The following SSL certificates are used in Impala tests. This file lists what each
certificate is used for and how it was created:

  1) wildcardCA.pem & wildcardCA.key:

    This is a root certificate and its key, which were used to sign wildcard-cert.pem
    and wildcard-san-cert.pem. (Added as a part of IMPALA-3159)

    This was created using the following commands:

      openssl genrsa -out wildcardCA.key 2048

      openssl req -x509 -new -nodes -key wildcardCA.key -sha256 -days 10000 \
          -out wildcardCA.pem
        (Fill in all the details according to prompts)

-------------
  2) wildcard-cert.pem & wildcard-cert.key:

    This is a wildcard certificate and its corresponding key. Its commonName is "*",
    which means it should match any host. (Added as a part of IMPALA-3159)

    This was created using the following commands:

      openssl genrsa -out wildcard-cert.key 2048

      openssl req -new -key wildcard-cert.key -out wildcard-cert.csr
        (Fill in all the details according to prompts)

      openssl x509 -req -in wildcard-cert.csr -CA wildcardCA.pem -CAkey wildcardCA.key \
          -CAcreateserial -out wildcard-cert.pem -days 10000 -sha256

-------------
  3) wildcard-san-cert.pem & wildcard-san-cert.key:

    This is a certificate and its corresponding key which has 2 SANs
    (subjectAlternativeName). One is "localhost" and the other is a wildcard ("*").
    (Added as a part of IMPALA-3159)

    This was created using the following commands:

      openssl genrsa -out wildcard-san-cert.key 2048

      openssl req -new -sha256 -key wildcard-san-cert.key \
          -subj "/C=US/ST=CA/L=SF/O=Cloudera/CN=badCN" -reqexts SAN \
          -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:localhost,DNS:*")) \
          -out wildcard-san-cert.csr

      openssl x509 -req -in wildcard-san-cert.csr -CA wildcardCA.pem \
          -CAkey wildcardCA.key -CAcreateserial \
          -extfile <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:localhost,DNS:*")) \
          -extensions SAN -out wildcard-san-cert.pem -days 10000 -sha256

-------------
  4) server-cert.pem & server-cert.key:

    This is a self-signed certificate and its corresponding key. Its commonName is
    "localhost".

    This was created the same way as 1), with a different commonName.

-------------
  5) incorrect-commonname-cert.pem & incorrect-commonname-cert.key:

    This is a certificate and its corresponding key with an incorrect commonName,
    which means that it should not match any host. (Added as a part of IMPALA-3159)

    This was created the same way as 1), with a different commonName.

-------------
To verify the contents of any certificate, do the following:

  openssl x509 -in <certificate_name> -text
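
The commands for 1) and 3) and the verification step above, combined into a
non-interactive script. This is an added example, not part of the Impala sources. The
CA subject (CN=testCA) and the san.cnf file name are assumptions, and a minimal config
file stands in for /etc/ssl/openssl.cnf so that plain sh is enough:

```shell
#!/bin/sh
# Added example (not Impala's own script). Rebuilds certificates 1) and 3) without
# prompts, then checks the result. Assumption: the CA subject (CN=testCA) is made up.

# gen_san_cert DIR: write wildcardCA.* and wildcard-san-cert.* into DIR.
gen_san_cert() {
  dir=$1
  # A minimal config replaces /etc/ssl/openssl.cnf and the bash-only <(...) syntax.
  cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[SAN]
subjectAltName = DNS:localhost,DNS:*
EOF
  openssl genrsa -out "$dir/wildcardCA.key" 2048 2>/dev/null &&
  openssl req -x509 -new -nodes -key "$dir/wildcardCA.key" -sha256 -days 10000 \
      -config "$dir/san.cnf" -subj "/C=US/ST=CA/L=SF/O=Cloudera/CN=testCA" \
      -out "$dir/wildcardCA.pem" &&
  openssl genrsa -out "$dir/wildcard-san-cert.key" 2048 2>/dev/null &&
  openssl req -new -sha256 -key "$dir/wildcard-san-cert.key" \
      -subj "/C=US/ST=CA/L=SF/O=Cloudera/CN=badCN" -reqexts SAN \
      -config "$dir/san.cnf" -out "$dir/wildcard-san-cert.csr" &&
  # By default "x509 -req" does not copy extensions from the CSR, so the SAN
  # section is supplied again through -extfile, as in the commands for 3).
  openssl x509 -req -in "$dir/wildcard-san-cert.csr" -CA "$dir/wildcardCA.pem" \
      -CAkey "$dir/wildcardCA.key" -CAcreateserial -extfile "$dir/san.cnf" \
      -extensions SAN -out "$dir/wildcard-san-cert.pem" -days 10000 -sha256 2>/dev/null
}

# check_san_cert DIR: succeed only if the cert chains to the CA, has both SANs and CN=badCN.
check_san_cert() {
  dir=$1
  openssl verify -CAfile "$dir/wildcardCA.pem" "$dir/wildcard-san-cert.pem" \
      >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$dir/wildcard-san-cert.pem" -noout -text) || return 1
  printf '%s\n' "$text" | grep -q 'DNS:localhost, DNS:\*' || return 1
  printf '%s\n' "$text" | grep -q 'Subject:.*CN *= *badCN'
}

# Usage: build into a scratch directory and report.
scratch=$(mktemp -d) && gen_san_cert "$scratch" && check_san_cert "$scratch" \
    && echo "wildcard-san-cert.pem OK in $scratch"
```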
