Tomcat certificate ipa
From Asenjo
generate keystore with the right data for the IPA CA (REALM)
This starts a wizard; answer the questions exactly as shown below or the certificate will not work once installed:
- first and last name => the fqdn of the host (this becomes the CN)
- organizational unit => the IPA REALM (UNIX.ASENJO.NL here)
- the rest of the fields are not crucial, but it is nice to fill them in properly
# keytool -genkey -alias rt.unix.asenjo.nl -keyalg RSA -keystore rt.unix.asenjo.nl.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  rt.unix.asenjo.nl
What is the name of your organizational unit?
  [Unknown]:  UNIX.ASENJO.NL
What is the name of your organization?
  [Unknown]:  Lekkerthuis
What is the name of your City or Locality?
  [Unknown]:  Arnhem
What is the name of your State or Province?
  [Unknown]:  GE
What is the two-letter country code for this unit?
  [Unknown]:  NL
Is CN=rt.unix.asenjo.nl, OU=UNIX.ASENJO.NL, O=Lekkerthuis, L=Arnhem, ST=GE, C=NL correct?
  [no]:  yes
Enter key password for <rt.unix.asenjo.nl>
        (RETURN if same as keystore password):
verify keystore
root@rt:/tmp/csr# keytool -list -keystore rt.unix.asenjo.nl.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

rt.unix.asenjo.nl, Jul 3, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): D1:5E:04:9A:1D:6A:73:B7:4C:3E:5A:24:94:35:C3:01:AA:8F:81:EC
import root ca to keystore (chain certificate)
# keytool -import -alias unix.asenjo.nl -keystore rt.unix.asenjo.nl.jks -file ca.crt
Enter keystore password:
Owner: CN=Certificate Authority, O=UNIX.ASENJO.NL
Issuer: CN=Certificate Authority, O=UNIX.ASENJO.NL
Serial number: 1
Valid from: Sat Feb 27 20:05:55 CET 2016 until: Wed Feb 27 20:05:55 CET 2036
Certificate fingerprints:
         MD5:  E7:FD:93:8B:E4:9B:F1:59:4A:67:F6:EF:0F:2B:68:C5
         SHA1: 8F:78:D8:7F:AC:D5:5B:AD:3E:91:81:86:96:59:C9:66:B3:5B:C0:80
         SHA256: 67:EC:0A:72:32:21:1B:BA:3D:D2:F5:41:D0:6D:A7:9D:EB:70:B7:99:AC:26:1D:97:E4:6C:F9:51:DF:C0:08:94
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://kdc1.unix.asenjo.nl:80/ca/ocsp
  ]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F9 26 16 6F 11 5D AF 35   52 1F 93 F0 EF F3 89 63  .&.o.].5R......c
0010: 3F FC 67 8A                                        ?.g.
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_CertSign
  Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F9 26 16 6F 11 5D AF 35   52 1F 93 F0 EF F3 89 63  .&.o.].5R......c
0010: 3F FC 67 8A                                        ?.g.
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
generate csr
Chrome no longer accepts a certificate whose hostname appears only in the CN, so the CSR must carry a Subject Alternative Name (SAN) extension for the fqdn or the browser will show certificate errors:
# keytool -certreq -keyalg RSA -alias rt.unix.asenjo.nl -file rt.unix.asenjo.nl.csr -keystore rt.unix.asenjo.nl.jks -ext san=dns:rt.unix.asenjo.nl
Enter keystore password:
check that csr exists
root@rt:/tmp/csr# ls -ltr
total 32
-rw-r--r-- 1 root root 1321 Feb 27  2016 ca.crt
-rw-r--r-- 1 root root 3235 Jul  3 21:03 rt.unix.asenjo.nl.jks
-rw-r--r-- 1 root root 2724 Jul  3 21:06 kk
-rw-r--r-- 1 root root 1096 Jul  3 21:07 rt.unix.asenjo.nl.csr
submit the CSR to the IPA CA in the web UI, download the issued certificate and save it as rt.unix.asenjo.nl.crt
import rt.unix.asenjo.nl.crt into the keystore (use the same alias as the key entry, so keytool treats it as the CA reply for that key)
# keytool -import -alias rt.unix.asenjo.nl -file rt.unix.asenjo.nl.crt -keystore rt.unix.asenjo.nl.jks
Enter keystore password:
Certificate reply was installed in keystore
check it:
# keytool -list -keystore rt.unix.asenjo.nl.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

unix.asenjo.nl, Jul 3, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 8F:78:D8:7F:AC:D5:5B:AD:3E:91:81:86:96:59:C9:66:B3:5B:C0:80
rt.unix.asenjo.nl, Jul 3, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): A2:BC:82:9B:2A:EA:8F:E8:C5:D5:D3:81:0E:2C:3F:8B:A0:59:4E:51
The host certificate, the root CA and the private key are all in the keystore ;-) Note that the SHA1 fingerprint of the rt.unix.asenjo.nl entry has changed compared to the first listing: the self-signed placeholder certificate created by -genkey has been replaced by the certificate issued by the IPA CA.
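The same procedure as one non-interactive script, added here as an example (it is not from the original page). It assumes keytool from a JDK is on PATH, the IPA CA certificate has been saved as ca.crt in the working directory, the reply from the IPA web UI is saved as <fqdn>.crt, and the keystore password is supplied in the STOREPASS environment variable (read with -storepass:env so it never appears in the process list); the function names and the check_listing rules are mine.

```shell
#!/bin/sh
# Added example (not from the page): the keytool steps above, made
# non-interactive and ending with a check of the result.
# Assumptions: keytool (JDK) on PATH, IPA CA certificate saved as ca.crt,
# CA reply saved as <fqdn>.crt, keystore password in $STOREPASS.
set -eu

# DN exactly as the page's wizard builds it: CN = fqdn, OU = IPA realm.
ipa_dname() {   # fqdn realm org locality state country
    printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Alias for the CA entry: the realm in lower case (unix.asenjo.nl on the page).
ca_alias() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# Phase 1: key pair with SAN, CA certificate, CSR. Stop here and submit
# <fqdn>.csr to the IPA CA.
prepare_csr() {   # fqdn realm org locality state country
    fqdn=$1; realm=$2; ks="$fqdn.jks"
    dname=$(ipa_dname "$@")
    keytool -genkeypair -alias "$fqdn" -keyalg RSA -keysize 2048 \
        -dname "$dname" -ext "san=dns:$fqdn" \
        -keystore "$ks" -storepass:env STOREPASS -keypass:env STOREPASS
    keytool -importcert -noprompt -trustcacerts -alias "$(ca_alias "$realm")" \
        -file ca.crt -keystore "$ks" -storepass:env STOREPASS
    # The SAN has to be given again: -certreq only puts extensions from its
    # own command line into the request, not those of the self-signed cert.
    keytool -certreq -alias "$fqdn" -ext "san=dns:$fqdn" \
        -file "$fqdn.csr" -keystore "$ks" -storepass:env STOREPASS
    echo "submit $fqdn.csr to the IPA CA and save the issued certificate as $fqdn.crt"
}

# Phase 2: install the CA reply under the key alias and verify the chain.
finish_keystore() {   # fqdn
    fqdn=$1; ks="$fqdn.jks"
    keytool -importcert -alias "$fqdn" -file "$fqdn.crt" \
        -keystore "$ks" -storepass:env STOREPASS
    listing=$(keytool -list -v -alias "$fqdn" -keystore "$ks" -storepass:env STOREPASS)
    printf '%s\n' "$listing" | check_listing "$fqdn"
}

# Checks on `keytool -list -v -alias <fqdn>` output read from stdin, so it
# can also be run against saved output. Returns 1 and says what is wrong.
check_listing() {   # fqdn
    fqdn=$1; rc=0
    listing=$(cat)
    # chain length 2 = host cert + CA; 1 means the CA reply was never installed
    printf '%s\n' "$listing" | grep -q 'Certificate chain length: 2' \
        || { echo "chain length is not 2: CA reply not installed or CA entry missing" >&2; rc=1; }
    printf '%s\n' "$listing" | grep -q "^Owner: CN=$fqdn," \
        || { echo "leaf certificate CN is not $fqdn" >&2; rc=1; }
    printf '%s\n' "$listing" | grep -q "DNSName: $fqdn" \
        || { echo "no SAN dNSName $fqdn: Chrome will reject the certificate" >&2; rc=1; }
    return $rc
}

case "${1:-}" in
    prepare) shift; prepare_csr "$@" ;;
    finish)  shift; finish_keystore "$@" ;;
    check)   shift; check_listing "$@" ;;   # keytool -list -v ... | sh tomcat-ipa.sh check <fqdn>
    "") ;;   # sourced or run without arguments: only define the functions
    *) echo "usage: $0 prepare fqdn realm org locality state country | finish fqdn | check fqdn" >&2
       exit 2 ;;
esac
```

Usage for the host on the page: `STOREPASS=... sh tomcat-ipa.sh prepare rt.unix.asenjo.nl UNIX.ASENJO.NL Lekkerthuis Arnhem GE NL`, submit rt.unix.asenjo.nl.csr in the IPA web UI (the `ipa cert-request` command does the same from the shell), save the result as rt.unix.asenjo.nl.crt, then `STOREPASS=... sh tomcat-ipa.sh finish rt.unix.asenjo.nl`. The `check` subcommand works on a keystore built interactively as on the page too; a chain length of 1 there means the reply was imported under the wrong alias and stored as a separate trusted entry instead of completing the key's chain.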