Friday, August 16, 2013

Create self-signed root CA and use it to sign wildcard server certificate

This page covers the steps to
  1. create a self-signed root CA
  2. generate a wildcard server certificate
  3. sign the wildcard server certificate with your own CA


//  1. My Own RootCA generation 
$ uname -a 
Darwin <hostname> 12.2.1 Darwin Kernel Version 12.2.1: 

$ cd /path/to/myrootca
$ mkdir keys certs servers
// generate root CA private key
$ openssl genrsa -out keys/my_own_rootca.key 2048
// generate self-signed root ca certificate
$ openssl req -new -x509 -days 3650 -key keys/my_own_rootca.key -out certs/my_own_rootca.crt
** enter info as:
Country Name (2 letter code) [AU]:<country>
State or Province Name (full name) [Some-State]:<state>
Locality Name (eg, city) []:<city>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<company name>
Organizational Unit Name (eg, section) []:<department name>
Common Name (eg, YOUR name) []:My Own Root CA       
Email Address []:prod_pd@my.com


// 2. generate wildcard server certificate
// generate company dev servers PK
$ openssl genrsa -out servers/company-dev-server.key 2048
// generate the wildcard certificate CSR for the root CA to sign
$ openssl req -new -key servers/company-dev-server.key -out servers/company-dev-server.csr
-----
Country Name (2 letter code) [AU]:<country>
State or Province Name (full name) [Some-State]:<state>
Locality Name (eg, city) []:<city>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<company name>
Organizational Unit Name (eg, section) []:<department name>
Common Name (eg, YOUR name) []:*.dev.pd.my.com
Email Address []:prod_pd@my.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<none>
An optional company name []: <none>

// 3. root CA signs the wildcard certificate
$ openssl x509 -req -days 3650 -CA certs/my_own_rootca.crt -CAkey keys/my_own_rootca.key -set_serial 01 -in servers/company-dev-server.csr -out servers/company-dev-server.crt

// generate P12 keystore (root CA signed wildcard certificate, dev server private key, root CA certificate)
$ openssl pkcs12 -export -in servers/company-dev-server.crt -inkey servers/company-dev-server.key -out servers/company-dev-server.p12 -name prod_name -CAfile certs/my_own_rootca.crt -caname my_own_root_ca
** export password: 1234

// use keytool to merge one keystore into another:
// convert the P12 keystore to a JKS keystore
$ keytool -importkeystore -deststorepass pwd -destkeypass pwd -destkeystore servers/company-dev-server.jks -srckeystore servers/company-dev-server.p12 -srcstoretype PKCS12 -srcstorepass 1234 -alias prod_name

// import root ca certificate to JKS
$ keytool -import  -file certs/my_own_rootca.crt -alias MyOwnRootCA -keystore servers/company-dev-server.jks -storepass pwd

$ keytool -v -list -keystore servers/company-dev-server.jks -storepass pwd
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: prod_name
...
Alias name: MyOwnRootCA
...

// for App Server use
// install the wildcard server keystore as the WLS (WebLogic Server) identity keystore
copy servers/company-dev-server.jks to the WLS config dir
// in the admin console, change the keystore and configure SSL

// for web client use
// host certs/my_own_rootca.crt from apache
$ cp certs/my_own_rootca.crt <apache-webroot>/my_own_rootca.crt
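The three steps above as one non-interactive script, added here as an example and not part of the original post. It keeps the post's file names but uses placeholder subject values, adds a subjectAltName to the wildcard certificate (clients no longer accept a CN-only wildcard) and a serial file in place of -set_serial 01, and finishes with the chain and host name checks worth running before the keystore is built; it needs openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example: the post's steps 1-3 run without prompts, then verified.
# Subject fields below are constructed placeholders; file names follow the post.
set -eu

SUBJ_BASE="/C=AU/ST=Some-State/L=Some-City/O=Example Co"   # placeholder values
WILDCARD="*.dev.pd.my.com"

# 1. root CA: private key + self-signed certificate (CA:TRUE comes from the
#    default openssl.cnf v3_ca section, as in the post's command)
make_root_ca() {
    openssl genrsa -out keys/my_own_rootca.key 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key keys/my_own_rootca.key \
        -subj "$SUBJ_BASE/CN=My Own Root CA" -out certs/my_own_rootca.crt
}

# 2.+3. server key and CSR, then sign with the root CA. openssl x509 -req copies
#    no extensions from the CSR, so the server extensions come from an ext file.
#    -CAcreateserial keeps certs/my_own_rootca.srl so each signed cert gets a
#    fresh serial; -set_serial 01 would reuse 01 for every certificate.
make_wildcard_cert() {
    openssl genrsa -out servers/company-dev-server.key 2048 2>/dev/null
    openssl req -new -key servers/company-dev-server.key \
        -subj "$SUBJ_BASE/CN=$WILDCARD" -out servers/company-dev-server.csr
    cat > servers/company-dev-server.ext <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$WILDCARD,DNS:dev.pd.my.com
EOF
    openssl x509 -req -days 3650 -CA certs/my_own_rootca.crt \
        -CAkey keys/my_own_rootca.key -CAcreateserial \
        -in servers/company-dev-server.csr -extfile servers/company-dev-server.ext \
        -out servers/company-dev-server.crt 2>/dev/null
}

# checks: chain validates against the root, the SAN is present, and the
# wildcard matches (only) the host names it is meant to cover
verify_chain() {
    openssl verify -CAfile certs/my_own_rootca.crt servers/company-dev-server.crt >/dev/null
}
has_wildcard_san() {
    openssl x509 -in servers/company-dev-server.crt -noout -text | grep -q 'DNS:\*\.dev\.pd\.my\.com'
}
matches_host() {   # $1 = host name to test against the certificate
    openssl verify -CAfile certs/my_own_rootca.crt -verify_hostname "$1" \
        servers/company-dev-server.crt >/dev/null 2>&1
}

cd "$(mktemp -d)" && mkdir -p keys certs servers    # scratch dir, like the post's myrootca
make_root_ca && make_wildcard_cert
verify_chain && has_wildcard_san && matches_host app1.dev.pd.my.com && echo "wildcard cert OK"
```

The resulting servers/company-dev-server.crt and .key drop straight into the pkcs12 export command of step 3.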

******* DONE *********
