...
```shell
# Create folder
mkdir -p ~/ssl
cd ~/ssl

# Create certificate authority
openssl req -x509 \
  -sha512 \
  -days 3650 \
  -nodes \
  -newkey rsa:4096 \
  -subj "/CN=localhost/C=FI/L=Espoo" \
  -keyout cakey.pem -out cacert.pem

# Create server private key
openssl genrsa -out serverkey.pem 4096

# Generate certificate signing request configuration
cat << EOF > servercsr.cnf
[ req ]
default_bits = 4096
prompt = no
default_md = sha512
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = FI
ST = Uusimaa
L = Espoo
O = Ubisecure Oy
OU = Engineering
CN = localhost

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = localhost
DNS.2 = $(hostname -s)
DNS.3 = $(hostname -f)
EOF

# Generate certificate signing request with previously created private key
openssl req \
  -new \
  -key serverkey.pem \
  -out servercsr.pem \
  -config servercsr.cnf

# Generate external certificate configuration
cat << EOF > cert.conf
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = $(hostname -s)
DNS.3 = $(hostname -f)
EOF

# Generate SSL certificate signed by the self-signed CA
openssl x509 -req \
  -in servercsr.pem \
  -CA cacert.pem \
  -CAkey cakey.pem \
  -CAcreateserial \
  -out servercert.pem \
  -days 3650 \
  -sha512 \
  -extfile cert.conf

# View generated cert
openssl x509 -noout -in servercert.pem -text
```
Check the cacerts keystore before the import (make sure the certificate is not already present):

```shell
# View all certificates
keytool -list \
  -storepass changeit \
  -keystore $JAVA_HOME/lib/security/cacerts \
  | grep -i openldap
```
Result before the import
```
Warning: use -cacerts option to access cacerts keystore
```
Import the newly generated certificate into the cacerts keystore used by SSO Tomcat:

```shell
# Import the server certificate as a trusted entry
keytool -importcert \
  -trustcacerts \
  -alias openldap-trusted \
  -keystore $JAVA_HOME/lib/security/cacerts \
  -noprompt \
  -storepass changeit \
  -file ~/ssl/servercert.pem
```
Check the cacerts keystore after the import (note: make sure that the trusted self-signed certificate is in the topmost position):

```shell
# View all certificates
keytool -list \
  -storepass changeit \
  -keystore $JAVA_HOME/lib/security/cacerts \
  | grep -i openldap
```
Result after the import
```
Warning: use -cacerts option to access cacerts keystore
openldap-trusted, Aug 29, 2023, trustedCertEntry,
```
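As an added example, not part of the original page, the following POSIX shell functions check the generated files before the keytool import: that servercert.pem chains to cacert.pem, that the subjectAltName carries the expected host names, that serverkey.pem belongs to the certificate and, when keytool is available, whether a certificate with the same SHA-256 fingerprint is already in cacerts (matching on the fingerprint is more reliable than grepping for an alias). The `make_fixture` helper builds a throwaway CA and server certificate in a temporary directory so the checks can be exercised without the page's ~/ssl files; the host name ldap.example.test inside it is a constructed value, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for the files the
# page generates (cacert.pem, serverkey.pem, servercert.pem) before they are
# imported into $JAVA_HOME/lib/security/cacerts. Assumes openssl is on PATH;
# the keystore check returns 2 (skipped) when keytool is not installed.

# 0 if the server certificate chains to the CA certificate
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the certificate lists the given DNS name in subjectAltName
has_san() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -Eq "DNS:$2(,|$)"
}

# 0 if the RSA private key belongs to the certificate (same modulus)
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the SHA-256 fingerprint in the colon-separated form keytool -v prints
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# 0 if a certificate with this fingerprint is already in the keystore,
# 1 if it is not, 2 if keytool is unavailable.
# Usage: cert_in_keystore servercert.pem "$JAVA_HOME/lib/security/cacerts" changeit
cert_in_keystore() {
    command -v keytool >/dev/null 2>&1 || return 2
    fp=$(cert_fingerprint "$1")
    keytool -list -v -storepass "$3" -keystore "$2" 2>/dev/null | grep -q "$fp"
}

# Constructed fixture: a throwaway CA and server certificate in a temp dir,
# built the same way as on the page (smaller key, short lifetime).
# Prints the directory name.
make_fixture() {
    d=$(mktemp -d)
    openssl req -x509 -sha256 -days 1 -nodes -newkey rsa:2048 \
        -subj "/CN=Test CA" -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
    openssl genrsa -out "$d/serverkey.pem" 2048 2>/dev/null
    openssl req -new -key "$d/serverkey.pem" -subj "/CN=localhost" \
        -out "$d/servercsr.pem" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:localhost,DNS:ldap.example.test\n' \
        > "$d/cert.conf"
    openssl x509 -req -in "$d/servercsr.pem" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -days 1 -sha256 -extfile "$d/cert.conf" \
        -out "$d/servercert.pem" 2>/dev/null
    echo "$d"
}
```

Run the checks against the page's directory with `verify_chain ~/ssl/cacert.pem ~/ssl/servercert.pem && has_san ~/ssl/servercert.pem "$(hostname -f)"`; a non-zero exit means the file is not what the import step expects.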
...