path: root/sonar-scanner-engine/src/test/resources/ssl/README.md

## Let's create TLS certificates

The most common format of certificates are PEM, so let's generate them instead of using Java keytool (that can also generate keys in JKS format).

This README, is a *simplified* version for generating the certificates only for test's purposes.

**DO NOT USE IT FOR PRODUCTION**

### Generation of a TLS server certificate

In this example the configuration of OpenSSL is entirely in openssl.conf (a stripped version of openssl.cnf that may vary from distribution to distribution)

#### First let's create a Certificate Authority

The Certificate Authority is a private key that is used to sign other X.509 certificates in order to validate the ownership of a website (trusted tier).

```bash
$ openssl genrsa -out ca.key 4096
.....++
................................................................................................................................................++
e is 65537 (0x010001)
```

Now we have our key to sign other certificates : `ca.key` in PEM format.

Let's create our X.509 CA certificate :

```bash
$ openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions ca_extensions -out ca.crt -config ./openssl.conf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2-letter code) [CH]:
State or Province Name (full name) [Geneva]:
Locality (e.g. city name) [Geneva]:
Organization (e.g. company name) [SonarSource SA]:
Common Name (your.domain.com) [localhost]:
```

There is no important values here.

#### Let's create a self-signed certificate our TLS server using our CA

We want to create a X.509 certificate for our https server. This certificate will be a Certificate Signing Request. A certificate that need to be signed by a trusted tier.
The default configuration is set in `openssl.conf` and it has been configuration for `localhost`.
The most important part is the `Common Name` and `DNS.1` (set in `openssl.conf`).

So just keep using enter with this command line :

```bash
$ openssl req -new -keyout server.key -out server.csr -nodes -newkey rsa:4096 -config ./openssl.conf
  Generating a 4096 bit RSA private key
  ........................................................................++
  .........................................................................................++
  writing new private key to 'server.key'
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2-letter code) [CH]:
  State or Province Name (full name) [Geneva]:
  Locality (e.g. city name) [Geneva]:
  Organization (e.g. company name) [SonarSource SA]:
  Common Name (your.domain.com) [localhost]:
```

