certificates used for securing dcm4chee-arc-light


Jonathan Brooks

Mar 23, 2022, 11:16:30 AM
to dcm4che
Hi,

Can someone help me understand what's going on with certificates in Keycloak/WildFly/Java?

Questions/Steps:
(1) We can use openssl to create our own private.key, but should it be protected by its own password? I.e. use the -nodes option(?)

(2) In creating the key you also create a request for a certificate for the computer that created the key - a certificate authority (CA) can then issue your own certificate (my_cert.cer).

(3) Combining the CA's own certificate (their_cert.cer) with the one they generated for you will give you the certificate you need(?)
I.e. cat my_cert.cer their_cert.cer > cacerts.cer

(4) This cacerts.cer is a text file with the encrypted certificates contained. We need to convert them to PKCS12 format - is this the correct command?:

openssl pkcs12 -export -out cacerts.p12 -inkey private.key -in cacerts.cer -name "my_computer.some.where.com" -certfile their_cert.cer

This prompts you for a password for the certificate and generates cacerts.p12.
The .p12 file contains both the key and the certificate as an encrypted binary file.

(5) When creating the equivalent key file in PKCS12 format do you just copy cacerts.p12 to key.p12?

(6) Throughout the instructions for installing the secured archive and RESTful services there are several instances where the password (secret) is used - I think this should be replaced with the password chosen at step (4)? This only applies to the sections referring to HTTPS when using the jboss-cli (not mysql, ldap, keycloak user, etc. passwords).

(7) When importing the cacerts.p12 into the Java cacerts keystore the password (changeit) is referenced to the keytool command - however if you change this password the import doesn't work. Why is the password called changeit if you can't change it? :-)

Obviously this is a humungous question and I won't be offended if I get RTFM replies, but I have tried to understand this process, and am a bit unclear about the different hooks in dcm4chee.

As always, any help would be gratefully received.

Best wishes,

Jon
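
Steps (1) to (4) of the post above, run end to end against a throwaway CA and then checked, as an added example that is not part of the original post and is not dcm4chee's own tooling. The CA and its ca.key, the password and the three function names are constructed for the demonstration; the other file names and the host name are the post's.

```sh
#!/bin/sh
# Added example. The CA, its key and the password are constructed stand-ins.
set -eu

# Build key, request, issued certificate, chain file and PKCS12 bundle in $1.
build_p12() (
  dir="$1"; host="$2"; pass="$3"
  cd "$dir"
  # Throwaway CA; with a real CA you only ever receive their_cert.cer.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key \
    -out their_cert.cer -subj "/CN=Constructed Test CA" -days 30 2>/dev/null
  # Steps 1-2: key and certificate request. -nodes leaves private.key
  # unencrypted on disk, so restrict its file permissions.
  openssl req -newkey rsa:2048 -nodes -keyout private.key \
    -out my_cert.csr -subj "/CN=$host" 2>/dev/null
  chmod 600 private.key
  # The CA's side of step 2: issue my_cert.cer from the request.
  openssl x509 -req -in my_cert.csr -CA their_cert.cer -CAkey ca.key \
    -CAcreateserial -out my_cert.cer -days 30 2>/dev/null
  # Check that the issued certificate chains to the CA and matches the key.
  openssl verify -CAfile their_cert.cer my_cert.cer >/dev/null
  [ "$(openssl x509 -in my_cert.cer -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in private.key -pubout | openssl sha256)" ]
  # Step 3: host certificate first, then the CA certificate.
  cat my_cert.cer their_cert.cer > cacerts.cer
  # Step 4: cacerts.cer already carries the CA certificate, so -certfile is
  # not passed here. env: keeps the password out of the process list.
  P12_PASS="$pass" openssl pkcs12 -export -out cacerts.p12 \
    -inkey private.key -in cacerts.cer -name "$host" -passout env:P12_PASS
)

# Print the number of certificates stored in PKCS12 file $1 (password $2).
p12_cert_count() {
  P12_PASS="$2" openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS \
    2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Succeed only if password $2 opens file $1 and a private key is inside.
p12_has_key() {
  P12_PASS="$2" openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12_PASS \
    2>/dev/null | grep -c 'PRIVATE KEY' >/dev/null
}

workdir="$(mktemp -d)"
build_p12 "$workdir" my_computer.some.where.com constructed-password
echo "certificates: $(p12_cert_count "$workdir/cacerts.p12" constructed-password)"
p12_has_key "$workdir/cacerts.p12" constructed-password && echo "key: present"
rm -rf "$workdir"
```

The resulting cacerts.p12 holds the private key plus both certificates, all protected by the export password chosen at step (4).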