Implementing Identity and Access Management requires working with PKI certificates to secure communication channels. For development purposes you can create your own self-signed certificates. I use OpenSSL as the RootCA (Signing Authority) and keytool as the interface to the Java Key Store (JKS).
The following outlines the steps required to create a RootCA, generate a certificate request, sign the request and then import the signed certificate back into the JKS.
A few notes about my environment:
- These instructions were validated on Oracle Enterprise Linux (for most flavors of Linux these instructions will be the same)
- OpenSSL and Keytool were already installed on the server
- In my example everything was installed on the same server … your OpenSSL instance may be on a different server.
- OpenSSL and Keytool are available on my user's $PATH … yours may not be.
So, let’s do this thing …
Configure a CA, using OpenSSL
- Create a working directory: mkdir /opt/rootCA
- Under /opt/rootCA make the following directories: private, certs, newcerts
- Change the permissions of rootCA (and subdirectories): chmod -R 700 /opt/rootCA
- From the /opt/rootCA directory, find the system-wide openssl.cnf and make a local copy of it (/opt/rootCA/openssl.cnf). You do not have to use the default configuration file that is installed with OpenSSL. In my case it was owned by root and I couldn't change it anyway, so I made a copy of it and was able to make the changes I needed. Note: I set all of the attributes to optional because I kept getting an error when I tried to sign the certificate saying that some of the required attributes were missing from the server certificate (maybe a bug??)
- Create the CA certificate: openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf
Create a keystore and private key:
keytool -genkey -alias alias -keyalg RSA -keysize 1024 -dname "server dn" -keypass keypass -keystore keystore.jks -storepass storepass -validity 3650
Notes: -validity 3650 (this cert is good for 10 years)
Create a certificate request (CSR) from the application server:
keytool -certreq -v -alias alias -file servername.csr -keypass keypass -storepass storepass -keystore ./keystore.jks
Sign the Certificate Request:
- Sign the CSR: openssl ca -config openssl.cnf -in ../Middleware/keystores/servername.csr -out newcerts/servername.pem
Import the Trusted Root CA into the server's keystore:
keytool -import -v -noprompt -trustcacerts -alias rootcacert -file rootCA.cer -keystore keystore.jks -storepass storepass
Convert the signed cert (*.cer) into DER format (keytool preference) **
openssl x509 -outform der -in certificate.pem -out certificate.der
Import the signed cert into the server's keystore:
keytool -import -v -alias alias -file servername.der -keystore keystore.jks -keypass keypass -storepass storepass
**Note: keytool whined that the cert was not in DER format, so I used openssl to convert it.
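Worked example added here, not code from the original post: the OpenSSL side of the procedure above as a script, with the openssl.cnf policy section that the "attributes optional" note refers to written out. The stock policy_match section requires countryName, stateOrProvinceName and organizationName to be identical to the CA certificate's, which a keytool-generated DN usually is not, and that mismatch is what produces the missing-attribute errors when signing. The directory /tmp/rootCA-demo, the subject names and the use of 2048-bit keys (instead of the 1024 bits in the keytool command above, which is below current minimums) are demo assumptions, and an openssl-generated CSR stands in for the keytool one.

```shell
#!/bin/sh
# Added example (not the post's code): OpenSSL CA with the /opt/rootCA layout and a
# policy that accepts any keytool DN. Paths, names and key sizes are demo values.
set -e
CA_DIR="${CA_DIR:-/tmp/rootCA-demo}"
setup_ca() {
  mkdir -p "$CA_DIR/private" "$CA_DIR/certs" "$CA_DIR/newcerts" && chmod -R 700 "$CA_DIR"
  : > "$CA_DIR/index.txt"; echo 1000 > "$CA_DIR/serial"   # issued-cert DB and next serial
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $CA_DIR
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
serial        = \$dir/serial
default_md    = sha256
default_days  = 365
policy        = policy_anything
[ policy_anything ]
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage         = critical, keyCertSign, cRLSign
EOF
  # Self-signed root; -nodes leaves the CA key unencrypted (demo only)
  openssl req -new -x509 -extensions v3_ca -nodes -newkey rsa:2048 -subj "/CN=Demo Root CA" \
    -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" -days 365 \
    -config "$CA_DIR/openssl.cnf" 2>/dev/null
}
make_demo_csr() {  # $1 = CSR path; stands in for 'keytool -certreq' (any PKCS#10 CSR)
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=server.example" \
    -keyout "$CA_DIR/server.key" -out "$1" -config "$CA_DIR/openssl.cnf" 2>/dev/null
}
sign_csr() {  # $1 = CSR, $2 = signed cert (PEM); returns 0 only if it chains to the CA
  # -notext omits the text dump that makes keytool reject the file (no DER step needed)
  openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -in "$1" -out "$2" 2>/dev/null
  openssl verify -CAfile "$CA_DIR/cacert.pem" "$2" >/dev/null
}
setup_ca && make_demo_csr "$CA_DIR/server.csr" && sign_csr "$CA_DIR/server.csr" "$CA_DIR/server.pem"
```

The resulting server.pem is what the keytool -import step above consumes, and cacert.pem is the root to import with -trustcacerts.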
I would love to hear feedback on these instructions and any steps that would make this easier.