No we have `server.csr` file valid for 10 years.
Let's see what's in this certificate :
```bash
$ openssl req -verify -in server.csr -text -noout
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CH, ST = Geneva, L = Geneva, O = SonarSource SA, CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:c8:2d:dc:64:1a:b6:d9:a9:3e:bd:3f:d3:ae:27:
                    ab:00:a8:09:f7:9e:ae:b5:70:c0:11:ab:2d:45:48:
                    6c:b9:b3:b1:4b:42:b7:4e:48:d3:2e:38:cb:e5:7d:
                    14:30:d3:b8:1d:2f:e2:09:04:cc:aa:80:09:51:bc:
                    59:9d:a7:7a:76:34:cc:7a:2b:ae:d3:ef:98:38:ef:
                    b2:8a:0e:e9:2f:79:4e:d4:a9:10:63:2b:5b:05:05:
                    ef:6b:98:41:e3:c0:3e:6c:5f:8a:66:10:ca:98:e5:
                    37:c6:ea:13:48:c9:92:22:53:44:1a:61:27:f4:60:
                    16:a7:a9:87:a9:d3:cf:88:5e:d4:47:44:24:4f:6d:
                    5e:c0:4a:ff:ad:e4:82:63:da:82:eb:9e:b3:76:6f:
                    5d:b4:2d:fc:96:4a:98:e4:f5:20:97:48:38:11:29:
                    33:7d:5a:96:fa:28:49:9f:cb:24:f8:02:f6:bb:ed:
                    f3:91:90:51:10:c2:93:28:56:6e:4d:51:51:10:27:
                    8f:c3:f0:cd:ee:51:2d:dc:e5:a7:21:55:20:44:ac:
                    8b:66:1d:b7:eb:e0:ed:69:f0:d4:32:82:ee:53:91:
                    3b:ee:58:83:ba:3b:9d:3f:f7:23:0e:36:46:20:6b:
                    6a:80:9b:11:46:28:39:60:25:69:9e:e5:d0:34:ba:
                    2b:c3:33:f2:44:3d:fb:8f:2d:47:a6:ae:64:9a:b3:
                    5a:f0:ed:cb:3e:86:33:80:23:32:d0:e7:51:91:a8:
                    c6:97:d1:7c:e4:02:52:5d:7c:a9:97:83:00:c5:10:
                    fb:13:f9:29:1f:79:c4:a5:8c:7b:64:e0:cd:b6:a1:
                    34:36:aa:f4:63:63:77:12:d3:fa:fe:1d:54:2e:64:
                    43:38:a2:71:28:72:7a:bf:33:cb:8c:27:a7:66:51:
                    8f:6f:e8:d2:90:19:2f:d4:8e:ac:b4:7b:e0:53:a8:
                    0f:11:d1:7d:08:71:de:0a:a4:63:10:79:c8:e8:bf:
                    7e:be:8b:06:7d:43:9b:4b:a1:0a:49:a6:c8:c6:43:
                    c4:24:23:13:2a:b2:f9:f2:b8:e7:8e:ab:3e:2a:b5:
                    50:26:23:d6:b2:d3:ee:23:ec:d1:36:92:70:2e:df:
                    82:6a:d2:07:bb:f0:97:51:42:e4:d8:49:69:35:bb:
                    38:90:1f:8e:aa:1d:27:78:26:26:d4:36:75:ee:83:
                    17:69:cb:7f:53:45:8f:b4:63:13:d5:fd:42:10:8a:
                    d3:75:38:4a:bd:13:cf:68:5e:41:6d:f0:57:b5:75:
                    e3:dc:10:82:ab:29:ed:a1:27:9c:50:74:f2:4c:4a:
                    a3:78:2a:53:ca:90:a6:89:20:24:85:b5:ec:c9:c7:
                    be:96:b5
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:localhost
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
         bf:9d:6e:2f:cc:40:9b:92:29:c2:f1:0a:85:6c:35:eb:8e:fa:
         13:0c:53:58:33:5f:7b:09:58:5f:dd:94:7e:2c:65:ed:73:91:
         2a:6b:cc:2d:ec:26:1c:8e:95:57:d9:35:19:82:4f:42:59:81:
         d9:b7:bb:08:70:28:70:35:50:f6:6a:46:e0:2a:ab:90:50:5a:
         dc:b0:c3:b8:52:d7:5c:90:8f:4c:61:09:2c:ba:4a:31:37:6f:
         e0:b9:6b:98:dd:aa:dd:52:66:7e:06:f1:8a:4b:bc:23:0d:62:
         d3:b9:86:8f:3e:cc:05:2b:4d:c4:ad:cf:ae:be:33:22:f6:95:
         00:f0:36:96:26:5e:42:84:d0:2a:79:41:1e:18:10:1c:96:3e:
         9a:8b:cc:a5:f9:59:5b:78:d0:a1:a5:2e:4d:55:30:10:0b:cd:
         13:bc:75:9a:49:e0:de:a4:4d:ed:9b:e8:42:2f:74:2b:dc:6f:
         2d:d3:38:a9:e8:f8:98:2c:56:aa:3e:dd:0d:48:78:16:4c:50:
         fd:0a:b3:3c:28:ac:64:7e:e9:bb:10:0e:3b:29:68:40:a9:19:
         5a:2c:5c:d6:7e:32:39:96:49:a7:4c:6a:a6:09:8e:d4:b8:1e:
         3e:2c:93:c3:2c:da:f2:09:20:ef:f4:a9:d2:ff:de:cd:7b:20:
         66:46:ff:c2:36:c3:7d:32:d6:55:d1:fe:0f:00:9a:23:56:97:
         52:a1:0a:52:64:29:50:c7:5d:b4:1e:e4:67:9a:07:3f:fb:85:
         03:00:22:d8:f5:e6:bc:95:bf:bc:08:ab:4d:32:4c:d6:52:e0:
         72:3e:8a:a5:85:72:43:d6:d4:51:6e:99:9a:1f:d8:0e:fd:4d:
         59:81:7e:c1:81:6d:3b:69:76:ce:53:a4:c0:69:46:72:b2:fe:
         40:b3:a5:5c:b0:ce:d2:61:83:be:0f:c3:85:a0:21:a7:e8:fd:
         2f:2c:1c:68:24:1d:9b:a3:43:cb:5e:30:21:af:e8:2e:4e:ec:
         ea:a7:d2:68:f1:bd:3f:3c:41:48:ac:91:f9:9d:e8:f2:3d:cb:
         d0:82:d2:00:ed:7b:fa:d8:98:e3:a8:74:f2:ce:70:95:0a:9d:
         c2:b2:cc:08:d1:fd:de:26:d3:3e:c0:62:28:9b:b4:2d:f4:b5:
         6d:48:c9:d3:05:f5:1e:68:17:6b:fb:02:2e:20:98:1a:de:d4:
         ae:6b:e0:68:97:98:e0:4f:47:ec:14:fd:dc:57:d2:e2:5c:59:
         36:a5:0b:94:b7:4e:b8:ae:ee:c9:ac:02:ae:43:bf:9f:07:da:
         0c:44:b0:47:69:1d:64:ea:bd:68:af:4f:a7:9a:1f:b1:b9:1d:
         71:0e:86:4e:0c:ff:a3:1d
```

