Tuesday, October 27, 2015

Create Own CA


CA Creation

Set up the directory structure and files required by OpenSSL:

mkdir keys
mkdir requests
mkdir certs

Create the file database.txt, which will hold an entry for every issued certificate:

copy con database.txt

Create the file serial.txt, which will hold the serial number for every issued certificate:

copy con serial.txt

Type the number 00 into the file serial.txt:

00

First, we create a 2048-bit private key to use when creating our CA:

openssl genrsa -passout pass:changeit -des3 -out keys/ca.key 2048

Next, we create a master certificate based on this key, to use when signing other certificates:

openssl req -config openssl.conf -new -x509 -days 5001 -key keys/ca.key -out keys/ca.cer
*Provide the details requested: Country Code, Province, City, Organizational Unit, Organization and Email (optional)

Export the CA certificate in DER and PKCS#12 format so that clients can import it into their Trusted Root Store and don’t get warning messages:

openssl x509 -in keys/ca.cer -outform DER -out keys/ca.der
openssl pkcs12 -export -out keys/ca.p12 -in keys/ca.cer -inkey keys/ca.key

Copy the certreq.txt file (the certificate request) into the requests directory and sign the request:

openssl ca -policy policy_anything -config openssl.conf -cert keys/ca.cer -keyfile keys/ca.key -days 1095 -in requests/certreq.txt -out certs/website_certificate.cer

Convert the signed certificate into x509 format for use with IIS:

openssl x509 -in certs/website_certificate.cer -out certs/website_certificate509.cer
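The whole procedure above, as an added example that is not part of the original post: a throw-away CA built the same way, a CSR signed with openssl ca, and then the check the post leaves out, verifying that the issued certificate chains to the CA. The openssl.conf written here is an assumption (the post references one but never shows it), and the host name www.example.test is made up.

```shell
#!/bin/sh
# Added example (not from the post): throw-away CA built the post's way, a CSR signed with
# "openssl ca", then the chain verified. The openssl.conf below is assumed; the post shows none.
set -eu
make_test_ca() {
  work="$1"; pw="changeit"                     # same passphrase as the post
  mkdir -p "$work/keys" "$work/requests" "$work/certs"
  : > "$work/database.txt"                     # empty index, like "copy con database.txt"
  echo 01 > "$work/serial.txt"                 # 01, not 00: RFC 5280 requires a positive serial
  cat > "$work/openssl.conf" <<EOF
[ ca ]
default_ca      = test_ca
[ test_ca ]
dir             = $work
database        = \$dir/database.txt
serial          = \$dir/serial.txt
new_certs_dir   = \$dir/certs
default_md      = sha256
policy          = policy_anything
x509_extensions = v3_server
[ policy_anything ]
commonName       = supplied
countryName      = optional
organizationName = optional
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
CN = Test Root CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.example.test
EOF
  ( cd "$work"
    openssl genrsa -passout "pass:$pw" -des3 -out keys/ca.key 2048 2>/dev/null
    openssl req -config openssl.conf -new -x509 -days 5001 -key keys/ca.key -passin "pass:$pw" -out keys/ca.cer
    # server key and CSR, standing in for the certreq.txt that IIS exports
    openssl req -config openssl.conf -new -newkey rsa:2048 -nodes -keyout keys/www.key \
      -subj "/CN=www.example.test" -out requests/certreq.txt 2>/dev/null
    openssl ca -batch -policy policy_anything -config openssl.conf -cert keys/ca.cer -keyfile keys/ca.key \
      -passin "pass:$pw" -days 1095 -in requests/certreq.txt -out certs/website_certificate.cer 2>/dev/null
    openssl x509 -in certs/website_certificate.cer -out certs/website_certificate509.cer )
}
# The check the post leaves out: does the issued certificate actually chain to the CA?
verify_issued() { openssl verify -CAfile "$1/keys/ca.cer" "$1/certs/website_certificate509.cer"; }
```

After a run, serial.txt holds the next serial to issue and database.txt has one "V" (valid) line for the new certificate, which is how openssl ca keeps its state between signings.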

Import root CA certificate into JAVA

The JDK/JRE comes with a list of CA certificates pre-installed by Oracle. When you have created your own CA and want to trust it for HTTPS or SSL socket connections from a REST or J2EE application, you need to import the CA's root certificate into the JDK.
You can check which certificates are already installed in your JDK using the following keytool command (the list will be very long):
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

Get the CA's root certificate (in cer, pem, der or a similar format). The example below uses the Trustwave root certificate, which can be downloaded from Trustwave's page.
After downloading it, run the following command:
keytool -import -trustcacerts -alias twroot -file stca.cer -keystore $JAVA_HOME/jre/lib/security/cacerts
In the above command, you can replace the alias name with whatever you want, such as AbcRoot or RootXYZ.

It will ask for the keystore password to import the certificate; if you haven't changed it, the default is changeit.
Make sure you restart your web server/Java program after importing the certificate.