This folder contains a keystore and several certificate files that are used in KeyStoresTestCase.java for testing key-store manipulation operations.

test.keystore - The keystore password is 'Elytron'. The key password used for the ssmith and ca entries is 'secret'.

Keystore entries
================
The ca entry was generated using the following command:
keytool -genkeypair -alias ca -keystore test.keystore -dname "O=Root Certificate Authority, EMAILADDRESS=elytron@wildfly.org, C=UK, ST=Elytron, CN=Elytron CA" -ext bc=ca:true

The ssmith entry was generated using the following command:
keytool -genkeypair -alias ssmith -keyalg RSA -keysize 1024 -validity 365 -keystore test.keystore -dname "CN=sally smith, OU=jboss, O=red hat, L=raleigh, ST=north carolina, C=us" -keypass secret -sigalg SHA256withRSA -ext EKU=clientAuth -ext KU:critical=digitalSignature -ext SAN=email:sallysmith@example.com,DNS:sallysmith.example.com


test-single-cert-reply.cert
===========================
This single certificate reply from a root CA was generated using the following commands:

# CSR creation
keytool -certreq -keystore test.keystore -alias ssmith -sigalg SHA512withRSA -dname "CN=ssmith, OU=jboss, O=red hat, L=raleigh, ST=north carolina, C=us" -keypass secret -ext EKU=clientAuth -ext KU:critical=digitalSignature -file ssmith.csr

# Reply from root CA
keytool -gencert -keystore test.keystore -alias ca -infile ssmith.csr -outfile test-single-cert-reply.cert

test-cert-chain-reply.cert
==========================
This certificate chain reply from a root CA was generated by creating a file containing both the certificate
generated from the commands above and the certificate from the ca entry in the keystore.

test-exported.cert
==================
This certificate was generated using the following command:

keytool -exportcert -alias ssmith -keystore test.keystore -file test-exported.cert

test-trusted.cert
=================
This trusted certificate was generated using the following commands with a copy of test.keystore (it is trusted because it was issued by the ca entry in test.keystore):

keytool -genkeypair -alias intermediateCA -keystore test.keystore -dname "O=Intermediate Certificate Authority, EMAILADDRESS=intermediateca@wildfly.org, C=UK, ST=Elytron, CN=Intermediate Elytron CA" -ext bc=ca:true -validity 3650
keytool -certreq -keystore test.keystore -alias intermediateCA -dname "O=Intermediate Certificate Authority, EMAILADDRESS=intermediateca@wildfly.org, C=UK, ST=Elytron, CN=Intermediate Elytron CA" -ext EKU=clientAuth -ext KU:critical=digitalSignature -file intermediate.csr
keytool -gencert -keystore test.keystore -alias ca -infile intermediate.csr -outfile test-trusted.cert

test-untrusted.cert
===================
This untrusted certificate was generated using the following commands (it's untrusted because the issuer certificate is not present in test.keystore or in the JDK cacerts file):

keytool -genkeypair -alias anotherCA -keystore example.keystore -dname "O=Another Root Certificate Authority, EMAILADDRESS=anotherca@wildfly.org, C=UK, ST=Elytron, CN=Another Elytron CA" -ext bc=ca:true
keytool -exportcert -alias anotherCA -keystore example.keystore -file test-untrusted.cert

test-untrusted-cert-chain-reply.cert
====================================
This untrusted certificate chain reply was generated using the following commands (it's untrusted because the issuer certificate is not present in test.keystore or in the JDK cacerts file):

keytool -genkeypair -alias anotherCA -keystore example.keystore -dname "O=Another Root Certificate Authority, EMAILADDRESS=anotherca@wildfly.org, C=UK, ST=Elytron, CN=Another Elytron CA" -ext bc=ca:true
keytool -certreq -keystore test.keystore -alias ssmith -sigalg SHA512withRSA -dname "CN=ssmith, OU=jboss, O=red hat, L=raleigh, ST=north carolina, C=us" -keypass secret -ext EKU=clientAuth -ext KU:critical=digitalSignature -file ssmith.csr
keytool -gencert -keystore example.keystore -alias anotherCA -infile ssmith.csr -outfile ssmith.cert

The test-untrusted-cert-chain-reply.cert file is then created as a single file containing both the ssmith.cert
certificate and the certificate for the anotherCA entry in example.keystore.
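As an added check, not part of the Elytron test suite, the following Java program shows why test-trusted.cert is accepted and test-untrusted.cert is not: it validates each file against the ca entry of test.keystore using PKIX path validation. The class name TrustCheck and the relative file paths are assumptions; the check is evaluated at each certificate's notBefore date because the fixtures were issued with keytool's default validity and may have expired.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class TrustCheck {
    // Loads test.keystore with the store password documented above ("Elytron"); assumes the JDK default type reads it.
    static KeyStore loadTestKeyStore(Path path) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, "Elytron".toCharArray());
        }
        return ks;
    }

    // True if 'cert' chains to the keystore's "ca" entry under PKIX path validation.
    // Revocation checking is off (the test CA publishes no CRL/OCSP) and the check runs at
    // the certificate's notBefore date, since keytool's default 90-day validity may have lapsed.
    static boolean isIssuedByKeystoreCa(KeyStore ks, X509Certificate cert) throws Exception {
        X509Certificate ca = (X509Certificate) ks.getCertificate("ca");
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(ca, null)));
        params.setRevocationEnabled(false);
        params.setDate(cert.getNotBefore());
        try {
            CertPathValidator.getInstance("PKIX").validate(CertificateFactory.getInstance("X.509")
                    .generateCertPath(Collections.singletonList(cert)), params);
            return true;
        } catch (CertPathValidatorException e) {
            return false; // e.g. the issuer is not the ca entry (test-untrusted.cert)
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadTestKeyStore(Path.of("test.keystore"));
        for (String f : new String[] {"test-trusted.cert", "test-untrusted.cert"}) {
            try (InputStream in = Files.newInputStream(Path.of(f))) {
                // CertificateFactory reads both DER (keytool's default output) and PEM files
                X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
                System.out.println(f + " trusted by ca entry: " + isIssuedByKeystoreCa(ks, cert));
            }
        }
    }
}
```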


############################################ IMPORTANT ########################################################
# Do not modify the following key pairs in account.keystore. They have been used as account keys with Boulder
# (Let's Encrypt's testing server) to record messages sent from Boulder to our ACME client. These recorded
# messages are used in AcmeClientSpiTest.java to avoid having to integrate the complex Boulder setup into the
# Elytron testsuite. Key / certificate validity is not important for these tests.
###############################################################################################################

account.keystore was generated using the following commands:

keytool -genkeypair -alias account1v2 -keystore account.keystore -dname CN=account1v2.key -keyalg RSA -keysize 2048 -validity 3650 -keypass elytron -storepass elytron

keytool -genkeypair -alias account2v2 -keystore account.keystore -dname CN=account2v2.key -keyalg RSA -keysize 2048 -validity 3650 -keypass elytron -storepass elytron

keytool -genkeypair -alias account3v2 -keystore account.keystore -dname CN=account3v2.key -keyalg RSA -keysize 2048 -validity 3650 -keypass elytron -storepass elytron

keytool -genkeypair -alias account4v2 -keystore account.keystore -dname CN=account4v2.key -keyalg EC -keysize 256 -validity 3650 -keypass elytron -storepass elytron

keytool -genkeypair -alias account5v2 -keystore account.keystore -dname CN=account5v2.key -keyalg RSA -keysize 2048 -validity 3650 -keypass elytron -storepass elytron

keytool -genkeypair -alias account6v2 -keystore account.keystore -dname CN=account6v2.key -keyalg RSA -keysize 2048 -validity 3650 -keypass elytron -storepass elytron

keytool -genkeypair -alias account7v2 -keystore account.keystore -dname CN=account7v2.key -keyalg RSA -keysize 2048 -validity 3650 -keypass elytron -storepass elytron

keytool -genkeypair -alias account8v2 -keystore account.keystore -dname CN=account8v2.key -keyalg RSA -keysize 2048 -validity 3650 -keypass elytron -storepass elytron

keytool -genkeypair -alias account9v2 -keystore account.keystore -dname CN=account9v2.key -keyalg RSA -keysize 2048 -validity 3650 -keypass elytron -storepass elytron

keytool -genkeypair -alias newKeyv2 -keystore account.keystore -dname CN=account8v2.key -keyalg RSA -keysize 2048 -validity 3650 -keypass elytron -storepass elytron

keytool -genkeypair -alias newECKeyv2 -keystore account.keystore -dname CN=account8v2.key -keyalg EC -keysize 256 -validity 3650 -keypass elytron -storepass elytron

keytool -genkeypair -alias invalid -keystore account.keystore -dname CN=invalid.key -keyalg RSA -keysize 2048 -validity 3650 -keypass elytron -storepass elytron

The "revokeAliasV2" and "revokeWithReasonAlias" private key entries were generated by obtaining certificate chains and private keys for "account1v2" from Boulder.

The keystore password is "elytron".