Client certificates are important, yet often hard to debug. Newer JVMs and Jetty, combined with HTTP/2, have changed several things about how client certificates should be set up and used.
This repo can serve as scaffolding for setting up the various configurations needed to reproduce the regression described here:
We use the step CLI to create a small but complete PKI (root CA, intermediate CA, server certificate and client certificate). The user experience and precision of step-cli are better than those of openssl.
We use curl, invoked through clojure.java.shell/sh, to test the client certificate.
We also assume you have a Clojure environment that works with deps.edn.
To be able to test the certificate against the correct DNS name, add the following line to the end of your /etc/hosts:
127.0.0.1 repro.local
Certificates are generated by running
generate-pki.sh repro_1
which creates a set of files in the folder
config/repro_1/
The files created are:
ca.password
repro_1_root_ca.key (password protected)
repro_1_root_ca.crt
intermediate.password
repro_1_intermediate_ca.key (password protected)
repro_1_intermediate_ca.crt
clientcert.crt
clientcert.key (NOT password protected)
clientcert.p12
clientcert.password
repro.local.crt
repro.local.key (NOT password protected)
jetty-keystore.password
jetty-keystore.p12
jetty-trust.password
jetty-trust.p12
To test the client certificate we use curl. Of course the same requests can be made from Java as well.
curl -v --cacert config/repro_1/repro_1_root_ca.crt --cert config/repro_1/clientcert.crt --key config/repro_1/clientcert.key --http1.1 --silent https://repro.local:4443/hello
Note that curl is only given the root CA, so Jetty must send the intermediate certificate as part of its chain (jetty-keystore.p12 has to contain it); otherwise curl fails with exit code 60 (peer certificate cannot be authenticated). Replace --http1.1 with --http2 to exercise the HTTP/2 path that the regression concerns.
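The following is an added example of driving that curl call from clojure.java.shell/sh, as the README describes; it is not the repo's own code. It runs the request over both HTTP/1.1 and HTTP/2, with and without the client certificate, and maps the curl exit code to a diagnosis, since the failure mode with newer JVMs (TLS 1.3) is usually not a clean handshake error but a connection reset when the response is read. The paths assume the config/repro_1 layout produced by generate-pki.sh; the namespace and function names are made up for this example.

```clojure
(ns repro.curl-check
  "Added example (not the repo's own code): drive curl through clojure.java.shell/sh
   against the Jetty endpoint and turn the exit code into a diagnosis."
  (:require [clojure.java.shell :as shell]
            [clojure.string :as str]))

;; Assumed layout: the files written by `generate-pki.sh repro_1`.
(def pki-dir    "config/repro_1")
(def ca-file    (str pki-dir "/repro_1_root_ca.crt"))
(def client-crt (str pki-dir "/clientcert.crt"))
(def client-key (str pki-dir "/clientcert.key"))
(def url        "https://repro.local:4443/hello")

;; curl exit codes that matter for a client-certificate test (see curl(1), EXIT CODES).
(def curl-exit-codes
  {0  "ok: TLS handshake and HTTP request succeeded"
   35 "SSL connect error: handshake failed (server refused the handshake or the client cert)"
   56 "connection reset while reading the response: with TLS 1.3 the server rejects the client cert after the handshake, so curl only notices on the first read"
   58 "problem with the local client certificate or key (--cert / --key)"
   60 "server certificate not trusted: check --cacert and that Jetty sends the intermediate CA in its chain"})

(defn curl-args
  "Build the curl argument vector. `http-version` is :http1.1 or :http2.
   Pass `:with-client-cert? false` to verify that the server really demands a certificate."
  [{:keys [http-version with-client-cert?]
    :or   {http-version :http1.1 with-client-cert? true}}]
  (-> ["curl" "--silent" "--show-error" "--cacert" ca-file
       (if (= http-version :http2) "--http2" "--http1.1")
       ;; print the HTTP status on its own line after the body so it can be picked out
       "--write-out" "\n%{http_code}"]
      (cond-> with-client-cert? (into ["--cert" client-crt "--key" client-key]))
      (conj url)))

(defn run-curl
  "Run one curl invocation and return a map with exit code, HTTP status, body and diagnosis."
  [opts]
  (let [{:keys [exit out err]} (apply shell/sh (curl-args opts))
        lines (str/split-lines out)]
    {:exit        exit
     :http-status (when (zero? exit) (last lines))
     :body        (when (zero? exit) (str/join "\n" (butlast lines)))
     :stderr      err
     :diagnosis   (get curl-exit-codes exit (str "curl exit code " exit))}))

(defn check-all
  "Run the four interesting cases: HTTP/1.1 and HTTP/2, each with and without the client cert.
   With the cert we expect exit 0 and HTTP 200; without it the server must refuse
   (non-zero curl exit, or a non-200 status if Jetty answers at the HTTP layer instead)."
  []
  (for [hv [:http1.1 :http2] cert? [true false]]
    (let [r     (run-curl {:http-version hv :with-client-cert? cert?})
          pass? (if cert?
                  (and (zero? (:exit r)) (= "200" (:http-status r)))
                  (or (pos? (:exit r)) (not= "200" (:http-status r))))]
      (assoc r :case [hv cert?] :pass? pass?))))

(comment
  ;; Run from the repo root with Jetty listening on repro.local:4443.
  (doseq [r (check-all)]
    (println (:case r) (if (:pass? r) "PASS" "FAIL") (:exit r) (:http-status r) (:diagnosis r))))
```

The negative cases are the useful ones for the regression: if the run without a client certificate returns 200 over HTTP/2 but not over HTTP/1.1, Jetty's need-client-auth setting is not being enforced on the HTTP/2 connector. An HTTP/2 case that fails with exit 56 while HTTP/1.1 passes points at the post-handshake certificate validation path rather than at the PKI itself, because the same root, chain and client key are used for every case.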