
Managing PKI Keys



This app uses Transport Layer Security (TLS), hereafter referred to as SSL, to keep communication between the client and server processes confidential. A prerequisite of SSL communication is that PKI keys be generated and enabled for use in participating processes. The common name in the server's certificate must match its hostname. The keys generated here are needed in later sections of this tutorial.

Pick one of the following options for obtaining PKI keys and certificate:

  1. Use the self-signed certificate and keys contained within the Directory Fortress Core git repo [directory-fortress-core.git] / src / test / resources / certs /. This option requires that the hostname of the machines hosting the server software, i.e. directory, db and web, be set to fortressdemo2.com.
    For this option you may skip to Section III - Set Hostname Entry.

  2. Use OpenSSL to generate a new private key to (self) sign a new certificate. It is assumed this option will be followed to create a certificate bound for a hostname other than fortressdemo2.com. For this option, follow the instructions below.

  3. Use keys and a certificate signed by a well-known certificate authority. This is often the correct choice for apps in production, but it is beyond the scope of this introductory tutorial.

Create new SSL Keys

  1. Create a folder to work in:
                

    # mkdir certs
    # cd certs
    ~certs$

  2. Create a new certificate:

    1. Generate new RSA private key:
                          

      # openssl genrsa 4096 > ca-key.pem Generating RSA private key, 4096 bit long modulus .....+++ ...............................................................................................................................................................+++ e is 65537 (0x10001)

    2. Generate the certificate. When testing, these prompts may be answered arbitrarily, except for the common name, which must match the hostname of the machine hosting the OpenLDAP and MySQL daemons:
                          

      # openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----

      1. Set country:
                                    

        Country Name (2 letter code) [AU]:US

      2. Set state:
                                    

        State or Province Name (full name) [Some-State]:California

      3. Set city:
                                    

        Locality Name (eg, city) []:Joshua Tree

      4. Set Organization name:
                                    

        Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycompanyname

      5. Set Organizational Unit Name (this may be left blank):
                                    

        Organizational Unit Name (eg, section) []:mygroupname

      6. Set Common Name, i.e. the hostname of the target machine. Note that this is the most important setting: the name you specify here must match the value entered in Set Hostname Entry.
                                    

        Common Name (e.g. server FQDN or YOUR name) []:fortressdemo2.com

      7. Set Email Address (this may be left blank):
                                    

        Email Address []:

  3. Sign the server certificate:

    1. Create new server keys:
                          

      # openssl req -newkey rsa:4096 -days 1825 -nodes -keyout server-key.pem -out server-req.pem
      Generating a 4096 bit RSA private key
      ................................................................................................................................................+++
      ........................+++
      writing new private key to 'server-key.pem'
      -----
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.

    2. Step through the prompts:
                          

      Country Name (2 letter code) [AU]:US
      State or Province Name (full name) [Some-State]:California
      Locality Name (eg, city) []:Joshua Tree
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycompanyname
      Organizational Unit Name (eg, section) []:mygroupname
      Common Name (e.g. server FQDN or YOUR name) []:fortressdemo2.com <- name you specify here must match the value entered in Set Hostname Entry
      Email Address []:

      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:changeit
      An optional company name []:

    3. Remove the pass phrase on an RSA private key:
                          

      # openssl rsa -in server-key.pem -out server-key.pem
      writing RSA key

    4. Sign the public certificate:
                          

      # openssl x509 -req -in server-req.pem -days 1825 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
      Signature ok
      subject=/C=US/ST=California/L=Joshua Tree/O=mycompanyname/OU=mygroupname/CN=Shawn McKinney

    5. The following files will be used later:
                          

      # ls ca-cert.pem server-cert.pem server-key.pem

  4. Create a PKCS12 keystore. This will be converted into a Java Keystore in the next step.
                

    # openssl pkcs12 -export -name fortressDemo2ServerCACert -in server-cert.pem -inkey server-key.pem -out mykeystore.p12
    Enter Export Password:
    Verifying - Enter Export Password:

    The export password must be entered as the 'source keystore password' in the next step.

  5. Import PKCS12 into Java Keystore (JKS). This will be used for Tomcat HTTPS connectivity.
                

    # keytool -importkeystore -destkeystore mykeystore -srckeystore mykeystore.p12 -srcstoretype pkcs12 -alias fortressDemo2ServerCACert -deststoretype pkcs12
    Enter destination keystore password:
    Enter source keystore password:

    The value for the keystore's destination password must be placed inside tomcat server.xml later in this tutorial.

  6. Create Java truststore for JSSE. This will be used for client-side SSL connectivity securing LDAPv3 and JDBC protocols.

    1. Import public key into the Java truststore.
                              

      # keytool -import -alias fortressDemo2ServerCACert -file ca-cert.pem -keystore mytruststore -deststoretype pkcs12

      Step through the prompts...
                              

      Enter keystore password:
      Re-enter new password:
      Owner: CN=fortressdemo2.com, OU=mygroupname, O=mycompanyname, L=Joshua Tree, ST=California, C=US
      Issuer: CN=fortressdemo2.com, OU=mygroupname, O=mycompanyname, L=Joshua Tree, ST=California, C=US
      Serial number: fae6c81e389bbeef
      Valid from: Tue Aug 05 08:47:43 PDT 2014 until: Thu Jun 13 08:47:43 PDT 2024
      Certificate fingerprints:
        MD5: 8E:DF:5F:4E:CB:ED:33:E7:72:1E:76:D8:15:60:48:A5
        SHA1: 18:35:4E:32:10:4D:D2:D4:52:A0:70:31:CE:1D:99:AB:14:23:EC:8C
        SHA256: C6:37:4F:E5:59:C7:4B:DF:E2:FE:BA:7D:93:7C:03:FA:29:12:8F:F1:53:EF:E6:B5:5F:09:A4:53:6A:5F:C4:04
        Signature algorithm name: SHA1withRSA
        Version: 3
      Extensions:
      #1: ObjectId: 2.5.29.35 Criticality=false
      AuthorityKeyIdentifier [
      KeyIdentifier [
      0000: AE C6 DD DE 82 84 4D 0E 48 FB CF 79 40 16 D1 3A ......M.H..y@..:
      0010: 00 D3 16 4B ...K
      ]
      ]
      #2: ObjectId: 2.5.29.19 Criticality=false
      BasicConstraints:[
      CA:true
      PathLen:2147483647
      ]
      #3: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: AE C6 DD DE 82 84 4D 0E 48 FB CF 79 40 16 D1 3A ......M.H..y@..:
      0010: 00 D3 16 4B ...K
      ]
      ]
      Trust this certificate? [no]: yes
      Certificate was added to keystore

      Remember the value for the truststore's password. It maps to the fortress property named, 'trust.store.password', later in this tutorial.

  7. View listing of crypto artifacts:
                            

    # ls
    ca-cert.pem ca-key.pem mykeystore mykeystore.p12 mytruststore server-cert.pem server-key.pem server-req.pem

  8. Crypto artifacts used as follows:

    1. ca-cert.pem, server-cert.pem, server-key.pem
      -Server-side: used by OpenLDAP and MySQL to encrypt data over LDAPv3 and JDBC protocols with the Fortress demo web app.

    2. mykeystore
      -Server-side: used by Tomcat to encrypt data for HTTPS traffic between Fortress demo and its end users.

    3. mytruststore
      -Client-side: used to generate encrypted JDBC and LDAP connections between the Fortress demo web app and its servers.
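
The CA and server-certificate steps above as a non-interactive script with a verification pass, added here as an example and not part of the original tutorial. The function names make_pki and check_pki are hypothetical, and the CA subject "Demo Test CA" is an assumed value chosen to differ from the server's subject, because OpenSSL treats a certificate whose issuer and subject names are identical as self-issued and will not chain it to the CA.

```shell
#!/bin/sh
# Added example, not from the tutorial: make_pki and check_pki are hypothetical names.

# make_pki DIR HOSTNAME [BITS]: the CA and server-certificate steps, without prompts.
# The CA subject below is an assumed value; it must differ from the server subject.
make_pki() {
    dir=$1 host=$2 bits=${3:-4096}
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        openssl genrsa -out ca-key.pem "$bits" 2>/dev/null &&
        openssl req -new -x509 -nodes -days 3600 -key ca-key.pem \
            -subj "/O=mycompanyname/CN=Demo Test CA" -out ca-cert.pem &&
        openssl req -newkey "rsa:$bits" -nodes -keyout server-key.pem \
            -subj "/O=mycompanyname/CN=$host" -out server-req.pem 2>/dev/null &&
        openssl x509 -req -in server-req.pem -days 1825 -CA ca-cert.pem \
            -CAkey ca-key.pem -set_serial 01 -out server-cert.pem 2>/dev/null
    )
}

# check_pki DIR HOSTNAME: returns 0 only when all three checks pass.
check_pki() {
    dir=$1 host=$2
    # 1. server-cert.pem must chain to ca-cert.pem (what mytruststore will trust).
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" >/dev/null 2>&1 ||
        { echo "FAIL: server-cert.pem is not signed by ca-cert.pem"; return 1; }
    # 2. The server certificate's common name must equal the hostname entry.
    cn=$(openssl x509 -in "$dir/server-cert.pem" -noout -subject -nameopt RFC2253 |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$host" ] ||
        { echo "FAIL: common name '$cn' does not match hostname '$host'"; return 1; }
    # 3. server-key.pem must be the private key for server-cert.pem.
    cert_pub=$(openssl x509 -in "$dir/server-cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/server-key.pem" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: server-key.pem does not match server-cert.pem"; return 1; }
    echo "OK: chain, common name and key all check out for $host"
}
```

After sourcing the file, check_pki certs fortressdemo2.com checks a folder produced by the manual steps; make_pki is only needed to build a fresh set without prompts.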

This is free and unencumbered software released into the public domain.