3:32 a.m.
On Sun, Oct 02, 2016 at 12:09:20AM -0500, Ricardo Alexander Perez Ricardez wrote:
Hello, I am configuring SSL jboss Wildfly 10 following these steps:
In step 3: (iii) Alfresco CA signs the certificate request, creating a certificate that
is valid for 365 days.
$ openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in repo.csr -out repo.crt
-days 365
Signature ok
subject=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco
Repository
Getting CA Private Key
Enter pass phrase for ca.key:
-CAkey the parameter, use the file ca.key
How I can get this file DogTag Certificate System?
How I can generate, export or import?
Hi Ricardo,
I do not understand what is going on in this documentation. The
server certificate is being signed using `openssl', but if you are
using Dogtag then you should submit the CSR to Dogtag to be signed.
The Dogtag CA's signing key lives in the NSS database at
/etc/pki/<instance-name>/alias and should not be exported. But if
you really do want to export it you can use the `certutil' program.
Thanks,
Fraser
Instructions for Generating Repository SSL Keystores
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<store password> is the keystore password. The file
${dir.keystore}/ssl-keystore-passwords.properties contains passwords for the SSL keystore,
${dir.keystore}/ssl-truststore-passwords.properties contains passwords for the SSL
truststore.
These instructions will create an RSA public/private key pair for the repository with a
certificate that has been signed by the Alfresco Certificate Authority (CA).
It will also create a truststore for the repository containing the CA certificate; this
will be used to authenticate connections to specific repository
URLs from Solr. It assumes the existence of the Alfresco CA key and certificate to sign
the repository certificate; for security reasons these are not generally available.
You can either generate your own CA key and certificate (see instructions below) or use a
recognised Certificate Authority such as Verisign. For Alfresco employees the key
and certificate are available in svn.
(i) Generate the repository public/private key pair in a keystore:
$ keytool -genkey -alias ssl.repo -keyalg RSA -keystore ssl.keystore -storetype JCEKS
-storepass <store password>
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Alfresco Repository
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]: Alfresco Software Ltd.
What is the name of your City or Locality?
[Unknown]: Maidenhead
What is the name of your State or Province?
[Unknown]: UK
What is the two-letter country code for this unit?
[Unknown]: GB
Is CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK,
C=GB correct?
[no]: yes
Enter key password for <ssl.repo>
(RETURN if same as keystore password):
(ii) Generate a certificate request for the repository key
$ keytool -keystore ssl.keystore -alias ssl.repo -certreq -file repo.csr -storetype JCEKS
-storepass <store password>
(iii) Alfresco CA signs the certificate request, creating a certificate that is valid for
365 days.
$ openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in repo.csr -out repo.crt
-days 365
Signature ok
subject=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco
Repository
Getting CA Private Key
Enter pass phrase for ca.key:
(iv) Import the Alfresco CA key into the repository key store
$ keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype
JCEKS -storepass <store password>
Enter keystore password:
Owner: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
Issuer: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
Serial number: 805ba6dc8f62f8b8
Valid from: Fri Aug 12 13:28:58 BST 2011 until: Mon Aug 09 13:28:58 BST 2021
Certificate fingerprints:
MD5: 4B:45:94:2D:8E:98:E8:12:04:67:AD:AE:48:3C:F5:A0
SHA1: 74:42:22:D0:52:AD:82:7A:FD:37:46:37:91:91:F4:77:89:3A:C9:A3
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 08 42 40 DC FE 4A 50 87 05 2B 38 4D 92 70 8E 51 .B@..JP..+8M.p.Q
0010: 4E 38 71 D6 N8q.
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 08 42 40 DC FE 4A 50 87 05 2B 38 4D 92 70 8E 51 .B@..JP..+8M.p.Q
0010: 4E 38 71 D6 N8q.
]
[CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB]
SerialNumber: [ 805ba6dc 8f62f8b8]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
(v) Import the CA-signed repository certificate into the repository keystore
$ keytool -import -alias ssl.repo -file repo.crt -keystore ssl.keystore -storetype JCEKS
-storepass <store password>
Enter keystore password:
Certificate reply was installed in keystore
(vi) Convert the repository keystore to a pkcs12 keystore (for use in browsers such as
Firefox). Give the pkcs12 key store the key store password 'alfresco'.
keytool -importkeystore -srckeystore ssl.keystore -srcstorepass <keystore password>
-srcstoretype JCEKS -srcalias ssl.repo -srckeypass kT9X6oe68t -destkeystore firefox.p12
-deststoretype pkcs12 -deststorepass alfresco -destalias ssl.repo -destkeypass alfresco
(vi) Create a repository truststore containing the Alfresco CA certificate
keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype
JCEKS -storepass <store password>
keytool -import -alias alfreco.ca -file ca.crt -keystore ssl.truststore -storetype JCEKS
-storepass <store password>
(vii) Copy the keystore and truststore to the repository keystore location defined by the
property 'dir.keystore'.
