Tomcat certificate ipa

From Asenjo


generate a keystore with the right subject data for the IPA CA (the IPA REALM goes in the OU field)

The command below starts a wizard; answer the questions exactly as described here, otherwise the certificate will not work once it is installed.

first and last name => the FQDN of the host (this becomes the CN)

name of organizational unit => the IPA REALM (UNIX.ASENJO.NL here)

the rest of the fields are not crucial, but it is nice to fill them in properly

# keytool -genkey -alias rt.unix.asenjo.nl -keyalg RSA -keystore rt.unix.asenjo.nl.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  rt.unix.asenjo.nl
What is the name of your organizational unit?
  [Unknown]:  UNIX.ASENJO.NL
What is the name of your organization?
  [Unknown]:  Lekkerthuis
What is the name of your City or Locality?
  [Unknown]:  Arnhem
What is the name of your State or Province?
  [Unknown]:  GE
What is the two-letter country code for this unit?
  [Unknown]:  NL
Is CN=rt.unix.asenjo.nl, OU=UNIX.ASENJO.NL, O=Lekkerthuis, L=Arnhem, ST=GE, C=NL correct?
  [no]:  yes

Enter key password for <rt.unix.asenjo.nl>
        (RETURN if same as keystore password):

verify keystore

root@rt:/tmp/csr# keytool -list -keystore rt.unix.asenjo.nl.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

rt.unix.asenjo.nl, Jul 3, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): D1:5E:04:9A:1D:6A:73:B7:4C:3E:5A:24:94:35:C3:01:AA:8F:81:EC

import the IPA root CA into the keystore (the signed host certificate is chained to it later)

keytool -import -alias unix.asenjo.nl -keystore rt.unix.asenjo.nl.jks -file ca.crt
Enter keystore password:
Owner: CN=Certificate Authority, O=UNIX.ASENJO.NL
Issuer: CN=Certificate Authority, O=UNIX.ASENJO.NL
Serial number: 1
Valid from: Sat Feb 27 20:05:55 CET 2016 until: Wed Feb 27 20:05:55 CET 2036
Certificate fingerprints:
         MD5:  E7:FD:93:8B:E4:9B:F1:59:4A:67:F6:EF:0F:2B:68:C5
         SHA1: 8F:78:D8:7F:AC:D5:5B:AD:3E:91:81:86:96:59:C9:66:B3:5B:C0:80
         SHA256: 67:EC:0A:72:32:21:1B:BA:3D:D2:F5:41:D0:6D:A7:9D:EB:70:B7:99:AC:26:1D:97:E4:6C:F9:51:DF:C0:08:94
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://kdc1.unix.asenjo.nl:80/ca/ocsp
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F9 26 16 6F 11 5D AF 35   52 1F 93 F0 EF F3 89 63  .&.o.].5R......c
0010: 3F FC 67 8A                                        ?.g.
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_CertSign
  Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F9 26 16 6F 11 5D AF 35   52 1F 93 F0 EF F3 89 63  .&.o.].5R......c
0010: 3F FC 67 8A                                        ?.g.
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore

generate csr

You need the SAN extension for Chrome now, because Chrome only accepts the hostname from a subjectAltName and ignores the CN (or you'll get creepy messages):

# keytool -certreq -keyalg RSA -alias rt.unix.asenjo.nl -file rt.unix.asenjo.nl.csr -keystore rt.unix.asenjo.nl.jks -ext san=dns:rt.unix.asenjo.nl
Enter keystore password:

check that csr exists

root@rt:/tmp/csr# ls -ltr
total 32
-rw-r--r--   1 root     root        1321 Feb 27  2016 ca.crt
-rw-r--r--   1 root     root        3235 Jul  3 21:03 rt.unix.asenjo.nl.jks
-rw-r--r--   1 root     root        2724 Jul  3 21:06 kk
-rw-r--r--   1 root     root        1096 Jul  3 21:07 rt.unix.asenjo.nl.csr

submit the CSR to the IPA CA in the web UI, get the signed certificate back and save it to a file (rt.unix.asenjo.nl.crt below)

import the signed certificate into the keystore, under the same alias as the private key so keytool treats it as the certificate reply for that key

# keytool -import -alias rt.unix.asenjo.nl -file rt.unix.asenjo.nl.crt -keystore rt.unix.asenjo.nl.jks
Enter keystore password:
Certificate reply was installed in keystore

check it:

# keytool -list -keystore rt.unix.asenjo.nl.jks 
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

unix.asenjo.nl, Jul 3, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 8F:78:D8:7F:AC:D5:5B:AD:3E:91:81:86:96:59:C9:66:B3:5B:C0:80
rt.unix.asenjo.nl, Jul 3, 2017, PrivateKeyEntry, 
Certificate fingerprint (SHA1): A2:BC:82:9B:2A:EA:8F:E8:C5:D5:D3:81:0E:2C:3F:8B:A0:59:4E:51

the host certificate, the root CA and the private key are all there ;-)
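The same workflow as a non-interactive script, added here as an example (it is not code from this wiki page): it builds the keystore with the subject the wizard produces, checks the CA file against the fingerprint seen at import time before trusting it, requests the CSR with the SAN Chrome needs, installs the signed reply and then verifies that the final listing has the CA as trustedCertEntry and the host as PrivateKeyEntry. Assumptions not on the page: keytool from a JDK is on PATH, the IPA CA certificate is saved as ca.crt in the working directory, the signed reply from the web UI is saved as "$HOST.crt", and the keystore password is supplied in the STOREPASS environment variable (keytool's -storepass:env form keeps it out of the process list and shell history). Host, realm, organisation and the expected CA SHA1 are the values shown on this page.

```shell
#!/bin/sh
# Added example, not code from the wiki page. Usage:
#   STOREPASS=... sh tomcat-ipa-keystore.sh <fqdn> <REALM> build     # steps 1-3
#   STOREPASS=... sh tomcat-ipa-keystore.sh <fqdn> <REALM> install   # step 4 + verify
#   sh tomcat-ipa-keystore.sh                                        # offline self-check
# Assumptions: keytool on PATH, ca.crt in the working directory, the signed
# reply saved as "$HOST.crt" (all assumed, not from the page).
set -eu

HOST="${1:-rt.unix.asenjo.nl}"
REALM="${2:-UNIX.ASENJO.NL}"
CA_ALIAS="$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')"   # the page uses unix.asenjo.nl
KEYSTORE="$HOST.jks"
# SHA1 of the IPA CA as printed when the page imported ca.crt
EXPECTED_CA_SHA1="8F:78:D8:7F:AC:D5:5B:AD:3E:91:81:86:96:59:C9:66:B3:5B:C0:80"

# The subject the wizard on the page builds: CN is the FQDN, OU is the realm.
dname_for() {  # $1=fqdn $2=realm $3=org $4=city $5=state $6=country
  printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# SHA1 line from "keytool -printcert" output (stdin), e.g. "SHA1: 8F:78:..."
printcert_sha1() { awk '$1 == "SHA1:" { print $2; exit }'; }

# Entry type that "keytool -list" output (stdin) records for an alias:
# PrivateKeyEntry, trustedCertEntry, or "missing" when the alias is absent.
entry_type_of() {
  awk -v a="$1" '
    index($0, a ", ") == 1 { for (i = 1; i <= NF; i++) if ($i ~ /Entry/) { sub(/,$/, "", $i); print $i; found = 1 } }
    END { if (!found) print "missing" }'
}

# Fingerprint printed on the line following an alias in "keytool -list" output.
fingerprint_of() {
  awk -v a="$1" '
    index($0, a ", ") == 1 { want = 1; next }
    want && /Certificate fingerprint/ { print $NF; exit }
    { want = 0 }'
}

# A finished keystore must hold the CA as trustedCertEntry and the host as
# PrivateKeyEntry, with the CA fingerprint seen at import time; anything else
# means the wrong CA, or no chain, was imported.
verify_listing() {
  ca_type=$(printf '%s\n' "$1" | entry_type_of "$CA_ALIAS")
  host_type=$(printf '%s\n' "$1" | entry_type_of "$HOST")
  ca_fp=$(printf '%s\n' "$1" | fingerprint_of "$CA_ALIAS")
  [ "$ca_type" = trustedCertEntry ] || { echo "CA alias $CA_ALIAS: $ca_type" >&2; return 1; }
  [ "$host_type" = PrivateKeyEntry ] || { echo "host alias $HOST: $host_type" >&2; return 1; }
  [ "$ca_fp" = "$EXPECTED_CA_SHA1" ] || { echo "CA fingerprint mismatch: $ca_fp" >&2; return 1; }
}

# Steps 1-3 of the page: key pair, CA import, CSR with the SAN extension.
build_keystore() {
  : "${STOREPASS:?set STOREPASS in the environment}"
  dn=$(dname_for "$HOST" "$REALM" Lekkerthuis Arnhem GE NL)
  keytool -genkeypair -alias "$HOST" -keyalg RSA -keysize 2048 -dname "$dn" \
    -keystore "$KEYSTORE" -storepass:env STOREPASS -keypass:env STOREPASS
  # compare the CA fingerprint in the script instead of answering "Trust this certificate?"
  [ "$(keytool -printcert -file ca.crt | printcert_sha1)" = "$EXPECTED_CA_SHA1" ] \
    || { echo "ca.crt is not the expected IPA CA" >&2; return 1; }
  keytool -importcert -noprompt -alias "$CA_ALIAS" -file ca.crt \
    -keystore "$KEYSTORE" -storepass:env STOREPASS
  keytool -certreq -alias "$HOST" -file "$HOST.csr" -ext "san=dns:$HOST" \
    -keystore "$KEYSTORE" -storepass:env STOREPASS
  echo "submit $HOST.csr to the IPA web UI and save the reply as $HOST.crt" >&2
}

# Step 4: install the signed reply under the key's alias (keytool chains it
# to the CA imported above) and verify the resulting listing.
install_reply() {
  : "${STOREPASS:?set STOREPASS in the environment}"
  keytool -importcert -alias "$HOST" -file "$HOST.crt" \
    -keystore "$KEYSTORE" -storepass:env STOREPASS
  verify_listing "$(keytool -list -keystore "$KEYSTORE" -storepass:env STOREPASS)"
}

# Constructed sample: the page's final "keytool -list" output, for an offline
# self-check of the parsing above.
SAMPLE_LISTING='Your keystore contains 2 entries

unix.asenjo.nl, Jul 3, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 8F:78:D8:7F:AC:D5:5B:AD:3E:91:81:86:96:59:C9:66:B3:5B:C0:80
rt.unix.asenjo.nl, Jul 3, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): A2:BC:82:9B:2A:EA:8F:E8:C5:D5:D3:81:0E:2C:3F:8B:A0:59:4E:51'

case "${3:-check}" in
  build)   build_keystore ;;
  install) install_reply ;;
  check)   verify_listing "$SAMPLE_LISTING" && echo "sample listing OK" ;;
esac
```

Run it once with `build`, submit the CSR to the IPA web UI as the page describes, save the reply and run it again with `install`; the verify step fails loudly if the CA alias is missing, if the host entry is not a PrivateKeyEntry (for example when the reply was imported under a new alias instead of the key's alias), or if a different CA certificate was imported than the one whose fingerprint was checked.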