Node.js supports a PKCS12 keystore while JBoss supports JKS. The installer/installation script should generate one single certificate and create both keystores for all servers. A wildcard certificate can also be used when multiple machines are involved.
Generating Keystores:
1. Generate private key
openssl genrsa -des3 -out host.key 2048
(enter password)
* note, des3 is considered to be out-dated and not secure.
2. Convert private key to unencrypted format
openssl rsa -in host.key -out host.key.rsa
(reenter password)
3. Create certificate signing request
openssl req -new -key host.key.rsa -out host.csr
4. Sign the certificate (or send the CSR to a CA, like HPIT)
openssl x509 -req -days 365 -in host.csr -signkey host.key.rsa -out host.cert
5. Generate PKCS12 keystore for Node.js servers
openssl pkcs12 -export -in host.cert -inkey host.key.rsa -out host.pfx
6. Generate JKS for JBoss server
keytool -importkeystore -srckeystore host.pfx -srcstoretype PKCS12 -destkeystore .keystore -srcalias 1 -destalias ???
* you'll need to specify the destination alias in JBoss' standalone.xml.
Wildcard/Intermediate Certificate:
Generate a certificate for the domain (the intermediate), then use it to sign the host certificate.
- Follow steps 1 & 2 above to generate the private key, changing host.key to domain.key.
- Follow step 3 above to generate the CSR (enter *.domain.com as the CN), changing host.csr to domain.csr.
- Follow step 4 to sign the certificate, changing host.cert to domain.cert.
- Follow steps 1 to 3 again to generate the private key and CSR for the host (enter the full host name as the CN, e.g. arthur.domain.com).
- Generate the host certificate with the domain certificate
openssl x509 -req -days 365 -in host.csr -CA domain.cert -CAkey domain.key.rsa -set_serial 01 -out host.cert
- Create PKCS12 keystore for Node.js
openssl pkcs12 -export -in host.cert -inkey host.key.rsa -certfile domain.cert -out host.pfx
- Follow step 6 above to convert the PKCS12 keystore to JKS.
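The domain-to-host chain above, as an added shell script that is not part of the original notes: it builds the domain (intermediate) certificate and the host certificate with OpenSSL, puts the host name in a SAN as the note below recommends, verifies that the host certificate chains to the domain certificate, and exports the PKCS12 keystore. It assumes openssl is on PATH; domain.com, arthur.domain.com and the export password "changeit" are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original notes: build the domain -> host
# chain with OpenSSL, put the host name in a SAN as the note recommends,
# verify the chain, and export the PKCS12 keystore for nodejs. Assumes
# openssl on PATH; domain.com, arthur.domain.com and the export password
# "changeit" are placeholders.
set -eu

# make_chain DIR HOSTNAME [DOMAIN]: writes domain.cert, host.cert, host.pfx
make_chain() {
  dir=$1; host=$2; domain=${3:-domain.com}
  mkdir -p "$dir"

  # Domain (intermediate) key and certificate in one step, generated
  # unencrypted (-nodes) so no des3 passphrase is involved. "req -x509"
  # marks it CA:TRUE, which it must be to sign the host certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/domain.key.rsa" -out "$dir/domain.cert" \
    -subj "/CN=$domain" 2>/dev/null

  # Host key and CSR, with the full host name as CN.
  openssl genrsa -out "$dir/host.key.rsa" 2048 2>/dev/null
  openssl req -new -key "$dir/host.key.rsa" -out "$dir/host.csr" \
    -subj "/CN=$host" 2>/dev/null

  # Sign the host CSR with the domain certificate. The extension file adds
  # the SAN entry that modern clients check instead of the CN.
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" \
    > "$dir/host.ext"
  openssl x509 -req -days 365 -in "$dir/host.csr" \
    -CA "$dir/domain.cert" -CAkey "$dir/domain.key.rsa" -set_serial 01 \
    -extfile "$dir/host.ext" -out "$dir/host.cert" 2>/dev/null

  # PKCS12 for nodejs, bundling the domain cert so clients get the chain.
  openssl pkcs12 -export -in "$dir/host.cert" -inkey "$dir/host.key.rsa" \
    -certfile "$dir/domain.cert" -passout pass:changeit -out "$dir/host.pfx"
}

# verify_chain DIR HOSTNAME: succeeds only if host.cert chains to
# domain.cert and carries HOSTNAME as a DNS SAN.
verify_chain() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/domain.cert" "$dir/host.cert" >/dev/null &&
    openssl x509 -in "$dir/host.cert" -noout -text | grep -q "DNS:$host"
}
```

The resulting host.pfx is the input for step 6 (keytool -importkeystore) above; run verify_chain before importing so a broken chain is caught before it reaches JBoss.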
Note:
- it appears the use of a wildcard certificate should be replaced by SAN. http://techbrahmana.blogspot.com/2013/10/creating-wildcard-self-signed.html
- Common OpenSSL commands http://www.sslshopper.com/article-most-common-openssl-commands.html
- Common Keytool commands http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
- Setting up JBoss SSL http://anas2swad.wordpress.com/2013/11/24/jboss-7-1-1-certificate-mutual-authentication-authorization/
- Creating your own CA chain. http://superuser.com/questions/126121/how-to-create-my-own-certificate-chain