JBoss AS7 with SSL and certificates signed by a CA

From Eriberto Wiki
Revision as of 12:17, 11 September 2013 by Eriberto (talk | contribs) (→Purpose)

Purpose

The objective of this article is to show how to implement SSL in JBoss AS 7 using certificates signed by a CA (Certificate Authority). It is very common to find tutorials about SSL based on self-signed certificates. The problem is that browsers do not trust those certificates automatically. So the best option is to use an internal CA to sign the certificates.

My wiki is written in Brazilian Portuguese. However, I didn't find a tutorial on Google to do what I needed. So, based on some ideas I found and on my experience, I succeeded and decided to tell the world about it, using my terrible English. ;-)

This article is based on OpenSSL and uses the CA.pl script. Note that I won't teach how to create a CA, nor explain the OpenSSL commands in detail. But several commands will be shown, and with them it will be possible to create the final certificates.

To learn how to create a CA using CA.pl, see http://darizotas.blogspot.com.br/2013/03/understanding-openssl-capl.html or search for "CA.pl create CA". In Brazilian Portuguese you can read the article Autoridade Certificadora (CA) com o OpenSSL in this wiki. Tip: it is very convenient to edit the openssl.cnf file (in /etc/ssl/ or /usr/lib/ssl/) and change the default values of countryName_default, stateOrProvinceName_default, etc., to make your work easier.

Certificates and AS 7

AS 7 uses certificates in PKCS12 or JKS (Java KeyStore) format. The preferred format is JKS. So we must create the standard X.509 certificate and convert it to PKCS12, both using the CA.pl script from OpenSSL, and finally convert it to JKS with the keytool command (shipped with OpenJDK and Oracle Java).

How to create the certificates

1. In OpenSSL tools directory, generally /usr/lib/ssl/misc, create a new certificate request for your JBoss server:

# ./CA.pl -newreq
You will be asked for a passphrase for your certificate. When asked for the Common Name, enter the FQDN of your server.

2. Sign your certificate using your CA:

# ./CA.pl -sign

3. Append newkey.pem to the end of newcert.pem:

# cat newkey.pem >> newcert.pem

4. Create a PKCS12 certificate:

# ./CA.pl -pkcs12 "jbosscert"
"jbosscert" is the friendly name of the PKCS12 certificate. You will be asked for a passphrase for your certificate. Choose a good passphrase: JBoss will use it to access the certificate content.

5. Use the keytool command to generate a JKS keystore based on jbosscert and another based on cacert.pem (the root certificate of the CA).

# keytool -importkeystore -destkeystore jbosscert.jks -srckeystore newcert.p12 -srcstoretype PKCS12 -alias "jbosscert"

# keytool -import -keystore cacerts.jks -file demoCA/cacert.pem -alias "jbossCAcert"
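
The five steps above as a non-interactive script, added here as an example and not part of the original article: it swaps the CA.pl prompts for plain openssl commands, builds a throwaway demo CA (an assumption, so that it runs stand-alone; the article's real CA lives in demoCA/), and passes the PKCS12 passphrase through the environment instead of typing it. The function names, the work-directory argument and the demo CA subject are my own.

```shell
#!/bin/sh
# Added example, not from the original article: steps 1 to 5 as a
# non-interactive script. Plain openssl calls replace the CA.pl prompts, and a
# throwaway demo CA is created only to keep the script self-contained; the
# article assumes a real internal CA already exists (demoCA/ made with CA.pl).
set -eu

make_demo_ca() {                      # $1 = work dir (constructed demo CA)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo Internal CA" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# Steps 1 and 2: key and request for the server (CN = FQDN), signed by the CA.
make_server_cert() {                  # $1 = work dir, $2 = server FQDN
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/newkey.pem" -out "$1/newreq.pem" 2>/dev/null
    openssl x509 -req -in "$1/newreq.pem" -CA "$1/cacert.pem" \
        -CAkey "$1/cakey.pem" -CAcreateserial -days 365 \
        -out "$1/newcert.pem" 2>/dev/null
    # Check: the new certificate must chain to the CA before we go on.
    openssl verify -CAfile "$1/cacert.pem" "$1/newcert.pem" >/dev/null
}

# Steps 4 and 5: PKCS12 bundle with friendly name "jbosscert", then the two
# JKS stores JBoss reads: jbosscert.jks (server key) and cacerts.jks (CA trust).
# Step 3 (cat newkey.pem >> newcert.pem) is not needed: -inkey names the key.
# The passphrase travels via the environment, not the command line, so it is
# not visible in the process list.
make_keystores() {                    # $1 = work dir, $2 = passphrase
    P12_PASS="$2"; export P12_PASS
    openssl pkcs12 -export -name jbosscert -in "$1/newcert.pem" \
        -inkey "$1/newkey.pem" -certfile "$1/cacert.pem" \
        -passout env:P12_PASS -out "$1/newcert.p12"
    # JKS is named explicitly: newer JDKs default to PKCS12 stores.
    keytool -importkeystore -noprompt -srckeystore "$1/newcert.p12" \
        -srcstoretype PKCS12 -srcstorepass:env P12_PASS -srcalias jbosscert \
        -destkeystore "$1/jbosscert.jks" -deststoretype JKS \
        -deststorepass:env P12_PASS 2>/dev/null
    keytool -importcert -noprompt -keystore "$1/cacerts.jks" -storetype JKS \
        -storepass:env P12_PASS -file "$1/cacert.pem" -alias jbossCAcert 2>/dev/null
    # Check: both aliases must exist (keytool exits non-zero otherwise).
    keytool -list -keystore "$1/jbosscert.jks" -storepass:env P12_PASS \
        -alias jbosscert >/dev/null 2>&1
    keytool -list -keystore "$1/cacerts.jks" -storepass:env P12_PASS \
        -alias jbossCAcert >/dev/null 2>&1
}
```

Run it as `make_demo_ca "$d"; make_server_cert "$d" jboss.example.internal; make_keystores "$d" 'your-passphrase'` with `d` set to an empty work directory; the resulting jbosscert.jks and cacerts.jks are the files the JBoss connector configuration points at.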

How to install the certificates