(viii) Update the SSL properties i.e. properties starting with the prefixes
'alfresco.encryption.ssl.keystore' and
'alfresco.encryption.ssl.truststore'.
Instructions for Generating a Certificate Authority (CA) Key and Certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(i) Generate the CA private key
$ openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
..........++++++
..++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
(ii) Generate the CA self-signed certificate
$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:UK
Locality Name (eg, city) []:Maidenhead
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alfresco Software Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Alfresco CA
Email Address []:
Instructions for Generating Repository SSL Keystores
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<store password> is the keystore password. The file
${dir.keystore}/ssl-keystore-passwords.properties contains passwords for the SSL
keystore,
${dir.keystore}/ssl-truststore-passwords.properties contains passwords for the SSL
truststore.
These instructions will create an RSA public/private key pair for the repository with a
certificate that has been signed by the Alfresco Certificate Authority (CA).
It will also create a truststore for the repository containing the CA certificate; this
will be used to authenticate connections to specific repository
URLs from Solr. It assumes the existence of the Alfresco CA key and certificate to sign
the repository certificate; for security reasons these are not generally available.
You can either generate your own CA key and certificate (see instructions below) or use a
recognised Certificate Authority such as Verisign. For Alfresco employees the key
and certificate are available in svn.
(i) Generate the repository public/private key pair in a keystore:
$ keytool -genkey -alias ssl.repo -keyalg RSA -keystore ssl.keystore -storetype JCEKS
-storepass <store password>
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Alfresco Repository
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]: Alfresco Software Ltd.
What is the name of your City or Locality?
[Unknown]: Maidenhead
What is the name of your State or Province?
[Unknown]: UK
What is the two-letter country code for this unit?
[Unknown]: GB
Is CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK,
C=GB correct?
[no]: yes
Enter key password for <ssl.repo>
(RETURN if same as keystore password):
(ii) Generate a certificate request for the repository key
$ keytool -keystore ssl.keystore -alias ssl.repo -certreq -file repo.csr -storetype JCEKS
-storepass <store password>
(iii) Alfresco CA signs the certificate request, creating a certificate that is valid for
365 days.
$ openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in repo.csr -out repo.crt
-days 365
Signature ok
subject=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco
Repository
Getting CA Private Key
Enter pass phrase for ca.key:
(iv) Import the Alfresco CA key into the repository key store
$ keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype
JCEKS -storepass <store password>
Enter keystore password:
Owner: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
Issuer: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
Serial number: 805ba6dc8f62f8b8
Valid from: Fri Aug 12 13:28:58 BST 2011 until: Mon Aug 09 13:28:58 BST 2021
Certificate fingerprints:
MD5: 4B:45:94:2D:8E:98:E8:12:04:67:AD:AE:48:3C:F5:A0
SHA1: 74:42:22:D0:52:AD:82:7A:FD:37:46:37:91:91:F4:77:89:3A:C9:A3
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 08 42 40 DC FE 4A 50 87 05 2B 38 4D 92 70 8E 51 .B@..JP..+8M.p.Q
0010: 4E 38 71 D6 N8q.
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 08 42 40 DC FE 4A 50 87 05 2B 38 4D 92 70 8E 51 .B@..JP..+8M.p.Q
0010: 4E 38 71 D6 N8q.
]
[CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB]
SerialNumber: [ 805ba6dc 8f62f8b8]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
(v) Import the CA-signed repository certificate into the repository keystore
$ keytool -import -alias ssl.repo -file repo.crt -keystore ssl.keystore -storetype JCEKS
-storepass <store password>
Enter keystore password:
Certificate reply was installed in keystore
(vi) Convert the repository keystore to a pkcs12 keystore (for use in browsers such as
Firefox). Give the pkcs12 key store the key store password 'alfresco'.
keytool -importkeystore -srckeystore ssl.keystore -srcstorepass <keystore password>
-srcstoretype JCEKS -srcalias ssl.repo -srckeypass kT9X6oe68t -destkeystore firefox.p12
-deststoretype pkcs12 -deststorepass alfresco -destalias ssl.repo -destkeypass alfresco
(vi) Create a repository truststore containing the Alfresco CA certificate
keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype
JCEKS -storepass <store password>
keytool -import -alias alfreco.ca -file ca.crt -keystore ssl.truststore -storetype JCEKS
-storepass <store password>
(vii) Copy the keystore and truststore to the repository keystore location defined by the
property 'dir.keystore'.
(viii) Update the SSL properties i.e. properties starting with the prefixes
'alfresco.encryption.ssl.keystore' and
'alfresco.encryption.ssl.truststore'.
Instructions for Generating a Certificate Authority (CA) Key and Certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(i) Generate the CA private key
$ openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
..........++++++
..++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
(ii) Generate the CA self-signed certificate
$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:UK
Locality Name (eg, city) []:Maidenhead
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alfresco Software Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Alfresco CA
Email Address []:
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users