[Pki-users] Update documentation

Fraser Tweedale ftweedal at redhat.com
Tue Oct 4 08:37:05 UTC 2016 

Hi Ricardo,

Dogtag is all about signing and managing certificates.  Our
documentation covers how to submit a CSR to Dogtag, how to sign the
cert and retrieve the certificate.  It is not really in scope for
our documentation to explain how to configure TLS/SSL for a
particular server program.

Cheers,
Fraser

On Sun, Oct 02, 2016 at 12:16:37AM -0500, Ricardo Alexander Perez Ricardez wrote:
> This is a request or suggestion:
> 
> It would be possible to include in the documentation website DogTag Certificate System, How to Installing and configuring a certificate wildfly jboss server.
> 
> We provided the following information:
> 
> http://reallifejava.com/configuring-ssl-in-wildfly-8/
> 
> Instructions for Generating Repository SSL Keystores
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> <store password> is the keystore password. The file ${dir.keystore}/ssl-keystore-passwords.properties contains passwords for the SSL keystore,
> ${dir.keystore}/ssl-truststore-passwords.properties contains passwords for the SSL truststore.
> 
> These instructions will create an RSA public/private key pair for the repository with a certificate that has been signed by the Alfresco Certificate Authority (CA).
> It will also create a truststore for the repository containing the CA certificate; this will be used to authenticate connections to specific repository
> URLs from Solr. It assumes the existence of the Alfresco CA key and certificate to sign the repository certificate; for security reasons these are not generally available.
> You can either generate your own CA key and certificate (see instructions below) or use a recognised Certificate Authority such as Verisign. For Alfresco employees the key
> and certificate are available in svn.
> 
> (i) Generate the repository public/private key pair in a keystore:
> 
> $ keytool -genkey -alias ssl.repo -keyalg RSA -keystore ssl.keystore -storetype JCEKS -storepass <store password>
> Enter keystore password:  
> Re-enter new password: 
> What is your first and last name?
>   [Unknown]:  Alfresco Repository
> What is the name of your organizational unit?
>   [Unknown]:  
> What is the name of your organization?
>   [Unknown]:  Alfresco Software Ltd.
> What is the name of your City or Locality?
>   [Unknown]:  Maidenhead 
> What is the name of your State or Province?
>   [Unknown]:  UK
> What is the two-letter country code for this unit?
>   [Unknown]:  GB
> Is CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB correct?
>   [no]:  yes
> 
> Enter key password for <ssl.repo>
> 	(RETURN if same as keystore password):  
> 	
> (ii) Generate a certificate request for the repository key
> 
> $ keytool -keystore ssl.keystore -alias ssl.repo -certreq -file repo.csr -storetype JCEKS -storepass <store password>
> 
> (iii) Alfresco CA signs the certificate request, creating a certificate that is valid for 365 days.
> 
> $ openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in repo.csr -out repo.crt -days 365
> Signature ok
> subject=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco Repository
> Getting CA Private Key
> Enter pass phrase for ca.key:
> 
> (iv) Import the Alfresco CA key into the repository key store
> 
> $ keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass <store password>
