General Middleware

Configure Keystores & Certificates

To configure SSL, procure the certificates and wrap them into a keystore. Certificates and keystores come in several formats, and different products support one format or another. The formats you will meet most often are:

1. PKCS12

2. Java Keystore (JKS)

3. Key Database (KDB)

4. Key & Cert

Let's look at how to generate a keystore in each format.

PKCS12

1. Generate the Key pair:

keytool -genkeypair -alias mwexpert -dname "CN=mwexpert.com, OU=Middleware, L=HighlandsRanch, O=MiddlewareExpert, ST=Colorado, C=US" -keyalg RSA -keystore myKeystore.p12 -keysize 2048 -sigalg SHA256withRSA -storepass password -keypass password -storetype PKCS12

2. Create the CSR:

keytool -certreq -alias mwexpert -keystore myKeystore.p12 -storetype PKCS12 -file cert_req.csr -storepass password

3. Submit the CSR and get it signed by a certificate authority, e.g. DigiCert, Entrust, GoDaddy, etc.

4. Before importing the signed certificate, import the root and the intermediate as trusted CAs:

keytool -keystore myKeystore.p12 -storetype PKCS12 -import -alias root -file root_cert.crt -storepass password

keytool -keystore myKeystore.p12 -storetype PKCS12 -import -alias intermediate -file intermediate_cert.crt -storepass password

5. Import the signed certificate under the same alias used in Step 1, which is "mwexpert" in our case. You should NOT import it as a trusted CA: under a different alias keytool stores it as a separate trusted certificate entry instead of attaching it to the private key.

keytool -keystore myKeystore.p12 -storetype PKCS12 -import -alias mwexpert -file signed_cert.crt -storepass password

Java Keystore (JKS)

The steps are exactly the same as the ones for PKCS12, except that -storetype is JKS. By default, keytool uses the JKS format, so that option can be skipped as well.

1. Generate the Key pair:

keytool -genkeypair -alias mwexpert -dname "CN=mwexpert.com, OU=Middleware, L=HighlandsRanch, O=MiddlewareExpert, ST=Colorado, C=US" -keyalg RSA -keystore myKeystore.jks -keysize 2048 -sigalg SHA256withRSA -storepass password -keypass password

2. Create the CSR:

keytool -certreq -alias mwexpert -keystore myKeystore.jks -file cert_req.csr -storepass password

3. Submit the CSR and get it signed by a certificate authority, e.g. DigiCert, Entrust, GoDaddy, etc.

4. Before importing the signed certificate, make sure to import the root and the intermediate as trusted CAs:

keytool -keystore myKeystore.jks -import -alias root -file root_cert.crt -storepass password

keytool -keystore myKeystore.jks -import -alias intermediate -file intermediate_cert.crt -storepass password

5. Import the signed certificate under the same alias used in Step 1, which is "mwexpert" in our case. Note that it must not be imported as a trusted CA.

keytool -keystore myKeystore.jks -import -alias mwexpert -file signed_cert.crt -storepass password
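The five keytool steps above are the same for PKCS12 and JKS, and the mistake that bites most often is silent: if the signed certificate lands under the wrong alias, or the CA chain is missing, you end up with a keystore that lists fine but has no usable private-key entry. The following script, an added example and not part of the original post, runs the whole procedure against a locally constructed test CA (an openssl-generated root and intermediate standing in for the public CA of Step 3) and then checks that the alias is still a PrivateKeyEntry with a three-certificate chain. It takes the store type as an argument and always passes -storetype explicitly, because the keytool default differs between JDK releases. All names, paths and the "password" passphrase are made up for the demo.

```shell
#!/bin/sh
# Added example: run the keytool keystore procedure end to end and verify it.
# Assumes keytool (JDK) and openssl (>= 1.1.1) on PATH; all names are constructed.
# Returns 0 on success, 1 on failure, 2 when keytool or openssl is not installed.

roundtrip_body() {
    work="$1"; storetype="$2"
    case "$storetype" in
        PKCS12) ks="$work/myKeystore.p12" ;;
        *)      ks="$work/myKeystore.jks" ;;
    esac
    dn="CN=mwexpert.com, OU=Middleware, L=HighlandsRanch, O=MiddlewareExpert, ST=Colorado, C=US"

    # Constructed test CA: self-signed root plus an intermediate, both with CA extensions.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$work/ca.ext"
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Root CA" \
        -keyout "$work/root.key" -out "$work/root.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$work/root.csr" -signkey "$work/root.key" -days 30 -sha256 \
        -extfile "$work/ca.ext" -out "$work/root_cert.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Intermediate CA" \
        -keyout "$work/int.key" -out "$work/int.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$work/int.csr" -CA "$work/root_cert.crt" -CAkey "$work/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$work/ca.ext" \
        -out "$work/intermediate_cert.crt" 2>/dev/null || return 1

    # Steps 1 and 2: key pair and CSR, as in the post.
    keytool -genkeypair -alias mwexpert -dname "$dn" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -keystore "$ks" -storetype "$storetype" -storepass password -keypass password >/dev/null 2>&1 || return 1
    keytool -certreq -alias mwexpert -keystore "$ks" -storetype "$storetype" -storepass password \
        -file "$work/cert_req.csr" >/dev/null 2>&1 || return 1

    # Step 3: the test intermediate signs the CSR (stand-in for the public CA).
    openssl x509 -req -in "$work/cert_req.csr" -CA "$work/intermediate_cert.crt" -CAkey "$work/int.key" \
        -CAcreateserial -days 30 -sha256 -out "$work/signed_cert.crt" 2>/dev/null || return 1

    # Steps 4 and 5: trust anchors first, then the signed cert under the ORIGINAL alias.
    for pair in "root:root_cert.crt" "intermediate:intermediate_cert.crt" "mwexpert:signed_cert.crt"; do
        alias="${pair%%:*}"; file="${pair#*:}"
        keytool -import -noprompt -alias "$alias" -file "$work/$file" -keystore "$ks" \
            -storetype "$storetype" -storepass password >/dev/null 2>&1 || return 1
    done

    # Check: the alias must still be a private-key entry carrying leaf + intermediate + root.
    listing=$(keytool -list -v -alias mwexpert -keystore "$ks" -storetype "$storetype" \
        -storepass password 2>/dev/null) || return 1
    echo "$listing" | grep -q 'Entry type: PrivateKeyEntry' || return 1
    echo "$listing" | grep -q 'Certificate chain length: 3' || return 1
    return 0
}

# keystore_roundtrip [PKCS12|JKS]
keystore_roundtrip() {
    command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1 || return 2
    work=$(mktemp -d) || return 1
    roundtrip_body "$work" "${1:-PKCS12}" && rc=0 || rc=$?
    rm -rf "$work"
    return $rc
}

# Usage: keystore_roundtrip PKCS12; echo "PKCS12 result: $?"
```

If the last import fails with "Failed to establish chain from reply", the root or intermediate is missing from the keystore (Step 4 was skipped); if the listing shows "trustedCertEntry" for mwexpert, the signed certificate was imported under a fresh alias rather than the one from Step 1.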

Key Database (KDB)

Use gsk7capicmd, the GSKit toolkit that ships with IBM products such as IBM HTTP Server or IBM WebSphere.

1. First, set LD_LIBRARY_PATH:

export LD_LIBRARY_PATH=<IBM_PRODUCT_BASE>/gsk7/lib/

2. Generate the KDB and the CSR:

gsk7capicmd -certreq -create -dn "CN=mwexpert.com, OU=Middleware, L=HighlandsRanch, O=MiddlewareExpert, ST=Colorado, C=US" -db key.kdb -pw password -label primaryCert -file mycsr.csr -size 2048

3. Add the root and intermediate CA certificates to the KDB store:

gsk7capicmd -cert -add -label root -file rootCA.cer -db key.kdb -pw password

gsk7capicmd -cert -add -label intermediate -file intermediateCA.cer -db key.kdb -pw password

4. Receive the signed certificate into the KDB store:

gsk7capicmd -cert -receive -file signedCert.cer -db key.kdb -pw password -default_cert yes


Key & Cert

1. Generate the key and the CSR:

openssl req -nodes -newkey rsa:2048 -sha256 -keyout mykey.key -out mycsr.csr -subj "/C=US/ST=California/L=Foster City/O=MiddlewareExpert/OU=Affluent/CN=mwexpert"

2. Upload the CSR to any CA and get the signed cert.

3. Now use the signed cert and the key to configure SSL in products, e.g. Apache.
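Before wiring the key and signed certificate into Apache, it is worth confirming that the CA actually returned a certificate for the key you generated, that it chains to the root through the intermediate, and that it is not about to expire. The functions below are an added example, not from the original post: they assume only openssl on PATH, take the file names you chose for -keyout/-out plus the CA-supplied root and intermediate files, and the self-check at the end builds its own constructed test material (a self-signed certificate and an unrelated key) so it runs offline.

```shell
#!/bin/sh
# Added example: post-issuance checks for an openssl key/cert pair.
# Assumes openssl on PATH; all file names are arguments or constructed in the self-check.

# Does this private key belong to this certificate? Compare the SubjectPublicKeyInfo
# from both sides (works for RSA and EC alike, unlike comparing -modulus output).
key_matches_cert() {
    key="$1"; cert="$2"
    k=$(openssl pkey -in "$key" -pubout -outform PEM 2>/dev/null) || return 1
    c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Does the signed certificate validate up to the root? root.pem is the trust anchor,
# chain.pem (optional) holds the intermediate(s) supplied by the CA.
cert_chains_to_root() {
    cert="$1"; root="$2"; chain="$3"
    if [ -n "$chain" ]; then
        openssl verify -CAfile "$root" -untrusted "$chain" "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1
    fi
}

# Will the certificate still be valid in N days? (-checkend exits 0 only if so.)
cert_valid_for_days() {
    cert="$1"; days="$2"
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Self-check on constructed material: a 30-day self-signed cert (so it is its own
# root) and a second, unrelated key that must be rejected.
# Returns 0 if every check behaves as expected, 1 otherwise, 2 if openssl is missing.
run_self_checks() {
    command -v openssl >/dev/null 2>&1 || return 2
    work=$(mktemp -d) || return 1
    rc=0
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/C=US/ST=California/L=Foster City/O=MiddlewareExpert/OU=Affluent/CN=mwexpert" \
        -keyout "$work/mykey.key" -out "$work/mycert.crt" 2>/dev/null || rc=1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/other.key" 2>/dev/null || rc=1
    if [ "$rc" -eq 0 ]; then
        key_matches_cert "$work/mykey.key" "$work/mycert.crt" || rc=1       # the real pair matches
        key_matches_cert "$work/other.key" "$work/mycert.crt" && rc=1      # a foreign key must not
        cert_chains_to_root "$work/mycert.crt" "$work/mycert.crt" "" || rc=1  # self-signed: own root
        cert_valid_for_days "$work/mycert.crt" 7 || rc=1                   # still valid in a week
        cert_valid_for_days "$work/mycert.crt" 60 && rc=1                  # but not in 60 days
    fi
    rm -rf "$work"
    return $rc
}

# Usage on real files:
#   key_matches_cert mykey.key signed_cert.crt && \
#   cert_chains_to_root signed_cert.crt root_cert.crt intermediate_cert.crt && \
#   cert_valid_for_days signed_cert.crt 30 && echo "certificate is ready for Apache"
```

A mismatch from key_matches_cert usually means the CSR was regenerated after it was submitted, so the CA signed a different key; fix it by re-issuing rather than by reusing the stale key.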

Find further openssl commands here:

For complete reference, refer to the Digicert official guide.
