The goal of this document is to demonstrate the step-by-step procedure for creating a CA with OpenSSL on Windows and getting certificates signed by the CA so created.
NOTE:- This can only be used for testing purposes and must not be used for production systems; this is a private CA and does not provide the security that an authorised CA body provides.
Step 1. Download and set up the OpenSSL environment
Download the required binaries from the link below:
http://www.openssl.org/related/binaries.html which refers you to
http://slproweb.com/products/Win32OpenSSL.html
This page also offers the “Visual C++ 2008 Redistributable for Windows” download, without which you will not be able to run the OpenSSL binaries and will hit the error shown below. So download the OpenSSL build appropriate for your machine along with the Visual C++ Redistributable from http://slproweb.com/products/Win32OpenSSL.html
Once the installation has completed you will find the folder “C:\OpenSSL-Win64” created under C:\ by default (the name may vary according to the binaries used).
So that Windows can find the openssl commands, add C:\OpenSSL-Win64\bin to your system PATH variable.
Step 2 : Create the Root CA certificate and key
Open a DOS command prompt, navigate to the OpenSSL binaries directory and type:
cd C:\OpenSSL-Win64\bin
openssl genrsa -des3 -out PrivateRootCA.key 4096
When prompted, enter a *very* strong password and then verify it.
Now create the Root CA certificate (the public half, self-signed with the key above). Type:
openssl req -new -x509 -days 365 -key PrivateRootCA.key -out PrivateRootCA.cer
For Country Name enter the international standard two letter abbreviation (use GB, NOT UK if in the UK)
For State enter the state name in full, or for IN the county name
For Locality, enter where your company is registered, town or city
For organization name enter the full company name, e.g. Mycompany LTD
For organization unit enter Development or Support
For common name use your domain name, e.g. mycompany.com
For email address enter a valid address, e.g. support@mycompany.com, or leave this blank and hit Enter
This will create the Root CA certificate (public key) named “PrivateRootCA.cer”
Now you are done with the creation of a Root CA that can sign your certificates.
You can verify the Root CA by double-clicking on PrivateRootCA.cer; you will see that Issuer and Owner are the same, as below:-
From the screenshot above it can also be verified that the Subject Type is CA.
Step 3:- Trusting the new CA in the Windows trust store
In order for your Windows machine to treat this certificate as trusted, install it into the Windows trusted CA list as below:-
1. Double-click on the certificate named PrivateRootCA.cer
2. Click on the “Install Certificate” button at the bottom of the General tab
3. You will get the screen below; click on “Next”
4. On the next screen select “Place all certificates in the following store”, in the popup window select “Trusted Root Certification Authorities”, then click “OK” and “Finish”
5. Once you finish importing the new trusted Root CA into the store you will get the warning below from Windows.
Please read through it and say Yes if you are fine with this. If not, do not import the Root CA into your Windows trust store.
Step 4:- How to get your self-signed certificate signed by this CA
keytool -genkey -alias server_cert -keyalg RSA -keypass privatepassword -keystore keystore.jks -storepass password (create a key pair)
keytool -export -alias server_cert -file self-signed.cer -keystore keystore.jks (export the certificate from the keystore keystore.jks into a file, say self-signed.cer)
keytool -certreq -v -alias server_cert -file server.csr -keypass privatepassword -storepass password -keystore keystore.jks (generate a certificate signing request for the key pair)
Once the above three commands have executed you will have three files named:
keystore.jks
self-signed.cer
server.csr
Now double-click on the file named “self-signed.cer”, click on the “Details” tab and then click on “Serial number”; in the lower box you will find hex values something like
“4f b9 da 8c”. Keep this saved somewhere, as we will need it in the next step.
Now copy the file named “server.csr” to location “C:\OpenSSL-Win64\bin”
Execute the below command:-
openssl x509 -req -days 365 -in server.csr -CA PrivateRootCA.cer -CAkey PrivateRootCA.key -set_serial 0x4fb9da8c -out server.cer
NOTE:- Note the parameter named “-set_serial”, which is given the value “0x4fb9da8c”. This is nothing but the serial number we saved earlier as “4f b9 da 8c” from the self-signed certificate, so that the signed certificate is generated with the same serial, since we need to import it back into the keystore. It is prefixed with 0x because the value is in hex; the 0x is not needed if your serial value is in decimal format.
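Added example (my own code, not from the original post): a pure-Python helper that reads the serial number directly from the DER certificate keytool exported (keytool -export writes DER by default) and formats it as the -set_serial argument, instead of copying it from the Windows viewer by hand. It handles the two shapes seen on this page: the v1 certificate keytool -genkey produces (no version field before the serial) and a v3 certificate whose serial has its top bit set and so carries a leading 0x00 pad in DER, as the root CA's 9126d09b3c5e8c3c does. The sample certificates are constructed inside the block; against the real file call set_serial_arg(serial_from_cert(open("self-signed.cer", "rb").read())).

```python
# Added example (not from the original post): take the serial number straight from the
# DER certificate that keytool exported (self-signed.cer) and format it for -set_serial.
def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                          # long form: 0x8N followed by N length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def serial_from_cert(der_bytes):
    """Return the serialNumber (int) of an X.509 certificate given as DER bytes."""
    tag, cert, _ = read_tlv(der_bytes, 0)      # Certificate ::= SEQUENCE { tbsCertificate, ... }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = read_tlv(cert, 0)             # tbsCertificate ::= SEQUENCE { [0] version, serial, ... }
    tag, value, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:                           # [0] EXPLICIT version: present in v3 certs (openssl's
        tag, value, nxt = read_tlv(tbs, nxt)  # root CA), absent in the v1 cert keytool -genkey made
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    # DER INTEGER is two's complement: a 0x00 pad byte precedes values whose top bit is set
    return int.from_bytes(value, "big", signed=True)

def set_serial_arg(serial):
    """Format an int, or the viewer's text ('4f b9 da 8c'), as the -set_serial value, e.g. 0x4fb9da8c."""
    if isinstance(serial, str):
        serial = int(serial.replace(" ", ""), 16)
    if serial <= 0:
        raise ValueError("serial must be a positive integer")
    return "0x%x" % serial

# Constructed sample certificates for a stand-alone run; only the leading TBS fields exist.
def der(tag, content):
    n, nb = len(content), len(content).to_bytes(2, "big").lstrip(b"\x00")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(nb)]) + nb) + content

def sample_cert(serial, v3, padding=b""):
    """Certificate SEQUENCE whose TBS is [version,] serialNumber[, padding]."""
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")   # adds the 0x00 pad when needed
    version = der(0xA0, der(0x02, b"\x02")) if v3 else b""
    return der(0x30, der(0x30, version + der(0x02, ser) + padding))
```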
Once the above command has executed successfully you will get a file named “server.cer” in the same location. Double-click on the file named “server.cer” and you will see as below:-
The things to notice are “Issued to” and “Issued by”, which show it as signed by Private RootCA Ltd.
Now go to the “Details” tab and check whether the signed certificate has been generated with the same serial as the self-signed certificate:-
Check the Certification Path and you will be able to see the hierarchy of the certification:-
NOTE:- You might not see the chain directly and would see only one cert in the list. That happens because the CA we created is not known to the Windows trust store; to get around that you have to add this CA into the Windows trust store, as described step by step in Step 3.
Step 5:- Importing the Signed Certificate into your Keystore to create a cert-chain and use the same
Execute the command below to import the PrivateRootCA.cer certificate into your keystore, as it needs to be present in the keystore before the signed certificate is imported.
keytool -import -v -noprompt -trustcacerts -alias rootcacert -file PrivateRootCA.cer -keystore keystore.jks -storepass password
Certificate was added to keystore
[Storing keystore.jks]
Now import the signed certificate into your keystore:
keytool -import -v -alias server_cert -file server.cer -keystore keystore.jks -keypass privatepassword -storepass password
Certificate reply was installed in keystore
[Storing keystore.jks]
This implies the signed certificate has been imported successfully.
Now list the keystore and verify that the certificate chain has been created successfully:-
keytool -list -v -keystore keystore.jks -alias server_cert -storepass password
D:\keystore>keytool -list -keystore keystore.jks -v -alias server_cert
Enter keystore password:
Alias name: server_cert
Creation date: May 21, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=My.Machine.Host.Name, OU=Support, O=Oracle, L=KA, ST=Ban, C=IN
Issuer: CN=Private RootCA Ltd., OU=Support, O=Oracle, L=BAN, ST=KA, C=IN
Serial number: 4fb9da8c
Valid from: Mon May 21 11:44:04 IST 2012 until: Tue May 21 11:44:04 IST 2013
Certificate fingerprints:
MD5: 5F:FF:6F:8A:C5:22:3D:51:23:A8:FF:AF:96:5A:98:BB
SHA1: 29:4A:14:5A:42:31:57:94:57:3A:CA:B4:E2:AB:00:90:D5:69:96:1C
Signature algorithm name: SHA1withRSA
Version: 1
Certificate[2]:
Owner: CN=Private RootCA Ltd., OU=Support, O=Oracle, L=BAN, ST=KA, C=IN
Issuer: CN=Private RootCA Ltd., OU=Support, O=Oracle, L=BAN, ST=KA, C=IN
Serial number: 9126d09b3c5e8c3c
Valid from: Mon May 21 11:40:41 IST 2012 until: Tue May 21 11:40:41 IST 2013
Certificate fingerprints:
MD5: 7A:8E:2A:3B:19:51:8C:F7:B3:3A:31:CE:78:30:DF:E6
SHA1: B7:7D:58:B2:85:EC:44:15:FB:78:F6:B3:4E:A3:AD:A4:25:5C:B4:C2
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 99 A1 64 8D 58 58 2F AE 05 04 4B 3D C4 35 EA 39 ..d.XX/...K=.5.9
0010: 04 E3 8F 7F ....
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 99 A1 64 8D 58 58 2F AE 05 04 4B 3D C4 35 EA 39 ..d.XX/...K=.5.9
0010: 04 E3 8F 7F ....
]
]
D:\keystore>
Step 6:- Configuring and using the Keystore and Certificates created
From the Admin console, go to your server page, and in the Keystores & SSL tab choose:
Custom Identity and Custom Trust
Custom Identity
Custom Identity Key Store File Name: keystore.jks
Custom Identity Key Store Type: jks
Custom Identity Key Store Pass Phrase: password
Confirm Custom Identity Key Store Pass Phrase: password
Custom Trust
Custom Trust Key Store File Name: keystore.jks
Custom Trust Key Store Type: jks
Custom Trust Key Store Pass Phrase: password
Confirm Custom Trust Key Store Pass Phrase: password
Private Key Alias: server_cert
Passphrase: privatepassword
Confirm Passphrase: privatepassword
Ensure that SSL Listen Port Enabled is selected, then restart your server.
You are done.
WebLogic is now configured successfully to do one-way SSL (no client authentication).