#### Let's sign this certificate with our own CA

The CSR will be signed with our previously created ca.key
We'll sign it to be valid for 10years (3650)

```bash
$ openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.pem -sha256 -extfile v3.ext
Signature ok
subject=C = CH, ST = Geneva, L = Geneva, O = SonarSource SA, CN = localhost
Getting CA Private Key
```

Let's verify what are in this certificate :

```bash
$ openssl x509 -in server.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d5:c5:2a:c2:c8:f6:43:c7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CH, ST = Geneva, L = Geneva, O = SonarSource SA, CN = SonarSource SA
        Validity
            Not Before: Mar 17 14:12:29 2020 GMT
            Not After : Mar 15 14:12:29 2030 GMT
        Subject: C = CH, ST = Geneva, L = Geneva, O = SonarSource SA, CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:a2:43:1e:8b:60:b5:e0:61:3e:99:a4:54:93:c8:
                    16:14:c2:fa:fd:e5:7c:05:02:71:09:46:d9:2a:52:
                    57:12:d7:74:46:6a:bd:d4:de:4a:06:b2:51:83:2c:
                    98:07:8c:b0:f7:e1:8a:aa:fc:0c:30:c6:d7:ec:57:
                    0b:a7:12:45:e3:13:1a:26:e8:22:d8:fd:2a:9e:ae:
                    7b:20:b8:41:99:50:0e:b7:1c:bb:78:18:60:25:67:
                    78:5b:af:d8:7f:d1:01:12:81:0a:1f:dd:f0:54:bc:
                    57:16:05:22:7c:65:a2:7e:03:ed:e8:7f:50:b1:cd:
                    7c:e8:7b:58:cb:df:6d:e3:04:03:78:a4:83:e7:20:
                    c4:37:bc:00:ba:7c:12:d9:ac:52:88:88:72:df:fc:
                    35:8f:94:f0:1b:33:f8:94:b8:bc:ab:0e:89:68:5f:
                    92:1b:af:c9:da:c2:c2:e2:a1:c3:8e:c8:16:1a:9e:
                    89:7a:b4:24:2c:24:df:c5:26:59:ab:d8:f9:06:39:
                    02:c0:0d:88:5a:0c:14:e7:bc:c5:b8:4c:e5:e0:85:
                    b2:0b:88:36:b3:d5:35:10:e9:b8:5a:48:69:1a:b3:
                    2a:4a:d6:f3:f5:6a:91:41:f8:1e:da:d0:0e:21:c3:
                    a2:f8:5c:08:42:a2:2b:13:be:63:e5:67:d5:19:2f:
                    2c:96:6d:17:1c:7f:34:19:68:cf:91:b6:14:d9:9a:
                    1b:1c:f9:08:d7:f9:2d:c3:48:14:3d:02:d4:90:f7:
                    f2:74:65:f8:22:2d:46:b2:76:cd:46:c1:8e:ab:a1:
                    11:d7:12:14:77:e3:1c:c3:1c:fa:32:79:0e:0e:59:
                    55:e4:9d:60:d7:18:0b:25:82:97:28:30:df:de:89:
                    5b:56:37:a2:33:86:26:12:83:75:f0:02:ae:88:b5:
                    d6:5e:a2:b7:e7:57:9d:de:72:ad:d6:55:2a:e1:a8:
                    4c:15:18:a9:e3:22:52:f1:74:e1:b0:d2:e7:9b:ec:
                    f9:6d:5f:86:c2:9c:e2:22:f2:f4:11:a2:d1:71:b8:
                    77:e4:8c:4c:ed:84:e8:f9:82:a2:f1:73:95:19:08:
