march_hare
Add documentation for how to build a keystore that can be used for client certs and peer verification
After some trial and error, I've finally figured out how to build a keystore file that march hare can use for supplying client certs and for verifying the validity of the server's cert (i.e. peer verification, as introduced in 3.1.0). It would be great to add some official documentation of this somewhere, but I'm not sure where to do that, so this is an issue instead of a pull request.
Anyway, first off, to make a keystore that java can read for client certificates, you have to use `openssl`, since java's `keytool` does not provide a way of importing private keys. :confused:

```
openssl pkcs12 -export -out keystore.p12 -in example.crt -inkey example.key -passout pass:abcd1234
```
If you use this p12 file with march hare, the new peer verification functionality will cause the connection to fail since the server's certificate is probably not the same one as your client certificate. So we need to add in a certificate to the p12 that will successfully validate the server's certificate. Specifically which CA certificate you need is going to depend a lot on your implementation, but the important part is knowing how to add it to the file. We have to use java's `keytool` to alter the pkcs12 file that was generated by `openssl`, since any additional certs added by `openssl` will not be recognized by java.

```
keytool -importcert -trustcacerts -noprompt -keystore keystore.p12 -storepass abcd1234 -file ca.crt
```
At this point you should be able to provide keystore.p12 to march hare and have it successfully perform the dual function of providing a client certificate and verifying the server certificate.
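The two steps above as one script, with a check that the resulting file really carries both roles; this is an added example, not code from the issue or from the march_hare project. It assumes `openssl` and `keytool` are on `PATH`, uses placeholder file names and password, and adds `-storetype PKCS12`, which older `keytool` releases (which default to JKS) need in order to open a `.p12` file.

```shell
#!/bin/sh
# Added example: build the dual-purpose PKCS12 keystore from the issue and
# confirm Java sees both the client identity and the trusted CA.
set -eu

# Step 1: openssl wraps the client cert and its private key into a PKCS12.
# Step 2: keytool adds the CA cert as a trusted entry; certs appended by
# openssl itself are not picked up by Java's PKCS12 loader.
build_keystore() {
  out=$1; cert=$2; key=$3; ca=$4; pass=$5
  openssl pkcs12 -export -out "$out" -in "$cert" -inkey "$key" \
    -passout "pass:$pass"
  keytool -importcert -trustcacerts -noprompt -keystore "$out" \
    -storetype PKCS12 -storepass "$pass" -alias ca -file "$ca"
}

# Succeeds only if keytool lists at least one PrivateKeyEntry (the client
# certificate) and one trustedCertEntry (the CA used for peer verification).
verify_keystore() {
  ks=$1; pass=$2
  listing=$(keytool -list -keystore "$ks" -storetype PKCS12 -storepass "$pass")
  keys=$(printf '%s\n' "$listing" | grep -c PrivateKeyEntry || true)
  trusted=$(printf '%s\n' "$listing" | grep -c trustedCertEntry || true)
  [ "$keys" -ge 1 ] && [ "$trusted" -ge 1 ]
}
```

Usage: `build_keystore keystore.p12 example.crt example.key ca.crt abcd1234 && verify_keystore keystore.p12 abcd1234`; a missing trustedCertEntry means the keystore will still fail peer verification.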
Is this meant to be a PR?