
This section discusses the process to generate a keystore file, use it to create a Certificate Signing Request (CSR) for a third-party Certificate Authority (CA), import the signed certificates back into the keystore, and use it in Fiorano to create secure RESTful or Web services.

Generating a Keystore

  1. Open a command prompt and navigate to the %JDK_HOME%/bin directory.

    Note

    JDK8 is used in this exercise.

  2. Enter the following command, and then press Enter:

    Code Block
    keytool -keysize 2048 -keystore fiorano.jks -genkey -alias fiorano -keyalg RSA


    Tip

    Any name can be used for the keystore and the alias, but the same names must then be used consistently in the subsequent commands.

  3. Enter a password for the keystore. The password used in this example is 'fioranopass'.
  4. Answer all the questions pertaining to the organization details. When prompted for the First Name and Last Name, enter the fully qualified domain name (FQDN), host name or URL to which the certificate needs to be applied.
  5. To request a Wildcard certificate, add an asterisk (*) on the left side of the Common Name.
    Example:

    *.mydomain.com. This secures all subdomains of the Common Name, such as www.mydomain.com.

    Organization details entered

    Warning

    All the details provided in this step must be valid. If any of these values are found invalid, CA authorities reject the Certificate Signing Request (CSR).

    In this example, fiorano.com is used as the First and Last name, as this certificate is generated to secure RESTful/web services in fiorano.com.

Generating a Certificate Signing Request (CSR)

A CSR needs to be generated using the keystore created in the previous section. The CSR is what is submitted to the CA. Whenever the keystore is changed or updated, a new CSR needs to be generated.

  1. To generate a CSR, enter the following command, and then press Enter:

    Code Block
    keytool -keystore fiorano.jks -certreq -alias fiorano -keyalg rsa -file fiorano.csr -sigalg SHA256withRSA

  2. Provide the keystore password from the Generating a Keystore section above ("fioranopass" is used in our example).
  3. A file named "fiorano.csr" is created which contains the certificate signing request (CSR). This CSR has to be passed on to the external/third-party Certificate Authority (CA).

The CA will authenticate the certificate requestor (usually off-line) and will return a certificate or certificate chain used to replace the existing certificate chain (which initially consists of a self-signed certificate) in the keystore.

Generating SSL certificate using CSR

A third-party CA needs to be approached to request an SSL certificate using the CSR generated in the Generating a Certificate Signing Request (CSR) section. Third-party CA websites such as http://www.thawte.com and https://www.godaddy.com can be used to generate SSL certificates. In this example, a 21-day trial certificate from Thawte.com is generated and used, but a trial certificate is not recommended for any real usage.

To copy the CSR:

  1. Open the fiorano.csr file generated in the Generating a Certificate Signing Request (CSR) section.
  2. Highlight the area from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- and press Enter (in the Windows command prompt this copies the selection to the clipboard).
  3. Paste it in the CA website's online application to generate SSL certificates.

Using certificates from a CA authority

CA authorities will subsequently send a signed certificate, an intermediate certificate and a root certificate. Import all these certificates into the fiorano.jks keystore file.

Note
  • The intermediate and root certificates should have different alias names, but the primary signed certificate should be imported with the same alias that was used while creating the key pair in the Generating a Keystore section.
  • Download the certificate files from the certificate authority and save them to the same directory as the keystore created during the CSR creation process.

The certificate will only work with the same keystore that you initially created the CSR with, because it certifies the public key of the key pair stored there. The certificates must be installed to your keystore in the correct order.

Assuming sslcert.pem, intermediate.pem and root.pem are the certificates received from the CA, the following commands are used to import all the certificates into the keystore:

Code Block
titleCommand 1
keytool -importcert -alias intermediate -file intermediate.pem -keystore fiorano.jks -storepass fioranopass

...

Code Block
titleCommand 3
keytool -importcert -alias fiorano -file sslcert.pem -keystore fiorano.jks -storepass fioranopass

All the certificates are now added to the keystore and it is ready to use.

When the root and intermediate certificates are added to the keystore, the message "Certificate was added to keystore" is displayed. When the primary certificate is added to the keystore, the message displayed is "Certificate reply was installed in keystore".

If there are no errors in this process, move to the Using the keystore in Fiorano section.

Listing keystore entries

To list the keystore and check if all the certificates are imported successfully, use the following command:

Code Block
keytool -list -keystore fiorano.jks -storepass fioranopass

To display the certificate chain length for the fiorano alias, specify the -v option in the above command:

Code Block
keytool -list -v -keystore fiorano.jks -storepass fioranopass
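The checks a practitioner would wrap around the import commands and the listing above, as an added example that is not part of the Fiorano documentation: a POSIX shell script that verifies the CA reply before the keytool -importcert commands are run, and reads the chain length back afterwards. It assumes openssl and keytool are on PATH and uses the file names, alias and password from this page.

```shell
#!/bin/sh
# Added example, not part of the Fiorano documentation or of keytool itself:
# check the files returned by the CA before running the keytool -importcert
# commands, and confirm the result afterwards. Assumes openssl and keytool are
# on PATH; file names, alias and password follow the page (root.pem,
# intermediate.pem, sslcert.pem, fiorano.jks, alias fiorano, fioranopass).

# SHA-256 fingerprint of the public key inside a PEM certificate read on stdin.
pubkey_fingerprint() {
    openssl x509 -noout -pubkey | openssl sha256 | sed 's/^.*= *//'
}

# Return 0 when root.pem signs intermediate.pem, intermediate.pem signs
# sslcert.pem, and sslcert.pem carries the public key stored under the alias
# (i.e. it answers the CSR that was generated from this keystore).
check_ca_reply() {
    root=$1 inter=$2 leaf=$3 store=$4 pass=$5 alias=$6
    # 1. The chain must verify with the root as the only trust anchor; this
    #    is also the order in which the certificates have to be imported.
    openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1 ||
        { echo "chain does not verify: $root -> $inter -> $leaf"; return 1; }
    # 2. The reply must match the key pair the CSR came from: keytool rejects
    #    a reply for another key, and the certificate is useless with any
    #    other keystore anyway.
    reply_fp=$(pubkey_fingerprint < "$leaf")
    store_fp=$(keytool -exportcert -rfc -keystore "$store" -storepass "$pass" \
                   -alias "$alias" 2>/dev/null | pubkey_fingerprint)
    [ -n "$store_fp" ] && [ "$reply_fp" = "$store_fp" ] ||
        { echo "$leaf does not belong to the key under alias '$alias' in $store"; return 1; }
    echo "OK: import $root, then $inter, then $leaf"
}

# After the imports: number of certificates keytool lists under the alias
# (the "Certificate chain length" line of keytool -list -v). With root,
# intermediate and signed certificate installed this is 3; 1 means the CA
# reply was never installed and the alias still holds the self-signed cert.
chain_length() {
    keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null |
        sed -n 's/.*Certificate chain length: *\([0-9][0-9]*\).*/\1/p'
}

# Usage:
#   check_ca_reply root.pem intermediate.pem sslcert.pem fiorano.jks fioranopass fiorano
#   chain_length fiorano.jks fioranopass fiorano
```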