                    92:d5:b3:50:be:bc:c2:ec:0e:d7:da:53:d2:22:36:
                    c8:d8:48:d1:22:0d:42:a7:68:6d:e5:b6:5f:00:7d:
                    70:e4:5f:fe:df:db:3a:96:30:c8:76:89:e9:d1:98:
                    1e:63:e2:d0:29:46:b0:3d:f6:38:d7:07:40:47:0e:
                    a3:a5:70:1c:8b:80:c1:81:d1:35:cd:3d:93:20:c6:
                    7c:10:a4:09:ed:41:12:2e:c3:66:e5:47:96:58:de:
                    53:1b:d5:67:2c:1d:55:3b:c1:03:28:cf:5e:aa:33:
                    2b:8c:e1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:26:4F:F6:F9:E6:8B:B6:F7:59:CE:30:23:5C:90:2E:AE:7A:20:C4:DB

            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name: 
                DNS:localhost
    Signature Algorithm: sha256WithRSAEncryption
         b0:df:99:da:44:e1:22:c6:51:da:e1:b5:a9:fd:fe:82:d6:74:
         07:ad:d4:b4:f8:29:3e:57:7a:1b:98:36:4e:0a:23:68:f5:27:
         c7:52:59:90:cd:94:23:08:83:6f:a4:af:14:a3:e3:ed:f2:13:
         e4:17:f7:7c:27:45:bc:8c:9a:1d:f3:90:c6:b4:3e:e8:7a:c1:
         18:e4:8e:8c:28:ac:02:c7:d1:4c:e3:67:7a:13:69:ff:a4:74:
         c4:82:d7:54:d3:cb:7b:4e:f9:25:36:90:33:43:f0:b8:a5:e6:
         7c:ea:3d:41:fe:51:3c:bc:d2:c6:4e:9c:dc:04:69:23:08:70:
         bf:69:2a:bd:28:8c:3f:a1:f0:b0:88:87:a2:af:63:85:86:e3:
         07:2a:74:89:d0:69:b3:8c:7d:a5:db:ec:f2:5c:56:33:89:04:
         c6:75:a9:a2:b8:c0:1b:b5:dd:0f:96:50:71:ad:39:36:39:13:
         d0:80:f3:c8:50:db:d2:65:4d:56:75:9c:70:c2:d6:0c:6b:4a:
         6e:f7:f1:76:1b:82:16:13:eb:37:4f:05:fd:8f:06:89:15:d7:
         6d:a7:4e:43:bb:ee:b1:a8:c0:f4:cd:d7:1f:17:c3:3f:1a:79:
         8f:6e:46:a4:e5:1f:82:8d:60:6f:6c:a2:f4:9b:6e:59:85:48:
         73:ae:78:dd:c1:fa:81:1f:38:56:84:fc:31:98:af:a8:e4:bf:
         62:45:16:38:4a:5d:0e:6a:c4:bf:e1:9b:2b:c4:eb:dc:d4:85:
         82:0f:6c:31:54:1c:46:62:51:22:c3:0d:e4:ca:2e:c9:5f:f5:
         8c:7a:8c:c2:1d:f2:a8:f9:65:e6:ca:4e:6d:21:4e:55:07:6c:
         58:0d:fd:59:76:9c:65:7f:26:8f:8b:7b:01:70:5f:59:25:66:
         a8:9b:0a:70:a1:d8:fd:61:26:7e:4d:5f:3c:28:74:2b:94:fb:
         2a:8e:35:51:77:5a:96:a9:9b:4e:18:b6:6d:0b:55:4e:2e:15:
         ca:e7:cb:15:29:0e:b9:fd:23:56:a7:ad:dc:a1:b9:1b:1b:19:
         24:10:e3:a5:cb:69:2b:40:74:3c:3e:31:ac:a9:0d:17:6b:51:
         61:d4:5e:d1:98:b6:81:29:55:92:1f:00:8d:4c:72:d4:3a:0e:
         fd:1f:30:73:04:b8:99:6f:27:57:9a:6c:2b:e1:fa:c2:d3:bf:
         d3:d2:24:f3:5c:30:a3:25:d6:f5:18:91:13:d4:55:1e:33:89:
         b7:99:27:a9:14:e4:d9:32:50:ba:56:2f:53:b7:a1:d7:d3:14:
         2f:e2:73:5a:d4:b2:94:73:14:ef:ac:6f:a1:c1:84:31:17:fd:
         fa:f8:62:d3:eb:a5:8a:34
```

