Http: use FIPS complaiant keystore and truststore

[JiriOndrusek]

fixes #5966

[JiriOndrusek]

I add *.pkcs12 and *.ext into ignored files for license check.

[ppalaga]

I'd personally vote for not having those certs checked in in git but rather executing the script as a part of Maven build as we do in QCXF

https://github.com/quarkiverse/quarkus-cxf/blob/e7cb0f50eceb03af8adea31c5403dd8b5554e2b7/integration-tests/mtls/pom.xml#L78-L96

In that way, we can stay sure that the script works and it will also keep working 10001 days from now.

[jamesnetherton]

executing the script as a part of Maven build

How would that work on Windows?

[ppalaga]

executing the script as a part of Maven build

How would that work on Windows?

It works flawlessly on GH Actions Windows hosts, when shell is set to bash and openssl is installed (no idea how to install it, it's there OOtB on GHA Windows runners). The same works locally for sure. Is that a satisfactory answer?

[jamesnetherton]

Is that a satisfactory answer?

Yes it probably uses WSL, which anyone can install.

[JiriOndrusek]

I'd personally vote for not having those certs checked in in git but rather executing the script as a part of Maven build as we do in QCXF

Yes., I agree, there is a small hickup, that several modules extend the common module, therefire the code for generation hasa to be present several times. I'd like to think about a nicer solution to do not duplicate code. <therefore I created an issue to improve this thing - #5967 and I forgot to linkl those issues together. @ppalaga @jamesnetherton should I apply the generation (with duplicated code), or is it ok to wait for the improve fix (in near future, but in different PR)?

[JiriOndrusek]

TBH I even thought aboyt placing the generation script in one place in QC repository and use it via several modules. (In theory that should work and would be nicer in my POV) - to not have copies of the generation scripts in several modules

[jamesnetherton]

@ppalaga @jamesnetherton should I apply the generation (with duplicated code), or is it ok to wait the the improve?

I have no strong opinion about it. But at some point we should probably discuss our strategy for certificate generation. IMO we should try to make it uniform across the entire project and have it so we can override things like the CN, validity period etc.

[zhfeng]

Can we open a new issue for the certification generation?

[JiriOndrusek]

Can we open a new issue for the certification generation?

I already created the issue (a few days ago) - #5967
So I think that we can merge this PR and I'll continue using the new ticket)