Friday, December 26, 2014

Generate SSL Certification for both Nodejs & JBoss (java)

Node.js supports a PKCS12 keystore while JBoss supports JKS.  The installer/installation script should generate one single certificate and create two keystores for all servers.  Also, a wildcard certificate can be used when multiple machines are involved.  

Generating Keystores:

  1. Generate private key
    openssl genrsa -des3 -out host.key 2048
    (enter password)
    * note: des3 is considered outdated and insecure.
  2. Convert private key to unencrypted format
    openssl rsa -in host.key -out host.key.rsa
    (reenter password)
  3. Create certificate signing request
    openssl req -new -key host.key.rsa -out host.csr
  4. Sign the certificate (or send the CSR to a CA, such as HPIT)
    openssl x509 -req -days 365 -in host.csr -signkey host.key.rsa -out host.cert
  5. Generate PKCS12 keystore for nodejs servers
    openssl pkcs12 -export -in host.cert -inkey host.key.rsa -out host.pfx
  6. Generate JKS for JBoss server
    keytool -importkeystore -srckeystore host.pfx -srcstoretype PKCS12 -destkeystore .keystore -srcalias 1 -destalias ???
    * you'll need to specify the destination alias in JBoss' standalone.xml.

Wildcard/Intermediate Certificate:

The steps below generate an intermediate (domain) certificate and use it to sign the host certificate.  
  1. Follow steps 1 & 2 above to generate the private key.  Change host.key to domain.key.
  2. Follow step 3 above to generate the CSR (enter *.domain.com as the CN).  Change host.csr to domain.csr.
  3. Follow step 4 to sign the certificate.  Change host.cert to domain.cert.
  4. Follow steps 1 to 3 again to generate the private key and CSR for the host.  (Enter the full domain name as the CN, e.g. arthur.domain.com.)
  5. Generate host certificate with domain certificate
    openssl x509 -req -days 365 -in host.csr -CA domain.cert -CAkey domain.key.rsa -set_serial 01 -out host.cert
  6. Create PKCS12 keystore for nodejs
    openssl pkcs12 -export -in host.cert -inkey host.key.rsa -certfile domain.cert -out host.pfx
  7. follow step 6 above to convert PKCS12 keystore to JKS
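The script below is an added example (not from the original post) that runs the wildcard procedure above end to end and then performs the checks you would want before installing the keystores; it assumes openssl on PATH, treats keytool as optional, and uses domain.com, arthur, changeit and the alias jboss as placeholders. It goes beyond the post in two places, adding basicConstraints CA:TRUE to the domain certificate and a subjectAltName to the host certificate.

```sh
#!/bin/sh
# Added example, not the original post's commands: wildcard/intermediate
# procedure end to end plus pre-install checks. Assumes openssl on PATH;
# keytool (a JDK) is optional. "changeit" and "jboss" are placeholders.
set -eu

# Steps 1-6. Keys are written unencrypted, which is what step 2 leaves you
# with. Beyond the post: the domain cert gets basicConstraints CA:TRUE
# (verifiers reject an issuer without it) and the host cert gets a SAN (note 1).
make_keystores() (
    dir=$1; domain=$2; host=$3; pass=$4
    mkdir -p "$dir" && cd "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    printf 'subjectAltName=DNS:%s.%s\n' "$host" "$domain" > host.ext
    openssl genrsa -out domain.key.rsa 2048
    openssl req -new -key domain.key.rsa -subj "/CN=*.$domain" -out domain.csr
    openssl x509 -req -days 365 -in domain.csr -signkey domain.key.rsa \
        -extfile ca.ext -out domain.cert
    openssl genrsa -out host.key.rsa 2048
    openssl req -new -key host.key.rsa -subj "/CN=$host.$domain" -out host.csr
    openssl x509 -req -days 365 -in host.csr -CA domain.cert -CAkey domain.key.rsa \
        -set_serial 01 -extfile host.ext -out host.cert
    openssl pkcs12 -export -in host.cert -inkey host.key.rsa -certfile domain.cert \
        -passout "pass:$pass" -out host.pfx
)

# Step 7: PKCS12 -> JKS for JBoss. The alias chosen here goes into standalone.xml.
make_jks() (
    cd "$1"; pass=$2; alias=$3
    keytool -importkeystore -srckeystore host.pfx -srcstoretype PKCS12 \
        -srcstorepass "$pass" -srcalias 1 -destkeystore .keystore \
        -deststorepass "$pass" -destalias "$alias" -noprompt
)

# Pre-install checks: the host cert chains to the domain cert, and the PKCS12
# opens with the password and carries both certificates (host + domain).
check_keystores() {
    dir=$1; pass=$2
    openssl verify -CAfile "$dir/domain.cert" "$dir/host.cert" >/dev/null || return 1
    n=$(openssl pkcs12 -in "$dir/host.pfx" -passin "pass:$pass" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true)
    [ "$n" -eq 2 ]
}

out=$(mktemp -d)
make_keystores "$out" domain.com arthur changeit
if command -v keytool >/dev/null 2>&1; then make_jks "$out" changeit jboss; fi
check_keystores "$out" changeit || { echo "keystore check failed" >&2; exit 1; }
echo "keystores written to $out"
```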

Note:

  1. It appears that wildcard certificates should be replaced by SAN (subjectAltName) certificates.  http://techbrahmana.blogspot.com/2013/10/creating-wildcard-self-signed.html
  2. Common OpenSSL commands http://www.sslshopper.com/article-most-common-openssl-commands.html
  3. Common keytool commands http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
  4. Setting up JBoss SSL http://anas2swad.wordpress.com/2013/11/24/jboss-7-1-1-certificate-mutual-authentication-authorization/
  5. Creating your own CA chain.  http://superuser.com/questions/126121/how-to-create-my-own-certificate-chain