Creating Openssl certs and using them with Glassfish


Gloria Binette
Sep 25, 2012, 7:41:57 AM
I have been tasked with using OpenSSL to create certificates and then use them with Glassfish. I have created the CA, CSRs and CRTs, have tried various ways to import them into glassfish's keystore.jks, have tried creating a new Java keystore. Have read many tutorials and forum comments, but have yet to have success. Does anyone have a tutorial specific to doing this or could offer some advice? I would really appreciate it! Sometimes the simplest things trip me up the most.
Thanks
Rede

Dave Thompson
Sep 25, 2012, 8:15:56 PM
>From: owner-ope...@openssl.org On Behalf Of Gloria Binette
>Sent: Tuesday, 25 September, 2012 07:42

>I have been tasked with using OpenSSL to create certificates and
>then use them with Glassfish. I have created the CA, CSRs and CRTs,
>have tried various ways to import them into glassfish's keystore.jks,
>have tried creating a new javakeystore. Have read many tutorials and
>forum comments, but have yet to have success. Does anyone have a
>tutorial specific to doing this or could offer some advice?

I don't use Glassfish, but Java keystores used for "standard" Java
(JSSE) should all be the same. I've seen tools advertised for this,
but you (I) can do it with the JRE-standard keytool.

1. with openssl create the private key and corresponding cert
(via CSR and CA, or otherwise), in PEM format (which is the
default for most openssl command-line operations, otherwise convert).

2. with openssl put private key + cert and maybe chain into pkcs12 using
openssl pkcs12 -export ... -out $p12file
If you keep private key + cert in one file, which some people do,
use that as -in or stdin; or on Unixy systems cat them and pipe as stdin.
Otherwise use -in certfile -inkey keyfile . Either way if you created
a multi-level CA hierarchy, include all chain certs (above entity cert
and below root) using -certfile. You can include the root if you like,
such as for documentation, but it's not needed; the client(s) using
the server must have their own local copy of the root.

Caveat: don't use an empty passphrase for the pkcs12,
keytool doesn't handle that correctly.

3. with keytool convert pkcs12 into jks
keytool -importkeystore -srckeystore $p12file -srcstoretype pkcs12
-destkeystore $jksfile

I don't know if Glassfish cares about the alias(es) for its keystore
entries; the default keymanager for JSSE doesn't. If it does, you can
specify the desired alias in step 2 with -alias, or change the default
in step 3 with -srcalias 1 -destalias $whatever . Or you can change it
in the jks later/anytime with keytool.

4. optional: use keytool -list -v to check the result is correct

5. maybe: for many Java apps you must start or restart the app
(sometimes the whole JVM, sometimes not) after putting in a new keystore.
I have no clue for Glassfish, although "enterprise" stuff often
tries to be clever about this and sometimes succeeds.


______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
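The steps above run end to end as a shell script, added here as an example and not part of the thread: a throwaway two-level CA (root, intermediate, server) is built with openssl, bundled into PKCS#12 with the intermediate supplied via -certfile and a non-empty passphrase, then converted to JKS and checked with keytool -list -v. The CN values, the alias "glassfish" and the passphrase 'changeit-demo' are constructed for the demo; the keytool steps are skipped when no JDK is on PATH.

```shell
# Added example, not from the thread: Dave's steps 1-4 against a throwaway
# two-level CA in a scratch directory. Names and passphrase are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
P12PASS='changeit-demo'   # step 2 caveat: keytool mishandles an EMPTY pkcs12 passphrase

# Step 1: keys and certs in PEM. Only the intermediate needs an explicit CA:TRUE;
# "openssl req -x509" marks the self-signed root as a CA by default.
make_chain() {
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj '/CN=demo-root' -keyout root.key -out root.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=demo-int' \
    -keyout int.key -out int.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > int.ext
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile int.ext -out int.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=glassfish.example.test' \
    -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 30 -sha256 -out server.crt 2>/dev/null
  openssl verify -CAfile root.crt -untrusted int.crt server.crt >/dev/null  # chain must verify
}

# Step 2: key + entity cert, with the intermediate via -certfile. The root is left
# out: clients must trust it locally anyway. Prints the cert count in the PKCS#12.
make_p12() {
  cd "$WORK"
  openssl pkcs12 -export -inkey server.key -in server.crt -certfile int.crt \
    -name glassfish -passout "pass:$P12PASS" -out server.p12
  openssl pkcs12 -in server.p12 -nokeys -passin "pass:$P12PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Steps 3 and 4: convert to JKS, then confirm with keytool -list -v that the entry
# carries a 2-cert chain. Prints "no-keytool" when no JDK is on PATH.
make_jks() {
  cd "$WORK"
  command -v keytool >/dev/null 2>&1 || { echo no-keytool; return 0; }
  rm -f keystore.jks
  keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 \
    -srcstorepass "$P12PASS" -destkeystore keystore.jks -deststoretype JKS \
    -deststorepass "$P12PASS" -noprompt >/dev/null 2>&1
  keytool -list -v -keystore keystore.jks -storepass "$P12PASS" 2>/dev/null \
    | grep -c 'Certificate chain length: 2'
}
make_chain
echo "certs in server.p12: $(make_p12)"               # 2: server + intermediate
echo "JKS entries with a 2-cert chain: $(make_jks)"   # 1, or no-keytool
```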
