
Update certificates to fix SSL test failures #2678

stephen-crawford

Description

Updates SSL certificates and sets new expiry time for 10 years from now.

Issues Resolved

Testing

Passes existing SSL tests.

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Stephen Crawford <steecraw@amazon.com>

stephen-crawford commented Apr 13, 2023

In order to update certificates you will need to run these commands:


# Generate root CA key and self-signed certificate

# Create a 2048 bit CA key
openssl genrsa -out root-ca-key.pem 2048

# Create new self-signed X.509 cert for root CA with subject and 10 year expiration
openssl req -x509 -sha256 -new -nodes -key root-ca-key.pem -subj "/DC=com/DC=example/O=Example Com Inc./OU=Example Com Inc. Root CA/CN=Example Com Inc. Root CA" -days 3650 -out root-ca.pem

# Generate signing key and certificate signing request
# Create 2048 bit signing key
openssl genrsa -out signing-key.pem 2048

# Create new certificate signing request using signing-key.pem key and saves it to the signing.csr file
# Used for verifying applicant identity and issue cert if applicant is trustworthy
openssl req -new -sha256 -key signing-key.pem -subj "/DC=com/DC=example/O=Example Com Inc./OU=Example Com Inc. Signing CA/CN=Example Com Inc. Signing CA" -out signing.csr

# Generate signed certificate using the root CA and the input CSR
# CAkey is the private key of the CA
openssl x509 -req -sha256 -in signing.csr -CA root-ca.pem -CAkey root-ca-key.pem -out signing.pem -days 3650

# Verify new certificate
openssl verify -CAfile root-ca.pem signing.pem

# Create a new 2048 bit RSA private key output to node-key-temp.pem file
openssl genrsa -out node-key-temp.pem 2048

# Converts private key in node-key-temp.pem to PKCS8 and writes it to the node.key.pem file
openssl pkcs8 -topk8 -inform PEM -outform PEM -in node-key-temp.pem -nocrypt -out node.key.pem

# Generates a certificate signing request (CSR) for the private key stored in the node.key.pem file with the specified subject name "/C=DE/L=Test/O=Test/OU=SSL/CN=node-1.example.com" and outputs it to the file node.csr
openssl req -new -sha256 -key node.key.pem -subj "/C=DE/L=Test/O=Test/OU=SSL/CN=node-1.example.com" -out node.csr

# Generates a certificate (node.crt.pem) for the node-1.example.com server, signed by the previously generated signing certificate (signing.pem), and adds a subject alternative name (SAN) to the certificate using an extension file.
openssl x509 -req -sha256 -in node.csr -CA signing.pem -CAkey signing-key.pem -CAcreateserial -out node.crt.pem -days 3650 -extfile <(printf "subjectAltName=DNS:node-1.example.com,DNS:localhost,IP:127.0.0.1,RID:1.2.3.4.5.5")

# Verify the signed certificate
openssl verify -CAfile root-ca.pem -untrusted signing.pem node.crt.pem

# Create a new 2048 bit RSA private key output to node-new-key-temp.pem file
openssl genrsa -out node-new-key-temp.pem 2048

# Converts private key in node-new-key-temp.pem to PKCS8 and writes it to the node-new.key.pem file
openssl pkcs8 -topk8 -inform PEM -outform PEM -in node-new-key-temp.pem -nocrypt -out node-new.key.pem

# Generate a certificate signing request (CSR) for the private key stored in the node-new.key.pem file with the specified subject name
# "/C=DE/L=Test/O=Test/OU=SSL/CN=node-1.example.com" and output it to the file node-new.csr
openssl req -new -key node-new.key.pem -subj "/C=DE/L=Test/O=Test/OU=SSL/CN=node-1.example.com" -out node-new.csr

# Generate a certificate (node-new.crt.pem) for the node-1.example.com server, signed by the previously generated signing certificate (signing.pem),
# and add a subject alternative name (SAN) to the certificate using an extension file 
openssl x509 -req -days 3650 -extfile <(printf "subjectAltName=DNS:node-1.example.com,DNS:localhost,IP:127.0.0.1,RID:1.2.3.4.5.5") \
-in node-new.csr -out node-new.crt.pem -CA signing.pem -CAkey signing-key.pem

# Create a new 2048 bit RSA private key output to node-wrong-key-temp.pem
openssl genrsa -out node-wrong-key-temp.pem 2048

# Convert the private key in node-wrong-key-temp.pem into unencrypted PKCS8 (-nocrypt) and write to node-wrong.key.pem
openssl pkcs8 -inform PEM -outform PEM -in node-wrong-key-temp.pem -topk8 -nocrypt -out node-wrong.key.pem

# Generate a certificate signing request for the private key stored in the node-wrong.key.pem file 
openssl req -new -key node-wrong.key.pem -subj "/C=DE/L=Test/O=Test/OU=SSL/CN=node-2.example.com" -out node-wrong.csr

# Generate a certificate (node-wrong.crt.pem) for the node-2.example.com server, signed by the previously generated signing certificate (signing.pem),
# and add a subject alternative name (SAN) to the certificate using an extension file 
openssl x509 -req -days 3650 -extfile <(printf "subjectAltName=DNS:node-2.example.com,DNS:localhost,IP:127.0.0.1,RID:1.2.3.4.5.5") \
-in node-wrong.csr -out node-wrong.crt.pem -CA signing.pem -CAkey signing-key.pem

# Generate a new 2048 bit RSA key and save it as kirk.key.pem 
openssl genrsa -out kirk.key.pem 2048

# Generate a certificate signing request for the private key stored in kirk.key.pem 
openssl req -new -key kirk.key.pem -subj "/C=DE/L=Test/O=client/OU=client/CN=kirk" -out kirk.csr

# Generate a client certificate (kirk.crt.pem) for the kirk user, signed by the previously generated signing certificate (signing.pem)
openssl x509 -req -days 3650 -in kirk.csr -out kirk.crt.pem -CA signing.pem -CAkey signing-key.pem

# Bundle the kirk certificate, the signing certificate, and the root CA certificate
cat kirk.crt.pem signing.pem root-ca.pem > kirk.crt.bundle.pem

# Convert the bundle into a pkcs12 file 
openssl pkcs12 -export -in kirk.crt.bundle.pem -inkey kirk.key.pem -name kirk -out kirk.p12

# Generate a new private key for spock
openssl genrsa -out spock-key-temp.pem 2048

# Convert the generated key into unencrypted PKCS8 format (-nocrypt) and save as spock.key.pem
openssl pkcs8 -inform PEM -outform PEM -in spock-key-temp.pem -topk8 -nocrypt -out spock.key.pem

# Generate a certificate signing request for the private key stored in spock.key.pem
openssl req -new -key spock.key.pem -subj "/C=DE/L=Test/O=client/OU=client/CN=spock" -out spock.csr
 
# Generate a certificate signed by the signing certificate 
openssl x509 -req -days 3650 -in spock.csr -out spock.crt.pem -CA signing.pem -CAkey signing-key.pem

# Bundle the spock certificate, the signing certificate, and the root CA certificate
cat spock.crt.pem signing.pem root-ca.pem > spock.crt.bundle.pem
 
# Convert the bundle into PKCS12 and save as spock.p12
openssl pkcs12 -export -in spock.crt.bundle.pem -inkey spock.key.pem -name spock > spock.p12

# Moves contents of spock.p12 into spock-keystore.jks
# password is: changeit
keytool -importkeystore -srckeystore spock.p12 -destkeystore spock-keystore.jks -srcstoretype pkcs12 -alias spock

# Moves contents of kirk.p12 into kirk-keystore.jks 
# password is: changeit
keytool -importkeystore -srckeystore kirk.p12 -destkeystore kirk-keystore.jks -srcstoretype pkcs12 -alias kirk
 
# Create a truststore.jks file which holds the trusted root certificate
# password is: changeit
keytool -import -trustcacerts -file root-ca.pem -alias root-ca -keystore truststore.jks

NOTE: To verify the certificates you will need to add the root and signing certificates to the top of all newly generated certificates.
      You will have to do this after you generate the .p12 files, otherwise you will not be able to create the correct .bundle files.
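The procedure above ends with a single `openssl verify` step. The following is an added example (not part of the PR or of the OpenSearch Security project) that turns the checks a reviewer of regenerated test fixtures wants into reusable shell functions: chain validity, bundle order as the NOTE describes (leaf first, then signing, then root), SAN presence, and remaining lifetime, which is the property this PR exists to restore. File names follow the PR; `openssl`, `grep` and `tr` are assumed to be on PATH, and `openssl verify` only accepts the signing certificate as an intermediate if it carries basicConstraints CA:TRUE.

```shell
# Added example, not part of the PR or the project: post-generation checks for
# the regenerated test PKI. Assumes the PR's layout (root-ca.pem, signing.pem,
# leaf certs such as node.crt.pem, bundles built as leaf + signing + root) and
# openssl/grep/tr on PATH; paths must not contain whitespace.

# Chain check: LEAF must chain to ROOT via SIGNING. openssl verify rejects an
# intermediate lacking basicConstraints CA:TRUE ("invalid CA certificate"),
# so this also catches a signing cert issued without CA extensions.
verify_chain() {  # verify_chain root.pem signing.pem leaf.pem
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Bundle check: exactly three certificates, and the first one must be LEAF
# (openssl x509 reads only the first PEM block of a file).
bundle_ok() {  # bundle_ok bundle.pem leaf.pem
  [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")" -eq 3 ] &&
  [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" ]
}

# Lifetime check: -checkend exits 0 only if the cert is still valid DAYS days
# from now; expired fixtures are exactly what breaks the SSL tests.
valid_for_days() {  # valid_for_days cert.pem days
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# SAN check: ENTRY (e.g. DNS:localhost) must be listed in subjectAltName,
# otherwise hostname verification against the node cert fails.
has_san() {  # has_san cert.pem DNS:localhost
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
    tr -d ' ' | tr ',' '\n' | grep -qx -- "$2"
}

# Run all checks for one node certificate, print one line per result and
# return the number of failures (0 means the fixture set is consistent).
check_node() {  # check_node root.pem signing.pem leaf.pem bundle.pem min_days
  fails=0
  for chk in "verify_chain $1 $2 $3" "bundle_ok $4 $3" \
             "valid_for_days $3 $5" "has_san $3 DNS:localhost"; do
    if $chk; then echo "ok   $chk"; else echo "FAIL $chk"; fails=$((fails + 1)); fi
  done
  return "$fails"
}
```

Running `check_node root-ca.pem signing.pem node.crt.pem node.crt.bundle.pem 3000` after the generation steps reports each check and exits non-zero on any failure, so it can gate a CI job.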


stephen-crawford commented Apr 13, 2023

[Update 4/13]: Running into issues running the tests locally. Every time I try to run the tests the cluster won't start. I am getting the error:

Starting JUnit-test: SecuritySSLReloadCertsActionTests testReloadTransportSSLCertsPass ----------------
tcpClusterManagerPorts: [7486]/tcpAllPorts: [7486, 8272, 8587]/httpPorts: [8963, 9264, 10410] for (6024-11023) fork 1
[2023-04-13T17:13:52,093][WARN ][org.opensearch.node.Node] version [3.0.0-SNAPSHOT] is a pre-release version of OpenSearch and is not suitable for production
>>>> SecuritySSLReloadCertsActionTests testReloadTransportSSLCertsPass FAILED due to org.junit.runners.model.MultipleFailureException: There were 2 errors:
  java.lang.IllegalStateException(failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin])
  java.lang.NullPointerException(Cannot read field "httpHost" because "this.clusterInfo" is null)

failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]
java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]
	at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:791)
	at org.opensearch.plugins.PluginsService.<init>(PluginsService.java:142)
	at org.opensearch.node.Node.<init>(Node.java:448)
	at org.opensearch.node.PluginAwareNode.<init>(PluginAwareNode.java:41)
	at org.opensearch.security.test.helper.cluster.ClusterHelper.startCluster(ClusterHelper.java:185)
	at org.opensearch.security.test.helper.cluster.ClusterHelper.startCluster(ClusterHelper.java:119)
	at org.opensearch.security.test.SingleClusterTest.setup(SingleClusterTest.java:100)
	at org.opensearch.security.ssl.SecuritySSLReloadCertsActionTests.initTestCluster(SecuritySSLReloadCertsActionTests.java:289)
	at org.opensearch.security.ssl.SecuritySSLReloadCertsActionTests.initClusterWithTestCerts(SecuritySSLReloadCertsActionTests.java:253)
	at org.opensearch.security.ssl.SecuritySSLReloadCertsActionTests.testReloadTransportSSLCertsPass(SecuritySSLReloadCertsActionTests.java:99)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at com.carrotsearch.randomizedtesting.RandomizedRunner.invoke(RandomizedRunner.java:1750)
...

The error appears to be because these are self-signed certificates but I do not know how else I would set up the new certs. I will return to working on this tomorrow. Reached out to @cwperks for help since he was able to resolve a similar issue in the past.

@stephen-crawford

Closing in favor of #2679

@stephen-crawford stephen-crawford deleted the UpdateCertificates branch April 14, 2023 13:13