Hi Ricardo, Dogtag is all about signing and managing certificates. Our documentation covers how to submit a CSR to Dogtag, how to sign the cert and retrieve the certificate. It is not really in scope for our documentation to explain how to configure TLS/SSL for a particular server program.
Cheers,
Fraser

On Sun, Oct 02, 2016 at 12:16:37AM -0500, Ricardo Alexander Perez Ricardez wrote:
> This is a request or suggestion:
>
> It would be possible to include in the documentation website DogTag
> Certificate System, How to Installing and configuring a certificate wildfly
> jboss server.
>
> We provided the following information:
>
> http://reallifejava.com/configuring-ssl-in-wildfly-8/
>
> Instructions for Generating Repository SSL Keystores
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> <store password> is the keystore password. The file
> ${dir.keystore}/ssl-keystore-passwords.properties contains passwords for the
> SSL keystore,
> ${dir.keystore}/ssl-truststore-passwords.properties contains passwords for
> the SSL truststore.
>
> These instructions will create an RSA public/private key pair for the
> repository with a certificate that has been signed by the Alfresco
> Certificate Authority (CA).
> It will also create a truststore for the repository containing the CA
> certificate; this will be used to authenticate connections to specific
> repository
> URLs from Solr. It assumes the existence of the Alfresco CA key and
> certificate to sign the repository certificate; for security reasons these
> are not generally available.
> You can either generate your own CA key and certificate (see instructions
> below) or use a recognised Certificate Authority such as Verisign. For
> Alfresco employees the key
> and certificate are available in svn.
>
> (i) Generate the repository public/private key pair in a keystore:
>
> $ keytool -genkey -alias ssl.repo -keyalg RSA -keystore ssl.keystore
> -storetype JCEKS -storepass <store password>
> Enter keystore password:
> Re-enter new password:
> What is your first and last name?
> [Unknown]: Alfresco Repository
> What is the name of your organizational unit?
> [Unknown]:
> What is the name of your organization?
> [Unknown]: Alfresco Software Ltd.
> What is the name of your City or Locality?
> [Unknown]: Maidenhead
> What is the name of your State or Province?
> [Unknown]: UK
> What is the two-letter country code for this unit?
> [Unknown]: GB
> Is CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd.,
> L=Maidenhead, ST=UK, C=GB correct?
> [no]: yes
>
> Enter key password for <ssl.repo>
> (RETURN if same as keystore password):
>
> (ii) Generate a certificate request for the repository key
>
> $ keytool -keystore ssl.keystore -alias ssl.repo -certreq -file repo.csr
> -storetype JCEKS -storepass <store password>
>
> (iii) Alfresco CA signs the certificate request, creating a certificate that
> is valid for 365 days.
>
> $ openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in repo.csr
> -out repo.crt -days 365
> Signature ok
> subject=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software
> Ltd./OU=Unknown/CN=Alfresco Repository
> Getting CA Private Key
> Enter pass phrase for ca.key:
>
> (iv) Import the Alfresco CA key into the repository key store
>
> $ keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore
> -storetype JCEKS -storepass <store password>
> Enter keystore password:
> Owner: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
> Issuer: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
> Serial number: 805ba6dc8f62f8b8
> Valid from: Fri Aug 12 13:28:58 BST 2011 until: Mon Aug 09 13:28:58 BST 2021
> Certificate fingerprints:
> MD5: 4B:45:94:2D:8E:98:E8:12:04:67:AD:AE:48:3C:F5:A0
> SHA1: 74:42:22:D0:52:AD:82:7A:FD:37:46:37:91:91:F4:77:89:3A:C9:A3
> Signature algorithm name: SHA1withRSA
> Version: 3
>
> Extensions:
>
> #1: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: 08 42 40 DC FE 4A 50 87 05 2B 38 4D 92 70 8E 51 .B@..JP..+8M.p.Q
> 0010: 4E 38 71 D6 N8q.
> ]
> ]
>
> #2: ObjectId: 2.5.29.19 Criticality=false
> BasicConstraints:[
> CA:true
> PathLen:2147483647
> ]
>
> #3: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: 08 42 40 DC FE 4A 50 87 05 2B 38 4D 92 70 8E 51 .B@..JP..+8M.p.Q
> 0010: 4E 38 71 D6 N8q.
> ]
>
> [CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB]
> SerialNumber: [ 805ba6dc 8f62f8b8]
> ]
>
> Trust this certificate? [no]: yes
> Certificate was added to keystore
>
> (v) Import the CA-signed repository certificate into the repository keystore
>
> $ keytool -import -alias ssl.repo -file repo.crt -keystore ssl.keystore
> -storetype JCEKS -storepass <store password>
> Enter keystore password:
> Certificate reply was installed in keystore
>
> (vi) Convert the repository keystore to a pkcs12 keystore (for use in
> browsers such as Firefox). Give the pkcs12 key store the key store password
> 'alfresco'.
>
> keytool -importkeystore -srckeystore ssl.keystore -srcstorepass <keystore
> password> -srcstoretype JCEKS -srcalias ssl.repo -srckeypass kT9X6oe68t
> -destkeystore firefox.p12 -deststoretype pkcs12 -deststorepass alfresco
> -destalias ssl.repo -destkeypass alfresco
>
> (vi) Create a repository truststore containing the Alfresco CA certificate
>
> keytool -import -alias ssl.alfreco.ca -file ca.crt -keystore ssl.keystore
> -storetype JCEKS -storepass <store password>
> keytool -import -alias alfreco.ca -file ca.crt -keystore ssl.truststore
> -storetype JCEKS -storepass <store password>
>
> (vii) Copy the keystore and truststore to the repository keystore location
> defined by the property 'dir.keystore'.
> (viii) Update the SSL properties i.e. properties starting with the prefixes
> 'alfresco.encryption.ssl.keystore' and 'alfresco.encryption.ssl.truststore'.
>
> Instructions for Generating a Certificate Authority (CA) Key and Certificate
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> (i) Generate the CA private key
>
> $ openssl genrsa -des3 -out ca.key 1024
> Generating RSA private key, 1024 bit long modulus
> ..........++++++
> ..++++++
> e is 65537 (0x10001)
> Enter pass phrase for ca.key:
> Verifying - Enter pass phrase for ca.key:
>
> (ii) Generate the CA self-signed certificate
>
> $ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
> Enter pass phrase for ca.key:
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:GB
> State or Province Name (full name) [Some-State]:UK
> Locality Name (eg, city) []:Maidenhead
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alfresco Software
> Ltd.
> Organizational Unit Name (eg, section) []:
> Common Name (eg, YOUR name) []:Alfresco CA
> Email Address []:
>
> _______________________________________________
> Pki-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/pki-users
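
An added example, not part of the original message or of the Dogtag or Alfresco documentation: a small Python audit of the keytool certificate printout quoted in step (iv), flagging the SHA-1 signature, the validity period and the unlimited CA path length. The sample text is excerpted from that quoted output; the function names and the 5-year limit are assumptions.

```python
import re
from datetime import datetime

# Excerpt of the keytool printout quoted in step (iv) of the message above.
SAMPLE = """\
Owner: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
Valid from: Fri Aug 12 13:28:58 BST 2011 until: Mon Aug 09 13:28:58 BST 2021
Signature algorithm name: SHA1withRSA
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
"""

WEAK_DIGESTS = ("MD2", "MD5", "SHA1")  # digests deprecated for certificate signatures
MAX_CA_YEARS = 5                        # assumed local policy, not a value from the page
JAVA_NO_PATHLEN = 2147483647            # Integer.MAX_VALUE: how Java reports "no limit"


def _parse_date(text):
    # keytool prints e.g. "Fri Aug 12 13:28:58 BST 2011"; drop the zone token,
    # which strptime cannot parse portably.
    parts = text.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")


def audit_keytool_cert(printout, max_years=MAX_CA_YEARS):
    """Return a list of findings for one certificate printed by keytool."""
    findings = []
    sig = re.search(r"Signature algorithm name: (\w+)", printout)
    if sig and sig.group(1).upper().startswith(WEAK_DIGESTS):
        findings.append(f"weak signature digest: {sig.group(1)}")
    valid = re.search(r"Valid from: (.+?) until: (.+)$", printout, re.M)
    if valid:
        start, end = _parse_date(valid.group(1)), _parse_date(valid.group(2))
        years = (end - start).days / 365.25
        if years > max_years:
            findings.append(f"validity {years:.1f} years exceeds {max_years}")
    if re.search(r"CA:true", printout):
        path = re.search(r"PathLen:\s*(\d+)", printout)
        if path is None or int(path.group(1)) == JAVA_NO_PATHLEN:
            findings.append("CA certificate with no path length constraint")
    return findings


if __name__ == "__main__":
    for finding in audit_keytool_cert(SAMPLE):
        print("-", finding)
```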
