How to generate/use OpenSSL SSL certificates for Web servers and use them in a Java Key Store or IKeyman Database

A step-by-step guide to creating a certificate with OpenSSL, having it signed, importing the certificate and its private key into a Java Key Store (JKS) file for use in JBoss (and others), and then converting the certificate and key into both a PKCS12 export and a CMS database generated by IKeyman for import into WebSphere.

This post comes about as a result of needing to create/use an SSL certificate in two different application servers (JBoss and WebSphere) on my current project for development/testing purposes.

N.B. This is a combination of knowledge & researched information; links are provided as required within the post.

It is very easy to generate self-signed certificates, or certificate requests, that work in only one of these scenarios; the fun comes when you want one certificate to work across all of them …

OpenSSL is a very good starting point for certificate handling: it offers a great deal of flexibility and is able to transform certificates and keys between formats with relative ease.

Generating the Private Key and Certificate

Let's get started by actually creating the private key and the certificate request, and then “receiving” the certificate:

(Performed on a Linux machine)

  • Create a directory to hold all of the certificate bits
    • mkdir cert
    • cd cert
  • Create the private keys
    • openssl genrsa -des3 -out ssl_cert.key 1024
  • Create the Certificate Signing Request (CSR)
    • openssl req -new -key ssl_cert.key -out ssl_cert.csr
  • Send the CSR to your Certificate Authority (CA) for signing
  • When you receive the certificate, copy and paste it into a file named ssl_cert.cert
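The generation steps above as one script, added here as an example (it is not part of the original post), together with the consistency check worth running before any keystore work: it verifies the CSR's own signature and confirms that the certificate's RSA modulus matches the private key's. The working directory, passphrase and subject are constructed values; because the CA round trip cannot run offline, the CSR is self-signed locally as a stand-in for the signed ssl_cert.cert you would paste in. It deviates from the post's command in two places, both marked in the comments: a 2048-bit key, since 1024-bit RSA is below the minimum that browsers and the CA/Browser Forum baseline requirements accept, and AES-256 rather than 3DES for the key file's passphrase protection.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the private key,
# the CSR and a certificate with OpenSSL, then check that the pieces belong
# together before handing them to any keystore tool.
#
# Assumptions (not from the post): the work happens in the directory passed
# as $1, the key passphrase is passed as $2, and the subject is a constructed
# test identity. The CA step cannot run offline, so the "received"
# certificate is produced by self-signing the CSR with the same key; with a
# real CA, drop sign_csr_locally and save the CA's reply as ssl_cert.cert.

set -eu

SUBJECT="/C=GB/O=Example Dev/CN=dev.example.test"   # constructed subject

# Step 1: passphrase-protected RSA key. The post uses -des3 and 1024 bits;
# 2048 bits and AES-256 are current-practice substitutions.
make_key() {
    dir=$1; pass=$2
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/ssl_cert.key" 2048 2>/dev/null
}

# Step 2: CSR. -subj and -passin replace the prompts the post's command shows.
make_csr() {
    dir=$1; pass=$2
    openssl req -new -key "$dir/ssl_cert.key" -passin "pass:$pass" \
        -subj "$SUBJECT" -out "$dir/ssl_cert.csr"
}

# Step 3 stand-in: self-sign the CSR. A real CA returns ssl_cert.cert instead.
sign_csr_locally() {
    dir=$1; pass=$2
    openssl x509 -req -in "$dir/ssl_cert.csr" -signkey "$dir/ssl_cert.key" \
        -passin "pass:$pass" -days 30 -out "$dir/ssl_cert.cert" 2>/dev/null
}

# Check 1: the CSR's self-signature verifies (catches a corrupted copy/paste).
csr_is_valid() {
    openssl req -noout -verify -in "$1/ssl_cert.csr" >/dev/null 2>&1
}

# Check 2: the certificate was really issued for this private key. Comparing
# the RSA moduli is the classic test; a mismatch is the usual cause of a
# keystore import that "succeeds" but a server that then fails the handshake.
key_matches_cert() {
    dir=$1; pass=$2
    k=$(openssl rsa -noout -modulus -in "$dir/ssl_cert.key" -passin "pass:$pass" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$dir/ssl_cert.cert" | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Show what actually ended up in the certificate (subject, issuer, validity).
show_cert() {
    openssl x509 -noout -subject -issuer -dates -in "$1/ssl_cert.cert"
}

# Run the whole flow when invoked as: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    workdir=$(mktemp -d)
    make_key "$workdir" changeit
    make_csr "$workdir" changeit
    sign_csr_locally "$workdir" changeit
    csr_is_valid "$workdir" && key_matches_cert "$workdir" changeit \
        && echo "key, CSR and certificate are consistent in $workdir" \
        && show_cert "$workdir"
fi
```

Run it with `sh script.sh run`; if key_matches_cert fails after a real CA reply, the certificate was issued against a different CSR or key and must not be imported anywhere.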

Converting the key and certificate to a Java Key Store (JKS) file

Note: This section is based on the ImportKey page and uses the ImportKey tool found there. For clarity, the steps from the original page are included here. (Disclaimer: check the safety of all code that manages/manipulates private keys & certificates downloaded from the net prior to use; basically, you are responsible for what you do yourself.)

(On the same Linux machine)

  • Create the Java class path structure (ImportKey lives in the comu package)
    • cd cert
    • mkdir comu
  • Download ImportKey.java from the linked site to the comu directory
  • Compile the code
    • javac ImportKey.java
  • Convert the key and certificate to binary DER format
    • openssl pkcs8 -topk8 -nocrypt -in ssl_cert.key -out ssl_cert.key.der -outform der
    • openssl x509 -in ssl_cert.cert -out ssl_cert.cert.der -outform der
  • Import the key and certificate
    • java comu.ImportKey ssl_cert.key.der ssl_cert.cert.der

* This creates/replaces a file called ~/keystore.ImportKey

  • Add a password to the JKS file
    • cd
    • keytool -storepasswd -v -new <password> -keystore keystore.ImportKey -storepass ""

You can change the name of the file and use it as your JKS file for various application servers.

Converting the certificate to a PKCS12/.p12 export and a CMS format key DB

On a machine with WebSphere & IKeyman installed.

  • Set the JAVA_HOME
    • export JAVA_HOME=/opt/IBM/WebSphere/AppServer/java
  • Set the path
    • export PATH=/opt/IBM/WebSphere/AppServer/java/bin:$PATH
  • Replace the security policy files in the IBM JRE with the US/unrestricted versions

N.B. You will need to download this updated policy from IBM

    • cd /opt/IBM/WebSphere/AppServer/java/jre/lib/security
    • unzip ~/unrestricted.zip

** The files in this directory are overwritten in place, so back them up beforehand just in case.

  • Convert the key and certificate to PKCS12 format so IKeyman can import it
    • openssl pkcs12 -export -inkey ssl_cert.key -in ssl_cert.cert -out ssl_cert.p12

You can use this PKCS12 export directly to import into WebSphere, or you can proceed to the steps below to generate a CMS DB using IKeyman.
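The conversions from the two sections above (the DER files that ImportKey consumes, and the PKCS12 export) as one added example; it is not part of the original post and does not use the ImportKey tool. It also shows a route to a JKS that needs no third-party code: since Java 6, keytool -importkeystore can copy the key entry straight out of the .p12, which replaces the compile-and-import steps and sets the store password in one go. The working directory, passphrase, alias and the self-signed certificate used in place of the CA-signed ssl_cert.cert are constructed. One caveat for the PKCS12 path: OpenSSL 3 writes .p12 files with AES-256 and PBKDF2 by default, which older JREs and IKeyman builds may not open; its -legacy option produces the older 3DES/RC2 layout for those consumers.

```shell
#!/bin/sh
# Added example, not code from the original post or the ImportKey tool: turn
# the same key/certificate into the forms the post needs (DER for ImportKey,
# a PKCS12/.p12 for IKeyman or WebSphere) and build the JKS from the .p12
# with keytool's own -importkeystore instead of third-party import code.
#
# Assumptions (not from the post): the work happens in $1, the key and store
# passphrase is $2, the alias is "ssl_cert", and a throwaway self-signed
# certificate stands in for the CA-signed ssl_cert.cert so the script runs
# offline.

set -eu

# Constructed fixture: unencrypted key + self-signed cert under the post's
# file names. Replace with the real ssl_cert.key / ssl_cert.cert.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=dev.example.test" \
        -keyout "$1/ssl_cert.key" -out "$1/ssl_cert.cert" 2>/dev/null
}

# The post's DER step for ImportKey. With a passphrase-protected key add
# -passin. -nocrypt writes the key in clear, so remove the .der afterwards.
to_der() {
    openssl pkcs8 -topk8 -nocrypt -in "$1/ssl_cert.key" \
        -out "$1/ssl_cert.key.der" -outform der
    openssl x509 -in "$1/ssl_cert.cert" -out "$1/ssl_cert.cert.der" -outform der
}

# Sanity check: both DER files parse as what they claim to be.
der_is_valid() {
    openssl pkey -inform der -in "$1/ssl_cert.key.der" -noout >/dev/null 2>&1 &&
    openssl x509 -inform der -in "$1/ssl_cert.cert.der" -noout >/dev/null 2>&1
}

# The post's PKCS12 step, made non-interactive. -name sets the alias that
# IKeyman and keytool display (the post notes the default can be unwieldy).
# Add -legacy (OpenSSL 3) if the consumer cannot read AES-256/PBKDF2 .p12 files.
export_pkcs12() {
    dir=$1; pass=$2
    openssl pkcs12 -export -inkey "$dir/ssl_cert.key" -in "$dir/ssl_cert.cert" \
        -name ssl_cert -passout "pass:$pass" -out "$dir/ssl_cert.p12"
}

# Confirm the .p12 opens with the passphrase and carries exactly one key.
pkcs12_key_count() {
    openssl pkcs12 -in "$1/ssl_cert.p12" -passin "pass:$2" -nodes -nocerts 2>/dev/null |
        grep -c 'BEGIN PRIVATE KEY'
}

# JKS without ImportKey: copy the PKCS12 entry into a JKS. The destination
# store password is set here, so the post's separate -storepasswd step is
# not needed. keytool may warn that JKS is a proprietary format; that is fine.
pkcs12_to_jks() {
    dir=$1; pass=$2
    keytool -importkeystore -noprompt \
        -srckeystore "$dir/ssl_cert.p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$dir/keystore.jks" -deststoretype JKS -deststorepass "$pass" \
        -srcalias ssl_cert -destalias ssl_cert >/dev/null 2>&1
}

# Verify the JKS holds a private-key entry (not just a trusted cert) under the alias.
jks_has_key_entry() {
    keytool -list -keystore "$1/keystore.jks" -storepass "$2" -alias ssl_cert 2>/dev/null |
        grep -q PrivateKeyEntry
}

# Run the whole flow when invoked as: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    make_fixture "$d"; to_der "$d"; der_is_valid "$d"
    export_pkcs12 "$d" changeit
    echo "private keys in .p12: $(pkcs12_key_count "$d" changeit)"
    if command -v keytool >/dev/null 2>&1; then
        pkcs12_to_jks "$d" changeit && jks_has_key_entry "$d" changeit \
            && echo "JKS ready: $d/keystore.jks"
    fi
    rm -f "$d/ssl_cert.key.der"   # clear-text copy of the key, no longer needed
fi
```

The resulting keystore.jks can be renamed and used as the post describes; the .p12 is the file to point IKeyman at in the next section.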

To import the keys into a CMS format DB using IKeyman:

Open IKeyman

  • /opt/IBM/WebSphere/AppServer/bin/ikeyman.sh&
  • Create a new database (CMS format); you need to tick the option to stash the password to a file
  • Go to Signer Certificates
    • Check that the CA that signed your certificate is included in the list. If it is not, you will need to import its root certificate before importing your own certificate.
  • Go to Personal Certificates
    • Import
    • Select PKCS12 format type
    • Navigate to the file created above
    • You may wish to rename the alias for the certificate if the one read from the file is unwieldy
    • Click OK & exit IKeyman

Note: Importing the CMS DB generated by IKeyman or the PKCS12/.p12 file into WebSphere is left to another post.
