Friday, December 26, 2014

Generate SSL Certification for both Nodejs & JBoss (java)

Nodejs supports pkcs12 keystore while jboss supports jks.  Installer/installation script should generate one single certificate and create two keystores for all servers.  Also, wildcard certificate can be use when multiple machines are involved.  

Generating Keystores:

  1. Generate private key
    openssl genrsa -des3 -out host.key 2048
    (enter password)
    * note, des3 is considered to be out-dated and not secured.
  2. Convert private key to unencrypted format
    openssl rsa -in host.key -out host.key.rsa
    (reenter password)
  3. Create certificate signing request
    openssl req -new -key host.key.rsa -out host.csr
  4. Sign the certificate (or send the CSR to CA, like HPIT)
    openssl x509 -req -days 365 -in host.csr -signkey host.key.rsa -out host.cert
  5. Generate PKCS12 keystore for nodejs servers
    openssl pkcs12 -export -in host.cert -inkey host.key.rsa -out host.pfx
  6. Generate JKS for JBoss server
    keytool -importkeystore -srckeystore host.pfx -srcstoretype PKCS12 -destkeystore .keystore -srcalias 1 -destalias ??? * you'll need to specify the destination alias in jboss' standalone xml.

Wildcard/Intermediate Certificate:

To generate a certificate for the host and use the intermediate certificate to sign the host certificate.  
  1. follow step 1 & 2 above to generate private key.  change host.key to domain.key.
  2. follow step 3 above to generate CSR (enter *  change host.csr to domain.csr.
  3. follow step 4 to sign the certificate. change host.cert to domain.cert.
  4. follow step 1 to 3 again to generate private key and CSR for the host.  (enter full domain name as CN, e.g.
  5. Generate host certificate with domain certificate
    openssl x509 -req -days 365 -in host.csr -CA domain.cert -CAkey domain.key.rsa -set_serial 01 -out host.cert
  6. Create PKCS12 keystore for nodejs
    openssl pkcs12 -export -in host.cert -inkey host.key.rsa -certfile domain.cert -out host.pfx
  7. follow step 6 above to convert PKCS12 keystore to JKS


  1. it appears the use of wildcard certificate should be replaced by SAN.
  2. Common OpenSSL command
  3. Common Keytool command
  4. Setting JBoss SSL
  5. Creating your own CA chain.

No comments:

Post a Comment