#### Let's create a PKCS12 file to be used for starting a TLS server

```bash
$ openssl pkcs12 -export -in server.pem -inkey server.key -name localhost -out server.p12
Enter Export Password: pwdServerP12
Verifying - Enter Export Password: pwdServerP12
```

The password of the PKCS12 file is `pwdServerP12`

The `server.p12` file can now be used to start a TLS server.

#### Now we'll generate the `client-truststore.p12` file that will have the server CA certificate. 
Since we don't need to add the key of the certificate (only required to sign, not to verify), we can import it directly with keytool.

```bash
$ keytool -import -trustcacerts -alias server-ca -keystore client-truststore.p12 -file ca.crt
Enter keystore password: pwdClientWithServerCA 
Re-enter new password: pwdClientWithServerCA
Owner: CN=SonarSource, O=SonarSource SA, L=Geneva, ST=Geneva, C=CH
Issuer: CN=SonarSource, O=SonarSource SA, L=Geneva, ST=Geneva, C=CH
Serial number: ed8bcadd4888ffac
Valid from: Sat Sep 15 08:10:22 CEST 2018 until: Tue Sep 12 08:10:22 CEST 2028
Certificate fingerprints:
	 MD5:  25:38:06:14:D0:B3:36:81:65:FC:44:CA:E3:BA:57:12
	 SHA1: 77:56:EF:C7:2F:5A:29:D1:A0:54:5F:F8:B4:19:60:91:7B:71:E4:2C
	 SHA256: 1D:2D:E5:52:21:60:75:08:F3:0A:B3:93:CF:38:F6:30:88:56:28:73:20:BA:76:9A:C0:A1:D7:8C:4D:D3:84:AA
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 87 B9 C1 23 E2 F1 A3 68   BD D6 44 99 0E AD FC FC  ...#...h..D.....
0010: A5 31 90 D4                                        .1..
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

#4: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
  Data_Encipherment
  Key_CertSign
  Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 87 B9 C1 23 E2 F1 A3 68   BD D6 44 99 0E AD FC FC  ...#...h..D.....
0010: A5 31 90 D4                                        .1..
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
```

