I had so much fun with SSL and netty that I will relay my solutions here.
This serves two purposes: firstly, anyone trying to do this can refer to my notes, and hopefully avoid the hours of frustration I endured, but mostly, this will serve as a reminder when I have to do this again. Which, given my luck, will be tomorrow.
Paths
You will need to set up your paths so that openssl and keytool can be executed directly.
openssl
This post assumes that you have openssl. I use windows so I got mine from
You can get openssl for different platforms from
Credit Where Credit is Due
This post borrows heavily from the Oracle docs for creating and using a certificate authority. You can find those posts at:
A Note on Passwords
For this example I am using the string "whatever" as my password to all the key stores. You can use something else but the examples all assume "whatever" is the password.
What I am Trying to Achieve
I am trying to have Miranda nodes communicate with SSL. So all the Miranda nodes need certificates. Rather than getting CERTs for all the nodes, I am going to create a new certificate authority, sign all the keys and then use that CA when I use SSL.
Instructions
- Create a New CA
- Create a trust store
- Create keys for each node
- Create certificate signing requests for each key
- Sign each request with the CA
- Import the CA to each node's keystore
- Import each CERT to the node's keystore
Create a New CA
I used the instructions on
this link to create a new CA. Briefly, here they are:
openssl req -new -x509 -keyout ca-key.pem.txt -out ca-certificate.pem.txt -days 365
I used "whatever" as the password and took the defaults for the key.
Alternate Procedure for Creating the CA
openssl genrsa -out ca-key 2048
openssl req -x509 -new -key ca-key -out ca-certificate -days 365
Create a Trust Store
After a bit of trial-and-error, I came up with this command:
keytool -import -keystore truststore -file ca-certificate.pem.txt -alias ca -keyalg rsa -storepass whatever
I entered "yes" to accept the key.
Create Keys for the Server
keytool -keystore serverkeystore -genkey -alias server -keyalg rsa -storepass whatever
I took the defaults.
Create a Certificate Signing Request for Each Key
keytool -keystore serverkeystore -storepass whatever -certreq -alias server -keyalg rsa -file server.csr
Sign the Server Request with the CA
openssl x509 -req -CA ca-certificate.pem.txt -CAkey ca-key.pem.txt -in server.csr -out server.cer -days 365 -CAcreateserial
Import the CA to the Server's Keystore
keytool -import -keystore serverkeystore -storepass whatever -file ca-certificate.pem.txt -alias ca -keyalg rsa
It asked me whether I trusted the key ("yes").
Import the CERT to the Server's Keystore
keytool -import -keystore serverkeystore -storepass whatever -file server.cer -alias server -keyalg rsa
At this point, you should have a key store called "serverkeystore" that contains the server keys and the CA. You should also have a key store called "truststore" that contains just the CA. You are now ready to test it out (in my next post).
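The whole procedure above, collected into one script that runs without any prompts, plus the checks I would run on the resulting stores before trusting them. This is an added example and not part of the original post or the Oracle docs it borrows from: the interactive "yes" answers and the defaults are replaced by -noprompt, -subj and -dname, the CA and server distinguished names are made up for illustration, the password is the post's "whatever", and the script assumes openssl and keytool are both on the PATH.

```shell
#!/bin/sh
# Added example (not the original post's commands): build the CA, the trust
# store and the server keystore in DIR, then verify them.
# Assumes openssl and keytool are on PATH. Names below are constructed.
set -eu

PASS=whatever                      # the post's password for every store
CA_SUBJ="/CN=Miranda Test CA"      # constructed CA name (hypothetical)
SERVER_DN="CN=miranda-node-1, O=Example"   # constructed node name (hypothetical)

# build_pki DIR: run the post's steps, in the post's order, inside DIR.
build_pki() (
  set -e
  mkdir -p "$1"
  cd "$1"

  # 1. New CA, using the post's alternate procedure: key first, then a
  #    self-signed certificate. The key is encrypted with $PASS like the post's.
  openssl genrsa -aes256 -passout pass:"$PASS" -out ca-key.pem.txt 2048
  openssl req -x509 -new -key ca-key.pem.txt -passin pass:"$PASS" \
    -subj "$CA_SUBJ" -days 365 -out ca-certificate.pem.txt

  # 2. Trust store that holds only the CA certificate (-noprompt = answering "yes").
  keytool -importcert -noprompt -keystore truststore -storepass "$PASS" \
    -file ca-certificate.pem.txt -alias ca

  # 3. Server key pair; -dname supplies what the post took as defaults.
  keytool -genkeypair -keystore serverkeystore -storepass "$PASS" -keypass "$PASS" \
    -alias server -keyalg rsa -keysize 2048 -dname "$SERVER_DN"

  # 4. Certificate signing request for the server key.
  keytool -certreq -keystore serverkeystore -storepass "$PASS" \
    -alias server -file server.csr

  # 5. Sign the request with the CA (-CAcreateserial writes the serial file).
  openssl x509 -req -in server.csr -CA ca-certificate.pem.txt -CAkey ca-key.pem.txt \
    -passin pass:"$PASS" -CAcreateserial -days 365 -out server.cer

  # 6. Import the CA first: keytool needs it to validate the reply in step 7.
  keytool -importcert -noprompt -keystore serverkeystore -storepass "$PASS" \
    -file ca-certificate.pem.txt -alias ca

  # 7. Import the signed certificate onto the existing "server" key entry.
  keytool -importcert -keystore serverkeystore -storepass "$PASS" -keypass "$PASS" \
    -file server.cer -alias server
)

# verify_pki DIR: the checks worth running before pointing netty at the stores.
# Returns non-zero on the first failed check.
verify_pki() {
  dir=$1
  # The signed server certificate must chain to the CA certificate.
  openssl verify -CAfile "$dir/ca-certificate.pem.txt" "$dir/server.cer" >/dev/null || return 1
  # The trust store holds the CA as a trusted certificate entry...
  keytool -list -keystore "$dir/truststore" -storepass "$PASS" \
    | grep -q '^ca,.*trustedCertEntry' || return 1
  # ...and the server keystore holds the private key entry plus the CA.
  keytool -list -keystore "$dir/serverkeystore" -storepass "$PASS" \
    | grep -q '^server,.*PrivateKeyEntry' || return 1
  keytool -list -keystore "$dir/serverkeystore" -storepass "$PASS" \
    | grep -q '^ca,.*trustedCertEntry' || return 1
  # After step 7 the server entry's chain is server cert + CA cert, i.e. length 2.
  keytool -list -v -keystore "$dir/serverkeystore" -storepass "$PASS" -alias server \
    | grep -q 'Certificate chain length: 2' || return 1
  return 0
}

# Usage: sh build-pki.sh /path/to/output-dir
if [ $# -gt 0 ]; then
  build_pki "$1"
  verify_pki "$1" && echo "stores in $1 verified"
fi
```

The chain-length check is the one that catches the most common mistake in this procedure: importing server.cer before the CA, or with a different alias, leaves the key entry with its original self-signed certificate (chain length 1) and the handshake later fails with an untrusted certificate.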