> Enter keystore password:  
> Owner: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
> Issuer: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
> Serial number: 805ba6dc8f62f8b8
> Valid from: Fri Aug 12 13:28:58 BST 2011 until: Mon Aug 09 13:28:58 BST 2021
> Certificate fingerprints:
> 	 MD5:  4B:45:94:2D:8E:98:E8:12:04:67:AD:AE:48:3C:F5:A0
> 	 SHA1: 74:42:22:D0:52:AD:82:7A:FD:37:46:37:91:91:F4:77:89:3A:C9:A3
> 	 Signature algorithm name: SHA1withRSA
> 	 Version: 3
> 
> Extensions: 
> 
> #1: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: 08 42 40 DC FE 4A 50 87   05 2B 38 4D 92 70 8E 51  .B at ..JP..+8M.p.Q
> 0010: 4E 38 71 D6                                        N8q.
> ]
> ]
> 
> #2: ObjectId: 2.5.29.19 Criticality=false
> BasicConstraints:[
>   CA:true
>   PathLen:2147483647
> ]
> 
> #3: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: 08 42 40 DC FE 4A 50 87   05 2B 38 4D 92 70 8E 51  .B at ..JP..+8M.p.Q
> 0010: 4E 38 71 D6                                        N8q.
> ]
> 
> [CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB]
> SerialNumber: [    805ba6dc 8f62f8b8]
> ]
> 
> Trust this certificate? [no]:  yes
> Certificate was added to keystore
> 
> (v) Import the CA-signed repository certificate into the repository keystore
> 
> $ keytool -import -alias ssl.repo -file repo.crt -keystore ssl.keystore -storetype JCEKS -storepass <store password>
> Enter keystore password:  
> Certificate reply was installed in keystore
> 
> (vi) Convert the repository keystore to a pkcs12 keystore (for use in browsers such as Firefox). Give the pkcs12 key store the key store password 'alfresco'.
> 
> keytool -importkeystore -srckeystore ssl.keystore -srcstorepass <keystore password> -srcstoretype JCEKS -srcalias ssl.repo -srckeypass kT9X6oe68t -destkeystore firefox.p12 -deststoretype pkcs12 -deststorepass alfresco -destalias ssl.repo -destkeypass alfresco
> 
> (vi) Create a repository truststore containing the Alfresco CA certificate
> 
> keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass <store password>
> keytool -import -alias alfreco.ca -file ca.crt -keystore ssl.truststore -storetype JCEKS -storepass <store password>
> 
> (vii) Copy the keystore and truststore to the repository keystore location defined by the property 'dir.keystore'.
> (viii) Update the SSL properties i.e. properties starting with the prefixes 'alfresco.encryption.ssl.keystore' and 'alfresco.encryption.ssl.truststore'.
> 
> Instructions for Generating a Certificate Authority (CA) Key and Certificate
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> (i) Generate the CA private key
> 
> $ openssl genrsa -des3 -out ca.key 1024
> Generating RSA private key, 1024 bit long modulus
> ..........++++++
> ..++++++
> e is 65537 (0x10001)
> Enter pass phrase for ca.key:
> Verifying - Enter pass phrase for ca.key:
> 
> (ii) Generate the CA self-signed certificate
> 
> $ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
> Enter pass phrase for ca.key:
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:GB
> State or Province Name (full name) [Some-State]:UK
> Locality Name (eg, city) []:Maidenhead
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alfresco Software Ltd.
> Organizational Unit Name (eg, section) []:
> Common Name (eg, YOUR name) []:Alfresco CA
> Email Address []:
> 

> Instructions for Generating Repository SSL Keystores
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> <store password> is the keystore password. The file ${dir.keystore}/ssl-keystore-passwords.properties contains passwords for the SSL keystore,
> ${dir.keystore}/ssl-truststore-passwords.properties contains passwords for the SSL truststore.
> 
> These instructions will create an RSA public/private key pair for the repository with a certificate that has been signed by the Alfresco Certificate Authority (CA).
> It will also create a truststore for the repository containing the CA certificate; this will be used to authenticate connections to specific repository
> URLs from Solr. It assumes the existence of the Alfresco CA key and certificate to sign the repository certificate; for security reasons these are not generally available.
> You can either generate your own CA key and certificate (see instructions below) or use a recognised Certificate Authority such as Verisign. For Alfresco employees the key
> and certificate are available in svn.
> 
> (i) Generate the repository public/private key pair in a keystore:
> 
> $ keytool -genkey -alias ssl.repo -keyalg RSA -keystore ssl.keystore -storetype JCEKS -storepass <store password>
> Enter keystore password:  
> Re-enter new password: 
> What is your first and last name?
>   [Unknown]:  Alfresco Repository
> What is the name of your organizational unit?
>   [Unknown]:  
> What is the name of your organization?
>   [Unknown]:  Alfresco Software Ltd.
> What is the name of your City or Locality?
>   [Unknown]:  Maidenhead 
> What is the name of your State or Province?
>   [Unknown]:  UK
> What is the two-letter country code for this unit?
>   [Unknown]:  GB
> Is CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB correct?
>   [no]:  yes
> 
> Enter key password for <ssl.repo>
> 	(RETURN if same as keystore password):  
> 	
> (ii) Generate a certificate request for the repository key
> 
> $ keytool -keystore ssl.keystore -alias ssl.repo -certreq -file repo.csr -storetype JCEKS -storepass <store password>
> 
> (iii) Alfresco CA signs the certificate request, creating a certificate that is valid for 365 days.
> 
> $ openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in repo.csr -out repo.crt -days 365
> Signature ok
> subject=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco Repository
> Getting CA Private Key
> Enter pass phrase for ca.key:
> 
> (iv) Import the Alfresco CA key into the repository key store
> 
> $ keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass <store password>
> Enter keystore password:  
> Owner: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
> Issuer: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
> Serial number: 805ba6dc8f62f8b8
> Valid from: Fri Aug 12 13:28:58 BST 2011 until: Mon Aug 09 13:28:58 BST 2021
> Certificate fingerprints:
> 	 MD5:  4B:45:94:2D:8E:98:E8:12:04:67:AD:AE:48:3C:F5:A0
> 	 SHA1: 74:42:22:D0:52:AD:82:7A:FD:37:46:37:91:91:F4:77:89:3A:C9:A3
> 	 Signature algorithm name: SHA1withRSA
> 	 Version: 3
> 
> Extensions: 
> 
> #1: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: 08 42 40 DC FE 4A 50 87   05 2B 38 4D 92 70 8E 51  .B at ..JP..+8M.p.Q
> 0010: 4E 38 71 D6                                        N8q.
> ]
> ]
> 
> #2: ObjectId: 2.5.29.19 Criticality=false
> BasicConstraints:[
>   CA:true
>   PathLen:2147483647
> ]
> 
> #3: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: 08 42 40 DC FE 4A 50 87   05 2B 38 4D 92 70 8E 51  .B at ..JP..+8M.p.Q
> 0010: 4E 38 71 D6                                        N8q.
> ]
> 
> [CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB]
> SerialNumber: [    805ba6dc 8f62f8b8]
> ]
> 
> Trust this certificate? [no]:  yes
> Certificate was added to keystore
> 
> (v) Import the CA-signed repository certificate into the repository keystore
> 
> $ keytool -import -alias ssl.repo -file repo.crt -keystore ssl.keystore -storetype JCEKS -storepass <store password>
> Enter keystore password:  
> Certificate reply was installed in keystore
> 
> (vi) Convert the repository keystore to a pkcs12 keystore (for use in browsers such as Firefox). Give the pkcs12 key store the key store password 'alfresco'.
> 
> keytool -importkeystore -srckeystore ssl.keystore -srcstorepass <keystore password> -srcstoretype JCEKS -srcalias ssl.repo -srckeypass kT9X6oe68t -destkeystore firefox.p12 -deststoretype pkcs12 -deststorepass alfresco -destalias ssl.repo -destkeypass alfresco
> 
> (vi) Create a repository truststore containing the Alfresco CA certificate
> 
> keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass <store password>
> keytool -import -alias alfreco.ca -file ca.crt -keystore ssl.truststore -storetype JCEKS -storepass <store password>
> 
> (vii) Copy the keystore and truststore to the repository keystore location defined by the property 'dir.keystore'.
> (viii) Update the SSL properties i.e. properties starting with the prefixes 'alfresco.encryption.ssl.keystore' and 'alfresco.encryption.ssl.truststore'.
> 
> Instructions for Generating a Certificate Authority (CA) Key and Certificate
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> (i) Generate the CA private key
> 
> $ openssl genrsa -des3 -out ca.key 1024
> Generating RSA private key, 1024 bit long modulus
> ..........++++++
> ..++++++
> e is 65537 (0x10001)
> Enter pass phrase for ca.key:
> Verifying - Enter pass phrase for ca.key:
> 
> (ii) Generate the CA self-signed certificate
> 
> $ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
> Enter pass phrase for ca.key:
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:GB
> State or Province Name (full name) [Some-State]:UK
> Locality Name (eg, city) []:Maidenhead
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alfresco Software Ltd.
> Organizational Unit Name (eg, section) []:
> Common Name (eg, YOUR name) []:Alfresco CA
> Email Address []:
> 

> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

More information about the Pki-users mailing list