[Pki-users] Where is the CA Key?

Fraser Tweedale ftweedal at redhat.com
Tue Oct 4 08:32:45 UTC 2016


On Sun, Oct 02, 2016 at 12:09:20AM -0500, Ricardo Alexander Perez Ricardez wrote:
> Hello, I am configuring SSL on JBoss WildFly 10 following these steps: 
> 
> In step 3: (iii) Alfresco CA signs the certificate request, creating a certificate that is valid for 365 days. 
> 
> $ openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in repo.csr -out repo.crt -days 365 
> Signature ok 
> subject=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco Repository 
> Getting CA Private Key 
> Enter pass phrase for ca.key: 
> 
> 
> The -CAkey parameter uses the file ca.key. 
> 
> How can I get this file from Dogtag Certificate System? 
> How can I generate, export or import it? 
> 
Hi Ricardo,

I do not understand what is going on in this documentation.  The
server certificate is being signed using `openssl', but if you are
using Dogtag then you should submit the CSR to Dogtag to be signed.

The Dogtag CA's signing key lives in the NSS database at
/etc/pki/<instance-name>/alias and should not be exported.  But if
you really do want to export it you can use the `certutil' program.

Thanks,
Fraser

> 
> Instructions for Generating Repository SSL Keystores 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
> 
> <store password> is the keystore password. The file ${dir.keystore}/ssl-keystore-passwords.properties contains passwords for the SSL keystore, 
> ${dir.keystore}/ssl-truststore-passwords.properties contains passwords for the SSL truststore. 
> 
> These instructions will create an RSA public/private key pair for the repository with a certificate that has been signed by the Alfresco Certificate Authority (CA). 
> It will also create a truststore for the repository containing the CA certificate; this will be used to authenticate connections to specific repository 
> URLs from Solr. It assumes the existence of the Alfresco CA key and certificate to sign the repository certificate; for security reasons these are not generally available. 
> You can either generate your own CA key and certificate (see instructions below) or use a recognised Certificate Authority such as Verisign. For Alfresco employees the key 
> and certificate are available in svn. 
> 
> (i) Generate the repository public/private key pair in a keystore: 
> 
> $ keytool -genkey -alias ssl.repo -keyalg RSA -keystore ssl.keystore -storetype JCEKS -storepass <store password> 
> Enter keystore password: 
> Re-enter new password: 
> What is your first and last name? 
> [Unknown]: Alfresco Repository 
> What is the name of your organizational unit? 
> [Unknown]: 
> What is the name of your organization? 
> [Unknown]: Alfresco Software Ltd. 
> What is the name of your City or Locality? 
> [Unknown]: Maidenhead 
> What is the name of your State or Province? 
> [Unknown]: UK 
> What is the two-letter country code for this unit? 
> [Unknown]: GB 
> Is CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB correct? 
> [no]: yes 
> 
> Enter key password for <ssl.repo> 
> (RETURN if same as keystore password): 
> 
> (ii) Generate a certificate request for the repository key 
> 
> $ keytool -keystore ssl.keystore -alias ssl.repo -certreq -file repo.csr -storetype JCEKS -storepass <store password> 
> 
> (iii) Alfresco CA signs the certificate request, creating a certificate that is valid for 365 days. 
> 
> $ openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in repo.csr -out repo.crt -days 365 
> Signature ok 
> subject=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco Repository 
> Getting CA Private Key 
> Enter pass phrase for ca.key: 
> 
> (iv) Import the Alfresco CA key into the repository key store 
> 
> $ keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass <store password> 
> Enter keystore password: 
> Owner: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB 
> Issuer: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB 
> Serial number: 805ba6dc8f62f8b8 
> Valid from: Fri Aug 12 13:28:58 BST 2011 until: Mon Aug 09 13:28:58 BST 2021 
> Certificate fingerprints: 
> MD5: 4B:45:94:2D:8E:98:E8:12:04:67:AD:AE:48:3C:F5:A0 
> SHA1: 74:42:22:D0:52:AD:82:7A:FD:37:46:37:91:91:F4:77:89:3A:C9:A3 
> Signature algorithm name: SHA1withRSA 
> Version: 3 
> 
> Extensions: 
> 
> #1: ObjectId: 2.5.29.14 Criticality=false 
> SubjectKeyIdentifier [ 
> KeyIdentifier [ 
> 0000: 08 42 40 DC FE 4A 50 87 05 2B 38 4D 92 70 8E 51 .B@..JP..+8M.p.Q 
> 0010: 4E 38 71 D6 N8q. 
> ] 
> ] 
> 
> #2: ObjectId: 2.5.29.19 Criticality=false 
> BasicConstraints:[ 
> CA:true 
> PathLen:2147483647 
> ] 
> 
> #3: ObjectId: 2.5.29.35 Criticality=false 
> AuthorityKeyIdentifier [ 
> KeyIdentifier [ 
> 0000: 08 42 40 DC FE 4A 50 87 05 2B 38 4D 92 70 8E 51 .B@..JP..+8M.p.Q 
> 0010: 4E 38 71 D6 N8q. 
> ] 
> 
> [CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB] 
> SerialNumber: [ 805ba6dc 8f62f8b8] 
> ] 
> 
> Trust this certificate? [no]: yes 
> Certificate was added to keystore 
> 
> (v) Import the CA-signed repository certificate into the repository keystore 
> 
> $ keytool -import -alias ssl.repo -file repo.crt -keystore ssl.keystore -storetype JCEKS -storepass <store password> 
> Enter keystore password: 
> Certificate reply was installed in keystore 
> 
> (vi) Convert the repository keystore to a pkcs12 keystore (for use in browsers such as Firefox). Give the pkcs12 key store the key store password 'alfresco'. 
> 
> keytool -importkeystore -srckeystore ssl.keystore -srcstorepass <keystore password> -srcstoretype JCEKS -srcalias ssl.repo -srckeypass kT9X6oe68t -destkeystore firefox.p12 -deststoretype pkcs12 -deststorepass alfresco -destalias ssl.repo -destkeypass alfresco 
> 
> (vii) Create a repository truststore containing the Alfresco CA certificate 
> 
> keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass <store password> 
> keytool -import -alias alfreco.ca -file ca.crt -keystore ssl.truststore -storetype JCEKS -storepass <store password> 
> 
> (viii) Copy the keystore and truststore to the repository keystore location defined by the property 'dir.keystore'. 
> (ix) Update the SSL properties, i.e. properties starting with the prefixes 'alfresco.encryption.ssl.keystore' and 'alfresco.encryption.ssl.truststore'. 
> 
> Instructions for Generating a Certificate Authority (CA) Key and Certificate 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
> 
> (i) Generate the CA private key 
> 
> $ openssl genrsa -des3 -out ca.key 1024 
> Generating RSA private key, 1024 bit long modulus 
> ..........++++++ 
> ..++++++ 
> e is 65537 (0x10001) 
> Enter pass phrase for ca.key: 
> Verifying - Enter pass phrase for ca.key: 
> 
> (ii) Generate the CA self-signed certificate 
> 
> $ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt 
> Enter pass phrase for ca.key: 
> You are about to be asked to enter information that will be incorporated 
> into your certificate request. 
> What you are about to enter is what is called a Distinguished Name or a DN. 
> There are quite a few fields but you can leave some blank 
> For some fields there will be a default value, 
> If you enter '.', the field will be left blank. 
> ----- 
> Country Name (2 letter code) [AU]:GB 
> State or Province Name (full name) [Some-State]:UK 
> Locality Name (eg, city) []:Maidenhead 
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alfresco Software Ltd. 
> Organizational Unit Name (eg, section) []: 
> Common Name (eg, YOUR name) []:Alfresco CA 
> Email Address []: 
> 

> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
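
Added example, not from this thread or from the Alfresco documentation quoted above. The quoted recipe generates a 1024-bit CA key protected with 3DES and signs with SHA-1 (the imported CA certificate shows "SHA1withRSA" and "PathLen:2147483647", i.e. an unconstrained CA), and because `openssl x509 -req` is run without `-extfile` the repository certificate is issued with no extensions at all, so no subjectAltName and no statement that it is not a CA. The script below runs the same steps with those defaults corrected and then applies the checks you would run on any certificate before importing it into the keystore; those checks apply equally to a certificate issued by Dogtag, where, as Fraser says, the signing step is a CSR submission and the CA key never leaves the NSS database. It assumes `openssl` is on PATH; the server key is generated with openssl rather than keytool so the example runs without a JDK (a CSR produced by `keytool -certreq` is signed the same way), and the hostname, working directory and CA passphrase are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread or the Alfresco docs: the quoted CA ->
# server-cert recipe with its weak parameters corrected, plus the checks a
# practitioner runs on whatever certificate the CA (openssl here, or Dogtag)
# hands back. Assumes openssl on PATH. The server key is made with openssl
# instead of keytool so it runs without a JDK; a keytool CSR signs the same way.
# WORKDIR, SERVER_NAME and CA_PASS are constructed for the demo.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_NAME="${SERVER_NAME:-repo.example.internal}"
CA_PASS="${CA_PASS:-demo-only-passphrase}"   # demo value; a real CA key stays in an HSM/NSS db
export CA_PASS

write_configs() {
  # Minimal req config so -subj works without depending on the system openssl.cnf.
  printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$WORKDIR/req.cnf"
  # CA profile: may issue end-entity certs only (pathlen:0), not sub-CAs.
  cat > "$WORKDIR/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Server profile: explicitly not a CA, TLS server use, hostname in the SAN.
  cat > "$WORKDIR/repo.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${SERVER_NAME}
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

build_demo_pki() {
  [ -f "$WORKDIR/repo.crt" ] && return 0   # already built; keep the run idempotent
  write_configs
  # CA key: 3072-bit RSA under AES-256 (the recipe used 1024-bit RSA under 3DES).
  openssl genrsa -aes256 -passout env:CA_PASS -out "$WORKDIR/ca.key" 3072 2>/dev/null
  # Self-signed CA cert: SHA-256 and explicit CA extensions (recipe: SHA-1, unbounded pathlen).
  openssl req -new -config "$WORKDIR/req.cnf" -key "$WORKDIR/ca.key" -passin env:CA_PASS \
    -subj "/C=GB/O=Example Ltd/CN=Example Internal CA" -out "$WORKDIR/ca.csr"
  openssl x509 -req -in "$WORKDIR/ca.csr" -signkey "$WORKDIR/ca.key" -passin env:CA_PASS \
    -sha256 -days 3650 -extfile "$WORKDIR/ca.ext" -out "$WORKDIR/ca.crt" 2>/dev/null
  # Server key and CSR (keytool -genkey / -certreq produce the equivalent CSR).
  openssl genrsa -out "$WORKDIR/repo.key" 2048 2>/dev/null
  openssl req -new -config "$WORKDIR/req.cnf" -key "$WORKDIR/repo.key" \
    -subj "/C=GB/O=Example Ltd/CN=${SERVER_NAME}" -out "$WORKDIR/repo.csr"
  # CA signs the CSR. Without -extfile, x509 -req issues a leaf with no extensions at all.
  openssl x509 -req -in "$WORKDIR/repo.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
    -passin env:CA_PASS -CAcreateserial -sha256 -days 365 \
    -extfile "$WORKDIR/repo.ext" -out "$WORKDIR/repo.crt" 2>/dev/null
}

# Checks on the issued certificate. These apply just as well to a cert returned by Dogtag.
cert_text() { openssl x509 -in "$1" -noout -text; }
key_bits()  { cert_text "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1; }
sig_alg()   { cert_text "$1" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }
is_ca()     { cert_text "$1" | grep -q 'CA:TRUE'; }
has_san()   { cert_text "$1" | grep -q "DNS:$2"; }
chain_ok()  { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Policy gate: reject what the quoted recipe produced (1024-bit RSA, SHA-1 signatures).
check_params() {   # $1 = RSA modulus bits, $2 = signature algorithm name
  [ "${1:-0}" -ge 2048 ] 2>/dev/null || { echo "weak key: ${1:-?} bits"; return 1; }
  case "$2" in
    *sha1*|*md5*|*md2*) echo "weak signature algorithm: $2"; return 1 ;;
  esac
}
audit_cert() { check_params "$(key_bits "$1")" "$(sig_alg "$1")"; }

main() {
  build_demo_pki
  for f in ca repo; do
    printf '%s.crt: %s-bit RSA, %s\n' "$f" "$(key_bits "$WORKDIR/$f.crt")" "$(sig_alg "$WORKDIR/$f.crt")"
    audit_cert "$WORKDIR/$f.crt"
  done
  chain_ok "$WORKDIR/ca.crt" "$WORKDIR/repo.crt" && echo "repo.crt verifies against ca.crt"
  if is_ca "$WORKDIR/repo.crt"; then echo "BUG: server certificate is a CA"; exit 1; fi
  echo "artifacts left in $WORKDIR"
}
main
```

Run as-is it prints the key sizes, signature algorithms and chain result and leaves ca.crt, repo.crt and the ca.srl serial file in the temporary directory. With Dogtag only the check functions are relevant: point `chain_ok` and `audit_cert` at the Dogtag CA certificate and the certificate Dogtag returns for the CSR, and confirm `is_ca` is false and `has_san` is true for the leaf before importing it with `keytool -import` as in step (v).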



