
- protected final String TLS_CLIENT_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/client-cert.pem";
- protected final String TLS_CLIENT_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/client-key.pem";
- protected final String TLS_SERVER_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/broker-cert.pem";
- protected final String TLS_SERVER_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/broker-key.pem";
private final String clusterName = "use";
@BeforeMethod(alwaysRun = true)
@@ -63,9 +58,9 @@ public class TlsProducerConsumerBase extends
ProducerConsumerBase {
protected void internalSetUpForBroker() throws Exception {
conf.setBrokerServicePortTls(Optional.of(0));
conf.setWebServicePortTls(Optional.of(0));
- conf.setTlsCertificateFilePath(TLS_SERVER_CERT_FILE_PATH);
- conf.setTlsKeyFilePath(TLS_SERVER_KEY_FILE_PATH);
- conf.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
+ conf.setTlsCertificateFilePath(BROKER_CERT_FILE_PATH);
+ conf.setTlsKeyFilePath(BROKER_KEY_FILE_PATH);
+ conf.setTlsTrustCertsFilePath(CA_CERT_FILE_PATH);
conf.setClusterName(clusterName);
conf.setTlsRequireTrustedClientCertOnConnect(true);
Set<String> tlsProtocols = Sets.newConcurrentHashSet();
@@ -81,12 +76,12 @@ public class TlsProducerConsumerBase extends
ProducerConsumerBase {
}
ClientBuilder clientBuilder =
PulsarClient.builder().serviceUrl(lookupUrl)
-
.tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH).enableTls(true).allowTlsInsecureConnection(false)
+
.tlsTrustCertsFilePath(CA_CERT_FILE_PATH).enableTls(true).allowTlsInsecureConnection(false)
.operationTimeout(1000, TimeUnit.MILLISECONDS);
if (addCertificates) {
Map<String, String> authParams = new HashMap<>();
- authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
- authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
+ authParams.put("tlsCertFile", getTlsFileForClient("admin.cert"));
+ authParams.put("tlsKeyFile", getTlsFileForClient("admin.key-pk8"));
clientBuilder.authentication(AuthenticationTls.class.getName(),
authParams);
}
pulsarClient = clientBuilder.build();
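Review bot: Nothing in the client builder chain here turns on hostname verification, so with `allowTlsInsecureConnection(false)` alone any certificate issued by the test CA is accepted regardless of the name on it. Since the commit description says the new server certs carry valid hostnames, consider adding `.enableTlsHostnameVerification(true)` to this chain and to the `PulsarAdmin.builder()` chain in `internalSetUpForNamespace` in the next hunk, so the base class exercises the stricter path by default; the builders in `AuthenticatedProducerConsumerTest.internalSetup` further down are in the same position. Whether `lookupUrl` uses a host covered by the new SANs is not visible in this hunk and needs confirming first. The enclosing method starts outside the hunk.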
@@ -94,15 +89,15 @@ public class TlsProducerConsumerBase extends
ProducerConsumerBase {
protected void internalSetUpForNamespace() throws Exception {
Map<String, String> authParams = new HashMap<>();
- authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
- authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
+ authParams.put("tlsCertFile", getTlsFileForClient("admin.cert"));
+ authParams.put("tlsKeyFile", getTlsFileForClient("admin.key-pk8"));
if (admin != null) {
admin.close();
}
admin =
spy(PulsarAdmin.builder().serviceHttpUrl(brokerUrlTls.toString())
-
.tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH).allowTlsInsecureConnection(false)
+
.tlsTrustCertsFilePath(CA_CERT_FILE_PATH).allowTlsInsecureConnection(false)
.authentication(AuthenticationTls.class.getName(),
authParams).build());
admin.clusters().createCluster(clusterName, ClusterData.builder()
.serviceUrl(brokerUrl.toString())
diff --git
a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-cert.pem
b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-cert.pem
deleted file mode 100644
index e2b44e0bf0c..00000000000
---
a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-cert.pem
+++ /dev/null
@@ -1,71 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 15537474201172114493 (0xd7a0327703a8fc3d)
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: CN=CARoot
- Validity
- Not Before: Feb 22 06:26:33 2023 GMT
- Not After : Feb 19 06:26:33 2033 GMT
- Subject: C=US, ST=CA, O=Apache, OU=Apache Pulsar, CN=localhost
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- Public-Key: (2048 bit)
- Modulus:
- 00:af:bf:b7:2d:98:ad:9d:f6:da:a3:13:d4:62:0f:
- 98:be:1c:a2:89:22:ba:6f:d5:fd:1f:67:e3:91:03:
- 98:80:81:0e:ed:d8:f6:70:7f:2c:36:68:3d:53:ea:
- 58:3a:a6:d5:89:66:4b:bd:1e:57:71:13:6d:4b:11:
- e5:40:a5:76:84:24:92:40:58:80:96:c9:1f:2c:c4:
- 55:eb:a3:79:73:70:5c:37:9a:89:ed:2f:ba:6b:e3:
- 82:7c:69:4a:02:54:8b:81:5e:3c:bf:4c:8a:cb:ea:
- 2c:5e:83:e7:b7:10:08:5f:82:58:a3:89:d1:da:92:
- ba:2a:28:ee:30:28:3f:5b:ae:10:71:96:c7:e1:12:
- c5:b0:1a:ad:44:6f:44:3a:11:4a:9a:3c:0f:8d:06:
- 80:7b:34:ef:3f:6c:f4:5e:c5:44:54:1e:c8:dd:c7:
- 80:85:80:d9:68:e6:c6:53:03:77:e1:fe:18:61:07:
- 77:05:4c:ed:59:bc:5d:41:38:6a:ef:5d:a1:b2:60:
- 98:d4:48:28:95:02:8a:0e:fd:cf:7b:1b:d2:11:cc:
- 10:0c:50:73:d7:cc:38:6c:83:dd:79:26:aa:90:c8:
- 9b:84:86:bc:59:e9:62:69:f4:98:1b:c4:80:78:7e:
- a0:1a:81:9d:d2:e1:66:dd:c4:cc:fc:63:04:ac:ec:
- a7:35
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Subject Alternative Name:
- DNS:localhost, IP Address:127.0.0.1
- Signature Algorithm: sha256WithRSAEncryption
- 5f:e0:73:7b:5e:db:c0:8b:5e:4c:43:5f:80:94:ca:0b:f8:e9:
- 9b:93:91:3d:b1:3a:99:ce:1c:fb:15:32:68:3e:b9:9c:52:d0:
- 4b:7f:17:09:ec:af:6b:05:3e:e2:a3:e6:cc:bb:53:d7:ea:4a:
- 82:3c:4e:a5:37:ca:f4:1e:38:e2:d6:a5:98:4d:ee:b9:e2:9a:
- 48:d2:9f:0a:bc:61:42:70:22:b9:fb:cd:73:72:fb:94:13:ac:
- 6e:c5:b6:4b:24:ef:0f:df:2d:e6:56:da:b2:76:e8:16:be:7f:
- 3f:1b:99:6e:32:3e:b9:f4:2b:35:72:c7:e4:c6:a5:92:68:c0:
- 1f:a0:f7:17:fd:a3:b6:73:98:d3:ea:1c:af:ea:7d:f8:a0:27:
- 40:dc:4e:8b:13:28:ba:65:60:c5:90:57:e8:54:c1:83:b4:9d:
- f0:ae:2a:de:27:57:e5:a2:e5:f4:87:1c:df:6b:dc:7b:43:ff:
- b6:be:0b:3b:b2:8b:1a:36:dc:e3:57:aa:52:ef:23:d6:50:d7:
- e4:72:8f:a0:0a:43:de:3d:f2:42:5b:fa:ed:1f:8d:0e:cf:c5:
- 6a:ce:3b:8e:fd:6b:68:01:a9:f9:d2:0e:0d:ac:39:8d:f5:6c:
- 80:f8:49:af:bb:b9:d4:81:b9:f3:b2:b6:ce:75:1c:20:e8:6a:
- 53:dc:26:86
------BEGIN CERTIFICATE-----
-MIIDCTCCAfGgAwIBAgIJANegMncDqPw9MA0GCSqGSIb3DQEBCwUAMBExDzANBgNV
-BAMMBkNBUm9vdDAeFw0yMzAyMjIwNjI2MzNaFw0zMzAyMTkwNjI2MzNaMFcxCzAJ
-BgNVBAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGQXBhY2hlMRYwFAYDVQQL
-Ew1BcGFjaGUgUHVsc2FyMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQCvv7ctmK2d9tqjE9RiD5i+HKKJIrpv1f0fZ+OR
-A5iAgQ7t2PZwfyw2aD1T6lg6ptWJZku9HldxE21LEeVApXaEJJJAWICWyR8sxFXr
-o3lzcFw3montL7pr44J8aUoCVIuBXjy/TIrL6ixeg+e3EAhfglijidHakroqKO4w
-KD9brhBxlsfhEsWwGq1Eb0Q6EUqaPA+NBoB7NO8/bPRexURUHsjdx4CFgNlo5sZT
-A3fh/hhhB3cFTO1ZvF1BOGrvXaGyYJjUSCiVAooO/c97G9IRzBAMUHPXzDhsg915
-JqqQyJuEhrxZ6WJp9JgbxIB4fqAagZ3S4WbdxMz8YwSs7Kc1AgMBAAGjHjAcMBoG
-A1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAX+Bz
-e17bwIteTENfgJTKC/jpm5ORPbE6mc4c+xUyaD65nFLQS38XCeyvawU+4qPmzLtT
-1+pKgjxOpTfK9B444talmE3uueKaSNKfCrxhQnAiufvNc3L7lBOsbsW2SyTvD98t
-5lbasnboFr5/PxuZbjI+ufQrNXLH5MalkmjAH6D3F/2jtnOY0+ocr+p9+KAnQNxO
-ixMoumVgxZBX6FTBg7Sd8K4q3idX5aLl9Icc32vce0P/tr4LO7KLGjbc41eqUu8j
-1lDX5HKPoApD3j3yQlv67R+NDs/Fas47jv1raAGp+dIODaw5jfVsgPhJr7u51IG5
-87K2znUcIOhqU9wmhg==
------END CERTIFICATE-----
diff --git
a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-key.pem
b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-key.pem
deleted file mode 100644
index 004bf8e21a7..00000000000
---
a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-key.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCvv7ctmK2d9tqj
-E9RiD5i+HKKJIrpv1f0fZ+ORA5iAgQ7t2PZwfyw2aD1T6lg6ptWJZku9HldxE21L
-EeVApXaEJJJAWICWyR8sxFXro3lzcFw3montL7pr44J8aUoCVIuBXjy/TIrL6ixe
-g+e3EAhfglijidHakroqKO4wKD9brhBxlsfhEsWwGq1Eb0Q6EUqaPA+NBoB7NO8/
-bPRexURUHsjdx4CFgNlo5sZTA3fh/hhhB3cFTO1ZvF1BOGrvXaGyYJjUSCiVAooO
-/c97G9IRzBAMUHPXzDhsg915JqqQyJuEhrxZ6WJp9JgbxIB4fqAagZ3S4WbdxMz8
-YwSs7Kc1AgMBAAECggEAAaWEK9MwXTiA1+JJrRmETtOp2isPIBkbI/4vLZ6hASM0
-ZpoPxQIMAf58BJs/dF03xu/EaeMs4oxSC9ABG9fxAk/tZtjta3w65Ip6W5jOfHxj
-AMpb3HMEBhq9kDjUTq1IGVAutYQcEMkC3WfS9e4ahfqMpguWgbu6LsbvZFgcL9mv
-pGnKv9YVe6Xk6isvqtq6G1af0rd7c//xF0i0e/qEo83Buok3gLEZOELZbcRxjUYc
-jnyglnXnwkGjuL4E3wgS3l73ZKsb6+AYoqhMPVz8t4/PN3tTrsBJKOSYo8KzIm0U
-ek9T8XmPbP0cuheRxp9Dp8TXJJQZK0N9jz+EL0ogQQKBgQDnavm8GpR4pap9cDOc
-+YI5s823b507pNdSU8elO9gLsP0JlFzv+sqghVko29r85D7Vn3MkgYTy0S4ANLCs
-0NFDY8N2QH6U1dTkk1QXZydVZDuKJ5SSpC4v+Vafl8yDxhB4Nlxhbm9vJEMfLcXh
-2kL6UlAuFDtYD0AdczwnHu5DjQKBgQDCauocm55FpcyDMMBO2CjurxcjBYS3S1xT
-Bz+sPtxJLjlKbAt8kSHUQcCcX9zhrQBfsT38LATCmKaOFqUW5/PPh2LcrxiMqlL1
-OJBUJ3Te2LTjlUn8r+DHv/69UIh5tchwRr3YgB0DuIs7jfmr4VfiOWTBtPVhoGFR
-1Wt60j30SQKBgHzreS26J2VNAFBALgxRf6OIVMbtgDG/FOCDCyU9vazp+F2gcd61
-QYYPFYcBzx9uUiDctroBFHRCyJMh3jEbc6ruAogl3m6XUxmkEeOkMk5dEerM3N2f
-tLL+5Gy385U6aI+LwKhzhcG4EGeXPNdjC362ykNldnddnB2Jo/H2N2XNAoGAdnft
-xpbxP+GDGKIZXTIM5zzcLWQMdiC+1n1BSHVZiGJZWMczzKknYw7aDq+/iekApE79
-xW8RS373ZvfXi3i2Mcx+6pjrrbOQL4tTL2SHq8+DknaDCi4mG7IbyUKMlxW1WO1S
-e929UGogtZ6S+DCte9WbVwosyFuRUetpvgLk67kCgYBWetihZjgBWrqVYT24TTRH
-KxzSzH1JgzzF9qgTdlhXDv9hC+Kc0uTKsgViesDqVuCOjkwzY5OQr9c6duO0fwwP
-qNk/qltdgjMC5iiv7duyukfbEuqKEdGGer9HFb7en96dZdVQJpYHaaslAGurtD80
-ejCQZgzR2XaHSuIQb0IUVQ==
------END PRIVATE KEY-----
diff --git
a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/cacert.pem
b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/cacert.pem
deleted file mode 100644
index 4ed454ec52a..00000000000
---
a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/cacert.pem
+++ /dev/null
@@ -1,78 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 15358526754272834781 (0xd52472b5c5c3f4dd)
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: CN=CARoot
- Validity
- Not Before: Feb 22 06:26:32 2023 GMT
- Not After : Feb 19 06:26:32 2033 GMT
- Subject: CN=CARoot
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- Public-Key: (2048 bit)
- Modulus:
- 00:d0:87:45:0b:b4:83:11:ab:5a:b4:b6:1c:15:d4:
- 92:6a:0c:ac:3b:76:da:ff:8d:61:1b:bd:96:bd:d7:
- b0:70:23:87:d4:00:19:b2:e5:63:b7:80:58:4a:a4:
- d8:a8:a6:4f:eb:c8:8c:54:07:f5:56:52:23:64:fc:
- 66:54:39:f1:33:d0:e5:cc:b6:40:c8:d7:9a:9f:0e:
- c4:aa:57:b0:b3:e2:41:61:54:ca:1f:90:3b:18:ef:
- 60:d2:dc:ee:34:29:33:08:1b:37:4b:c4:ca:7e:cb:
- 94:7f:50:c4:8d:16:2f:90:03:94:07:bf:cf:52:ff:
- 24:54:56:ac:74:6c:d3:31:8c:ce:ef:b3:14:5a:5b:
- 8a:0c:83:2d:e1:f7:4d:60:2f:a1:4d:85:38:96:7f:
- 01:2f:9a:99:c7:2e:3d:09:4d:5e:53:df:fd:29:9f:
- ff:6b:e4:c2:a1:e3:67:85:db:e2:02:4d:6f:29:d4:
- e1:b3:a2:34:71:e0:90:dd:3f:b3:3f:86:41:8c:97:
- 09:e6:c3:de:a0:0e:d3:d4:3e:ce:ea:58:70:e6:9f:
- 24:a8:19:ca:df:61:b8:9c:c3:4e:53:d0:69:96:44:
- 84:76:2b:99:65:08:06:42:d4:b2:76:a7:2f:69:12:
- d5:c2:65:a6:ff:2c:77:73:00:e7:97:a5:77:6b:8a:
- 9c:3f
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints: critical
- CA:TRUE
- X509v3 Subject Key Identifier:
- A7:55:6B:51:10:75:CE:4E:5B:0B:64:FF:A9:6D:23:FB:57:88:59:69
- X509v3 Authority Key Identifier:
-
keyid:A7:55:6B:51:10:75:CE:4E:5B:0B:64:FF:A9:6D:23:FB:57:88:59:69
- DirName:/CN=CARoot
- serial:D5:24:72:B5:C5:C3:F4:DD
-
- Signature Algorithm: sha256WithRSAEncryption
- 21:b1:4d:2b:14:1e:5a:91:5d:28:9e:ba:cb:ed:f1:96:da:c3:
- fa:8d:b5:74:e4:c5:fb:2f:3e:39:b4:a6:59:69:dd:84:64:a8:
- f0:e0:39:d2:ef:87:cc:8b:09:9f:0a:84:1f:d0:96:9c:4b:64:
- ea:08:09:26:1c:84:f4:06:5f:5e:b9:ba:b3:3c:6c:81:e0:93:
- 46:89:07:51:95:36:77:96:76:5d:a6:68:71:bb:60:88:a7:83:
- 27:7c:66:5d:64:36:cb:8e:bd:02:f7:fb:52:63:83:2f:fe:57:
- 4c:d5:0c:1b:ea:ef:88:ad:8c:a9:d4:b3:2c:b8:c4:e2:90:cb:
- 0f:24:0e:df:fc:2a:c6:83:08:49:45:b0:41:85:0e:b4:6f:f7:
- 18:56:7b:a5:0b:f6:1b:7f:72:88:ee:c8:ef:b3:e3:3e:f0:68:
- 1b:c9:55:bb:4d:21:65:6b:9e:5c:dd:60:4b:7f:f1:84:f8:67:
- 51:c2:60:88:42:6e:6c:9c:14:b8:96:b0:18:10:97:2c:94:e7:
- 79:14:7b:d1:a2:a4:d8:94:84:ac:a9:ca:17:95:c2:27:8b:2b:
- d8:19:6a:14:4b:c3:03:a6:30:55:40:bd:ce:0c:c2:d5:af:7d:
- 6d:65:89:6b:74:ed:21:12:f1:aa:c9:c9:ba:da:9a:ca:14:6c:
- 39:f4:02:32
------BEGIN CERTIFICATE-----
-MIIDGjCCAgKgAwIBAgIJANUkcrXFw/TdMA0GCSqGSIb3DQEBCwUAMBExDzANBgNV
-BAMMBkNBUm9vdDAeFw0yMzAyMjIwNjI2MzJaFw0zMzAyMTkwNjI2MzJaMBExDzAN
-BgNVBAMMBkNBUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANCH
-RQu0gxGrWrS2HBXUkmoMrDt22v+NYRu9lr3XsHAjh9QAGbLlY7eAWEqk2KimT+vI
-jFQH9VZSI2T8ZlQ58TPQ5cy2QMjXmp8OxKpXsLPiQWFUyh+QOxjvYNLc7jQpMwgb
-N0vEyn7LlH9QxI0WL5ADlAe/z1L/JFRWrHRs0zGMzu+zFFpbigyDLeH3TWAvoU2F
-OJZ/AS+amccuPQlNXlPf/Smf/2vkwqHjZ4Xb4gJNbynU4bOiNHHgkN0/sz+GQYyX
-CebD3qAO09Q+zupYcOafJKgZyt9huJzDTlPQaZZEhHYrmWUIBkLUsnanL2kS1cJl
-pv8sd3MA55eld2uKnD8CAwEAAaN1MHMwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
-FgQUp1VrURB1zk5bC2T/qW0j+1eIWWkwQQYDVR0jBDowOIAUp1VrURB1zk5bC2T/
-qW0j+1eIWWmhFaQTMBExDzANBgNVBAMMBkNBUm9vdIIJANUkcrXFw/TdMA0GCSqG
-SIb3DQEBCwUAA4IBAQAhsU0rFB5akV0onrrL7fGW2sP6jbV05MX7Lz45tKZZad2E
-ZKjw4DnS74fMiwmfCoQf0JacS2TqCAkmHIT0Bl9eubqzPGyB4JNGiQdRlTZ3lnZd
-pmhxu2CIp4MnfGZdZDbLjr0C9/tSY4Mv/ldM1Qwb6u+IrYyp1LMsuMTikMsPJA7f
-/CrGgwhJRbBBhQ60b/cYVnulC/Ybf3KI7sjvs+M+8GgbyVW7TSFla55c3WBLf/GE
-+GdRwmCIQm5snBS4lrAYEJcslOd5FHvRoqTYlISsqcoXlcIniyvYGWoUS8MDpjBV
-QL3ODMLVr31tZYlrdO0hEvGqycm62prKFGw59AIy
------END CERTIFICATE-----
diff --git
a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/client-cert.pem
b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/client-cert.pem
deleted file mode 100644
index 3cf236c4012..00000000000
---
a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/client-cert.pem
+++ /dev/null
@@ -1,71 +0,0 @@
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 15537474201172114494 (0xd7a0327703a8fc3e)
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: CN=CARoot
- Validity
- Not Before: Feb 22 06:26:33 2023 GMT
- Not After : Feb 19 06:26:33 2033 GMT
- Subject: C=US, ST=CA, O=Apache, OU=Apache Pulsar, CN=superUser
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- Public-Key: (2048 bit)
- Modulus:
- 00:cd:43:7d:98:40:f9:b0:5b:bc:ae:db:c0:0b:ad:
- 26:90:96:e0:62:38:ed:68:b1:70:46:3b:de:44:f9:
- 14:51:86:10:eb:ca:90:e7:88:e8:f9:91:85:e0:dd:
- b5:b4:14:b9:78:e3:86:d5:54:6d:68:ec:14:92:b4:
- f8:22:5b:05:3d:ed:31:25:65:08:05:84:ca:e6:0c:
- 21:12:58:32:c7:1a:60:a3:4f:d2:4a:9e:28:19:7c:
- 45:84:00:8c:89:dc:de:8a:e5:4f:88:91:cc:a4:f1:
- 81:45:4c:7d:c2:ff:e2:c1:89:c6:12:73:95:e2:36:
- bd:db:ae:8b:5a:68:6a:90:51:de:2b:88:5f:aa:67:
- f4:a8:e3:63:dc:be:19:82:cc:9d:7f:e6:8d:fb:82:
- be:22:01:3d:56:13:3b:5b:04:b4:e8:c5:18:e6:2e:
- 0d:fa:ba:4a:8d:e8:c6:5a:a1:51:9a:4a:62:d7:af:
- dd:b4:fc:e2:d5:cd:ae:99:6c:5c:61:56:0b:d7:0c:
- 1a:77:5c:f5:3a:6a:54:b5:9e:33:ac:a9:75:28:9a:
- 76:af:d0:7a:57:00:1b:91:13:31:fd:42:88:21:47:
- 05:10:01:2f:59:bb:c7:3a:d9:e1:58:4c:1b:6c:71:
- b6:98:ef:dd:03:82:58:a3:32:dc:90:a1:b6:a6:1e:
- e1:0b
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Subject Alternative Name:
- DNS:localhost, IP Address:127.0.0.1
- Signature Algorithm: sha256WithRSAEncryption
- b8:fc:d3:8f:8a:e0:6b:74:57:e2:a3:79:b2:18:60:0b:2c:05:
- f9:e3:ae:dd:e9:ad:52:88:52:73:b4:12:b0:39:90:65:12:f5:
- 95:0e:5f:4b:f2:06:4a:57:ab:e1:f9:b1:34:68:83:d7:d7:5e:
- 69:0a:16:44:ea:1d:97:53:51:10:51:8b:ec:0a:b3:c8:a3:3d:
- 85:4d:f4:8f:7d:b3:b5:72:e4:9e:d7:f3:01:bf:66:e1:40:92:
- 54:63:16:b6:b5:66:ed:30:38:94:1d:1a:8f:28:34:27:ab:c9:
- 5f:d5:16:7e:e4:f5:93:d2:19:35:44:0a:c4:2e:6a:25:38:1d:
- ee:5a:c8:29:fa:96:dc:95:82:38:9e:36:3a:68:34:7b:4e:d9:
- fa:0d:b2:88:a2:6c:4f:03:18:a7:e3:41:67:38:de:e5:f6:ff:
- 2a:1c:f0:ec:1a:02:a7:e8:4e:3a:c3:04:72:f8:6a:4f:28:a6:
- cf:0b:a2:db:33:74:d1:10:9e:ec:b4:ac:f8:b1:24:f4:ef:0e:
- 05:e4:9d:1b:9a:40:f7:09:66:9c:9d:86:8b:76:96:46:e8:d1:
- dc:10:c7:7d:0b:69:41:dc:a7:8e:e3:a3:36:e3:42:63:93:8c:
- 91:80:0d:27:11:1c:2d:ae:fb:92:88:6c:6b:09:40:1a:30:dd:
- 8f:ac:0f:62
------BEGIN CERTIFICATE-----
-MIIDCTCCAfGgAwIBAgIJANegMncDqPw+MA0GCSqGSIb3DQEBCwUAMBExDzANBgNV
-BAMMBkNBUm9vdDAeFw0yMzAyMjIwNjI2MzNaFw0zMzAyMTkwNjI2MzNaMFcxCzAJ
-BgNVBAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGQXBhY2hlMRYwFAYDVQQL
-Ew1BcGFjaGUgUHVsc2FyMRIwEAYDVQQDEwlzdXBlclVzZXIwggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQDNQ32YQPmwW7yu28ALrSaQluBiOO1osXBGO95E
-+RRRhhDrypDniOj5kYXg3bW0FLl444bVVG1o7BSStPgiWwU97TElZQgFhMrmDCES
-WDLHGmCjT9JKnigZfEWEAIyJ3N6K5U+Ikcyk8YFFTH3C/+LBicYSc5XiNr3brota
-aGqQUd4riF+qZ/So42PcvhmCzJ1/5o37gr4iAT1WEztbBLToxRjmLg36ukqN6MZa
-oVGaSmLXr920/OLVza6ZbFxhVgvXDBp3XPU6alS1njOsqXUomnav0HpXABuREzH9
-QoghRwUQAS9Zu8c62eFYTBtscbaY790DglijMtyQobamHuELAgMBAAGjHjAcMBoG
-A1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAuPzT
-j4rga3RX4qN5shhgCywF+eOu3emtUohSc7QSsDmQZRL1lQ5fS/IGSler4fmxNGiD
-19deaQoWROodl1NREFGL7AqzyKM9hU30j32ztXLkntfzAb9m4UCSVGMWtrVm7TA4
-lB0ajyg0J6vJX9UWfuT1k9IZNUQKxC5qJTgd7lrIKfqW3JWCOJ42Omg0e07Z+g2y
-iKJsTwMYp+NBZzje5fb/Khzw7BoCp+hOOsMEcvhqTyimzwui2zN00RCe7LSs+LEk
-9O8OBeSdG5pA9wlmnJ2Gi3aWRujR3BDHfQtpQdynjuOjNuNCY5OMkYANJxEcLa77
-kohsawlAGjDdj6wPYg==
------END CERTIFICATE-----
diff --git
a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/client-key.pem
b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/client-key.pem
deleted file mode 100644
index 3835b3eaccc..00000000000
---
a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/client-key.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDNQ32YQPmwW7yu
-28ALrSaQluBiOO1osXBGO95E+RRRhhDrypDniOj5kYXg3bW0FLl444bVVG1o7BSS
-tPgiWwU97TElZQgFhMrmDCESWDLHGmCjT9JKnigZfEWEAIyJ3N6K5U+Ikcyk8YFF
-TH3C/+LBicYSc5XiNr3brotaaGqQUd4riF+qZ/So42PcvhmCzJ1/5o37gr4iAT1W
-EztbBLToxRjmLg36ukqN6MZaoVGaSmLXr920/OLVza6ZbFxhVgvXDBp3XPU6alS1
-njOsqXUomnav0HpXABuREzH9QoghRwUQAS9Zu8c62eFYTBtscbaY790DglijMtyQ
-obamHuELAgMBAAECggEBALGnokJuqiz7mTj2NSdl+6TVEOuyPbiJKpV/J4cm1XEh
-ye9qaTQcCRhH3UmcWrG75jM9KevloLRY8A1x1/lUMhtA+XJWGTU9k6a8BLut3nT4
-3X87jNTMQgSczEXNe9WudmZcxhN7rVVtOOdTpt1pP0cnCWna5HTf0D8cuLvM975j
-r1YGTjKsCF1W+tp6ZAIIMfJkUI2qBRKvSxVCSs1vZBraox3yUVnq9oRLHxZZoqOd
-d51G5phRtn6ReVPBdT8fGUBEGg3jKxTu2/vLQMUyHy0hyCAM20gzOP4FIc2g+QZU
-y42byAuc89m0OrdRWsmzHCOxcq9DwY9npaz1RscR/2ECgYEA9bHJQ0Y1afpS5gn2
-KnXenRIw9oal1utQZnohCEJ4um+K/BCEHtDnI825LPNf34IKM2rSmssvHrYN51o0
-92j9lHHXsf6MVluwsTsIu8MtNaJ1BLt96dub4ScGT6vvzObKTwsajUfIHk+FNsKq
-zps8yh1q0qyyfAcvR82+Xr6JIsMCgYEA1d+RHGewi/Ub/GCG99A1KFKsgbiIJnWB
-IFmrcyPWignhzDUcw2SV9XqAzeK8EOIHNq3e5U/tkA7aCWxtLb5UsQ8xvmwQY2cy
-X2XvSdIhO4K2PgRLgjlzZ8RHSULglqyjB2i6TjwjFl8TsRzYr6JlV6+2cMujw4Bl
-g3a8gz071BkCgYBLP7BMkmw5kRliqxph1sffg3rLhmG0eU2elTkYtoMTVqZSnRxZ
-89FW/eMBCWkLo2BMbyMhlalQ1qFbgh1GyTkhBdzx/uwsZtiu7021dAmcq6z7ThE6
-VrBfPPyJ2jcPon/DxbrUGnAIGILMSsLVlGYB4RCehZYEto6chz8O9Xw60QKBgCnd
-us1BqviqwZC04JbQJie/j09RbS2CIQXRJ9PBNzUMXCwaVYgWP5ivI1mqQcBYTqsw
-fAqNi+aAUcQ4emLS+Ec0vzsUclzTDbRJAv+DZ8f7fWtEcfeLAYFVldLMiaRVJRDF
-OnsoIII3mGY6TFyNQKNanS8VXfheQQDsFFjoera5AoGBALXYEXkESXpw4LT6qJFz
-ktQuTZDfS6LtR14/+NkYL9c5wBC4Otkg4bNbT8xGlUjethRfpkm8xRTB6zfC1/p/
-Cg6YU1cwqlkRurAhE3PEv1dCc1IDbzou8xnwqHrd6sGPDQmQ3aEtU5eJhDZKIZfx
-nQqPGK92+Jtne7+W1mFZooxs
------END PRIVATE KEY-----
diff --git a/build/regenerate_certs_for_tests.sh
b/build/regenerate_certs_for_tests.sh
index fff1c057060..9582a7496cd 100755
--- a/build/regenerate_certs_for_tests.sh
+++ b/build/regenerate_certs_for_tests.sh
@@ -68,13 +68,6 @@ reissue_certificate_no_subject \
$ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/no-subject-alt-key.pem
\
$ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/no-subject-alt-cert.pem
-generate_ca
-cp ca-cert.pem
$ROOT_DIR/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/cacert.pem
-reissue_certificate
$ROOT_DIR/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-key.pem
\
-
$ROOT_DIR/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-cert.pem
-reissue_certificate
$ROOT_DIR/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/client-key.pem
\
-
$ROOT_DIR/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/client-cert.pem
-
generate_ca
cp ca-cert.pem
$ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cacert.pem
reissue_certificate
$ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-key.pem
\
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/broker/admin/BrokerAdminClientTlsAuthTest.java
b/pulsar-broker/src/test/java/org/apache/pulsar/broker/admin/BrokerAdminClientTlsAuthTest.java
index 19a550457a4..0e4f1bccc81 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/broker/admin/BrokerAdminClientTlsAuthTest.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/broker/admin/BrokerAdminClientTlsAuthTest.java
@@ -63,7 +63,7 @@ public class BrokerAdminClientTlsAuthTest extends
MockedPulsarServiceBaseTest {
conf.setTlsKeyFilePath(BROKER_KEY_FILE_PATH);
conf.setTlsTrustCertsFilePath(CA_CERT_FILE_PATH);
conf.setAuthenticationEnabled(true);
- conf.setSuperUserRoles(Set.of("superproxy",
"broker.pulsar.apache.org"));
+ conf.setSuperUserRoles(Set.of("superproxy", "broker-localhost-SAN"));
conf.setAuthenticationProviders(
Set.of("org.apache.pulsar.broker.authentication.AuthenticationProviderTls"));
conf.setAuthorizationEnabled(true);
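Review bot: The super-user role `"broker-localhost-SAN"` is a bare literal that presumably has to equal the subject CN of the regenerated broker certificate, since `AuthenticationProviderTls` is the configured provider, yet nothing near it says so. A comment on that line such as `// must match the subject CN of the certificate at BROKER_CERT_FILE_PATH` would stop the next cert regeneration from silently breaking authorization in this test. The enclosing method starts and ends outside the hunk.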
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/broker/testcontext/PulsarTestContext.java
b/pulsar-broker/src/test/java/org/apache/pulsar/broker/testcontext/PulsarTestContext.java
index e170425ffe4..d3d4b7cf934 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/broker/testcontext/PulsarTestContext.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/broker/testcontext/PulsarTestContext.java
@@ -323,6 +323,9 @@ public class PulsarTestContext implements AutoCloseable {
*/
public Builder configCustomizer(Consumer<ServiceConfiguration>
configCustomerizer) {
configCustomerizer.accept(svcConfig);
+ if (config != null) {
+ configCustomerizer.accept(config);
+ }
return this;
}
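Review bot: `configCustomizer` now runs the caller's lambda a second time on `config`, so a customizer with side effects, or one invoked when `config` and `svcConfig` are the same instance, is applied twice, and a `config` assigned after this call never receives the customization. Guarding with `if (config != null && config != svcConfig) {` and stating in the Javadoc that the customizer must be idempotent and that its ordering relative to the config setter matters would make the contract explicit. How `config` gets assigned is not visible in this hunk, so the ordering concern is inferred. The Javadoc for the method begins outside the hunk.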
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticatedProducerConsumerTest.java
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticatedProducerConsumerTest.java
index 71e30c21b3c..75ae91f18a3 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticatedProducerConsumerTest.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticatedProducerConsumerTest.java
@@ -64,12 +64,6 @@ import org.testng.annotations.Test;
public class AuthenticatedProducerConsumerTest extends ProducerConsumerBase {
private static final Logger log =
LoggerFactory.getLogger(AuthenticatedProducerConsumerTest.class);
- private final String TLS_TRUST_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/cacert.pem";
- private final String TLS_SERVER_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/broker-cert.pem";
- private final String TLS_SERVER_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/broker-key.pem";
- private final String TLS_CLIENT_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/client-cert.pem";
- private final String TLS_CLIENT_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/client-key.pem";
-
private final String BASIC_CONF_FILE_PATH =
"./src/test/resources/authentication/basic/.htpasswd";
private final SecretKey SECRET_KEY =
AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
@@ -88,9 +82,9 @@ public class AuthenticatedProducerConsumerTest extends
ProducerConsumerBase {
conf.setBrokerServicePortTls(Optional.of(0));
conf.setWebServicePortTls(Optional.of(0));
- conf.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
- conf.setTlsCertificateFilePath(TLS_SERVER_CERT_FILE_PATH);
- conf.setTlsKeyFilePath(TLS_SERVER_KEY_FILE_PATH);
+ conf.setTlsTrustCertsFilePath(CA_CERT_FILE_PATH);
+ conf.setTlsCertificateFilePath(BROKER_CERT_FILE_PATH);
+ conf.setTlsKeyFilePath(BROKER_KEY_FILE_PATH);
conf.setTlsAllowInsecureConnection(true);
conf.setTopicLevelPoliciesEnabled(false);
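Review bot: The broker configuration keeps `conf.setTlsAllowInsecureConnection(true)` directly after the new certificate paths, while later hunks in this file drop `allowTlsInsecureConnection(true)` from the admin and client builders. If this test is not specifically exercising untrusted client certificates, set it to `false` (or delete the line) so the broker side also validates client certs against `CA_CERT_FILE_PATH`; otherwise add a comment saying why it must stay, for example `// broker intentionally accepts untrusted client certs here: <reason>`. The setup method starts and ends outside the hunk.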
@@ -104,7 +98,8 @@ public class AuthenticatedProducerConsumerTest extends
ProducerConsumerBase {
conf.setBrokerClientTlsEnabled(true);
conf.setBrokerClientAuthenticationPlugin(AuthenticationTls.class.getName());
conf.setBrokerClientAuthenticationParameters(
- "tlsCertFile:" + TLS_CLIENT_CERT_FILE_PATH + "," +
"tlsKeyFile:" + TLS_CLIENT_KEY_FILE_PATH);
+ "tlsCertFile:" + getTlsFileForClient("admin.cert")
+ + ",tlsKeyFile:" +
getTlsFileForClient("admin.key-pk8"));
Set<String> providers = new HashSet<>();
providers.add(AuthenticationProviderTls.class.getName());
@@ -126,7 +121,7 @@ public class AuthenticatedProducerConsumerTest extends
ProducerConsumerBase {
protected final void internalSetup(Authentication auth) throws Exception {
admin =
spy(PulsarAdmin.builder().serviceHttpUrl(brokerUrlTls.toString())
-
.tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH).allowTlsInsecureConnection(true).authentication(auth)
+ .tlsTrustCertsFilePath(CA_CERT_FILE_PATH).authentication(auth)
.build());
String lookupUrl;
// For http basic authentication test
@@ -136,7 +131,7 @@ public class AuthenticatedProducerConsumerTest extends
ProducerConsumerBase {
lookupUrl = pulsar.getBrokerServiceUrlTls();
}
replacePulsarClient(PulsarClient.builder().serviceUrl(lookupUrl).statsInterval(0,
TimeUnit.SECONDS)
-
.tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH).allowTlsInsecureConnection(true).authentication(auth)
+ .tlsTrustCertsFilePath(CA_CERT_FILE_PATH).authentication(auth)
.enableTls(true));
}
@@ -188,8 +183,8 @@ public class AuthenticatedProducerConsumerTest extends
ProducerConsumerBase {
log.info("-- Starting {} test --", methodName);
Map<String, String> authParams = new HashMap<>();
- authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
- authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
+ authParams.put("tlsCertFile", getTlsFileForClient("admin.cert"));
+ authParams.put("tlsKeyFile", getTlsFileForClient("admin.key-pk8"));
Authentication authTls = new AuthenticationTls();
authTls.configure(authParams);
internalSetup(authTls);
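Review bot: The two `authParams.put(...)` lines with the literals `"admin.cert"` and `"admin.key-pk8"` are repeated verbatim in this hunk and in the four hunks that follow it in this file, and twice more in the bouncy-castle `TlsProducerConsumerBase`, so the next rename of the client identity means touching every copy. A small private helper that returns the configured `AuthenticationTls`, or two constants for the file names, would keep the test client identity in one place. The test methods start and end outside these hunks.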
@@ -246,8 +241,8 @@ public class AuthenticatedProducerConsumerTest extends
ProducerConsumerBase {
log.info("-- Starting {} test --", methodName);
Map<String, String> authParams = new HashMap<>();
- authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
- authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
+ authParams.put("tlsCertFile", getTlsFileForClient("admin.cert"));
+ authParams.put("tlsKeyFile", getTlsFileForClient("admin.key-pk8"));
Authentication authTls = new AuthenticationTls();
authTls.configure(authParams);
internalSetup(authTls);
@@ -291,8 +286,8 @@ public class AuthenticatedProducerConsumerTest extends
ProducerConsumerBase {
log.info("-- Starting {} test --", methodName);
Map<String, String> authParams = new HashMap<>();
- authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
- authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
+ authParams.put("tlsCertFile", getTlsFileForClient("admin.cert"));
+ authParams.put("tlsKeyFile", getTlsFileForClient("admin.key-pk8"));
Authentication authTls = new AuthenticationTls();
authTls.configure(authParams);
internalSetup(authTls);
@@ -324,8 +319,8 @@ public class AuthenticatedProducerConsumerTest extends
ProducerConsumerBase {
log.info("-- Starting {} test --", methodName);
Map<String, String> authParams = new HashMap<>();
- authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
- authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
+ authParams.put("tlsCertFile", getTlsFileForClient("admin.cert"));
+ authParams.put("tlsKeyFile", getTlsFileForClient("admin.key-pk8"));
Authentication authTls = new AuthenticationTls();
authTls.configure(authParams);
internalSetup(authTls);
@@ -362,8 +357,8 @@ public class AuthenticatedProducerConsumerTest extends
ProducerConsumerBase {
@Test
public void testDeleteAuthenticationPoliciesOfTopic() throws Exception {
Map<String, String> authParams = new HashMap<>();
- authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
- authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
+ authParams.put("tlsCertFile", getTlsFileForClient("admin.cert"));
+ authParams.put("tlsKeyFile", getTlsFileForClient("admin.key-pk8"));
Authentication authTls = new AuthenticationTls();
authTls.configure(authParams);
internalSetup(authTls);
@@ -424,7 +419,8 @@ public class AuthenticatedProducerConsumerTest extends
ProducerConsumerBase {
admin.clusters().deleteCluster("test");
}
- private final Authentication tlsAuth = new
AuthenticationTls(TLS_CLIENT_CERT_FILE_PATH, TLS_CLIENT_KEY_FILE_PATH);
+ private final Authentication tlsAuth =
+ new AuthenticationTls(getTlsFileForClient("admin.cert"),
getTlsFileForClient("admin.key-pk8"));
private final Authentication tokenAuth = new
AuthenticationToken(ADMIN_TOKEN);
@DataProvider
@@ -454,10 +450,9 @@ public class AuthenticatedProducerConsumerTest extends
ProducerConsumerBase {
@Cleanup
PulsarClient client = PulsarClient.builder().serviceUrl(url.get())
- .tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH)
- .tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH)
- .tlsKeyFilePath(TLS_CLIENT_KEY_FILE_PATH)
- .tlsCertificateFilePath(TLS_CLIENT_CERT_FILE_PATH)
+ .tlsTrustCertsFilePath(CA_CERT_FILE_PATH)
+ .tlsKeyFilePath(getTlsFileForClient("admin.key-pk8"))
+ .tlsCertificateFilePath(getTlsFileForClient("admin.cert"))
.authentication(auth)
.allowTlsInsecureConnection(false)
.enableTlsHostnameVerification(false)
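Review bot: This client keeps `.enableTlsHostnameVerification(false)` even though the commit description says the new server certificates were issued with valid hostnames. If the broker certificate covers the host in `url.get()` (not visible here), `.enableTlsHostnameVerification(true)` would make the test exercise full server validation rather than chain validation only. The same applies to the matching builder in `TlsProducerConsumerTest` further down. If the flag has to stay off, a short comment such as `// hostname check off: <reason>` would record why. The builder chain continues past the end of the hunk.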
@@ -470,8 +465,8 @@ public class AuthenticatedProducerConsumerTest extends
ProducerConsumerBase {
@Test
public void testCleanupEmptyTopicAuthenticationMap() throws Exception {
Map<String, String> authParams = new HashMap<>();
- authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
- authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
+ authParams.put("tlsCertFile", getTlsFileForClient("admin.cert"));
+ authParams.put("tlsKeyFile", getTlsFileForClient("admin.key-pk8"));
Authentication authTls = new AuthenticationTls();
authTls.configure(authParams);
internalSetup(authTls);
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticationTlsHostnameVerificationTest.java
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticationTlsHostnameVerificationTest.java
index f2631f59121..e3bd321d763 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticationTlsHostnameVerificationTest.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticationTlsHostnameVerificationTest.java
@@ -46,17 +46,10 @@ public class AuthenticationTlsHostnameVerificationTest
extends ProducerConsumerB
private final String TLS_MIM_SERVER_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/hn-verification/broker-cert.pem";
private final String TLS_MIM_SERVER_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/hn-verification/broker-key.pem";
- private final String TLS_TRUST_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/cacert.pem";
- private final String TLS_SERVER_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/broker-cert.pem";
- private final String TLS_SERVER_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/broker-key.pem";
-
- private final String TLS_CLIENT_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/client-cert.pem";
- private final String TLS_CLIENT_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/client-key.pem";
-
private final String BASIC_CONF_FILE_PATH =
"./src/test/resources/authentication/basic/.htpasswd";
private boolean hostnameVerificationEnabled = true;
- private String clientTrustCertFilePath = TLS_TRUST_CERT_FILE_PATH;
+ private String clientTrustCertFilePath = CA_CERT_FILE_PATH;
protected void setup() throws Exception {
super.internalSetup();
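Review bot: `clientTrustCertFilePath` now points at `CA_CERT_FILE_PATH`, while `TLS_MIM_SERVER_CERT_FILE_PATH` and `TLS_MIM_SERVER_KEY_FILE_PATH` still reference files under `authentication/tls/hn-verification/`. If that broker certificate was not reissued by the consolidated CA (not visible in this hunk), the mismatched-hostname test would fail on the trust chain and pass without hostname verification ever running. A comment on the two constants naming the signing CA would make that dependency checkable, e.g. `// signed by certificate-authority/certs/ca.cert.pem; CN deliberately does not match localhost`.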
@@ -81,7 +74,8 @@ public class AuthenticationTlsHostnameVerificationTest
extends ProducerConsumerB
conf.setBrokerClientAuthenticationPlugin(AuthenticationTls.class.getName());
conf.setBrokerClientAuthenticationParameters(
- "tlsCertFile:" + TLS_CLIENT_CERT_FILE_PATH + "," +
"tlsKeyFile:" + TLS_SERVER_KEY_FILE_PATH);
+ "tlsCertFile:" + getTlsFileForClient("admin.cert")
+ + ",tlsKeyFile:" +
getTlsFileForClient("admin.key-pk8"));
Set<String> providers = new HashSet<>();
providers.add(AuthenticationProviderTls.class.getName());
@@ -100,8 +94,8 @@ public class AuthenticationTlsHostnameVerificationTest
extends ProducerConsumerB
protected void setupClient() throws Exception {
Map<String, String> authParams = new HashMap<>();
- authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
- authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
+ authParams.put("tlsCertFile", getTlsFileForClient("admin.cert"));
+ authParams.put("tlsKeyFile", getTlsFileForClient("admin.key-pk8"));
Authentication authTls = new AuthenticationTls();
authTls.configure(authParams);
@@ -147,11 +141,11 @@ public class AuthenticationTlsHostnameVerificationTest
extends ProducerConsumerB
// setup broker cert which has CN = "pulsar" different than broker's
hostname="localhost"
conf.setBrokerServicePortTls(Optional.of(0));
conf.setWebServicePortTls(Optional.of(0));
- conf.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
+ conf.setTlsTrustCertsFilePath(CA_CERT_FILE_PATH);
conf.setTlsCertificateFilePath(TLS_MIM_SERVER_CERT_FILE_PATH);
conf.setTlsKeyFilePath(TLS_MIM_SERVER_KEY_FILE_PATH);
conf.setBrokerClientAuthenticationParameters(
- "tlsCertFile:" + TLS_CLIENT_CERT_FILE_PATH + "," +
"tlsKeyFile:" + TLS_MIM_SERVER_KEY_FILE_PATH);
+ "tlsCertFile:" + getTlsFileForClient("admin.cert") + "," +
"tlsKeyFile:" + TLS_MIM_SERVER_KEY_FILE_PATH);
setup();
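Review bot: The broker client parameters pair the `admin.cert` certificate with `TLS_MIM_SERVER_KEY_FILE_PATH`, which is the broker's private key, so the certificate and key do not belong together. The earlier hunk in this file replaced a similar cert/key mix with `getTlsFileForClient("admin.key-pk8")`. Using `+ ",tlsKeyFile:" + getTlsFileForClient("admin.key-pk8"));` here would keep the two call sites consistent. If the mismatch is intended for this scenario, a one-line comment saying so would stop it being read as a leftover. The enclosing test method begins before and ends after the hunk.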
@@ -188,9 +182,9 @@ public class AuthenticationTlsHostnameVerificationTest
extends ProducerConsumerB
// setup broker cert which has CN = "localhost"
conf.setBrokerServicePortTls(Optional.of(0));
conf.setWebServicePortTls(Optional.of(0));
- conf.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
- conf.setTlsCertificateFilePath(TLS_SERVER_CERT_FILE_PATH);
- conf.setTlsKeyFilePath(TLS_SERVER_KEY_FILE_PATH);
+ conf.setTlsTrustCertsFilePath(CA_CERT_FILE_PATH);
+ conf.setTlsCertificateFilePath(BROKER_CERT_FILE_PATH);
+ conf.setTlsKeyFilePath(BROKER_KEY_FILE_PATH);
setup();
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/ClientAuthenticationTlsTest.java
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/ClientAuthenticationTlsTest.java
index 186bf9d736e..c9b243257c4 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/ClientAuthenticationTlsTest.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/ClientAuthenticationTlsTest.java
@@ -37,15 +37,9 @@ import org.testng.annotations.Test;
@Test(groups = "broker-api")
public class ClientAuthenticationTlsTest extends ProducerConsumerBase {
- private final String TLS_TRUST_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/cacert.pem";
- private final String TLS_SERVER_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/broker-cert.pem";
- private final String TLS_SERVER_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/broker-key.pem";
-
- private final String TLS_CLIENT_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/client-cert.pem";
- private final String TLS_CLIENT_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/client-key.pem";
private final Authentication authenticationTls =
- new AuthenticationTls(TLS_CLIENT_CERT_FILE_PATH,
TLS_CLIENT_KEY_FILE_PATH);
+ new AuthenticationTls(getTlsFileForClient("admin.cert"),
getTlsFileForClient("admin.key-pk8"));
@Override
protected void doInitConf() throws Exception {
@@ -57,17 +51,18 @@ public class ClientAuthenticationTlsTest extends
ProducerConsumerBase {
providers.add(AuthenticationProviderTls.class.getName());
conf.setAuthenticationProviders(providers);
- conf.setTlsKeyFilePath(TLS_SERVER_KEY_FILE_PATH);
- conf.setTlsCertificateFilePath(TLS_SERVER_CERT_FILE_PATH);
- conf.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
+ conf.setTlsKeyFilePath(BROKER_KEY_FILE_PATH);
+ conf.setTlsCertificateFilePath(BROKER_CERT_FILE_PATH);
+ conf.setTlsTrustCertsFilePath(CA_CERT_FILE_PATH);
conf.setTlsAllowInsecureConnection(false);
conf.setBrokerClientTlsEnabled(true);
conf.setBrokerClientAuthenticationPlugin(AuthenticationTls.class.getName());
conf.setBrokerClientAuthenticationParameters(
- "tlsCertFile:" + TLS_CLIENT_CERT_FILE_PATH + "," +
"tlsKeyFile:" + TLS_CLIENT_KEY_FILE_PATH);
- conf.setBrokerClientTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
+ "tlsCertFile:" + getTlsFileForClient("admin.cert")
+ + ",tlsKeyFile:" +
getTlsFileForClient("admin.key-pk8"));
+ conf.setBrokerClientTrustCertsFilePath(CA_CERT_FILE_PATH);
}
@BeforeClass(alwaysRun = true)
@@ -94,7 +89,7 @@ public class ClientAuthenticationTlsTest extends
ProducerConsumerBase {
@Cleanup
PulsarAdmin pulsarAdmin =
PulsarAdmin.builder().serviceHttpUrl(getPulsar().getWebServiceAddressTls())
.sslProvider("JDK")
- .tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH)
+ .tlsTrustCertsFilePath(CA_CERT_FILE_PATH)
.build();
pulsarAdmin.clusters().getClusters();
}
@@ -105,7 +100,7 @@ public class ClientAuthenticationTlsTest extends
ProducerConsumerBase {
PulsarAdmin pulsarAdmin =
PulsarAdmin.builder().serviceHttpUrl(getPulsar().getWebServiceAddressTls())
.sslProvider("JDK")
.authentication(authenticationTls)
- .tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH)
+ .tlsTrustCertsFilePath(CA_CERT_FILE_PATH)
.build();
pulsarAdmin.clusters().getClusters();
}
@@ -139,7 +134,7 @@ public class ClientAuthenticationTlsTest extends
ProducerConsumerBase {
PulsarClient pulsarClient =
PulsarClient.builder().serviceUrl(getPulsar().getBrokerServiceUrlTls())
.sslProvider("JDK")
.operationTimeout(3, TimeUnit.SECONDS)
- .tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH)
+ .tlsTrustCertsFilePath(CA_CERT_FILE_PATH)
.build();
@Cleanup
Producer<byte[]> ignored =
pulsarClient.newProducer().topic(UUID.randomUUID().toString()).create();
@@ -152,7 +147,7 @@ public class ClientAuthenticationTlsTest extends
ProducerConsumerBase {
.sslProvider("JDK")
.operationTimeout(3, TimeUnit.SECONDS)
.authentication(authenticationTls)
- .tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH)
+ .tlsTrustCertsFilePath(CA_CERT_FILE_PATH)
.build();
@Cleanup
Producer<byte[]> ignored =
pulsarClient.newProducer().topic(UUID.randomUUID().toString()).create();
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/ProducerConsumerBase.java
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/ProducerConsumerBase.java
index ca58bddf13c..f58c1fa26af 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/ProducerConsumerBase.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/ProducerConsumerBase.java
@@ -31,11 +31,6 @@ import org.testng.Assert;
import org.testng.annotations.BeforeMethod;
public abstract class ProducerConsumerBase extends MockedPulsarServiceBaseTest
{
- protected final String TLS_TRUST_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/cacert.pem";
- protected final String TLS_CLIENT_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/client-cert.pem";
- protected final String TLS_CLIENT_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/client-key.pem";
- protected final String TLS_SERVER_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/broker-cert.pem";
- protected final String TLS_SERVER_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/broker-key.pem";
protected String methodName;
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/ProxyProtocolTest.java
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/ProxyProtocolTest.java
index 7f632d5a764..19009689dc8 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/ProxyProtocolTest.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/ProxyProtocolTest.java
@@ -45,11 +45,11 @@ public class ProxyProtocolTest extends
TlsProducerConsumerBase {
String topicName = "persistent://my-property/use/my-ns/my-topic1";
ClientBuilder clientBuilder =
PulsarClient.builder().serviceUrl(brokerServiceUrl)
-
.tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH).enableTls(true).allowTlsInsecureConnection(false)
+
.tlsTrustCertsFilePath(CA_CERT_FILE_PATH).enableTls(true).allowTlsInsecureConnection(false)
.proxyServiceUrl(proxyUrl,
ProxyProtocol.SNI).operationTimeout(1000, TimeUnit.MILLISECONDS);
Map<String, String> authParams = new HashMap<>();
- authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
- authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
+ authParams.put("tlsCertFile", getTlsFileForClient("admin.cert"));
+ authParams.put("tlsKeyFile", getTlsFileForClient("admin.key-pk8"));
clientBuilder.authentication(AuthenticationTls.class.getName(),
authParams);
@Cleanup
@@ -68,11 +68,11 @@ public class ProxyProtocolTest extends
TlsProducerConsumerBase {
String topicName = "persistent://my-property/use/my-ns/my-topic1";
ClientBuilder clientBuilder =
PulsarClient.builder().serviceUrl(brokerServiceUrl)
-
.tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH).enableTls(true).allowTlsInsecureConnection(false)
+
.tlsTrustCertsFilePath(CA_CERT_FILE_PATH).enableTls(true).allowTlsInsecureConnection(false)
.proxyServiceUrl(proxyUrl,
ProxyProtocol.SNI).operationTimeout(1000, TimeUnit.MILLISECONDS);
Map<String, String> authParams = new HashMap<>();
- authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
- authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
+ authParams.put("tlsCertFile", getTlsFileForClient("admin.cert"));
+ authParams.put("tlsKeyFile", getTlsFileForClient("admin.key-pk8"));
clientBuilder.authentication(AuthenticationTls.class.getName(),
authParams);
@Cleanup
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsHostVerificationTest.java
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsHostVerificationTest.java
index 95a78d7ffce..fff61c5c8c9 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsHostVerificationTest.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsHostVerificationTest.java
@@ -21,6 +21,7 @@ package org.apache.pulsar.client.api;
import java.util.HashMap;
import java.util.Map;
+import org.apache.pulsar.broker.testcontext.PulsarTestContext;
import org.apache.pulsar.client.admin.PulsarAdmin;
import org.apache.pulsar.client.admin.PulsarAdminException;
import org.apache.pulsar.client.impl.auth.AuthenticationTls;
@@ -30,21 +31,38 @@ import org.testng.annotations.Test;
@Test(groups = "broker-api")
public class TlsHostVerificationTest extends TlsProducerConsumerBase {
+ @Override
+ @Test(enabled = false)
+ protected void
customizeMainPulsarTestContextBuilder(PulsarTestContext.Builder builder) {
+ builder.configCustomizer(config -> {
+ // Advertise a hostname that routes but is not on the certificate
+ // Note that if you are on a Mac, you'll need to run the following
to make loopback work for 127.0.0.2
+ // $ sudo ifconfig lo0 alias 127.0.0.2 up
+ config.setAdvertisedAddress("127.0.0.2");
+ });
+ }
+
@Test
public void testTlsHostVerificationAdminClient() throws Exception {
Map<String, String> authParams = new HashMap<>();
- authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
- authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
- String websocketTlsAddress = pulsar.getWebServiceAddressTls();
+ authParams.put("tlsCertFile", getTlsFileForClient("admin.cert"));
+ authParams.put("tlsKeyFile", getTlsFileForClient("admin.key-pk8"));
+
Assert.assertTrue(pulsar.getWebServiceAddressTls().startsWith("https://127.0.0.2:"),
+ "Test relies on this address");
PulsarAdmin adminClientTls = PulsarAdmin.builder()
- .serviceHttpUrl(websocketTlsAddress.replace("localhost",
"127.0.0.1"))
-
.tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH).allowTlsInsecureConnection(false)
+ .serviceHttpUrl(pulsar.getWebServiceAddressTls())
+
.tlsTrustCertsFilePath(CA_CERT_FILE_PATH).allowTlsInsecureConnection(false)
.authentication(AuthenticationTls.class.getName(),
authParams).enableTlsHostnameVerification(true)
+ .requestTimeout(1, java.util.concurrent.TimeUnit.SECONDS)
.build();
try {
adminClientTls.tenants().getTenants();
Assert.fail("Admin call should be failed due to
hostnameVerification enabled");
+ } catch (PulsarAdminException.TimeoutException e) {
+ // The test was previously able to fail here, but that is not the
right way for the test to pass.
+ // If you hit this error and are running on OSX, you may need to
run "sudo ifconfig lo0 alias 127.0.0.2 up"
+ Assert.fail("Admin call should not timeout, it should fail due to
SSL error");
} catch (PulsarAdminException e) {
// Ok
}
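Review bot: The final `catch (PulsarAdminException e) { // Ok }` accepts any admin failure, so the test would also pass on an authentication or authorization error rather than the hostname mismatch it is meant to prove. The new `TimeoutException` branch closes one such gap. Asserting in the remaining branch that the cause chain contains a `javax.net.ssl.SSLException` would close the rest; the exact TLS exception the HTTP client surfaces is not visible here. Separately, `adminClientTls` is not closed in the visible lines, and `@Cleanup`, as used elsewhere in this commit, would release it.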
@@ -53,11 +71,13 @@ public class TlsHostVerificationTest extends
TlsProducerConsumerBase {
@Test
public void testTlsHostVerificationDisabledAdminClient() throws Exception {
Map<String, String> authParams = new HashMap<>();
- authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
- authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
+ authParams.put("tlsCertFile", getTlsFileForClient("admin.cert"));
+ authParams.put("tlsKeyFile", getTlsFileForClient("admin.key-pk8"));
+
Assert.assertTrue(pulsar.getWebServiceAddressTls().startsWith("https://127.0.0.2:"),
+ "Test relies on this address");
PulsarAdmin adminClient = PulsarAdmin.builder()
.serviceHttpUrl(pulsar.getWebServiceAddressTls())
-
.tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH).allowTlsInsecureConnection(false)
+
.tlsTrustCertsFilePath(CA_CERT_FILE_PATH).allowTlsInsecureConnection(false)
.authentication(AuthenticationTls.class.getName(),
authParams).enableTlsHostnameVerification(false)
.build();
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsProducerConsumerBase.java
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsProducerConsumerBase.java
index 6a2109836a2..39bab20d97d 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsProducerConsumerBase.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsProducerConsumerBase.java
@@ -38,11 +38,6 @@ import org.testng.annotations.Test;
@Test(groups = "broker-api")
public abstract class TlsProducerConsumerBase extends ProducerConsumerBase {
- protected final String TLS_TRUST_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/cacert.pem";
- protected final String TLS_CLIENT_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/client-cert.pem";
- protected final String TLS_CLIENT_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/client-key.pem";
- protected final String TLS_SERVER_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/broker-cert.pem";
- protected final String TLS_SERVER_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/broker-key.pem";
private final String clusterName = "use";
@BeforeMethod
@@ -64,9 +59,9 @@ public abstract class TlsProducerConsumerBase extends
ProducerConsumerBase {
protected void internalSetUpForBroker() {
conf.setBrokerServicePortTls(Optional.of(0));
conf.setWebServicePortTls(Optional.of(0));
- conf.setTlsCertificateFilePath(TLS_SERVER_CERT_FILE_PATH);
- conf.setTlsKeyFilePath(TLS_SERVER_KEY_FILE_PATH);
- conf.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
+ conf.setTlsCertificateFilePath(BROKER_CERT_FILE_PATH);
+ conf.setTlsKeyFilePath(BROKER_KEY_FILE_PATH);
+ conf.setTlsTrustCertsFilePath(CA_CERT_FILE_PATH);
conf.setClusterName(clusterName);
conf.setTlsRequireTrustedClientCertOnConnect(true);
Set<String> tlsProtocols = Sets.newConcurrentHashSet();
@@ -81,12 +76,12 @@ public abstract class TlsProducerConsumerBase extends
ProducerConsumerBase {
pulsarClient.close();
}
ClientBuilder clientBuilder =
PulsarClient.builder().serviceUrl(lookupUrl)
-
.tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH).enableTls(true).allowTlsInsecureConnection(false)
+
.tlsTrustCertsFilePath(CA_CERT_FILE_PATH).enableTls(true).allowTlsInsecureConnection(false)
.operationTimeout(1000, TimeUnit.MILLISECONDS);
if (addCertificates) {
Map<String, String> authParams = new HashMap<>();
- authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
- authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
+ authParams.put("tlsCertFile", getTlsFileForClient("admin.cert"));
+ authParams.put("tlsKeyFile", getTlsFileForClient("admin.key-pk8"));
clientBuilder.authentication(AuthenticationTls.class.getName(),
authParams);
}
replacePulsarClient(clientBuilder);
@@ -94,15 +89,15 @@ public abstract class TlsProducerConsumerBase extends
ProducerConsumerBase {
protected void internalSetUpForNamespace() throws Exception {
Map<String, String> authParams = new HashMap<>();
- authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
- authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
+ authParams.put("tlsCertFile", getTlsFileForClient("admin.cert"));
+ authParams.put("tlsKeyFile", getTlsFileForClient("admin.key-pk8"));
if (admin != null) {
admin.close();
}
admin =
spy(PulsarAdmin.builder().serviceHttpUrl(brokerUrlTls.toString())
-
.tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH).allowTlsInsecureConnection(false)
+
.tlsTrustCertsFilePath(CA_CERT_FILE_PATH).allowTlsInsecureConnection(false)
.authentication(AuthenticationTls.class.getName(),
authParams).build());
admin.clusters().createCluster(clusterName,
ClusterData.builder()
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsProducerConsumerTest.java
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsProducerConsumerTest.java
index 0563fc3b9da..879289eb65d 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsProducerConsumerTest.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsProducerConsumerTest.java
@@ -146,9 +146,9 @@ public class TlsProducerConsumerTest extends
TlsProducerConsumerBase {
.operationTimeout(1000, TimeUnit.MILLISECONDS);
AtomicInteger index = new AtomicInteger(0);
- ByteArrayInputStream certStream =
createByteInputStream(TLS_CLIENT_CERT_FILE_PATH);
- ByteArrayInputStream keyStream =
createByteInputStream(TLS_CLIENT_KEY_FILE_PATH);
- ByteArrayInputStream trustStoreStream =
createByteInputStream(TLS_TRUST_CERT_FILE_PATH);
+ ByteArrayInputStream certStream =
createByteInputStream(getTlsFileForClient("admin.cert"));
+ ByteArrayInputStream keyStream =
createByteInputStream(getTlsFileForClient("admin.key-pk8"));
+ ByteArrayInputStream trustStoreStream =
createByteInputStream(CA_CERT_FILE_PATH);
Supplier<ByteArrayInputStream> certProvider = () -> getStream(index,
certStream);
Supplier<ByteArrayInputStream> keyProvider = () -> getStream(index,
keyStream);
@@ -203,9 +203,9 @@ public class TlsProducerConsumerTest extends
TlsProducerConsumerBase {
AtomicInteger certIndex = new AtomicInteger(1);
AtomicInteger keyIndex = new AtomicInteger(0);
AtomicInteger trustStoreIndex = new AtomicInteger(1);
- ByteArrayInputStream certStream =
createByteInputStream(TLS_CLIENT_CERT_FILE_PATH);
- ByteArrayInputStream keyStream =
createByteInputStream(TLS_CLIENT_KEY_FILE_PATH);
- ByteArrayInputStream trustStoreStream =
createByteInputStream(TLS_TRUST_CERT_FILE_PATH);
+ ByteArrayInputStream certStream =
createByteInputStream(getTlsFileForClient("admin.cert"));
+ ByteArrayInputStream keyStream =
createByteInputStream(getTlsFileForClient("admin.key-pk8"));
+ ByteArrayInputStream trustStoreStream =
createByteInputStream(CA_CERT_FILE_PATH);
Supplier<ByteArrayInputStream> certProvider = () ->
getStream(certIndex, certStream,
keyStream/* invalid cert file */);
Supplier<ByteArrayInputStream> keyProvider = () -> getStream(keyIndex,
keyStream);
@@ -252,7 +252,8 @@ public class TlsProducerConsumerTest extends
TlsProducerConsumerBase {
return streams[index.intValue()];
}
- private final Authentication tlsAuth = new
AuthenticationTls(TLS_CLIENT_CERT_FILE_PATH, TLS_CLIENT_KEY_FILE_PATH);
+ private final Authentication tlsAuth =
+ new AuthenticationTls(getTlsFileForClient("admin.cert"),
getTlsFileForClient("admin.key-pk8"));
@DataProvider
public Object[] tlsTransport() {
@@ -276,13 +277,14 @@ public class TlsProducerConsumerTest extends
TlsProducerConsumerBase {
internalSetUpForNamespace();
ClientBuilder clientBuilder =
PulsarClient.builder().serviceUrl(url.get())
- .tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH)
+ .tlsTrustCertsFilePath(CA_CERT_FILE_PATH)
.allowTlsInsecureConnection(false)
.enableTlsHostnameVerification(false)
.authentication(auth);
if (auth == null) {
-
clientBuilder.tlsKeyFilePath(TLS_CLIENT_KEY_FILE_PATH).tlsCertificateFilePath(TLS_CLIENT_CERT_FILE_PATH);
+ clientBuilder.tlsKeyFilePath(getTlsFileForClient("admin.key-pk8"))
+ .tlsCertificateFilePath(getTlsFileForClient("admin.cert"));
}
@Cleanup
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsSniTest.java
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsSniTest.java
index fd722e52e5f..173fa8acb0f 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsSniTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TlsSniTest.java
@@ -50,12 +50,12 @@ public class TlsSniTest extends TlsProducerConsumerBase {
brokerServiceUrlTls.getPort());
ClientBuilder clientBuilder =
PulsarClient.builder().serviceUrl(brokerServiceIpAddressUrl)
-
.tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH).allowTlsInsecureConnection(false)
+
.tlsTrustCertsFilePath(CA_CERT_FILE_PATH).allowTlsInsecureConnection(false)
.enableTlsHostnameVerification(false)
.operationTimeout(1000, TimeUnit.MILLISECONDS);
Map<String, String> authParams = new HashMap<>();
- authParams.put("tlsCertFile", TLS_CLIENT_CERT_FILE_PATH);
- authParams.put("tlsKeyFile", TLS_CLIENT_KEY_FILE_PATH);
+ authParams.put("tlsCertFile", getTlsFileForClient("admin.cert"));
+ authParams.put("tlsKeyFile", getTlsFileForClient("admin.key-pk8"));
clientBuilder.authentication(AuthenticationTls.class.getName(),
authParams);
@Cleanup
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TokenExpirationProduceConsumerTest.java
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TokenExpirationProduceConsumerTest.java
index e955a9ae706..4fc0d315d22 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TokenExpirationProduceConsumerTest.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TokenExpirationProduceConsumerTest.java
@@ -101,9 +101,9 @@ public class TokenExpirationProduceConsumerTest extends
TlsProducerConsumerBase
protected void internalSetUpForBroker() {
conf.setBrokerServicePortTls(Optional.of(0));
conf.setWebServicePortTls(Optional.of(0));
- conf.setTlsCertificateFilePath(TLS_SERVER_CERT_FILE_PATH);
- conf.setTlsKeyFilePath(TLS_SERVER_KEY_FILE_PATH);
- conf.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
+ conf.setTlsCertificateFilePath(BROKER_CERT_FILE_PATH);
+ conf.setTlsKeyFilePath(BROKER_KEY_FILE_PATH);
+ conf.setTlsTrustCertsFilePath(CA_CERT_FILE_PATH);
conf.setClusterName(configClusterName);
conf.setAuthenticationRefreshCheckSeconds(1);
conf.setTlsRequireTrustedClientCertOnConnect(false);
@@ -121,7 +121,7 @@ public class TokenExpirationProduceConsumerTest extends
TlsProducerConsumerBase
private PulsarClient getClient(String token) throws Exception {
ClientBuilder clientBuilder = PulsarClient.builder()
.serviceUrl(pulsar.getBrokerServiceUrlTls())
- .tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH)
+ .tlsTrustCertsFilePath(CA_CERT_FILE_PATH)
.enableTls(true)
.allowTlsInsecureConnection(false)
.enableTlsHostnameVerification(true)
@@ -132,7 +132,7 @@ public class TokenExpirationProduceConsumerTest extends
TlsProducerConsumerBase
private PulsarAdmin getAdmin(String token) throws Exception {
PulsarAdminBuilder clientBuilder =
PulsarAdmin.builder().serviceHttpUrl(pulsar.getWebServiceAddressTls())
- .tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH)
+ .tlsTrustCertsFilePath(CA_CERT_FILE_PATH)
.allowTlsInsecureConnection(false)
.authentication(AuthenticationToken.class.getName(),"token:"
+token)
.enableTlsHostnameVerification(true);
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/functions/worker/PulsarFunctionLocalRunTest.java
b/pulsar-broker/src/test/java/org/apache/pulsar/functions/worker/PulsarFunctionLocalRunTest.java
index c832cba163d..aa190cd2e0a 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/functions/worker/PulsarFunctionLocalRunTest.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/functions/worker/PulsarFunctionLocalRunTest.java
@@ -89,6 +89,7 @@ import
org.apache.pulsar.functions.runtime.thread.ThreadRuntimeFactoryConfig;
import org.apache.pulsar.functions.utils.FunctionCommon;
import org.apache.pulsar.io.core.Sink;
import org.apache.pulsar.io.core.SinkContext;
+import org.apache.pulsar.utils.ResourceUtils;
import org.apache.pulsar.zookeeper.LocalBookkeeperEnsemble;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -121,11 +122,16 @@ public class PulsarFunctionLocalRunTest {
private static final String CLUSTER = "local";
- private final String TLS_SERVER_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/broker-cert.pem";
- private final String TLS_SERVER_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/broker-key.pem";
- private final String TLS_CLIENT_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/client-cert.pem";
- private final String TLS_CLIENT_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/client-key.pem";
- private final String TLS_TRUST_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/cacert.pem";
+ private final String TLS_SERVER_CERT_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/server-keys/broker.cert.pem");
+ private final String TLS_SERVER_KEY_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/server-keys/broker.key-pk8.pem");
+ private final String TLS_CLIENT_CERT_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/client-keys/admin.cert.pem");
+ private final String TLS_CLIENT_KEY_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/client-keys/admin.key-pk8.pem");
+ private final String TLS_TRUST_CERT_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/certs/ca.cert.pem");
private static final String SYSTEM_PROPERTY_NAME_NAR_FILE_PATH =
"pulsar-io-data-generator.nar.path";
private PulsarFunctionTestTemporaryDirectory tempDirectory;
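Review bot: These five path fields are declared as instance `private final String` with constant-style names, and the same block is repeated verbatim in `PulsarFunctionPublishTest` in the next file section. The certificate locations therefore still live in several places, which works against the consolidation this commit is aiming for. Declaring them `private static final`, or moving them to a single shared test utility that both classes reference, would leave one definition to update when the `certificate-authority` layout changes.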
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/functions/worker/PulsarFunctionPublishTest.java
b/pulsar-broker/src/test/java/org/apache/pulsar/functions/worker/PulsarFunctionPublishTest.java
index 95923586fe2..c820f512a68 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/functions/worker/PulsarFunctionPublishTest.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/functions/worker/PulsarFunctionPublishTest.java
@@ -71,6 +71,7 @@ import org.apache.pulsar.common.util.FutureUtil;
import org.apache.pulsar.common.util.ObjectMapperFactory;
import org.apache.pulsar.functions.runtime.thread.ThreadRuntimeFactory;
import org.apache.pulsar.functions.runtime.thread.ThreadRuntimeFactoryConfig;
+import org.apache.pulsar.utils.ResourceUtils;
import org.apache.pulsar.zookeeper.LocalBookkeeperEnsemble;
import org.testng.Assert;
import org.testng.annotations.AfterMethod;
@@ -99,11 +100,16 @@ public class PulsarFunctionPublishTest {
String primaryHost;
String workerId;
- private final String TLS_SERVER_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/broker-cert.pem";
- private final String TLS_SERVER_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/broker-key.pem";
- private final String TLS_CLIENT_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/client-cert.pem";
- private final String TLS_CLIENT_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/client-key.pem";
- private final String TLS_TRUST_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/cacert.pem";
+ private final String TLS_SERVER_CERT_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/server-keys/broker.cert.pem");
+ private final String TLS_SERVER_KEY_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/server-keys/broker.key-pk8.pem");
+ private final String TLS_CLIENT_CERT_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/client-keys/admin.cert.pem");
+ private final String TLS_CLIENT_KEY_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/client-keys/admin.key-pk8.pem");
+ private final String TLS_TRUST_CERT_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/certs/ca.cert.pem");
private PulsarFunctionTestTemporaryDirectory tempDirectory;
@DataProvider(name = "validRoleName")
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/io/AbstractPulsarE2ETest.java
b/pulsar-broker/src/test/java/org/apache/pulsar/io/AbstractPulsarE2ETest.java
index 9991e9f1b70..3a99cc647ed 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/io/AbstractPulsarE2ETest.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/io/AbstractPulsarE2ETest.java
@@ -62,6 +62,7 @@ import
org.apache.pulsar.functions.worker.PulsarFunctionTestTemporaryDirectory;
import org.apache.pulsar.functions.worker.PulsarWorkerService;
import org.apache.pulsar.functions.worker.WorkerConfig;
import org.apache.pulsar.functions.worker.WorkerService;
+import org.apache.pulsar.utils.ResourceUtils;
import org.apache.pulsar.zookeeper.LocalBookkeeperEnsemble;
import org.awaitility.Awaitility;
import org.slf4j.Logger;
@@ -75,11 +76,16 @@ public abstract class AbstractPulsarE2ETest {
public static final Logger log =
LoggerFactory.getLogger(AbstractPulsarE2ETest.class);
- protected final String TLS_SERVER_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/broker-cert.pem";
- protected final String TLS_SERVER_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/broker-key.pem";
- protected final String TLS_CLIENT_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/client-cert.pem";
- protected final String TLS_CLIENT_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/client-key.pem";
- protected final String TLS_TRUST_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/cacert.pem";
+ protected final String TLS_SERVER_CERT_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/server-keys/broker.cert.pem");
+ protected final String TLS_SERVER_KEY_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/server-keys/broker.key-pk8.pem");
+ protected final String TLS_CLIENT_CERT_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/client-keys/admin.cert.pem");
+ protected final String TLS_CLIENT_KEY_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/client-keys/admin.key-pk8.pem");
+ protected final String TLS_TRUST_CERT_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/certs/ca.cert.pem");
protected final String tenant = "external-repl-prop";
protected LocalBookkeeperEnsemble bkEnsemble;
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/io/PulsarFunctionAdminTest.java
b/pulsar-broker/src/test/java/org/apache/pulsar/io/PulsarFunctionAdminTest.java
index 16218f6ce64..d31d0c66bdf 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/io/PulsarFunctionAdminTest.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/io/PulsarFunctionAdminTest.java
@@ -51,6 +51,7 @@ import
org.apache.pulsar.functions.runtime.thread.ThreadRuntimeFactoryConfig;
import org.apache.pulsar.functions.worker.PulsarWorkerService;
import org.apache.pulsar.functions.worker.WorkerConfig;
import org.apache.pulsar.functions.worker.WorkerService;
+import org.apache.pulsar.utils.ResourceUtils;
import org.apache.pulsar.zookeeper.LocalBookkeeperEnsemble;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -77,10 +78,16 @@ public class PulsarFunctionAdminTest {
String pulsarFunctionsNamespace = tenant + "/pulsar-function-admin";
String primaryHost;
- private final String TLS_SERVER_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/broker-cert.pem";
- private final String TLS_SERVER_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/broker-key.pem";
- private final String TLS_CLIENT_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/client-cert.pem";
- private final String TLS_CLIENT_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/client-key.pem";
+ private final String TLS_SERVER_CERT_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/server-keys/broker.cert.pem");
+ private final String TLS_SERVER_KEY_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/server-keys/broker.key-pk8.pem");
+ private final String TLS_CLIENT_CERT_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/client-keys/admin.cert.pem");
+ private final String TLS_CLIENT_KEY_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/client-keys/admin.key-pk8.pem");
+ private final String TLS_TRUST_CERT_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/certs/ca.cert.pem");
private static final Logger log =
LoggerFactory.getLogger(PulsarFunctionAdminTest.class);
@@ -113,8 +120,7 @@ public class PulsarFunctionAdminTest {
config.setAuthenticationProviders(providers);
config.setTlsCertificateFilePath(TLS_SERVER_CERT_FILE_PATH);
config.setTlsKeyFilePath(TLS_SERVER_KEY_FILE_PATH);
- config.setTlsAllowInsecureConnection(true);
-
+ config.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
functionsWorkerService = createPulsarFunctionWorker(config);
Optional<WorkerService> functionWorkerService =
Optional.of(functionsWorkerService);
@@ -132,7 +138,6 @@ public class PulsarFunctionAdminTest {
PulsarAdmin.builder()
.serviceHttpUrl(pulsar.getWebServiceAddressTls())
.tlsTrustCertsFilePath(TLS_CLIENT_CERT_FILE_PATH)
- .allowTlsInsecureConnection(true)
.authentication(authTls)
.build());
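Review bot: With `.allowTlsInsecureConnection(true)` removed, the admin client's trust store is still `TLS_CLIENT_CERT_FILE_PATH` (the admin leaf certificate) rather than the CA that signs the broker certificate; the builder line should read `.tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH)`. A client leaf certificate is not a trust anchor for the server chain, so if this client performs a TLS handshake the verification would be expected to fail, and if it never does, the test is not exercising the verification this commit intends to turn on. The hunk at -203,7 has the same issue in `workerConfig.setTlsTrustCertsFilePath(TLS_CLIENT_CERT_FILE_PATH)`, while PulsarFunctionTlsTest makes exactly this switch in its own hunks. The enclosing methods start and end outside these hunks.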
@@ -203,7 +208,6 @@ public class PulsarFunctionAdminTest {
workerConfig.setBrokerClientAuthenticationParameters(
String.format("tlsCertFile:%s,tlsKeyFile:%s",
TLS_CLIENT_CERT_FILE_PATH, TLS_CLIENT_KEY_FILE_PATH));
workerConfig.setUseTls(true);
- workerConfig.setTlsAllowInsecureConnection(true);
workerConfig.setTlsTrustCertsFilePath(TLS_CLIENT_CERT_FILE_PATH);
PulsarWorkerService workerService = new PulsarWorkerService();
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/io/PulsarFunctionTlsTest.java
b/pulsar-broker/src/test/java/org/apache/pulsar/io/PulsarFunctionTlsTest.java
index 5de3d4f7e08..810ac69ac3e 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/io/PulsarFunctionTlsTest.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/io/PulsarFunctionTlsTest.java
@@ -66,6 +66,7 @@ import org.apache.pulsar.functions.worker.PulsarWorkerService;
import
org.apache.pulsar.functions.worker.PulsarWorkerService.PulsarClientCreator;
import org.apache.pulsar.functions.worker.WorkerConfig;
import org.apache.pulsar.functions.worker.rest.WorkerServer;
+import org.apache.pulsar.utils.ResourceUtils;
import org.apache.pulsar.zookeeper.LocalBookkeeperEnsemble;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -90,10 +91,16 @@ public class PulsarFunctionTlsTest {
PulsarAdmin functionAdmin;
private final List<String> namespaceList = new LinkedList<>();
- private final String TLS_SERVER_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/broker-cert.pem";
- private final String TLS_SERVER_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/broker-key.pem";
- private final String TLS_CLIENT_CERT_FILE_PATH =
"./src/test/resources/authentication/tls/client-cert.pem";
- private final String TLS_CLIENT_KEY_FILE_PATH =
"./src/test/resources/authentication/tls/client-key.pem";
+ private final String TLS_SERVER_CERT_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/server-keys/broker.cert.pem");
+ private final String TLS_SERVER_KEY_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/server-keys/broker.key-pk8.pem");
+ private final String TLS_CLIENT_CERT_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/client-keys/admin.cert.pem");
+ private final String TLS_CLIENT_KEY_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/client-keys/admin.key-pk8.pem");
+ private final String TLS_TRUST_CERT_FILE_PATH =
+
ResourceUtils.getAbsolutePath("certificate-authority/certs/ca.cert.pem");
private static final Logger log =
LoggerFactory.getLogger(PulsarFunctionTlsTest.class);
private PulsarFunctionTestTemporaryDirectory tempDirectory;
@@ -121,7 +128,7 @@ public class PulsarFunctionTlsTest {
config.setAuthenticationProviders(providers);
config.setTlsCertificateFilePath(TLS_SERVER_CERT_FILE_PATH);
config.setTlsKeyFilePath(TLS_SERVER_KEY_FILE_PATH);
- config.setTlsAllowInsecureConnection(true);
+ config.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
config.setAdvertisedAddress("localhost");
PulsarAdmin admin = mock(PulsarAdmin.class);
@@ -163,7 +170,7 @@ public class PulsarFunctionTlsTest {
authTls.configure(authParams);
functionAdmin = PulsarAdmin.builder().serviceHttpUrl(functionTlsUrl)
-
.tlsTrustCertsFilePath(TLS_CLIENT_CERT_FILE_PATH).allowTlsInsecureConnection(true)
+ .tlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH)
.authentication(authTls).build();
Thread.sleep(100);
@@ -217,7 +224,7 @@ public class PulsarFunctionTlsTest {
String.format("tlsCertFile:%s,tlsKeyFile:%s",
TLS_CLIENT_CERT_FILE_PATH, TLS_CLIENT_KEY_FILE_PATH));
workerConfig.setUseTls(true);
workerConfig.setTlsAllowInsecureConnection(true);
- workerConfig.setTlsTrustCertsFilePath(TLS_CLIENT_CERT_FILE_PATH);
+ workerConfig.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
workerConfig.setWorkerPortTls(0);
workerConfig.setTlsEnabled(true);
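Review bot: `workerConfig.setTlsAllowInsecureConnection(true);` is left in place two lines above the changed trust-store line, so the switch to the CA file may not be exercised here: with insecure connections allowed, the worker presumably accepts a broker certificate that does not chain to `TLS_TRUST_CERT_FILE_PATH`. The other hunks of this file and the matching worker block in PulsarFunctionAdminTest drop the flag. Unless this test specifically needs it, remove the line; if it is intentional, keep it with a comment such as `// insecure on purpose: <reason>` so the exception is visible. The enclosing method starts and ends outside the hunk.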
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyPublishConsumeTlsTest.java
b/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyPublishConsumeTlsTest.java
index 3ee9b6127de..91cd4fab470 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyPublishConsumeTlsTest.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyPublishConsumeTlsTest.java
@@ -64,12 +64,13 @@ public class ProxyPublishConsumeTlsTest extends
TlsProducerConsumerBase {
config.setWebServicePort(Optional.of(0));
config.setWebServicePortTls(Optional.of(0));
config.setBrokerClientTlsEnabled(true);
- config.setTlsKeyFilePath(TLS_SERVER_KEY_FILE_PATH);
- config.setTlsCertificateFilePath(TLS_SERVER_CERT_FILE_PATH);
- config.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
- config.setBrokerClientTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
+ config.setTlsKeyFilePath(BROKER_KEY_FILE_PATH);
+ config.setTlsCertificateFilePath(BROKER_CERT_FILE_PATH);
+ config.setTlsTrustCertsFilePath(CA_CERT_FILE_PATH);
+ config.setBrokerClientTrustCertsFilePath(CA_CERT_FILE_PATH);
config.setClusterName("use");
- config.setBrokerClientAuthenticationParameters("tlsCertFile:" +
TLS_CLIENT_CERT_FILE_PATH + ",tlsKeyFile:" + TLS_CLIENT_KEY_FILE_PATH);
+ config.setBrokerClientAuthenticationParameters("tlsCertFile:" +
getTlsFileForClient("admin.cert") +
+ ",tlsKeyFile:" + getTlsFileForClient("admin.key-pk8"));
config.setBrokerClientAuthenticationPlugin(AuthenticationTls.class.getName());
config.setConfigurationMetadataStoreUrl(GLOBAL_DUMMY_VALUE);
service = spyWithClassAndConstructorArgs(WebSocketService.class,
config);
@@ -103,7 +104,7 @@ public class ProxyPublishConsumeTlsTest extends
TlsProducerConsumerBase {
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setSslContext(SecurityUtility
- .createSslContext(false,
SecurityUtility.loadCertificatesFromPemFile(TLS_TRUST_CERT_FILE_PATH), null));
+ .createSslContext(false,
SecurityUtility.loadCertificatesFromPemFile(CA_CERT_FILE_PATH), null));
WebSocketClient consumeClient = new WebSocketClient(sslContextFactory);
SimpleConsumerSocket consumeSocket = new SimpleConsumerSocket();
diff --git a/tests/certificate-authority/.gitignore
b/tests/certificate-authority/.gitignore
new file mode 100644
index 00000000000..de3be754636
--- /dev/null
+++ b/tests/certificate-authority/.gitignore
@@ -0,0 +1,3 @@
+# Files generated when running openssl
+*.old
+*.attr
diff --git a/tests/certificate-authority/README.md
b/tests/certificate-authority/README.md
index 008120a35f4..02ebbdf9258 100644
--- a/tests/certificate-authority/README.md
+++ b/tests/certificate-authority/README.md
@@ -3,23 +3,33 @@
Generated based on instructions from
https://jamielinux.com/docs/openssl-certificate-authority/introduction.html,
though the intermediate CA has been omitted for simplicity.
-The environment variable, CA_HOME, must be set to point to the directory
-containing this file before running any openssl commands.
+The following commands must be run in the same directory as this README due to
the configuration for the openssl.cnf file.
The password for the CA private key is ```PulsarTesting```.
## Generating server keys
-In this example, we're generating a key for the broker.
+In this example, we're generating a key for the broker and the proxy. If there
is a need to create them again, a new
+CN will need to be used because we have the index.txt database in this
directory. It's also possible that we could
+remove this file and start over. At the time of adding this change, I didn't
see a need to change the paradigm.
-The common name when generating the CSR should be the domain name of the
broker.
+The common name when generating the CSR used to be the domain name of the
broker. However, now we rely on the Subject
+Alternative Name, or the SAN, to be the domain name. This is because the CN is
deprecated in the certificate spec. The
+[openssl.cnf](openssl.cnf) file has been updated to reflect this change. The
proxy and the broker have the following
+SAN: ```DNS:localhost, IP:127.0.0.1```.
```bash
openssl genrsa -out server-keys/broker.key.pem 2048
-openssl req -config openssl.cnf -key server-keys/broker.key.pem -new -sha256
-out server-keys/broker.csr.pem
-openssl ca -config openssl.cnf -extensions server_cert \
- -days 100000 -notext -md sha256 -in server-keys/broker.csr.pem -out
server-keys/broker.cert.pem
+openssl req -config openssl.cnf -subj "/CN=broker-localhost-SAN" -key
server-keys/broker.key.pem -new -sha256 -out server-keys/broker.csr.pem
+openssl ca -config openssl.cnf -extensions broker_cert -days 100000 -md sha256
-in server-keys/broker.csr.pem \
+ -out server-keys/broker.cert.pem -batch -key PulsarTesting
openssl pkcs8 -topk8 -inform PEM -outform PEM -in server-keys/broker.key.pem
-out server-keys/broker.key-pk8.pem -nocrypt
+
+openssl genrsa -out server-keys/proxy.key.pem 2048
+openssl req -config openssl.cnf -subj "/CN=proxy-localhost-SAN" -key
server-keys/proxy.key.pem -new -sha256 -out server-keys/proxy.csr.pem
+openssl ca -config openssl.cnf -extensions proxy_cert -days 100000 -md sha256
-in server-keys/proxy.csr.pem \
+ -out server-keys/proxy.cert.pem -batch -key PulsarTesting
+openssl pkcs8 -topk8 -inform PEM -outform PEM -in server-keys/proxy.key.pem
-out server-keys/proxy.key-pk8.pem -nocrypt
```
You need to configure the server with broker.key-pk8.pem and broker.cert.pem.
diff --git a/tests/certificate-authority/index.txt
b/tests/certificate-authority/index.txt
index 376f86725c2..acb5eed051c 100644
--- a/tests/certificate-authority/index.txt
+++ b/tests/certificate-authority/index.txt
@@ -5,3 +5,5 @@ V 22920409135604Z 1003 unknown /CN=proxy
V 22920410132517Z 1004 unknown /CN=superproxy
V 22920411084025Z 1005 unknown /CN=user1
V 22960802101401Z 1006 unknown /CN=proxy.pulsar.apache.org
+V 22970222155018Z 1007 unknown /CN=broker-localhost-SAN
+V 22970222155019Z 1008 unknown /CN=proxy-localhost-SAN
diff --git a/tests/certificate-authority/newcerts/1007.pem
b/tests/certificate-authority/newcerts/1007.pem
new file mode 100644
index 00000000000..4237719f20e
--- /dev/null
+++ b/tests/certificate-authority/newcerts/1007.pem
@@ -0,0 +1,111 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4103 (0x1007)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=foobar
+ Validity
+ Not Before: May 10 15:50:18 2023 GMT
+ Not After : Feb 22 15:50:18 2297 GMT
+ Subject: CN=broker-localhost-SAN
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:de:d1:da:bb:91:b3:16:c4:b2:e8:89:30:9e:c1:
+ 5e:0b:cf:db:c4:c3:d9:b1:af:40:a5:0b:38:36:1b:
+ 14:fe:0f:22:9c:e6:59:6a:15:5b:db:f6:f7:f3:a5:
+ 02:29:94:7a:d2:0c:67:ad:aa:63:62:7e:fc:58:11:
+ 29:48:b8:3c:91:b2:73:7e:12:6b:f2:ea:36:77:0f:
+ 15:9b:46:95:ce:73:15:8d:c8:d9:97:57:03:90:33:
+ 2d:7d:f3:ee:e5:01:6d:d8:c6:da:ab:07:b9:dd:1c:
+ e0:4b:ce:6a:de:a8:d2:e3:c1:52:6d:83:3a:0a:f0:
+ ed:cf:f7:56:6a:87:0e:73:e3:12:82:2b:65:ab:d8:
+ a9:44:5b:4a:2f:a5:92:94:32:f1:a1:e4:af:18:0f:
+ 0f:18:60:cd:f7:d0:9d:03:9f:d7:e9:a8:60:54:bb:
+ 3b:9a:05:db:fd:38:04:3c:b4:23:41:16:6c:7c:3b:
+ d9:b6:e0:2f:bd:cb:62:55:1b:e8:d0:8f:43:76:ef:
+ 55:86:cf:25:c3:bc:ae:e3:46:50:89:f7:71:ad:06:
+ 5e:28:e6:f6:f0:76:27:ea:7e:1b:67:53:39:26:20:
+ 19:18:82:b1:11:5f:ea:91:c2:e3:d3:f6:5a:c7:fd:
+ 61:a2:92:de:7d:7c:da:6d:e8:bf:39:52:10:31:60:
+ 4b:e1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ Netscape Cert Type:
+ SSL Server
+ Netscape Comment:
+ OpenSSL Generated Server Certificate
+ X509v3 Subject Key Identifier:
+ 17:07:3B:AA:85:83:B5:04:83:EC:B2:6C:1E:3A:F0:F5:59:AA:61:28
+ X509v3 Subject Alternative Name:
+ DNS:localhost, DNS:unresolvable-broker-address, IP
Address:127.0.0.1
+ X509v3 Authority Key Identifier:
+
keyid:57:0B:E9:CB:23:E8:BF:47:3E:50:7A:3F:45:7E:A1:18:43:9D:15:27
+ DirName:/CN=foobar
+ serial:D7:E2:87:4F:A0:79:E2:0C
+
+ X509v3 Key Usage: critical
+ Digital Signature, Key Encipherment
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication
+ Signature Algorithm: sha256WithRSAEncryption
+ e4:27:61:e2:0f:b6:a0:ca:9f:ce:e3:53:0b:44:ab:86:a1:e2:
+ 4d:88:e1:7d:2e:b0:aa:32:96:2b:3d:da:60:70:6a:c3:62:c5:
+ 76:f2:8f:0d:16:31:f2:ad:e5:2f:43:f3:cb:e4:fa:95:6c:20:
+ 81:33:1a:c7:5a:55:57:c9:ab:ca:66:45:30:58:00:db:e8:51:
+ c9:2c:a9:72:c1:18:f5:01:87:9f:73:20:85:6c:e5:6c:3f:c9:
+ 67:b4:f0:20:e5:ed:e2:4a:08:0b:af:68:43:e5:a9:c7:e1:39:
+ e8:b5:49:cb:47:4a:6d:e5:16:ae:88:92:13:85:8e:42:1e:0a:
+ eb:59:ed:a7:c1:9b:bc:4b:7b:99:f8:1d:f0:d7:1d:90:c9:cf:
+ 86:6a:d3:10:d0:36:e4:f5:b9:33:79:c7:a2:68:31:f7:bb:8d:
+ 1e:d6:33:79:bd:e7:0e:4f:4d:e9:2e:15:04:4f:6b:4b:2e:93:
+ 28:72:d1:0e:aa:ee:e6:ef:68:be:58:2b:cc:56:01:27:16:f9:
+ 34:8e:66:86:27:0a:b0:fb:32:56:a9:8a:d9:6f:b1:86:bd:ba:
+ fd:50:6c:d5:b2:54:e7:4e:c6:2d:19:88:a9:89:2c:ef:be:08:
+ 0d:2b:49:91:0b:09:42:64:06:a3:9d:d7:94:ed:e8:74:74:48:
+ 43:57:41:6f:e5:06:98:46:1d:c5:60:9c:69:f8:fb:fe:a6:01:
+ 4a:35:be:21:36:c2:a3:44:c8:c4:2c:21:09:f4:28:9a:ad:a0:
+ 97:1e:00:29:cc:0f:26:fa:59:21:25:c0:9e:fa:22:53:67:6d:
+ ab:a6:56:08:fd:37:1d:69:fe:ef:6f:29:89:1a:66:7b:c7:ff:
+ b1:34:f1:d6:be:21:81:e3:bc:4f:13:02:a7:4b:9d:13:05:46:
+ 40:88:4a:aa:db:fb:64:f8:6b:fb:5d:a0:b1:0c:1a:b8:4c:ab:
+ 6f:69:fe:0b:55:4e:b3:38:1f:91:0b:71:77:1e:11:39:54:9a:
+ 62:51:ea:6d:a8:5e:0d:4a:91:fb:d8:be:5d:93:e8:43:f3:4a:
+ 11:fb:31:cf:14:1a:1c:8d:31:1b:99:31:e0:2b:81:01:91:6f:
+ da:ba:cb:1f:51:21:55:29:3f:4c:71:e3:d0:29:41:de:a0:00:
+ da:07:ed:5e:c9:af:32:61:6d:55:f8:f5:2d:46:03:34:33:fb:
+ 2e:1e:aa:7c:fe:d2:30:4d:40:cc:ed:76:ec:f6:bd:ed:35:c8:
+ d8:b3:46:56:aa:2c:53:84:56:45:b0:a3:f6:35:66:93:da:8c:
+ 17:39:c1:29:7c:99:c5:0b:73:c1:f9:16:d0:57:fc:57:59:06:
+ af:39:9f:a9:51:35:0b:c7
+-----BEGIN CERTIFICATE-----
+MIIExzCCAq+gAwIBAgICEAcwDQYJKoZIhvcNAQELBQAwETEPMA0GA1UEAwwGZm9v
+YmFyMCAXDTIzMDUxMDE1NTAxOFoYDzIyOTcwMjIyMTU1MDE4WjAfMR0wGwYDVQQD
+DBRicm9rZXItbG9jYWxob3N0LVNBTjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAN7R2ruRsxbEsuiJMJ7BXgvP28TD2bGvQKULODYbFP4PIpzmWWoVW9v2
+9/OlAimUetIMZ62qY2J+/FgRKUi4PJGyc34Sa/LqNncPFZtGlc5zFY3I2ZdXA5Az
+LX3z7uUBbdjG2qsHud0c4EvOat6o0uPBUm2DOgrw7c/3VmqHDnPjEoIrZavYqURb
+Si+lkpQy8aHkrxgPDxhgzffQnQOf1+moYFS7O5oF2/04BDy0I0EWbHw72bbgL73L
+YlUb6NCPQ3bvVYbPJcO8ruNGUIn3ca0GXijm9vB2J+p+G2dTOSYgGRiCsRFf6pHC
+49P2Wsf9YaKS3n182m3ovzlSEDFgS+ECAwEAAaOCARcwggETMAkGA1UdEwQCMAAw
+EQYJYIZIAYb4QgEBBAQDAgZAMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVy
+YXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFBcHO6qFg7UEg+yybB46
+8PVZqmEoMDcGA1UdEQQwMC6CCWxvY2FsaG9zdIIbdW5yZXNvbHZhYmxlLWJyb2tl
+ci1hZGRyZXNzhwR/AAABMEEGA1UdIwQ6MDiAFFcL6csj6L9HPlB6P0V+oRhDnRUn
+oRWkEzARMQ8wDQYDVQQDDAZmb29iYXKCCQDX4odPoHniDDAOBgNVHQ8BAf8EBAMC
+BaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggIBAOQnYeIP
+tqDKn87jUwtEq4ah4k2I4X0usKoylis92mBwasNixXbyjw0WMfKt5S9D88vk+pVs
+IIEzGsdaVVfJq8pmRTBYANvoUcksqXLBGPUBh59zIIVs5Ww/yWe08CDl7eJKCAuv
+aEPlqcfhOei1SctHSm3lFq6IkhOFjkIeCutZ7afBm7xLe5n4HfDXHZDJz4Zq0xDQ
+NuT1uTN5x6JoMfe7jR7WM3m95w5PTekuFQRPa0sukyhy0Q6q7ubvaL5YK8xWAScW
++TSOZoYnCrD7MlapitlvsYa9uv1QbNWyVOdOxi0ZiKmJLO++CA0rSZELCUJkBqOd
+15Tt6HR0SENXQW/lBphGHcVgnGn4+/6mAUo1viE2wqNEyMQsIQn0KJqtoJceACnM
+Dyb6WSElwJ76IlNnbaumVgj9Nx1p/u9vKYkaZnvH/7E08da+IYHjvE8TAqdLnRMF
+RkCISqrb+2T4a/tdoLEMGrhMq29p/gtVTrM4H5ELcXceETlUmmJR6m2oXg1KkfvY
+vl2T6EPzShH7Mc8UGhyNMRuZMeArgQGRb9q6yx9RIVUpP0xx49ApQd6gANoH7V7J
+rzJhbVX49S1GAzQz+y4eqnz+0jBNQMztduz2ve01yNizRlaqLFOEVkWwo/Y1ZpPa
+jBc5wSl8mcULc8H5FtBX/FdZBq85n6lRNQvH
+-----END CERTIFICATE-----
diff --git a/tests/certificate-authority/newcerts/1008.pem
b/tests/certificate-authority/newcerts/1008.pem
new file mode 100644
index 00000000000..85687bdfd30
--- /dev/null
+++ b/tests/certificate-authority/newcerts/1008.pem
@@ -0,0 +1,110 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4104 (0x1008)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=foobar
+ Validity
+ Not Before: May 10 15:50:19 2023 GMT
+ Not After : Feb 22 15:50:19 2297 GMT
+ Subject: CN=proxy-localhost-SAN
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:cc:15:c9:85:06:43:47:bd:46:9f:4f:03:1a:e0:
+ 6e:94:13:4e:b0:30:ea:88:ca:3a:e4:39:92:12:c1:
+ 77:51:8c:0d:3c:b9:26:5c:2f:dc:fc:b1:5a:bf:0e:
+ 47:ff:09:60:30:79:8e:55:26:fe:d0:a1:ed:9f:6d:
+ 8a:6a:06:85:f0:d0:dc:94:a6:54:a1:a6:c9:3e:57:
+ d5:69:7d:e9:25:c1:ef:6b:77:e1:62:76:d8:e4:54:
+ 91:40:bc:0b:11:74:b8:30:bb:d4:02:77:d6:bd:d2:
+ d0:e7:ad:df:7d:98:96:74:42:ad:53:b3:88:c8:dc:
+ 1d:db:51:63:84:ee:7e:85:73:14:5e:d4:c8:f0:01:
+ 5f:67:52:ed:94:87:f7:d6:aa:28:8b:2c:84:98:8c:
+ b9:91:b5:38:99:80:5d:b3:d4:db:95:96:09:ef:1d:
+ a1:6f:86:c8:17:86:f7:0a:1e:72:3b:50:8c:53:e5:
+ ce:d4:8c:cf:cc:81:3d:46:55:ff:65:25:0b:36:31:
+ 31:a6:22:27:47:96:59:38:c1:cd:66:a6:9a:83:98:
+ dc:b8:2e:10:8d:ba:45:ae:aa:20:6e:e3:0b:bd:ec:
+ e6:63:b5:40:55:d4:fe:97:b1:f1:8d:9a:c0:a2:46:
+ 8e:a3:ed:a0:1b:ed:40:b0:00:a5:28:f9:da:03:bd:
+ c1:a9
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ Netscape Cert Type:
+ SSL Server
+ Netscape Comment:
+ OpenSSL Generated Server Certificate
+ X509v3 Subject Key Identifier:
+ C5:33:73:67:03:B7:51:08:F4:BD:D3:CD:4F:DC:CF:83:11:53:AD:39
+ X509v3 Subject Alternative Name:
+ DNS:localhost, IP Address:127.0.0.1
+ X509v3 Authority Key Identifier:
+
keyid:57:0B:E9:CB:23:E8:BF:47:3E:50:7A:3F:45:7E:A1:18:43:9D:15:27
+ DirName:/CN=foobar
+ serial:D7:E2:87:4F:A0:79:E2:0C
+
+ X509v3 Key Usage: critical
+ Digital Signature, Key Encipherment
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication
+ Signature Algorithm: sha256WithRSAEncryption
+ 43:ef:67:29:9a:0c:53:97:7c:fc:72:73:6c:8d:48:78:4e:ec:
+ e3:14:9d:d9:1e:83:4c:d6:f0:56:e9:c4:d8:de:f5:54:fb:a5:
+ 3b:ff:59:23:75:26:74:f0:86:90:d0:4d:41:25:03:87:e0:60:
+ a4:9b:33:3d:bd:1c:79:b8:db:86:1c:38:09:26:0d:80:3e:f9:
+ 1e:28:11:0d:3d:6b:1e:1a:7a:9a:fa:fc:18:22:7f:fd:46:55:
+ c2:2f:56:5c:5c:8a:45:f2:74:7a:e4:6c:d0:e0:ea:ec:74:b7:
+ 0d:a8:f3:ca:18:cf:a4:be:a0:e0:4a:32:ca:15:7e:5d:06:56:
+ b7:71:7c:e0:dc:19:fa:be:3e:94:84:20:be:96:34:61:0b:f0:
+ d1:d6:31:49:0b:b0:20:b8:f9:5c:49:08:13:9b:45:c0:6f:58:
+ 16:81:0b:0c:f8:66:38:58:83:d4:b0:bc:14:35:8d:e2:1d:d5:
+ 2d:ea:02:ae:42:e1:88:22:5a:b0:cf:e5:31:b1:cb:d3:e9:d2:
+ 5e:88:55:bd:62:ac:85:aa:4e:fc:18:6b:65:f9:9e:fc:93:27:
+ 0c:c6:29:aa:f0:64:6e:72:dc:d9:95:ae:38:ae:64:9e:c6:44:
+ 8a:0b:0f:0e:d4:69:7e:79:e0:46:d0:75:96:2a:1a:60:af:30:
+ 23:dc:d2:67:0d:08:2a:9d:58:29:09:1e:c8:08:d5:3a:88:2d:
+ 1a:dc:47:dc:5d:bd:0d:5c:54:f1:5d:5a:6d:0d:de:bc:18:67:
+ 2d:dd:1b:fe:8b:0e:03:19:b0:0f:f2:59:69:d0:7a:4f:a1:33:
+ 74:f7:22:ef:ff:90:e1:4b:8e:ac:13:00:6f:00:9b:55:83:d2:
+ 96:db:a8:81:c9:a9:8d:c6:a6:21:3d:14:d3:43:71:28:c6:ea:
+ 6d:2d:91:b9:58:bf:ec:18:75:c4:8c:10:43:88:60:08:c0:bb:
+ 9d:fb:90:80:1e:d5:a3:ea:e7:8a:16:f7:f4:d7:cb:35:93:03:
+ 55:e4:cc:58:31:1e:df:6e:e4:1b:6e:ad:3a:76:56:e5:8b:4e:
+ d9:71:af:11:92:a7:7a:e2:66:cc:d2:73:f3:ec:e8:3b:67:f0:
+ 6a:31:10:82:e8:c4:1e:ae:c3:54:a7:e2:42:86:fe:43:75:ad:
+ ef:83:d7:1c:2f:91:94:1c:57:9d:1c:43:94:b1:47:b2:6c:96:
+ fd:83:69:0f:6c:e2:18:9b:65:8e:71:08:01:b3:73:46:aa:3c:
+ 2e:07:14:cd:03:ae:dc:5a:51:da:c5:41:53:cc:f5:fc:c8:db:
+ 4e:76:27:99:9a:ec:40:68:07:d6:10:e1:f9:68:6b:5d:52:95:
+ 3d:01:f4:a7:40:11:61:0a
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tests/certificate-authority/openssl.cnf
b/tests/certificate-authority/openssl.cnf
index 9c8585edc9a..f7a23b3b33f 100644
--- a/tests/certificate-authority/openssl.cnf
+++ b/tests/certificate-authority/openssl.cnf
@@ -27,7 +27,7 @@ default_ca = CA_default
[ CA_default ]
# Directory and file locations.
-dir = $ENV::CA_HOME
+dir = .
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
@@ -92,12 +92,25 @@ authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
-[ server_cert ]
+[ broker_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
+# The unresolvable address is used for SNI testing
+subjectAltName = DNS:localhost, DNS:unresolvable-broker-address, IP:127.0.0.1
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ proxy_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+subjectAltName = DNS:localhost, IP:127.0.0.1
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
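Review bot: The `[ server_cert ]` section is renamed rather than kept, so any command that still passes `-extensions server_cert` (other README sections or scripts not visible in this hunk) would no longer find its section; worth a grep before merging. Both new sections also carry the identical header comment. Making them distinct, e.g. `# Extensions for the broker server certificate` and `# Extensions for the proxy server certificate (no SNI test name)`, would explain why the two differ only in `subjectAltName`.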
diff --git a/tests/certificate-authority/serial
b/tests/certificate-authority/serial
index fb35a14c027..6cb3869343b 100644
--- a/tests/certificate-authority/serial
+++ b/tests/certificate-authority/serial
@@ -1 +1 @@
-1007
+1009
diff --git a/tests/certificate-authority/server-keys/broker.cert.pem
b/tests/certificate-authority/server-keys/broker.cert.pem
index b5c7a5dc709..4237719f20e 100644
--- a/tests/certificate-authority/server-keys/broker.cert.pem
+++ b/tests/certificate-authority/server-keys/broker.cert.pem
@@ -1,27 +1,111 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4103 (0x1007)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=foobar
+ Validity
+ Not Before: May 10 15:50:18 2023 GMT
+ Not After : Feb 22 15:50:18 2297 GMT
+ Subject: CN=broker-localhost-SAN
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:de:d1:da:bb:91:b3:16:c4:b2:e8:89:30:9e:c1:
+ 5e:0b:cf:db:c4:c3:d9:b1:af:40:a5:0b:38:36:1b:
+ 14:fe:0f:22:9c:e6:59:6a:15:5b:db:f6:f7:f3:a5:
+ 02:29:94:7a:d2:0c:67:ad:aa:63:62:7e:fc:58:11:
+ 29:48:b8:3c:91:b2:73:7e:12:6b:f2:ea:36:77:0f:
+ 15:9b:46:95:ce:73:15:8d:c8:d9:97:57:03:90:33:
+ 2d:7d:f3:ee:e5:01:6d:d8:c6:da:ab:07:b9:dd:1c:
+ e0:4b:ce:6a:de:a8:d2:e3:c1:52:6d:83:3a:0a:f0:
+ ed:cf:f7:56:6a:87:0e:73:e3:12:82:2b:65:ab:d8:
+ a9:44:5b:4a:2f:a5:92:94:32:f1:a1:e4:af:18:0f:
+ 0f:18:60:cd:f7:d0:9d:03:9f:d7:e9:a8:60:54:bb:
+ 3b:9a:05:db:fd:38:04:3c:b4:23:41:16:6c:7c:3b:
+ d9:b6:e0:2f:bd:cb:62:55:1b:e8:d0:8f:43:76:ef:
+ 55:86:cf:25:c3:bc:ae:e3:46:50:89:f7:71:ad:06:
+ 5e:28:e6:f6:f0:76:27:ea:7e:1b:67:53:39:26:20:
+ 19:18:82:b1:11:5f:ea:91:c2:e3:d3:f6:5a:c7:fd:
+ 61:a2:92:de:7d:7c:da:6d:e8:bf:39:52:10:31:60:
+ 4b:e1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ Netscape Cert Type:
+ SSL Server
+ Netscape Comment:
+ OpenSSL Generated Server Certificate
+ X509v3 Subject Key Identifier:
+ 17:07:3B:AA:85:83:B5:04:83:EC:B2:6C:1E:3A:F0:F5:59:AA:61:28
+ X509v3 Subject Alternative Name:
+ DNS:localhost, DNS:unresolvable-broker-address, IP
Address:127.0.0.1
+ X509v3 Authority Key Identifier:
+
keyid:57:0B:E9:CB:23:E8:BF:47:3E:50:7A:3F:45:7E:A1:18:43:9D:15:27
+ DirName:/CN=foobar
+ serial:D7:E2:87:4F:A0:79:E2:0C
+
+ X509v3 Key Usage: critical
+ Digital Signature, Key Encipherment
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication
+ Signature Algorithm: sha256WithRSAEncryption
+ e4:27:61:e2:0f:b6:a0:ca:9f:ce:e3:53:0b:44:ab:86:a1:e2:
+ 4d:88:e1:7d:2e:b0:aa:32:96:2b:3d:da:60:70:6a:c3:62:c5:
+ 76:f2:8f:0d:16:31:f2:ad:e5:2f:43:f3:cb:e4:fa:95:6c:20:
+ 81:33:1a:c7:5a:55:57:c9:ab:ca:66:45:30:58:00:db:e8:51:
+ c9:2c:a9:72:c1:18:f5:01:87:9f:73:20:85:6c:e5:6c:3f:c9:
+ 67:b4:f0:20:e5:ed:e2:4a:08:0b:af:68:43:e5:a9:c7:e1:39:
+ e8:b5:49:cb:47:4a:6d:e5:16:ae:88:92:13:85:8e:42:1e:0a:
+ eb:59:ed:a7:c1:9b:bc:4b:7b:99:f8:1d:f0:d7:1d:90:c9:cf:
+ 86:6a:d3:10:d0:36:e4:f5:b9:33:79:c7:a2:68:31:f7:bb:8d:
+ 1e:d6:33:79:bd:e7:0e:4f:4d:e9:2e:15:04:4f:6b:4b:2e:93:
+ 28:72:d1:0e:aa:ee:e6:ef:68:be:58:2b:cc:56:01:27:16:f9:
+ 34:8e:66:86:27:0a:b0:fb:32:56:a9:8a:d9:6f:b1:86:bd:ba:
+ fd:50:6c:d5:b2:54:e7:4e:c6:2d:19:88:a9:89:2c:ef:be:08:
+ 0d:2b:49:91:0b:09:42:64:06:a3:9d:d7:94:ed:e8:74:74:48:
+ 43:57:41:6f:e5:06:98:46:1d:c5:60:9c:69:f8:fb:fe:a6:01:
+ 4a:35:be:21:36:c2:a3:44:c8:c4:2c:21:09:f4:28:9a:ad:a0:
+ 97:1e:00:29:cc:0f:26:fa:59:21:25:c0:9e:fa:22:53:67:6d:
+ ab:a6:56:08:fd:37:1d:69:fe:ef:6f:29:89:1a:66:7b:c7:ff:
+ b1:34:f1:d6:be:21:81:e3:bc:4f:13:02:a7:4b:9d:13:05:46:
+ 40:88:4a:aa:db:fb:64:f8:6b:fb:5d:a0:b1:0c:1a:b8:4c:ab:
+ 6f:69:fe:0b:55:4e:b3:38:1f:91:0b:71:77:1e:11:39:54:9a:
+ 62:51:ea:6d:a8:5e:0d:4a:91:fb:d8:be:5d:93:e8:43:f3:4a:
+ 11:fb:31:cf:14:1a:1c:8d:31:1b:99:31:e0:2b:81:01:91:6f:
+ da:ba:cb:1f:51:21:55:29:3f:4c:71:e3:d0:29:41:de:a0:00:
+ da:07:ed:5e:c9:af:32:61:6d:55:f8:f5:2d:46:03:34:33:fb:
+ 2e:1e:aa:7c:fe:d2:30:4d:40:cc:ed:76:ec:f6:bd:ed:35:c8:
+ d8:b3:46:56:aa:2c:53:84:56:45:b0:a3:f6:35:66:93:da:8c:
+ 17:39:c1:29:7c:99:c5:0b:73:c1:f9:16:d0:57:fc:57:59:06:
+ af:39:9f:a9:51:35:0b:c7
-----BEGIN CERTIFICATE-----
-MIIEkDCCAnigAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwETEPMA0GA1UEAwwGZm9v
-YmFyMCAXDTE4MDYyMjA4NTUzMloYDzIyOTIwNDA2MDg1NTMyWjAjMSEwHwYDVQQD
-DBhicm9rZXIucHVsc2FyLmFwYWNoZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQDQouKhZah4hMCqmg4aS5RhQG/Y1gA+yP9DGF9mlw35tfhfWs63
-EvNjEK4L/ZWSEV45L/wc6YV14RmM6bJ0V/0vXo4xmISbqptND/2kRIspkLZQ5F0O
-OQXVicqZLOc6igZQhRg8ANDYdTJUTF65DqauX4OJt3YMhF2FSt7jQtlj06IQBa01
-+ARO9OotMJtBY+vIU5bV6JydfgkhQH9rIDI7AMeY5j02gGkJJrelfm+WoOsUez+X
-aqTN3/tF8+MBcFB3G04s1qc2CJPJM3YGxvxEtHqTGI14t9J8p5O7X9JHpcY8X00s
-bxa4FGbKgfDobbkJ+GgblWCkAcLN95sKTqtHAgMBAAGjgd0wgdowCQYDVR0TBAIw
-ADARBglghkgBhvhCAQEEBAMCBkAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2Vu
-ZXJhdGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUaxFvJrkEGqk8azTA
-DyVyTyTbJAIwQQYDVR0jBDowOIAUVwvpyyPov0c+UHo/RX6hGEOdFSehFaQTMBEx
-DzANBgNVBAMMBmZvb2JhcoIJANfih0+geeIMMA4GA1UdDwEB/wQEAwIFoDATBgNV
-HSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEA35QDGclHzQtHs3yQ
-ZzNOSKisg5srTiIoQgRzfHrXfkthNFCnBzhKjBxqk3EIasVtvyGuk0ThneC1ai3y
-ZK3BivnMZfm1SfyvieFoqWetsxohWfcpOSVkpvO37P6v/NmmaTIGkBN3gxKCx0QN
-zqApLQyNTM++X3wxetYH/afAGUrRmBGWZuJheQpB9yZ+FB6BRp8YuYIYBzANJyW9
-spvXW03TpqX2AIoRBoGMLzK72vbhAbLWiCIfEYREhbZVRkP+yvD338cWrILlOEur
-x/n8L/FTmbf7mXzHg4xaQ3zg/5+0OCPMDPUBE4xWDBAbZ82hgOcTqfVjwoPgo2V0
-fbbx6redq44J3Vn5d9Xhi59fkpqEjHpX4xebr5iMikZsNTJMeLh0h3uf7DstuO9d
-mfnF5j+yDXCKb9XzCsTSvGCN+spmUh6RfSrbkw8/LrRvBUpKVEM0GfKSnaFpOaSS
-efM4UEi72FRjszzHEkdvpiLhYvihINLJmDXszhc3fCi42be/DGmUhuhTZWynOPmp
-0N0V/8/sGT5gh4fGEtGzS/8xEvZwO9uDlccJiG8Pi+aO0/K9urB9nppd/xKWXv3C
-cib/QrW0Qow4TADWC1fnGYCpFzzaZ2esPL2MvzOYXnW4/AbEqmb6Weatluai64ZK
-3N2cGJWRyvpvvmbP2hKCa4eLgEc=
+MIIExzCCAq+gAwIBAgICEAcwDQYJKoZIhvcNAQELBQAwETEPMA0GA1UEAwwGZm9v
+YmFyMCAXDTIzMDUxMDE1NTAxOFoYDzIyOTcwMjIyMTU1MDE4WjAfMR0wGwYDVQQD
+DBRicm9rZXItbG9jYWxob3N0LVNBTjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAN7R2ruRsxbEsuiJMJ7BXgvP28TD2bGvQKULODYbFP4PIpzmWWoVW9v2
+9/OlAimUetIMZ62qY2J+/FgRKUi4PJGyc34Sa/LqNncPFZtGlc5zFY3I2ZdXA5Az
+LX3z7uUBbdjG2qsHud0c4EvOat6o0uPBUm2DOgrw7c/3VmqHDnPjEoIrZavYqURb
+Si+lkpQy8aHkrxgPDxhgzffQnQOf1+moYFS7O5oF2/04BDy0I0EWbHw72bbgL73L
+YlUb6NCPQ3bvVYbPJcO8ruNGUIn3ca0GXijm9vB2J+p+G2dTOSYgGRiCsRFf6pHC
+49P2Wsf9YaKS3n182m3ovzlSEDFgS+ECAwEAAaOCARcwggETMAkGA1UdEwQCMAAw
+EQYJYIZIAYb4QgEBBAQDAgZAMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVy
+YXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFBcHO6qFg7UEg+yybB46
+8PVZqmEoMDcGA1UdEQQwMC6CCWxvY2FsaG9zdIIbdW5yZXNvbHZhYmxlLWJyb2tl
+ci1hZGRyZXNzhwR/AAABMEEGA1UdIwQ6MDiAFFcL6csj6L9HPlB6P0V+oRhDnRUn
+oRWkEzARMQ8wDQYDVQQDDAZmb29iYXKCCQDX4odPoHniDDAOBgNVHQ8BAf8EBAMC
+BaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggIBAOQnYeIP
+tqDKn87jUwtEq4ah4k2I4X0usKoylis92mBwasNixXbyjw0WMfKt5S9D88vk+pVs
+IIEzGsdaVVfJq8pmRTBYANvoUcksqXLBGPUBh59zIIVs5Ww/yWe08CDl7eJKCAuv
+aEPlqcfhOei1SctHSm3lFq6IkhOFjkIeCutZ7afBm7xLe5n4HfDXHZDJz4Zq0xDQ
+NuT1uTN5x6JoMfe7jR7WM3m95w5PTekuFQRPa0sukyhy0Q6q7ubvaL5YK8xWAScW
++TSOZoYnCrD7MlapitlvsYa9uv1QbNWyVOdOxi0ZiKmJLO++CA0rSZELCUJkBqOd
+15Tt6HR0SENXQW/lBphGHcVgnGn4+/6mAUo1viE2wqNEyMQsIQn0KJqtoJceACnM
+Dyb6WSElwJ76IlNnbaumVgj9Nx1p/u9vKYkaZnvH/7E08da+IYHjvE8TAqdLnRMF
+RkCISqrb+2T4a/tdoLEMGrhMq29p/gtVTrM4H5ELcXceETlUmmJR6m2oXg1KkfvY
+vl2T6EPzShH7Mc8UGhyNMRuZMeArgQGRb9q6yx9RIVUpP0xx49ApQd6gANoH7V7J
+rzJhbVX49S1GAzQz+y4eqnz+0jBNQMztduz2ve01yNizRlaqLFOEVkWwo/Y1ZpPa
+jBc5wSl8mcULc8H5FtBX/FdZBq85n6lRNQvH
-----END CERTIFICATE-----
diff --git a/tests/certificate-authority/server-keys/broker.csr.pem
b/tests/certificate-authority/server-keys/broker.csr.pem
index d2342595eb2..9d28c52be79 100644
--- a/tests/certificate-authority/server-keys/broker.csr.pem
+++ b/tests/certificate-authority/server-keys/broker.csr.pem
@@ -1,15 +1,15 @@
-----BEGIN CERTIFICATE REQUEST-----
-MIICaDCCAVACAQAwIzEhMB8GA1UEAwwYYnJva2VyLnB1bHNhci5hcGFjaGUub3Jn
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0KLioWWoeITAqpoOGkuU
-YUBv2NYAPsj/QxhfZpcN+bX4X1rOtxLzYxCuC/2VkhFeOS/8HOmFdeEZjOmydFf9
-L16OMZiEm6qbTQ/9pESLKZC2UORdDjkF1YnKmSznOooGUIUYPADQ2HUyVExeuQ6m
-rl+Dibd2DIRdhUre40LZY9OiEAWtNfgETvTqLTCbQWPryFOW1eicnX4JIUB/ayAy
-OwDHmOY9NoBpCSa3pX5vlqDrFHs/l2qkzd/7RfPjAXBQdxtOLNanNgiTyTN2Bsb8
-RLR6kxiNeLfSfKeTu1/SR6XGPF9NLG8WuBRmyoHw6G25CfhoG5VgpAHCzfebCk6r
-RwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAHVVGKnfqBDmu+e5MWK9i0ja/JFv
-dhST705gdKDOPc7MXDVr+zJZKgvnDtzDrWTe7Zk0p7xQf3kc773eYCdlznX+J1Fw
-EfIHXQTBZRZxmHnYqc012i5tshvEOS0o61ZEgxz8hxGLwGlRaIcy+qt927fscpQ5
-7VEnlxzD4YeHwryIXH5hOr/J1OmlL58Fxwh2NJfso7ErRuHW44XK4qdwWCQs/nVN
-EQyV6RCbaiRq9Ks4j3FwtqmfgzMB1+T3L+CiuhPol2/rZwD3o5j7SP8ZGxC15Tzi
-wHG71H0wp1CY+tkAcvm2zmoHR9z1SD84raZLYJVRgUio7myW/DVBqPxCSvU=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-----END CERTIFICATE REQUEST-----
diff --git a/tests/certificate-authority/server-keys/broker.key-pk8.pem
b/tests/certificate-authority/server-keys/broker.key-pk8.pem
index 2b51d015b8a..dd9fa523e8e 100644
--- a/tests/certificate-authority/server-keys/broker.key-pk8.pem
+++ b/tests/certificate-authority/server-keys/broker.key-pk8.pem
@@ -1,28 +1,28 @@
-----BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDQouKhZah4hMCq
-mg4aS5RhQG/Y1gA+yP9DGF9mlw35tfhfWs63EvNjEK4L/ZWSEV45L/wc6YV14RmM
-6bJ0V/0vXo4xmISbqptND/2kRIspkLZQ5F0OOQXVicqZLOc6igZQhRg8ANDYdTJU
-TF65DqauX4OJt3YMhF2FSt7jQtlj06IQBa01+ARO9OotMJtBY+vIU5bV6Jydfgkh
-QH9rIDI7AMeY5j02gGkJJrelfm+WoOsUez+XaqTN3/tF8+MBcFB3G04s1qc2CJPJ
-M3YGxvxEtHqTGI14t9J8p5O7X9JHpcY8X00sbxa4FGbKgfDobbkJ+GgblWCkAcLN
-95sKTqtHAgMBAAECggEBALE1eMtfnk3nbAI74bih84D7C0Ug14p8jJv/qqBnsx4j
-WrgbWDMVrJa7Rym2FQHBMMfgIwKnso0iSeJvaPz683j1lk833YKe0VQOPgD1m0IN
-wV1J6mQ3OOZcKDIcerY1IBHqSmBEzR7dxIbnaxlCAX9gb0hdBK6zCwA5TMG5OQ5Y
-3cGOmevK5i2PiejhpruA8h7E48P1ATaGHUZif9YD724oi6AcilQ8H/DlOjZTvlmK
-r4aJ30f72NwGM8Ecet5CE2wyflAGtY0k+nChYkPRfy54u64Z/T9B53AvneFaj8jv
-yFepZgRTs2cWhEl0KQGuBHQ4+IeOfMt2LebhvjWW8YkCgYEA7BXVsnqPHKRDd8wP
-eNkolY4Fjdq4wu9ad+DaFiZcJuv7ugr+Kplltq6e4aU36zEdBYdPp/6KM/HGE/Xj
-bo0CELNUKs/Ny9H/UJc8DDbVEmoF3XGiIbKKq1T8NTXTETFnwrGkBFD8nl7YTsOF
-M4FZmSok0MhhkpEULAqxBS6YpQsCgYEA4jxM1egTVSWjTreg2UdYo2507jKa7maP
-PRtoPsNJzWNbOpfj26l3/8pd6oYKWck6se6RxIUxUrk3ywhNJIIOvWEC7TaOH1c9
-T4NQNcweqBW9+A1x5gyzT14gDaBfl45gs82vI+kcpVv/w2N3HZOQZX3yAUqWpfw2
-yw1uQDXtgDUCgYEAiYPWbBXTkp1j5z3nrT7g0uxc89n5USLWkYlZvxktCEbg4+dP
-UUT06EoipdD1F3wOKZA9p98uZT9pX2sUxOpBz7SFTEKq3xQ9IZZWFc9CoW08aVat
-V++FsnLYTa5CeXtLsy6CGTmLTDx2xrpAtlWb+QmBVFPD8fmrxFOd9STFKS0CgYAt
-6ztVN3OlFqyc75yQPXD6SxMkvdTAisSMDKIOCylRrNb5f5baIP2gR3zkeyxiqPtm
-3htsHfSy67EtXpP50wQW4Dft2eLi7ZweJXMEWFfomfEjBeeWYAGNHHe5DFIauuVZ
-2WexDEGqNpAlIm0s7aSjVPrn1DHbouOkNyenlMqN+QKBgQDVYVhk9widShSnCmUA
-G30moXDgj3eRqCf5T7NEr9GXD1QBD/rQSPh5agnDV7IYLpV7/wkYLI7l9x7mDwu+
-I9mRXkyAmTVEctLTdXQHt0jdJa5SfUaVEDUzQbr0fUjkmythTvqZ809+d3ELPeLI
-5qJ7jxgksHWji4lYfL4r4J6Zaw==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-----END PRIVATE KEY-----
diff --git a/tests/certificate-authority/server-keys/broker.key.pem
b/tests/certificate-authority/server-keys/broker.key.pem
index dc22667ab47..5c20238c7b9 100644
--- a/tests/certificate-authority/server-keys/broker.key.pem
+++ b/tests/certificate-authority/server-keys/broker.key.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA0KLioWWoeITAqpoOGkuUYUBv2NYAPsj/QxhfZpcN+bX4X1rO
-txLzYxCuC/2VkhFeOS/8HOmFdeEZjOmydFf9L16OMZiEm6qbTQ/9pESLKZC2UORd
-DjkF1YnKmSznOooGUIUYPADQ2HUyVExeuQ6mrl+Dibd2DIRdhUre40LZY9OiEAWt
-NfgETvTqLTCbQWPryFOW1eicnX4JIUB/ayAyOwDHmOY9NoBpCSa3pX5vlqDrFHs/
-l2qkzd/7RfPjAXBQdxtOLNanNgiTyTN2Bsb8RLR6kxiNeLfSfKeTu1/SR6XGPF9N
-LG8WuBRmyoHw6G25CfhoG5VgpAHCzfebCk6rRwIDAQABAoIBAQCxNXjLX55N52wC
-O+G4ofOA+wtFINeKfIyb/6qgZ7MeI1q4G1gzFayWu0cpthUBwTDH4CMCp7KNIkni
-b2j8+vN49ZZPN92CntFUDj4A9ZtCDcFdSepkNzjmXCgyHHq2NSAR6kpgRM0e3cSG
-52sZQgF/YG9IXQSuswsAOUzBuTkOWN3BjpnryuYtj4no4aa7gPIexOPD9QE2hh1G
-Yn/WA+9uKIugHIpUPB/w5To2U75Ziq+Gid9H+9jcBjPBHHreQhNsMn5QBrWNJPpw
-oWJD0X8ueLuuGf0/QedwL53hWo/I78hXqWYEU7NnFoRJdCkBrgR0OPiHjnzLdi3m
-4b41lvGJAoGBAOwV1bJ6jxykQ3fMD3jZKJWOBY3auMLvWnfg2hYmXCbr+7oK/iqZ
-ZbaunuGlN+sxHQWHT6f+ijPxxhP1426NAhCzVCrPzcvR/1CXPAw21RJqBd1xoiGy
-iqtU/DU10xExZ8KxpARQ/J5e2E7DhTOBWZkqJNDIYZKRFCwKsQUumKULAoGBAOI8
-TNXoE1Ulo063oNlHWKNudO4ymu5mjz0baD7DSc1jWzqX49upd//KXeqGClnJOrHu
-kcSFMVK5N8sITSSCDr1hAu02jh9XPU+DUDXMHqgVvfgNceYMs09eIA2gX5eOYLPN
-ryPpHKVb/8Njdx2TkGV98gFKlqX8NssNbkA17YA1AoGBAImD1mwV05KdY+c9560+
-4NLsXPPZ+VEi1pGJWb8ZLQhG4OPnT1FE9OhKIqXQ9Rd8DimQPaffLmU/aV9rFMTq
-Qc+0hUxCqt8UPSGWVhXPQqFtPGlWrVfvhbJy2E2uQnl7S7Mughk5i0w8dsa6QLZV
-m/kJgVRTw/H5q8RTnfUkxSktAoGALes7VTdzpRasnO+ckD1w+ksTJL3UwIrEjAyi
-DgspUazW+X+W2iD9oEd85HssYqj7Zt4bbB30suuxLV6T+dMEFuA37dni4u2cHiVz
-BFhX6JnxIwXnlmABjRx3uQxSGrrlWdlnsQxBqjaQJSJtLO2ko1T659Qx26LjpDcn
-p5TKjfkCgYEA1WFYZPcInUoUpwplABt9JqFw4I93kagn+U+zRK/Rlw9UAQ/60Ej4
-eWoJw1eyGC6Ve/8JGCyO5fce5g8LviPZkV5MgJk1RHLS03V0B7dI3SWuUn1GlRA1
-M0G69H1I5JsrYU76mfNPfndxCz3iyOaie48YJLB1o4uJWHy+K+CemWs=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-----END RSA PRIVATE KEY-----
diff --git a/tests/certificate-authority/server-keys/proxy.cert.pem
b/tests/certificate-authority/server-keys/proxy.cert.pem
index 02caee58263..85687bdfd30 100644
--- a/tests/certificate-authority/server-keys/proxy.cert.pem
+++ b/tests/certificate-authority/server-keys/proxy.cert.pem
@@ -1,27 +1,110 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4104 (0x1008)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=foobar
+ Validity
+ Not Before: May 10 15:50:19 2023 GMT
+ Not After : Feb 22 15:50:19 2297 GMT
+ Subject: CN=proxy-localhost-SAN
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:cc:15:c9:85:06:43:47:bd:46:9f:4f:03:1a:e0:
+ 6e:94:13:4e:b0:30:ea:88:ca:3a:e4:39:92:12:c1:
+ 77:51:8c:0d:3c:b9:26:5c:2f:dc:fc:b1:5a:bf:0e:
+ 47:ff:09:60:30:79:8e:55:26:fe:d0:a1:ed:9f:6d:
+ 8a:6a:06:85:f0:d0:dc:94:a6:54:a1:a6:c9:3e:57:
+ d5:69:7d:e9:25:c1:ef:6b:77:e1:62:76:d8:e4:54:
+ 91:40:bc:0b:11:74:b8:30:bb:d4:02:77:d6:bd:d2:
+ d0:e7:ad:df:7d:98:96:74:42:ad:53:b3:88:c8:dc:
+ 1d:db:51:63:84:ee:7e:85:73:14:5e:d4:c8:f0:01:
+ 5f:67:52:ed:94:87:f7:d6:aa:28:8b:2c:84:98:8c:
+ b9:91:b5:38:99:80:5d:b3:d4:db:95:96:09:ef:1d:
+ a1:6f:86:c8:17:86:f7:0a:1e:72:3b:50:8c:53:e5:
+ ce:d4:8c:cf:cc:81:3d:46:55:ff:65:25:0b:36:31:
+ 31:a6:22:27:47:96:59:38:c1:cd:66:a6:9a:83:98:
+ dc:b8:2e:10:8d:ba:45:ae:aa:20:6e:e3:0b:bd:ec:
+ e6:63:b5:40:55:d4:fe:97:b1:f1:8d:9a:c0:a2:46:
+ 8e:a3:ed:a0:1b:ed:40:b0:00:a5:28:f9:da:03:bd:
+ c1:a9
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ Netscape Cert Type:
+ SSL Server
+ Netscape Comment:
+ OpenSSL Generated Server Certificate
+ X509v3 Subject Key Identifier:
+ C5:33:73:67:03:B7:51:08:F4:BD:D3:CD:4F:DC:CF:83:11:53:AD:39
+ X509v3 Subject Alternative Name:
+ DNS:localhost, IP Address:127.0.0.1
+ X509v3 Authority Key Identifier:
+
keyid:57:0B:E9:CB:23:E8:BF:47:3E:50:7A:3F:45:7E:A1:18:43:9D:15:27
+ DirName:/CN=foobar
+ serial:D7:E2:87:4F:A0:79:E2:0C
+
+ X509v3 Key Usage: critical
+ Digital Signature, Key Encipherment
+ X509v3 Extended Key Usage:
+ TLS Web Server Authentication
+ Signature Algorithm: sha256WithRSAEncryption
+ 43:ef:67:29:9a:0c:53:97:7c:fc:72:73:6c:8d:48:78:4e:ec:
+ e3:14:9d:d9:1e:83:4c:d6:f0:56:e9:c4:d8:de:f5:54:fb:a5:
+ 3b:ff:59:23:75:26:74:f0:86:90:d0:4d:41:25:03:87:e0:60:
+ a4:9b:33:3d:bd:1c:79:b8:db:86:1c:38:09:26:0d:80:3e:f9:
+ 1e:28:11:0d:3d:6b:1e:1a:7a:9a:fa:fc:18:22:7f:fd:46:55:
+ c2:2f:56:5c:5c:8a:45:f2:74:7a:e4:6c:d0:e0:ea:ec:74:b7:
+ 0d:a8:f3:ca:18:cf:a4:be:a0:e0:4a:32:ca:15:7e:5d:06:56:
+ b7:71:7c:e0:dc:19:fa:be:3e:94:84:20:be:96:34:61:0b:f0:
+ d1:d6:31:49:0b:b0:20:b8:f9:5c:49:08:13:9b:45:c0:6f:58:
+ 16:81:0b:0c:f8:66:38:58:83:d4:b0:bc:14:35:8d:e2:1d:d5:
+ 2d:ea:02:ae:42:e1:88:22:5a:b0:cf:e5:31:b1:cb:d3:e9:d2:
+ 5e:88:55:bd:62:ac:85:aa:4e:fc:18:6b:65:f9:9e:fc:93:27:
+ 0c:c6:29:aa:f0:64:6e:72:dc:d9:95:ae:38:ae:64:9e:c6:44:
+ 8a:0b:0f:0e:d4:69:7e:79:e0:46:d0:75:96:2a:1a:60:af:30:
+ 23:dc:d2:67:0d:08:2a:9d:58:29:09:1e:c8:08:d5:3a:88:2d:
+ 1a:dc:47:dc:5d:bd:0d:5c:54:f1:5d:5a:6d:0d:de:bc:18:67:
+ 2d:dd:1b:fe:8b:0e:03:19:b0:0f:f2:59:69:d0:7a:4f:a1:33:
+ 74:f7:22:ef:ff:90:e1:4b:8e:ac:13:00:6f:00:9b:55:83:d2:
+ 96:db:a8:81:c9:a9:8d:c6:a6:21:3d:14:d3:43:71:28:c6:ea:
+ 6d:2d:91:b9:58:bf:ec:18:75:c4:8c:10:43:88:60:08:c0:bb:
+ 9d:fb:90:80:1e:d5:a3:ea:e7:8a:16:f7:f4:d7:cb:35:93:03:
+ 55:e4:cc:58:31:1e:df:6e:e4:1b:6e:ad:3a:76:56:e5:8b:4e:
+ d9:71:af:11:92:a7:7a:e2:66:cc:d2:73:f3:ec:e8:3b:67:f0:
+ 6a:31:10:82:e8:c4:1e:ae:c3:54:a7:e2:42:86:fe:43:75:ad:
+ ef:83:d7:1c:2f:91:94:1c:57:9d:1c:43:94:b1:47:b2:6c:96:
+ fd:83:69:0f:6c:e2:18:9b:65:8e:71:08:01:b3:73:46:aa:3c:
+ 2e:07:14:cd:03:ae:dc:5a:51:da:c5:41:53:cc:f5:fc:c8:db:
+ 4e:76:27:99:9a:ec:40:68:07:d6:10:e1:f9:68:6b:5d:52:95:
+ 3d:01:f4:a7:40:11:61:0a
-----BEGIN CERTIFICATE-----
-MIIEjzCCAnegAwIBAgICEAYwDQYJKoZIhvcNAQENBQAwETEPMA0GA1UEAwwGZm9v
-YmFyMCAXDTIyMTAxODEwMTQwMVoYDzIyOTYwODAyMTAxNDAxWjAiMSAwHgYDVQQD
-DBdwcm94eS5wdWxzYXIuYXBhY2hlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAPPnBnkHqKvXuv7BKOoQ8nAa7gEVAjzRANhOx2Yk3/JpN1/Ash48
-UltPjHtop1kXLrnjM3DahQuolz1A/N5sN2RGoe+/Y/aI/FRDF25yGzEoM/kwZDjm
-ejQj2Hb6YsupI+YYtPr5ZDSeIBvvlVurXfXJkZf5CXYeEjqr1pEpLpNCZoWoOiiC
-73/0KBoOToR5+akw+Db2Qr5FSz7AuTQ9KUZ1HZNl4xZBuEha6avESdRykH2XQzDs
-qMBVruByHbzO1pg/op4iOhqQ6DFu67veKjWzMLxKR7x/A8UOd9f9D3+pabBoU72b
-NqgwbKCnERoo3Y0ge1B1x7GORR7GHrWSKlUCAwEAAaOB3TCB2jAJBgNVHRMEAjAA
-MBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5l
-cmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBQqVR7lwaEgKHsI8+D8
-nNxPmgWZ7TBBBgNVHSMEOjA4gBRXC+nLI+i/Rz5Qej9FfqEYQ50VJ6EVpBMwETEP
-MA0GA1UEAwwGZm9vYmFyggkA1+KHT6B54gwwDgYDVR0PAQH/BAQDAgWgMBMGA1Ud
-JQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBDQUAA4ICAQBtoQTZ5u6NpDIKHo6V
-yZqkRrMcg9J61zRm0tbf4D/iIsfWNiJrAWSudK4OgkUrXj4LFWKvzzcZtPltuUr5
-yODXZgz8lnyLbw6GyrKFU4Gpbr8Be30Y1yF7dfTV0yp5ZoIXNILfKhU3not1yL41
-0owaO7N0PyDAzQ7erPbbB9UG7xhYM5qFfAnevwX1rde12JHJULfeE9Ushuv+DcK5
-JmNvkRE+nB/dljsST9pW+zjBDuhwTiDZMPtUPyM0tPn6+x5zwF0pWFKhCkO8lVhr
-TxCG/bMF3j/0MxjQvDvcijJFHaZqLHsw/FqgEM5SNgAsTuuY7wBohSNRddfvahV1
-xPdXUrALuDH/NmIzaYZW6hh6mOhl+R7lP2XXZbFTpTGVdoosdBTGkjbPGKMrT/L8
-hwLvFezXaHZzqj4hLnmqFbhu+dDH55EE1HT5RP7kxGCq1AMuwlsjOVxURS0FZi87
-Oaq19NKsyWfdf8igONsk0GBt5HeG+93fJkW/SxssTJdz1xc91KgGDlP3nAW3xBAz
-TRvgiKIeMzOh+SWkTyz/cJugyxD+wXaAEL7VYsgOwilV+rbWKTDPvnNORqrLO/md
-MHZqYWkFlld2kw8i4LYc6zXOsOWlOv0ZM7VcEs7ufBADQEiZPkDNvWlzM97oDabE
-n/htdqxnoZ3NHJ1HJnz03jKSfg==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-----END CERTIFICATE-----
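Review bot: Nothing in the new `proxy.cert.pem` marks it as a test-only credential, even though the dump shows it is valid until `Feb 22 15:50:19 2297 GMT` for `DNS:localhost, IP Address:127.0.0.1` and `proxy.key.pem` / `proxy.key-pk8.pem` are replaced in this same commit, so the presumably matching private key is public for the certificate's whole lifetime. That is acceptable for a fixture, but anyone who copies the file or trusts the issuing CA (`CN=foobar`) outside the test tree inherits that exposure. The text dump placed before the `-----BEGIN CERTIFICATE-----` line suggests the loaders used by the tests skip leading text, so a first line such as `Test fixture only: the private key is published in this repository; never add the issuing CA to a non-test trust store.` would carry the constraint with the file. The same applies to the broker certificate earlier in the diff, whose hunk starts outside this view. Whether the directory's own documentation already says this cannot be seen from here.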
diff --git a/tests/certificate-authority/server-keys/proxy.csr.pem
b/tests/certificate-authority/server-keys/proxy.csr.pem
index 8dbf74bb819..6cebd3548a1 100644
--- a/tests/certificate-authority/server-keys/proxy.csr.pem
+++ b/tests/certificate-authority/server-keys/proxy.csr.pem
@@ -1,15 +1,15 @@
-----BEGIN CERTIFICATE REQUEST-----
-MIICZzCCAU8CAQAwIjEgMB4GA1UEAwwXcHJveHkucHVsc2FyLmFwYWNoZS5vcmcw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDz5wZ5B6ir17r+wSjqEPJw
-Gu4BFQI80QDYTsdmJN/yaTdfwLIePFJbT4x7aKdZFy654zNw2oULqJc9QPzebDdk
-RqHvv2P2iPxUQxduchsxKDP5MGQ45no0I9h2+mLLqSPmGLT6+WQ0niAb75Vbq131
-yZGX+Ql2HhI6q9aRKS6TQmaFqDoogu9/9CgaDk6EefmpMPg29kK+RUs+wLk0PSlG
-dR2TZeMWQbhIWumrxEnUcpB9l0Mw7KjAVa7gch28ztaYP6KeIjoakOgxbuu73io1
-szC8Ske8fwPFDnfX/Q9/qWmwaFO9mzaoMGygpxEaKN2NIHtQdcexjkUexh61kipV
-AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAMBYwlvpcPsZQQMwUbts7GsX35Hcn
-FAl8iWcKr9uw/9sSrZkstI9Aa8As+KYPeY3Z2p5TYY1TXokZa936NB00CWnY+gxY
-lfKXy31yPqEHSwir1pQDU+WTILwZfbptFpAFEBy0SCDWrBZJUbM1ngqcVDg9jlQi
-iZMDYbsnZ828Hn4e97P83bOubSBWIf1Rp6LcbIzJtwGCGVp+XPJYPMFXmpzAtwrT
-tSgzCnHXseYKwIbjr+ReW58jE8Z59UqBm3/VeidLg94VfITuN5et42yypWd9Z7DU
-C/qE8gjrqlvl49Xi6ye/RxKTMN+8TiQigU5ngEnYvNKbpKhU4veXHKjfrg==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-----END CERTIFICATE REQUEST-----
diff --git a/tests/certificate-authority/server-keys/proxy.key-pk8.pem
b/tests/certificate-authority/server-keys/proxy.key-pk8.pem
index 114fe2fb04d..0dc72cde403 100644
--- a/tests/certificate-authority/server-keys/proxy.key-pk8.pem
+++ b/tests/certificate-authority/server-keys/proxy.key-pk8.pem
@@ -1,28 +1,28 @@
-----BEGIN PRIVATE KEY-----
-MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDz5wZ5B6ir17r+
-wSjqEPJwGu4BFQI80QDYTsdmJN/yaTdfwLIePFJbT4x7aKdZFy654zNw2oULqJc9
-QPzebDdkRqHvv2P2iPxUQxduchsxKDP5MGQ45no0I9h2+mLLqSPmGLT6+WQ0niAb
-75Vbq131yZGX+Ql2HhI6q9aRKS6TQmaFqDoogu9/9CgaDk6EefmpMPg29kK+RUs+
-wLk0PSlGdR2TZeMWQbhIWumrxEnUcpB9l0Mw7KjAVa7gch28ztaYP6KeIjoakOgx
-buu73io1szC8Ske8fwPFDnfX/Q9/qWmwaFO9mzaoMGygpxEaKN2NIHtQdcexjkUe
-xh61kipVAgMBAAECggEBAJ/DuDC1fJ477OiNPLC+MyCN81NQIKwXt/b4+5KEGxHe
-LACT59j4aHYZkIsSDXTFQ71N/1cwPLBbWd4s4LcNqecMgWzbMK7AIpFLdWDKa9dy
-X0EemrfO+UOIK3YcI3UGsVY63un7TNFOtve1o19tzFmBFNa4saLmpcg64Y0qrbCV
-KcHslT1T07szp5s+weiMxgsD17foNSBEXLxP7+1F9NPlWuiHh+Rl2/t+K2tjrXeI
-EN9dtv29q4v9jCRU4yhIunAjLEvrMYCSGhXEGa+MRkgXkTPhhVN5nWX6M0uDyKgK
-aJJBv+/H6QVj4XetubYdLjII0L2q/vckoD5JsaYfz40CgYEA/7ID5OWbp/OOCjK1
-wbMByKwLUL5tHapZIoYdNg/w6zjjYl1TM9e18p1llOb+oPTEk+p8LigkkkDvPrEZ
-zAhAU3Z3nRWGkVOLNYycuSed283Up0Kml08vsRNGDa78bma4GaWnJpOuPx5fB1HN
-njjq9XhYzIEAHO4dT2dAQB003JMCgYEA9DFp0FnfsZsuAMLwBJJ08yHn4CjoYpMq
-TAg3JScEjnm1ELJBvqLYRHzqHVeSKUHTtVDwaAqMe43qEnQ3IuFS+dhJGfOX41Cf
-Yw7WDZvIeuPZER7WXUY27wmjGbjx6SdIuDYnYYA0P3RSGm3VcGZqaLoW7MvfDB0y
-pYpVSV6pFncCgYEAz5/dSaCoJFjAncdPj1mruSb6iTYXpF8OwdnlHmETX+1xtg3R
-4ebm93qXYbGwUUJv3SwqadBu4dOYcW+dYu/QS/WGaydvfdI41+K14CMrK7CXXLni
-TDsgnsjnuXS9xWfjVfANKmYAt4AR6f+i1zegknKGqIiXbuZrJm7Q3T7aDcECgYEA
-7tXBm6G7kzemt+Hx5VblgcOgyfLYz0kG7pR+cx0FbOCHAsyGVxFpGxtd09MJxsZ2
-bXm7mNbwbgvwa5o1Ly1Y/brYTMSewxrguX8SRv8eB2wAq6kQmuwI4KT5XDgyiwr8
-Kgf1XnyJHaMEhor0XlodK08PCw2fm3aXSafSIM+v66MCgYEAiGDfCy25tcI4UpAb
-v8WjI2Y7EXE2vJQ/mqMhKzmfME8HMzBvuzhwAERJgPHh1lNOIwH1LnF4lZS7jr75
-A78lgfTj6ZKNHpr5s5+5zdllvFwQ51SczCUnZv0flb/S5Qeciqh0a//pe9FQvL3+
-3cqpvX158ljL8FYfcPQOBuIUdjw=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-----END PRIVATE KEY-----
diff --git a/tests/certificate-authority/server-keys/proxy.key.pem
b/tests/certificate-authority/server-keys/proxy.key.pem
index ec79e9ddf23..17c431ba9f5 100644
--- a/tests/certificate-authority/server-keys/proxy.key.pem
+++ b/tests/certificate-authority/server-keys/proxy.key.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpgIBAAKCAQEA8+cGeQeoq9e6/sEo6hDycBruARUCPNEA2E7HZiTf8mk3X8Cy
-HjxSW0+Me2inWRcuueMzcNqFC6iXPUD83mw3ZEah779j9oj8VEMXbnIbMSgz+TBk
-OOZ6NCPYdvpiy6kj5hi0+vlkNJ4gG++VW6td9cmRl/kJdh4SOqvWkSkuk0Jmhag6
-KILvf/QoGg5OhHn5qTD4NvZCvkVLPsC5ND0pRnUdk2XjFkG4SFrpq8RJ1HKQfZdD
-MOyowFWu4HIdvM7WmD+iniI6GpDoMW7ru94qNbMwvEpHvH8DxQ531/0Pf6lpsGhT
-vZs2qDBsoKcRGijdjSB7UHXHsY5FHsYetZIqVQIDAQABAoIBAQCfw7gwtXyeO+zo
-jTywvjMgjfNTUCCsF7f2+PuShBsR3iwAk+fY+Gh2GZCLEg10xUO9Tf9XMDywW1ne
-LOC3DannDIFs2zCuwCKRS3VgymvXcl9BHpq3zvlDiCt2HCN1BrFWOt7p+0zRTrb3
-taNfbcxZgRTWuLGi5qXIOuGNKq2wlSnB7JU9U9O7M6ebPsHojMYLA9e36DUgRFy8
-T+/tRfTT5Vroh4fkZdv7fitrY613iBDfXbb9vauL/YwkVOMoSLpwIyxL6zGAkhoV
-xBmvjEZIF5Ez4YVTeZ1l+jNLg8ioCmiSQb/vx+kFY+F3rbm2HS4yCNC9qv73JKA+
-SbGmH8+NAoGBAP+yA+Tlm6fzjgoytcGzAcisC1C+bR2qWSKGHTYP8Os442JdUzPX
-tfKdZZTm/qD0xJPqfC4oJJJA7z6xGcwIQFN2d50VhpFTizWMnLknndvN1KdCppdP
-L7ETRg2u/G5muBmlpyaTrj8eXwdRzZ446vV4WMyBABzuHU9nQEAdNNyTAoGBAPQx
-adBZ37GbLgDC8ASSdPMh5+Ao6GKTKkwINyUnBI55tRCyQb6i2ER86h1XkilB07VQ
-8GgKjHuN6hJ0NyLhUvnYSRnzl+NQn2MO1g2byHrj2REe1l1GNu8Joxm48eknSLg2
-J2GAND90Uhpt1XBmami6FuzL3wwdMqWKVUleqRZ3AoGBAM+f3UmgqCRYwJ3HT49Z
-q7km+ok2F6RfDsHZ5R5hE1/tcbYN0eHm5vd6l2GxsFFCb90sKmnQbuHTmHFvnWLv
-0Ev1hmsnb33SONfiteAjKyuwl1y54kw7IJ7I57l0vcVn41XwDSpmALeAEen/otc3
-oJJyhqiIl27mayZu0N0+2g3BAoGBAO7VwZuhu5M3prfh8eVW5YHDoMny2M9JBu6U
-fnMdBWzghwLMhlcRaRsbXdPTCcbGdm15u5jW8G4L8GuaNS8tWP262EzEnsMa4Ll/
-Ekb/HgdsAKupEJrsCOCk+Vw4MosK/CoH9V58iR2jBIaK9F5aHStPDwsNn5t2l0mn
-0iDPr+ujAoGBAIhg3wstubXCOFKQG7/FoyNmOxFxNryUP5qjISs5nzBPBzMwb7s4
-cABESYDx4dZTTiMB9S5xeJWUu46++QO/JYH04+mSjR6a+bOfuc3ZZbxcEOdUnMwl
-J2b9H5W/0uUHnIqodGv/6XvRULy9/t3Kqb19efJYy/BWH3D0DgbiFHY8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-----END RSA PRIVATE KEY-----