Using Keytool to Create an SSL Cert via eDirectory

Novell Cool Solutions: Feature
By Rich Roberts

Posted: 28 Dec 2005

Problem

I need to use keytool to create an SSL Cert via eDirectory for use with JBoss.

Why would I want to do this?

I am going to put iChain in front of the JBoss portal, and I need HTTPS between iChain and the Portal. For iChain to be able to establish the SSL Connection, the cert on the JBoss server must be signed by an authority that iChain can validate. It can't be self-signed. Rather than buy a cert for this back-end connection, I would like to use eDirectory to create the cert.

Prerequisites

  • Java JDK installed and in the path so that keytool will run
  • eDirectory with PKI functioning
  • ConsoleOne with PKI / Certificate Server Snapins (you could probably use iManager, but I'm legacy...)

Environment

  • Suse Linux 10, RedHat® WS 3.6, and Windows XP (XP for deployment only; I did not validate these creation steps on XP)
  • JDK 1.5
  • JBoss 4.0.3 *

Solution

Create the Keystore File

riroberts@n25565:~> keytool -genkey -alias newcert -keyalg RSA -keystore csr.keystore -validity 3650
Enter keystore password:  ldapNovell1
What is your first and last name?
  [Unknown]:  Rich Roberts
What is the name of your organizational unit?
  [Unknown]:  Company
What is the name of your organization?
  [Unknown]:  Company
What is the name of your City or Locality?
  [Unknown]:  Chicago
What is the name of your State or Province?
  [Unknown]:  IL
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Rich Roberts, OU=Company, O=Company, L=Chicago, ST=IL, C=US correct?
  [no]:  yes

Enter key password for <newcert>
        (RETURN if same as keystore password):  ldapNovell1

Generate the CSR

riroberts@n25565:~> keytool -v -certreq -alias newcert -keystore csr.keystore -file myreq.csr  -keypass ldapNovell1
Enter keystore password:  ldapNovell1
Certification request stored in file <myreq.csr>
Submit this to your CA

riroberts@n25565:~> ls my*
myreq.csr

Note: I first tried to import the signed cert straight away. Because I didn't have the Organizational CA from my tree in the keystore yet, this step failed:

riroberts@n25565:~> keytool -import -alias newcert -file Cert.der -keystore csr.keystore
Enter keystore password:  ldapNovell1
keytool error: java.lang.Exception: Failed to establish chain from reply

Issue the Certificate from eDirectory - ConsoleOne

1. Go to the Tools menu in ConsoleOne.

2. Select Issue Certificate.

3. Import the CSR and then create the cert: sign with the Organizational CA, use type SSL or TLS, and don't check "Set key usage to critical".

(Screenshots of the Issue Certificate wizard: Import CSR, Sign with Organizational CA, Select Type, Select Options, Save As, Summary.)

Export the Organizational Root CA from eDirectory - ConsoleOne

1. Select the Organizational CA.

2. Select the Self Signed Certificate tab.

3. Select the export format and filename.

Import the Organizational CA from your tree into the Keystore

1. Export the trusted cert of the Organizational CA from eDirectory (previous section), then import it into the keystore:

riroberts@n25565:~> keytool -import -alias myca -file SelfSignedCert.der -keystore csr.keystore
Enter keystore password:  ldapNovell1
Owner: O=CENDTREE, OU=Organizational CA
Issuer: O=CENDTREE, OU=Organizational CA
Serial number: 21c11fc527e741d5bf97e1d3cc4ca86db07b627b9e9c1eff3c61e7c4b3102020419
Valid from: Sat Oct 08 14:01:51 CDT 2005 until: Thu Oct 08 14:01:51 CDT 2015
Certificate fingerprints:
         MD5:  32:E8:25:A3:45:3C:A4:AC:52:0F:6F:A1:BF:BD:75:17
         SHA1: A4:58:C0:FD:57:8F:A5:19:59:C4:90:7F:0D:29:FD:5D:38:5E:58:D4
Trust this certificate? [no]:  yes
Certificate was added to keystore

Import the Cert into the Keystore

riroberts@n25565:~> keytool -import -alias newcert -file Cert.der -keystore csr.keystore
Enter keystore password:  ldapNovell1
Certificate reply was installed in keystore

Copy the Keystore to where JBoss Can Get to It

riroberts@n25565:~> cp csr.keystore jboss-4.0.3SP1/server/default/conf/certs/

Modify JBoss (Linux 4.0.3) to Use this Cert

Edit jboss-4.0.3SP1/server/default/deploy/jbossweb-tomcat55.sar/server.xml:

    <!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
    <Connector port="8443" address="${jboss.bind.address}"
         maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
         emptySessionPath="true"
         scheme="https" secure="true" clientAuth="false"
         keystoreFile="${jboss.server.home.dir}/conf/certs/csr.keystore"
         keystorePass="ldapNovell1" sslProtocol="TLS" />
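The keytool flow above as an added shell script (not the article's own commands): it runs the steps in order, with the eDirectory Organizational CA stood in for by a locally generated CA keystore so it works offline, and reproduces the ordering problem the article hit (importing the signed reply before the CA is trusted fails). The password, the stand-in CA name and the server CN are constructed; the aliases and file names follow the article.

```shell
#!/bin/sh
# Added example, not the article's own commands. Runs the article's keytool flow with
# the eDirectory Organizational CA stood in for by a locally generated CA keystore
# (constructed), so it works offline. Aliases and file names follow the article.
set -eu
PASS="example-pass"   # constructed; never reuse a password printed in an article
kt() { keytool "$@" >/dev/null 2>&1; }

# Server key pair and CSR ("Create the Keystore File", "Generate the CSR").
gen_server_csr() {
  kt -genkeypair -alias newcert -keyalg RSA -keysize 2048 -validity 3650 \
     -dname "CN=jboss.example.test, OU=Company, O=Company, L=Chicago, ST=IL, C=US" \
     -keystore "$1/csr.keystore" -storepass "$PASS" -keypass "$PASS"
  kt -certreq -alias newcert -file "$1/myreq.csr" \
     -keystore "$1/csr.keystore" -storepass "$PASS" -keypass "$PASS"
}
# Stand-in for the Organizational CA: a self-signed cert with BasicConstraints CA:true.
make_stand_in_ca() {
  kt -genkeypair -alias orgca -keyalg RSA -keysize 2048 -validity 3650 -ext bc:c \
     -dname "O=EXAMPLETREE, OU=Organizational CA" \
     -keystore "$1/ca.keystore" -storepass "$PASS" -keypass "$PASS"
  kt -exportcert -alias orgca -file "$1/SelfSignedCert.der" \
     -keystore "$1/ca.keystore" -storepass "$PASS"
}
# Sign the CSR (what ConsoleOne's Issue Certificate does; here via keytool -gencert).
issue_cert() {
  kt -gencert -alias orgca -infile "$1/myreq.csr" -outfile "$1/Cert.der" -validity 365 \
     -keystore "$1/ca.keystore" -storepass "$PASS" -keypass "$PASS"
}
import_ca()    { kt -importcert -noprompt -alias myca -file "$1/SelfSignedCert.der" \
                    -keystore "$1/csr.keystore" -storepass "$PASS"; }
import_reply() { kt -importcert -noprompt -alias newcert -file "$1/Cert.der" \
                    -keystore "$1/csr.keystore" -storepass "$PASS"; }
# Chain length keytool reports for newcert: 1 = still self-signed, 2 = issued by the CA.
chain_length() {
  keytool -list -v -alias newcert -keystore "$1/csr.keystore" -storepass "$PASS" \
    | sed -n 's/^Certificate chain length: //p'
}
# Whole flow in a fresh directory. Importing the reply before the CA is trusted fails
# ("Failed to establish chain from reply"); after import_ca the same import succeeds.
run_flow() {
  w=$(mktemp -d)
  gen_server_csr "$w"; make_stand_in_ca "$w"; issue_cert "$w"
  early=ok; import_reply "$w" || early=failed
  import_ca "$w"; import_reply "$w"
  echo "early-import=$early chain=$(chain_length "$w")"
  rm -rf "$w"
}
if command -v keytool >/dev/null 2>&1; then run_flow; else echo "keytool (JDK) not on PATH" >&2; fi
```

With a real eDirectory CA, replace make_stand_in_ca and issue_cert with the ConsoleOne export and Issue Certificate steps; the import order into csr.keystore is the same.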


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell