This article describes the steps to create an SSL certificate using the Java keytool.
1.1 Generate keypair
The keytool binary is a Java tool shipped with the JDK/JRE ($JAVA_HOME/bin).
- To create a keypair using the Java keytool (only if you will use a well-known CA):
# ${JAVA_HOME}/bin/keytool -genkeypair -alias wls.ddy.com -keyalg RSA -keysize 2048 -validity 3650 \
    -keypass password_1 -keystore /u01/app/security/Identity.jks -storepass password_1
What is your first and last name?
[Unknown]: wls.ddy.com
What is the name of your organizational unit?
[Unknown]: IT
What is the name of your organization?
[Unknown]: DDY
What is the name of your City or Locality?
[Unknown]: Paris
What is the name of your State or Province?
[Unknown]: IDF
What is the two-letter country code for this unit?
[Unknown]: FR
Is CN=wls.ddy.com, OU=IT, O=DSI, L=Paris, ST=IDF, C=FR correct?
[no]: yes
- To create a CSR to send to your PKI (internal or a public CA):
# ${JAVA_HOME}/bin/keytool -certreq -alias wls.ddy.com -file wls-csr.pem \
    -keystore /u01/app/security/Identity.jks
Enter keystore password:
- Send the .pem file to your CA to request your certificate.
1.2 To create a self-signed certificate
To create a self-signed certificate, use the following command:
${JAVA_HOME}/bin/keytool -genkey -noprompt -trustcacerts -alias wlssvr \
    -dname "CN=wls.ddy.com,OU=IT,O=DDY,L=Paris,ST=IDF,C=FR" -keypass ovsroot \
    -keystore /u01/app/security/mykeystore.jks -storepass ovsroot -keyalg RSA
1.3 Export certificate
To be able to import your CA into a truststore, you first need to export it:
${JAVA_HOME}/bin/keytool -export -alias wlssvr -keypass ovsroot \
    -keystore /u01/app/security/mykeystore.jks -storepass ovsroot -file mycert.cer
1.4 Add your CA to a custom Java TrustStore
Adding your CA to a custom or existing truststore is a mandatory step to allow WebLogic Server to use this certificate and to avoid handshake errors.
- To add a certificate or CA to a truststore:
# ${JAVA_HOME}/bin/keytool -import -v -trustcacerts -alias mywlsserver -file mywlsserver.cer \
    -keystore /u01/app/security/myTrust.jks -keypass changeme -storepass changeit
Certificate was added to keystore
[Storing SoaTrust.jks]
# ${JAVA_HOME}/bin/keytool -import -v -trustcacerts -alias mywlsca -file mywlsca.cer \
    -keystore /u01/app/security/myTrust.jks -keypass changeme -storepass changeit
Certificate was added to keystore
[Storing SoaTrust.jks]
# ${JAVA_HOME}/bin/keytool -import -v -trustcacerts -alias myca -file myca.cer \
    -keystore /u01/app/security/myTrust.jks -keypass changeme -storepass changeit
Certificate was added to keystore
[Storing SoaTrust.jks]
When adding a CA to a truststore, you must add the ROOT CA and every intermediate CA.
The example above shows how to add a certificate issued by mywlsca, which itself depends on the root CA myCA.
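The following script is an added example, not part of the original post: it runs the whole procedure above (keypair, CSR, export, truststore import) against a small demo PKI built with keytool itself (a root CA signing an issuing CA, which signs the server key), and checks the point of step 1.4 before WebLogic ever sees the keystore: a certificate reply is only chained once the root and the intermediate are trusted, and the truststore must contain both. It assumes keytool from JDK 8 or later on PATH or under $JAVA_HOME; every alias, DN, password and path is constructed for the demo. Behaviour relied on: keytool -gencert appends the signer's own chain minus any self-signed root to the reply, and -importcert of a reply whose top certificate is untrusted asks "Install reply anyway?", which a closed stdin answers with no.

```sh
#!/bin/sh
# Added example (not from the original post): demo PKI + trust-chain checks with keytool.
# Assumes keytool (JDK 8+) is on PATH or under $JAVA_HOME/bin. All names are constructed.

KT="${JAVA_HOME:+$JAVA_HOME/bin/}keytool"
PW=changeit               # demo password; keep -keypass and -storepass equal for WebLogic
SAN="dns:wls.ddy.com"     # hostname clients connect to; must be present as a SAN

# Generate a key pair; extra options (e.g. -ext bc:c for a CA) are appended verbatim.
gen_key() { # alias dname keystore [extra keytool options]
    a=$1; d=$2; ks=$3; shift 3
    "$KT" -genkeypair -alias "$a" -dname "$d" -keyalg RSA -keysize 2048 -validity 3650 \
          -keystore "$ks" -storetype JKS -storepass "$PW" -keypass "$PW" "$@" >/dev/null 2>&1
}

# Write a CSR for an alias (second command of step 1.1).
make_csr() { # alias keystore outfile
    "$KT" -certreq -alias "$1" -keystore "$2" -storetype JKS -storepass "$PW" -keypass "$PW" \
          -file "$3" >/dev/null 2>&1
}

# Sign a CSR with a CA alias, output PEM. The reply carries the signer's chain without
# the self-signed root, so a reply from the issuing CA includes that CA but not the root.
sign_csr() { # ca_alias ca_keystore csr outfile [extra options]
    a=$1; ks=$2; csr=$3; out=$4; shift 4
    "$KT" -gencert -alias "$a" -keystore "$ks" -storetype JKS -storepass "$PW" -keypass "$PW" \
          -infile "$csr" -outfile "$out" -validity 365 -rfc "$@" >/dev/null 2>&1
}

# Import a certificate as a trusted entry (step 1.4).
trust_cert() { # alias certfile keystore
    "$KT" -importcert -noprompt -trustcacerts -alias "$1" -file "$2" -keystore "$3" \
          -storetype JKS -storepass "$PW" >/dev/null 2>&1
}

# Chain length stored under a private-key alias (1 = still only the self-signed cert).
chain_len() { # alias keystore
    "$KT" -list -v -alias "$1" -keystore "$2" -storetype JKS -storepass "$PW" 2>/dev/null |
        sed -n 's/^Certificate chain length: *\([0-9]*\).*/\1/p'
}

# Number of trustedCertEntry rows in a keystore listing.
trusted_count() { # keystore
    "$KT" -list -keystore "$1" -storetype JKS -storepass "$PW" 2>/dev/null |
        grep -c trustedCertEntry || true
}

# Prints "ok" when every check passes, "skipped" when keytool is unavailable.
run_demo() {
    command -v "$KT" >/dev/null 2>&1 || { echo "keytool not found; set JAVA_HOME" >&2; echo skipped; return 0; }
    w=$(mktemp -d) || return 1
    ca="$w/ca.jks"; id="$w/Identity.jks"; trust="$w/myTrust.jks"

    # 1. Demo PKI: self-signed root, then an issuing CA whose certificate the root signs.
    gen_key root  "CN=Demo Root CA,O=DDY,C=FR"    "$ca" -ext bc:c || return 1
    gen_key inter "CN=Demo Issuing CA,O=DDY,C=FR" "$ca" -ext bc:c || return 1
    make_csr inter "$ca" "$w/inter.csr"                            || return 1
    sign_csr root "$ca" "$w/inter.csr" "$w/inter-reply.pem" -ext bc:c || return 1
    "$KT" -importcert -noprompt -alias inter -file "$w/inter-reply.pem" -keystore "$ca" \
          -storetype JKS -storepass "$PW" -keypass "$PW" >/dev/null 2>&1 || return 1
    "$KT" -exportcert -rfc -alias root  -keystore "$ca" -storetype JKS -storepass "$PW" -file "$w/myca.cer"    >/dev/null 2>&1 || return 1
    "$KT" -exportcert -rfc -alias inter -keystore "$ca" -storetype JKS -storepass "$PW" -file "$w/mywlsca.cer" >/dev/null 2>&1 || return 1

    # 2. Server key pair and CSR (step 1.1); the issuing CA stands in for the PKI.
    gen_key server "CN=wls.ddy.com,OU=IT,O=DDY,L=Paris,ST=IDF,C=FR" "$id" || return 1
    make_csr server "$id" "$w/wls-csr.pem"                               || return 1
    sign_csr inter "$ca" "$w/wls-csr.pem" "$w/wls-reply.pem" -ext "san=$SAN" || return 1

    # 3. Reply imported before the issuers are trusted: keytool refuses (stdin is closed,
    #    so the "Install reply anyway?" prompt answers no) and the chain stays at length 1.
    "$KT" -importcert -alias server -file "$w/wls-reply.pem" -keystore "$id" -storetype JKS \
          -storepass "$PW" -keypass "$PW" </dev/null >/dev/null 2>&1 || true
    [ "$(chain_len server "$id")" = 1 ] || { echo "reply chained without trusted issuers" >&2; return 1; }

    # 4. Trust root AND intermediate (step 1.4): in the identity keystore so the reply can be
    #    chained, and in the truststore WebLogic validates peers against. Then the reply installs.
    for ks in "$id" "$trust"; do
        trust_cert myca    "$w/myca.cer"    "$ks" || return 1
        trust_cert mywlsca "$w/mywlsca.cer" "$ks" || return 1
    done
    "$KT" -importcert -noprompt -alias server -file "$w/wls-reply.pem" -keystore "$id" \
          -storetype JKS -storepass "$PW" -keypass "$PW" >/dev/null 2>&1 || return 1
    [ "$(chain_len server "$id")" -ge 2 ] || { echo "reply not chained" >&2; return 1; }
    [ "$(trusted_count "$trust")" -eq 2 ] || { echo "truststore is missing a CA" >&2; return 1; }
    echo ok
}

run_demo
```

Run it with `sh keytool-chain-demo.sh`; it prints `ok` and leaves the demo keystores in a temporary directory for inspection with `keytool -list -v`. The chain length in step 4 is reported as 2 or 3 depending on the JDK release (newer keytool versions append the trusted root to the stored chain), which is why the check only requires that the issuer was chained at all.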