### Create a certificate that will be used to authenticate a user

The principle is the same we'll have a CA authority signing certificates that will be sent by the user to the server.
In this case the server will have to host the CA authority in its TrustedKeyStore while the client will host his certificate in is KeyStore.
In this use case, the extensions are not the same, so we'll use openssl-client-auth.conf

#### Generation of CA

One line to generate both the key `ca-lient-auth.key` and the CA certificate `ca-client-auth.crt`

```bash
openssl req -newkey rsa:4096 -nodes -keyout ca-client-auth.key -new -x509 -days 3650 -sha256 -extensions ca_extensions -out ca-client-auth.crt -subj '/C=CH/ST=Geneva/L=Geneva/O=SonarSource SA/CN=SonarSource/' -config ./openssl-client-auth.conf
Generating a 4096 bit RSA private key
...................................++
............................................................................................................................................................................................................................................................++
writing new private key to 'ca-client-auth.key'
-----

```

For the certificate, the Common Name is used to identify the user
```bash
$ openssl req -new -keyout client.key -out client.csr -nodes -newkey rsa:4096 -subj '/C=CH/ST=Geneva/L=Geneva/O=SonarSource SA/CN=Julien Henry/' -config ./openssl-client-auth.conf
Generating a 4096 bit RSA private key
..............................................++
................++
writing new private key to 'client.key'
-----
```

Let's sign this certificate
```bash
$ openssl x509 -req -days 3650 -in client.csr -CA ca-client-auth.crt -CAkey ca-client-auth.key -CAcreateserial -out client.pem -sha256
Signature ok
subject=C = CH, ST = Geneva, L = Geneva, O = SonarSource SA, CN = Julien Henry
Getting CA Private Key
```

Let's create the pkcs12 store containing the client certificate

```bash
$ openssl pkcs12 -export -in client.pem -inkey client.key -name julienhenry -out client.p12
Enter Export Password: pwdClientCertP12
Verifying - Enter Export Password: pwdClientCertP12
```

This will go to client keyStore.
Now we'll generate the `server-with-client-ca.p12` file that will have the CA certificate. Since we don't need to add the key of the certificate (only required to sign, not to verify), we can import it directly with keytool.

```bash
$ keytool -import -trustcacerts -alias client-ca -keystore server-with-client-ca.p12 -file ca-client-auth.crt
Enter keystore password: pwdServerWithClientCA 
Re-enter new password: pwdServerWithClientCA
Owner: CN=SonarSource, O=SonarSource SA, L=Geneva, ST=Geneva, C=CH
Issuer: CN=SonarSource, O=SonarSource SA, L=Geneva, ST=Geneva, C=CH
Serial number: ed8bcadd4888ffac
Valid from: Sat Sep 15 08:10:22 CEST 2018 until: Tue Sep 12 08:10:22 CEST 2028
Certificate fingerprints:
	 MD5:  25:38:06:14:D0:B3:36:81:65:FC:44:CA:E3:BA:57:12
	 SHA1: 77:56:EF:C7:2F:5A:29:D1:A0:54:5F:F8:B4:19:60:91:7B:71:E4:2C
	 SHA256: 1D:2D:E5:52:21:60:75:08:F3:0A:B3:93:CF:38:F6:30:88:56:28:73:20:BA:76:9A:C0:A1:D7:8C:4D:D3:84:AA
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 87 B9 C1 23 E2 F1 A3 68   BD D6 44 99 0E AD FC FC  ...#...h..D.....
0010: A5 31 90 D4                                        .1..
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

#4: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
  Data_Encipherment
  Key_CertSign
  Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 87 B9 C1 23 E2 F1 A3 68   BD D6 44 99 0E AD FC FC  ...#...h..D.....
0010: A5 31 90 D4                                        .1..
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore

```