JBoss AS7 with SSL and certificates signed by a CA
Purpose
The objective of this article is to show how to implement SSL in JBoss AS 7 using certificates signed by a CA (Certificate Authority). It is very common to find tutorials about SSL based on self-signed certificates. The problem is that browsers do not trust these certificates automatically. So the best option is to use an internal CA to sign the certificates.
My wiki is written in Brazilian Portuguese. However, I didn't find a tutorial on Google to do what I needed. So, based on some ideas I found and on my experience, I succeeded and decided to tell the world about it, using my terrible English. ;-)
This article is based on OpenSSL and will use the CA.pl script. Note that I won't teach how to create a CA nor explain the OpenSSL commands in detail. But several commands will be shown, and with them it will be possible to create the final certificates.
To learn how to create a CA using CA.pl, see http://darizotas.blogspot.com.br/2013/03/understanding-openssl-capl.html or search for "CA.pl create CA". In Brazilian Portuguese you can read the article Autoridade Certificadora (CA) com o OpenSSL in this wiki. Tip: it is very convenient to edit the openssl.cnf file (at /etc/ssl/ or /usr/lib/ssl/) and change the default values of countryName_default, stateOrProvinceName_default etc. to make your work easier.
Certificates and AS 7
AS 7 uses certificates in PKCS12 or JKS (Java KeyStore) format. The preferred format is JKS. So, we must create the X509 certificate and convert it to PKCS12, both using the CA.pl script from OpenSSL, and finally convert it to JKS using the keytool command (shipped with OpenJDK and Oracle Java).
How to create the certificates
1. In the OpenSSL tools directory, generally /usr/lib/ssl/misc, create a new certificate request for your JBoss server:
# ./CA.pl -newreq
You will be asked for a passphrase for your certificate key. When asked for the Common Name, enter the FQDN of your server.
2. Sign your certificate using your CA:
# ./CA.pl -sign
3. Append newkey.pem to the end of newcert.pem:
# cat newkey.pem >> newcert.pem
4. Create a PKCS12 certificate:
# ./CA.pl -pkcs12 "jbosscert"
5. Use the keytool command to generate a JKS keystore from jbosscert and another from cacert.pem (the root certificate of the CA):
# keytool -importkeystore -destkeystore jbosscert.jks -srckeystore newcert.p12 -srcstoretype PKCS12 -alias "jbosscert"
# keytool -import -keystore cacerts.jks -file demoCA/cacert.pem -alias "jbossCAcert"
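The five steps above, as an added example that is not part of the original article: the same procedure run non-interactively with plain openssl commands instead of the CA.pl prompts, followed by the check the article does not show, that newcert.pem really chains to cacert.pem and carries the server's hostname. It assumes openssl 1.1.1 or later on the PATH; keytool is used only if a JDK is installed. The working directory, the passphrases, the "Demo Internal CA" (standing in for the CA built with CA.pl) and the FQDN jboss.example.internal are constructed demo values, not values from the article.

```shell
#!/bin/sh
# Added example, not from the original article: steps 1-5 run non-interactively
# with plain openssl instead of the CA.pl prompts, plus a chain/hostname check.
# Assumptions: openssl 1.1.1+ on PATH; keytool (any JDK) optional; WORK, the
# passphrases, the demo CA name and the FQDN are constructed demo values.

WORK="${WORK:-$(mktemp -d)}"                 # scratch directory for all files
CA_PASS="${CA_PASS:-demo-ca-pass}"           # passphrase of the CA key (constructed)
SRV_PASS="${SRV_PASS:-demo-server-pass}"     # passphrase asked for in step 1 (constructed)
P12_PASS="${P12_PASS:-demo-p12-pass}"        # export password of newcert.p12 (constructed)
FQDN="${FQDN:-jboss.example.internal}"       # Common Name of the JBoss server (placeholder)

# Equivalent of "CA.pl -newca": a self-signed internal CA (cacert.pem + cakey.pem).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 \
    -subj "/O=Demo/CN=Demo Internal CA" -passout "pass:$CA_PASS" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# Step 1, "CA.pl -newreq": server key (newkey.pem) and request (newreq.pem);
# the CN is the server FQDN, as the article requires.
make_request() {
  openssl req -new -newkey rsa:2048 -sha256 -subj "/CN=$FQDN" \
    -passout "pass:$SRV_PASS" \
    -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" 2>/dev/null
}

# Step 2, "CA.pl -sign": issue newcert.pem from the CA. Browsers match the
# hostname against subjectAltName, not only the CN, so it is set here too.
sign_request() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$FQDN" > "$WORK/server.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/newreq.pem" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -passin "pass:$CA_PASS" -extfile "$WORK/server.ext" \
    -out "$WORK/newcert.pem"
}

# Steps 3 and 4, "CA.pl -pkcs12 jbosscert": bundle key, certificate and CA
# certificate into newcert.p12 (-inkey takes the key separately, so there is
# no need to cat it into newcert.pem).
make_pkcs12() {
  openssl pkcs12 -export -name jbosscert \
    -in "$WORK/newcert.pem" -inkey "$WORK/newkey.pem" -certfile "$WORK/cacert.pem" \
    -passin "pass:$SRV_PASS" -passout "pass:$P12_PASS" -out "$WORK/newcert.p12"
}

# Step 5: the keytool conversions. Returns 2 (not an error) when no JDK is installed.
make_jks() {
  command -v keytool >/dev/null 2>&1 || return 2
  rm -f "$WORK/jbosscert.jks" "$WORK/cacerts.jks"
  keytool -importkeystore -noprompt \
    -srckeystore "$WORK/newcert.p12" -srcstoretype PKCS12 -srcstorepass "$P12_PASS" \
    -srcalias jbosscert -destkeystore "$WORK/jbosscert.jks" -deststoretype JKS \
    -deststorepass "$P12_PASS" -destalias jbosscert &&
  keytool -importcert -noprompt -keystore "$WORK/cacerts.jks" -storepass "$P12_PASS" \
    -file "$WORK/cacert.pem" -alias jbossCAcert
}

# The check worth running before copying anything into JBoss: newcert.pem must
# chain to cacert.pem, be usable as a TLS server certificate, and carry the
# hostname clients connect to ($FQDN by default; pass another name to test a mismatch).
verify_chain() {
  openssl verify -CAfile "$WORK/cacert.pem" -purpose sslserver \
    -verify_hostname "${1:-$FQDN}" "$WORK/newcert.pem" >/dev/null 2>&1
}

# Subject of the certificate stored in newcert.p12, e.g. "CN=jboss.example.internal".
p12_subject() {
  openssl pkcs12 -in "$WORK/newcert.p12" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

run_demo() {
  make_ca && make_request && sign_request && make_pkcs12 || return 1
  verify_chain || { echo "chain or hostname check failed" >&2; return 1; }
  echo "newcert.pem verifies against cacert.pem for $(p12_subject)"
  rc=0; make_jks || rc=$?
  case $rc in
    0) echo "keystores ready in $WORK: jbosscert.jks and cacerts.jks" ;;
    2) echo "keytool not on PATH; stopped after $WORK/newcert.p12" ;;
    *) echo "keytool import failed" >&2; return 1 ;;
  esac
}

run_demo
```

The files end up in the scratch directory printed by the script, from where jbosscert.jks (the server identity) and cacerts.jks (the CA's root) can be copied into the JBoss configuration. Keeping the CA root in its own keystore mirrors the article's two keytool commands: the server keystore holds the private key, the trust store only the certificate that clients need.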
How to install the certificates
Brazilian tags: autoridade certificadora, certificado, criptografia, SSL, TLS, GNU/Linux, Linux, Debian.