(HTCC-30449)

(8 intermediate revisions by 3 users not shown)
[[Category:V:HTCC:8.5.2DRAFT]]

Latest revision as of 13:09, October 25, 2021

Appendix: How-to Create SSL Certificate

Prerequisites

  • Create the root pair (rootCA key & rootCA cert).
  • Create the /root/ca working directory (mkdir /root/ca).
  • Create the directory structure:
    # cd /root/ca
    # mkdir certs crl newcerts private
    # chmod 700 private
    # touch index.txt
    # echo 1000 > serial
  • Copy the root CA configuration (openssl.cnf) to /root/ca/openssl.cnf
  • Create the root key. It is encrypted with AES-256; the pass phrase is needed every time the CA signs something, so keep it out of scripts and shell history:
    # cd /root/ca
    # openssl genrsa -aes256 -out private/<rootCA>.key.pem 4096
  • Enter pass phrase for <rootCA>.key.pem: <Enter password>
  • Verifying - Enter pass phrase for <rootCA>.key.pem: <Enter password>
  • Restrict the key file to its owner. This key never leaves the CA host; the GWS server and the clients only ever receive the certificate:
    # chmod 400 private/<rootCA>.key.pem

Create Root Certificate

  • Use the <rootCA>.key.pem root key to create the <rootCA>.cert.pem root certificate (self-signed, valid for 7300 days, with the extensions from the [ v3_ca ] section of openssl.cnf).
    # cd /root/ca
    # openssl req -config openssl.cnf -key private/<rootCA>.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/<rootCA>.cert.pem
  • Enter the pass phrase for <rootCA>.key.pem: <password for “rootCA.key.pem”>
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    -----
    Country Name (2 letter code) [XX]: <Enter country code>
    State or Province Name []: <Enter state or province>
    Locality Name []: <Enter city>
    Organization Name []: <Enter company name>
    Organizational Unit Name []: <Enter company OU>
    Common Name []: <Enter a name for the CA, for example “<Company> Root CA”; this is a label, not a hostname>
    Email Address []: <Enter admin mail account>
  • The certificate is public, so it can be world-readable, but make it read-only:
    # chmod 444 certs/<rootCA>.cert.pem

Verify Root Certificate

# cd /root/ca
# openssl x509 -noout -text -in certs/<rootCA>.cert.pem

The output shows:

  • The Signature Algorithm used
  • The dates of certificate Validity
  • The Public-Key bit length
  • The Issuer, which is the entity that signed the certificate
  • The Subject, which refers to the certificate itself

The Issuer and Subject are identical as the certificate is self-signed. Note that all root certificates are self-signed.

Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=GB, ST=England,
            O=Alice Ltd, OU=Alice Ltd Certificate Authority,
            CN=Alice Ltd Root CA
    Validity
        Not Before: Apr 11 12:22:58 2015 GMT
        Not After : Apr  6 12:22:58 2035 GMT
    Subject: C=GB, ST=England,
             O=Alice Ltd, OU=Alice Ltd Certificate Authority,
             CN=Alice Ltd Root CA
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (4096 bit)

The output also shows the X509v3 extensions. We applied the v3_ca extension, so the options from [ v3_ca ] should be reflected in the output.

X509v3 extensions:
    X509v3 Subject Key Identifier:
        38:58:29:2F:6B:57:79:4F:39:FD:32:35:60:74:92:60:6E:E8:2A:31
    X509v3 Authority Key Identifier:
        keyid:38:58:29:2F:6B:57:79:4F:39:FD:32:35:60:74:92:60:6E:E8:2A:31

    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 Key Usage: critical
        Digital Signature, Certificate Sign, CRL Sign

GWS Key and Certificate Generation

  • Make a directory for GWS files:
    # cd /root/ca
    # mkdir gwsCerts
  • Create a key:
    # cd /root/ca
    # openssl genrsa -aes256 -out gwsCerts/<gwsKey>.key.pem 2048
    # chmod 400 gwsCerts/<gwsKey>.key.pem
  • Create a certificate signing request (CSR):
    Requirement
    The Common Name must be the fully qualified domain name of the GWS host, and the same name must appear in the Subject Alternative Name (SAN) list: browsers match the host name against the SAN, not against the Common Name.
    Copy san.cnf and v3.ext to /root/ca and modify the following parameters in these files:
    commonName = <Enter FQDN of your GWS host>
    DNS.1   = <the same FQDN as commonName>
    DNS.2   = *.<parent domain of the FQDN>
    Add the DNS.2 wildcard only if clients really reach GWS under other names in that domain. A wildcard entry makes the certificate valid for every host in the domain, so keep the SAN list as narrow as the deployment allows.
    # cd /root/ca
    # openssl req -new -key gwsCerts/<gwsKey>.key.pem -out gwsCerts/<gwsCSR>.csr -config san.cnf
    The -key option reuses the key created above. Do not use -newkey rsa:2048 -nodes -keyout here: that generates a fresh, unencrypted key and silently overwrites <gwsKey>.key.pem.
  • Enter pass phrase for <gwsKey>.key.pem
    <password for gws Key>
    You are about to be asked to enter information that will be incorporated into your certificate request.
    Country Name (2 letter code) [XX]: <Enter country code>
    State or Province Name []: <Enter state>
    Locality Name []: <Enter city>
    Organization Name []: <Enter company>
    Organizational Unit Name []: <Enter company OU>
    Common Name []: <Enter FQDN of your GWS host>
    Email Address []: <Enter email address>
  • Sign the GWS CSR file:
    Sign the GWS CSR with the root CA. openssl x509 -req does not copy extensions from the CSR, so the SAN has to be supplied again through -extfile v3.ext; without it the signed certificate carries no SAN and browsers reject it with a name mismatch.
    # cd /root/ca
    # openssl x509 -req -sha256 -days 367 -in gwsCerts/<gwsCSR>.csr -CA <full path to ‘rootCA.cert.pem’> -CAkey <full path to ‘rootCA.key.pem’> -CAcreateserial -out gwsCerts/<gwsSignedCert>.pem -extfile v3.ext -extensions v3_req
    # chmod 444 gwsCerts/<gwsSignedCert>.pem
    Example:
    openssl x509 -req -sha256 -days 367 -in gwsCerts/gwsCSR.csr -CA /root/ca/certs/rootCA.cert.pem -CAkey /root/ca/private/rootCA.key.pem -CAcreateserial -out gwsCerts/gwsSignedCert.pem -extfile v3.ext -extensions v3_req
    # chmod 444 gwsCerts/gwsSignedCert.pem
  • Verify the certificate:
    # openssl x509 -noout -text -in gwsCerts/<gwsSignedCert>.pem
    Check that Issuer is the root CA, that X509v3 Subject Alternative Name lists the FQDN (and the wildcard, if you added one), that Basic Constraints says CA:FALSE, and that the Validity window is what you expect.

Converting Procedures

  • Convert the existing cert to a PKCS12 using OpenSSL.
    Important
    A password is required. It protects the GWS private key inside the .p12, so choose it as carefully as the key pass phrase.
    # cd /root/ca
    # openssl pkcs12 -export -in gwsCerts/<gwsSignedCert>.pem -inkey gwsCerts/<gwsKey>.key.pem -out <keystore.p12> -name <certAlias> -CAfile <full path to ‘rootCA.cert.pem’> -caname rootCA
    Example:
    # openssl pkcs12 -export -in /root/ca/gwsCerts/gwsSignedCert.pem -inkey /root/ca/gwsCerts/gwsKey.key.pem -out keystore.p12 -name firstcert -CAfile /root/ca/certs/rootCA.cert.pem -caname rootCA
    Note that -CAfile only contributes certificates to the bundle together with -chain; as written, the .p12 holds the GWS key and certificate only, which is why the root certificate is imported into the keystore separately in the next section.
  • Convert the PKCS12 to a Java Keystore File.
    # cd /root/ca
    # keytool -importkeystore -deststorepass <new_keystore_pass> -destkeypass <new_key_pass> -destkeystore <gwsKeystore.jks> -srckeystore <keystore.p12> -srcstoretype PKCS12 -srcstorepass <pass_used_in_p12_keystore> -alias <alias_used_in_p12_keystore>
    Example:
    keytool -importkeystore -deststorepass password -destkeypass password -destkeystore gwsKeystore.jks -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass password -alias firstcert
    Passwords passed on the command line end up in the shell history; omit the -storepass/-keypass options to be prompted instead, or clear the history afterwards.
  • keytool warns that JKS is a proprietary format and suggests migrating the keystore to PKCS12 with:
    keytool -importkeystore -srckeystore gwsKeystore.jks -destkeystore gwsKeystore.jks -deststoretype pkcs12
    If you do this, set keyStoreType: PKCS12 instead of JKS in application.yaml.
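The procedure from the Prerequisites through the PKCS12 export, as one added example that is not part of the original page and not Genesys tooling. It builds a throwaway CA and a GWS-style server certificate in a temporary directory and then runs the checks a reviewer would want: that the leaf chains to the root, that it is valid for the names in its SAN, that the SAN really is lost when -extfile is omitted from openssl x509 -req, and how many certificates the PKCS#12 bundle holds. All names (gws.example.test, gws-alias.example.test, Example Root CA), paths and passwords are hypothetical; the keys are left unencrypted and the configs use prompt = no so that it runs unattended, and the PKCS#12 step uses -certfile to add the root explicitly rather than the page's -CAfile. It needs only openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original page or from Genesys): a throwaway CA and a
# GWS-style server certificate end to end, plus the checks a reviewer would run.
# Every name, path and value is hypothetical. Keys are left unencrypted so the
# script runs unattended; on a real CA keep the page's -aes256 pass phrase.
set -eu

# make_ca DIR: root key and self-signed CA certificate with v3_ca extensions.
make_ca() {
  ca=$1
  mkdir -p "$ca/certs" "$ca/private" && chmod 700 "$ca/private"
  cat > "$ca/openssl.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Example Root CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
  openssl genrsa -out "$ca/private/rootCA.key.pem" 2048 2>/dev/null
  openssl req -config "$ca/openssl.cnf" -key "$ca/private/rootCA.key.pem" \
    -new -x509 -days 7300 -sha256 -out "$ca/certs/rootCA.cert.pem"
  chmod 400 "$ca/private/rootCA.key.pem"   # the CA key never leaves this directory
}

# make_leaf DIR FQDN ALT: server key and CSR whose SAN lists FQDN and ALT.
# v3.ext repeats the SAN because "openssl x509 -req" drops the CSR's extensions.
make_leaf() {
  ca=$1; fqdn=$2; alt=$3
  mkdir -p "$ca/gwsCerts"
  cat > "$ca/san.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = $fqdn
[ v3_req ]
subjectAltName = DNS:$fqdn, DNS:$alt
EOF
  cat > "$ca/v3.ext" <<EOF
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn, DNS:$alt
EOF
  openssl genrsa -out "$ca/gwsCerts/gws.key.pem" 2048 2>/dev/null
  openssl req -new -key "$ca/gwsCerts/gws.key.pem" -config "$ca/san.cnf" -out "$ca/gwsCerts/gws.csr"
}

# sign_leaf DIR OUT WITH_EXT: sign the CSR with the CA. WITH_EXT=yes passes
# -extfile v3.ext as the page does; WITH_EXT=no omits it (the common mistake).
sign_leaf() {
  ca=$1; out=$2; with_ext=$3
  set -- -req -sha256 -days 367 -in "$ca/gwsCerts/gws.csr" -CA "$ca/certs/rootCA.cert.pem" \
    -CAkey "$ca/private/rootCA.key.pem" -CAcreateserial -out "$out"
  if [ "$with_ext" = yes ]; then set -- "$@" -extfile "$ca/v3.ext" -extensions v3_req; fi
  openssl x509 "$@" 2>/dev/null
}

# has_san CERT NAME: succeeds if NAME is listed as a DNS SAN in CERT.
has_san() { openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"; }
# chain_ok CAFILE CERT NAME: succeeds if CERT chains to CAFILE and is valid for NAME.
chain_ok() { openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; }

# export_p12 DIR OUT PASS: bundle server key, certificate and root into PKCS#12.
# -certfile adds the root explicitly; -CAfile on its own (without -chain) does not.
export_p12() {
  openssl pkcs12 -export -in "$1/gwsCerts/gws.cert.pem" -inkey "$1/gwsCerts/gws.key.pem" \
    -certfile "$1/certs/rootCA.cert.pem" -name gws -out "$2" -passout "pass:$3"
}
# p12_cert_count FILE PASS: prints how many certificates the bundle holds.
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

demo() {
  work=$(mktemp -d)
  make_ca "$work"
  make_leaf "$work" gws.example.test gws-alias.example.test
  sign_leaf "$work" "$work/gwsCerts/gws.cert.pem" yes
  sign_leaf "$work" "$work/gwsCerts/nosan.cert.pem" no
  for c in gws nosan; do
    chain_ok "$work/certs/rootCA.cert.pem" "$work/gwsCerts/$c.cert.pem" gws-alias.example.test \
      && echo "$c.cert.pem: chains to rootCA and is valid for gws-alias.example.test" \
      || echo "$c.cert.pem: rejected for gws-alias.example.test (no SAN, -extfile was omitted)"
  done
  export_p12 "$work" "$work/keystore.p12" changeit
  echo "keystore.p12 holds $(p12_cert_count "$work/keystore.p12" changeit) certificates"
  rm -rf "$work"
}
demo
```

Running it prints one accepted and one rejected leaf: the certificate signed without -extfile still chains to rootCA but is not valid for the alias name, because the only name left on it is the Common Name. The PKCS#12 count is 2 (server certificate plus root) only because of -certfile; with the page's -CAfile form the root must be added with keytool afterwards.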

Import Missing Certs and Create Truststore

  • Import the rootCA certificate into gwsKeystore.jks. Use keytool -importcert on each node so that its keystore holds the full chain (the GWS certificate plus the root that issued it):
    # cd /root/ca
    # keytool -importcert -keystore <gwsKeystore>.jks -alias rootCA -file certs/<rootCA>.cert.pem -noprompt -storepass <keystore password>
    Example:
    # keytool -importcert -keystore gwsKeystore.jks -alias rootCA -file /root/ca/certs/rootCA.cert.pem -noprompt -storepass password
  • Create a server truststore. It holds only the root certificate, never a private key, so it can be copied freely:
    # cd /root/ca
    # keytool -importcert -keystore <gwsTruststore>.jks -alias rootCA -file certs/<rootCA>.cert.pem -noprompt -storepass <password>
    Example:
    # keytool -importcert -keystore gwsTruststore.jks -alias rootCA -file /root/ca/certs/rootCA.cert.pem -noprompt -storepass password

GWS Configuration (application.yaml)

  • Configuration example (jetty section):
    enableSsl: true
    ssl:
      port: 8443
      securePort: 443
      idleTimeout: 30000
      soLingerTime: -1
      trustAll: true
      keyStorePath: /root/ca/<gwsKeystore>.jks
      keyStorePassword: <keystore password>
      keyStoreType: JKS
      trustStorePath: /root/ca/<gwsTruststore>.jks
      trustStorePassword: <truststore password>
    trustAll: true tells the TLS layer to accept any peer certificate, so the trust store is not enforced while it is set. It is a convenience for first bringing the listener up; switch it to trustAll: false once gwsTruststore.jks is in place so that only certificates issued by rootCA are accepted. Use keyStoreType: PKCS12 if the keystore was migrated with the keytool command above. The keystore and truststore passwords are stored in clear text here, so restrict read access to application.yaml to the GWS service account.
    Example:
    # caCertificate: /root/ca/myKeystore.jks
    # jksPassword: Manila@1234
    enableSsl: true
    ssl:
      port: 8443
      securePort: 443
      idleTimeout: 30000
      soLingerTime: -1
      trustAll: true
      keyStorePath: /root/ca/gwsKeystore.jks
      keyStorePassword: password
      keyStoreType: JKS
      trustStorePath: /root/ca/gwsTruststore.jks
      trustStorePassword: password

On Client Desktop

  • Add your host (hostname should be specified as FQDN) in <%system_drive%>\Windows\System32\drivers\etc\hosts, unless DNS already resolves it. The name the browser uses must match an entry in the certificate's SAN, or the browser reports a name mismatch.
    Example in the file
    192.168.100.26      gws-centos7.genesys.com
  • Export the root certificate, without its private key, in a format Windows imports (a PFX that contains only the certificate):
    # cd /root/ca
    # openssl pkcs12 -export -nokeys -in certs/<rootCA>.cert.pem -out <rootCA>.pfx
    Example:
    openssl pkcs12 -export -nokeys -in /root/ca/certs/rootCA.cert.pem -out rootCA.pfx
    Never put private/<rootCA>.key.pem into this file or copy it to a client. Anyone holding the CA key can issue a certificate for any host name that every client trusting rootCA will accept.
  • Copy <rootCA>.pfx to the Windows host. The client does not need <keystore>.p12: that file contains the GWS server's private key and belongs only on the GWS host.
  • Import the <rootCA>.pfx file, make sure to select “Place all certificates in the following store”. Browse “Trusted Root Certification Authorities”.
  • Verify that the rootCA certificate is present under Trusted Root Certification Authorities using certmgr.msc, then open GWS over HTTPS in a browser and check that the GWS certificate it presents chains to rootCA without warnings.
    Example:
    • For rootCA certificate:
      rootCA_certificate.png
    • For GWS certificate:
      GWS_certificate.png