[ https://issues.apache.org/jira/browse/KNOX-477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Larry McCay updated KNOX-477:
-----------------------------
    Description: 
* created a private key using openssl - "openssl genrsa -out privatekey.pem 1024"
* created cert using openssl - "openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825"
* converted them to a PKCS12 store using openssl - "openssl pkcs12 -export -out public_privatekey.pfx -inkey privatekey.pem -in publickey.cer"
* import PKCS12 store into gateway.jks using keytool - "keytool -importkeystore -srckeystore public_privatekey.pfx -srcstoretype PKCS12 -keystore gateway.jks"
* changed the alias of the imported key pair to "gateway-identity" using keytool - "keytool -changealias -alias "1" -destalias "gateway-identity" -keystore gateway.jks -storepass knoxpw"
* changed the key passphrase to something that I could know using keytool - "keytool -keypasswd -alias gateway-identity -keystore gateway.jks"
* provisioned the key passphrase into __gateway-credentials.jceks using knoxcli.sh create-alias gateway-identity-passphrase - "bin/knoxcli.sh create-alias gateway-identity-passphrase"

NOTE: You have to make sure that the keystore passwords are the same as the 
master secret for the knox instance. If you are unsure of the master secret 
then create a new one before you start the above: "bin/knoxcli.sh create-master"

  was:
* created a private key and public cert using openssl - "openssl genrsa -out privatekey.pem 1024"
* converted them to a PKCS12 store using openssl - "openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825"
* imported the PKCS12 store into a new gateway.jks using keytool - "openssl pkcs12 -export -out public_privatekey.pfx -inkey privatekey.pem -in publickey.cer"
* changed the alias of the imported key pair to "gateway-identity" using keytool - "keytool -importkeystore -srckeystore public_privatekey.pfx -srcstoretype PKCS12 -keystore gateway.jks"
* changed the key passphrase to something that I could know using keytool - "keytool -changealias -alias "1" -destalias "gateway-identity" -keystore gateway.jks -storepass knoxpw"
* provisioned the key passphrase into __gateway-credentials.jceks using knoxcli.sh create-alias gateway-identity-passphrase - "bin/knoxcli.sh create-alias gateway-identity-passphrase"

NOTE: You have to make sure that the keystore passwords are the same as the 
master secret for the knox instance. If you are unsure of the master secret 
then create a new one before you start the above: "bin/knoxcli.sh create-master"


> Document the use of openssl and keytool to import cert for gateway SSL
> ----------------------------------------------------------------------
>
>                 Key: KNOX-477
>                 URL: https://issues.apache.org/jira/browse/KNOX-477
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Site
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>
> * created a private key using openssl - "openssl genrsa -out privatekey.pem 1024"
> * created cert using openssl - "openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825"
> * converted them to a PKCS12 store using openssl - "openssl pkcs12 -export -out public_privatekey.pfx -inkey privatekey.pem -in publickey.cer"
> * import PKCS12 store into gateway.jks using keytool - "keytool -importkeystore -srckeystore public_privatekey.pfx -srcstoretype PKCS12 -keystore gateway.jks"
> * changed the alias of the imported key pair to "gateway-identity" using keytool - "keytool -changealias -alias "1" -destalias "gateway-identity" -keystore gateway.jks -storepass knoxpw"
> * changed the key passphrase to something that I could know using keytool - "keytool -keypasswd -alias gateway-identity -keystore gateway.jks"
> * provisioned the key passphrase into __gateway-credentials.jceks using knoxcli.sh create-alias gateway-identity-passphrase - "bin/knoxcli.sh create-alias gateway-identity-passphrase"
>
> NOTE: You have to make sure that the keystore passwords are the same as the master secret for the knox instance. If you are unsure of the master secret then create a new one before you start the above: "bin/knoxcli.sh create-master"



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
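
A post-import check for the keystore that the steps in this issue produce, added here as an example (it is not part of the original issue text or of Apache Knox): it reads `keytool -list -v` output and confirms that the `gateway-identity` alias exists, is a private-key entry, and carries an RSA key of at least 2048 bits. The function names, the sample listing and the 2048-bit threshold are this example's assumptions, and it assumes a JDK whose keytool prints the "Subject Public Key Algorithm" line.

```shell
#!/bin/sh
# Added example: verify the imported gateway identity from `keytool -list -v` output.
# Real use: keytool -list -v -keystore gateway.jks | check_listing

# Reads a listing on stdin and prints one verdict line. Return codes:
# 0 ok, 1 alias missing, 2 not a private key entry,
# 3 RSA key under 2048 bits (threshold is this example's assumption),
# 4 key size not reported by this keytool version.
check_listing() {
    awk -v want="gateway-identity" '
        /^Alias name:/ { cur = $3 }
        cur == want && /^Entry type:/ { found = 1; type = $3 }
        cur == want && /Subject Public Key Algorithm:/ {
            split($5, part, "-"); bits = part[1] + 0; alg = $6
        }
        END {
            if (!found) { print "FAIL: alias " want " not found"; exit 1 }
            if (type != "PrivateKeyEntry") { print "FAIL: " want " is a " type; exit 2 }
            if (bits == 0) { print "WARN: key size not reported"; exit 4 }
            if (alg == "RSA" && bits < 2048) { print "FAIL: " bits "-bit RSA key"; exit 3 }
            print "OK: " want " is a PrivateKeyEntry with a " bits "-bit " alg " key"
        }'
}

# Constructed sample in keytool's listing layout: $1 = alias, $2 = RSA key bits.
sample_listing() {
    cat <<EOF
Keystore type: JKS

Alias name: $1
Entry type: PrivateKeyEntry
Certificate chain length: 1
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: $2-bit RSA key
EOF
}

# Keystore built exactly as in the steps above: alias renamed, 1024-bit key.
sample_listing gateway-identity 1024 | check_listing || true
# Import done but -changealias skipped: the entry is still named "1".
sample_listing 1 1024 | check_listing || true
# Same steps with a 2048-bit key passed to openssl genrsa.
sample_listing gateway-identity 2048 | check_listing || true
```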
