Accelerate Your Identity

3... 2... 1...

Creating self-signed certs for a development environment. #Oracle #IDM #PKI

Implementing Identity and Access Management requires working with PKI certs to secure communication channels. For development purposes you can create your own self-signed certificates. I use OpenSSL as the RootCA (Signing Authority) and keytool as interface to the Java Key Store (JKS).

The following outlines the steps required to create a RootCA, generate a certificate request, sign the request and then import the signed certificate back into the JKS.

A few notes about my environment:

  • These instructions were validated on Oracle Enterprise Linux (for most flavors of Linux these instructions will be the same)
  • OpenSSL and Keytool were already installed on the server
  • In my example everything was installed on the same server … your OpenSSL instance may be on a different server.
  • OpenSSL and Keytool are available on my users $PATH … yours may not be.

So, let’s do this thing …

Configure a CA, using OpenSSL

  1. Create a working directory:mkdir /opt/rootCA
  2. Under /opt/rootCA make the following directories: private, certs, newcerts
  3. Change the permissions of rootCA (and subdirectories):chmod -R 700 /opt/rootCA
  4. From the /opt/rootCA directory, find (system wide) and make a local copy of the openssl.cnf (/opt/rootCA/openssl.cnf). You do not have to use the default configuration file that is installed with OpenSSL. In my case it was owned by root and I couldn’t change it anyway. So, I made a copy of it and was able to make the changes I needed. Note: I set all of the attributes to optional because I kept getting an error when I tried to sign the certificate that some of the required attributes were missing from the server certificate (maybe a bug??)
  5. Create the CA certificate:openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf

Create a keystore and private key:

keytool -genkey -alias alias -keyalg RSA -keysize 1024 -dname “server dn” -keypass keypass -keystore keystore.jks -storepass storepass -validity 3650

Notes: -validity 3650 (this cert is good for 10 years)

Create a certificate request (CSR) from the application server:

keytool -certreq -v -alias alias -file servername.csr -keypass keypass -storepass storepass -keystore ./keystore.jks

Sign the Certificate Requst:

  1. Sign the CSRopenssl ca -config openssl.cnf -in ../Middleware/keystores/servername.csr -out newcerts/servername.pem

Import the Trusted Root CA into the servers keystore:
keytool -import -v -noprompt -trustcacerts -alias rootcacert -file rootCA.cer -keystore keystore.jks -storepass storepass

Convert the signed cert (*.cer) into DER format (keytool preference) **

openssl x509 -outform der -in certificate.pem -out certificate.der

Import the signed cert into they server’s keystore:
keytool -import -v -alias alias-file servername.der -keystore keystore.jks -keypass keypass -storepass storepass

**Note: keytool whined that the cert was not in der format so, I used openssl to convert it.

I would love to hear feedback on these instructions and any steps that would make this easier.

Leave a Reply