- On the JOC Cockpit server create the keystore using openssl and the keytool from your Java JRE, JDK or other third party utility.
  - For use with a third party utility create a keystore, e.g. https-keystore.p12, in PKCS12 format and import:
    - the JOC Cockpit private key and certificate for Server Authentication
    - the Root CA Certificate
    - Intermediate CA Certificate(s)
  - The examples below describe a possible approach for certificate management, however, there are other ways to achieve similar results.
Example for importing an existing private key and CA-signed certificate to a keystore:
Example how to add a private key and CA-signed certificate to a PKCS12 keystore

```bash
# Assume the fully qualified domain name (FQDN) of the JOC Cockpit server to be "joc.example.com"

# If the JOC Cockpit CA-signed certificate is provided from a pkcs12 keystore (certificate.p12), extract the JOC Cockpit certificate to a .crt file in PEM format (joc.example.com.crt)
# openssl pkcs12 -in certificate.p12 -nokeys -out joc.example.com.crt

# Import the JOC Cockpit private key (joc.example.com.key) and JOC Cockpit certificate (joc.example.com.crt) from PEM format to a new keystore (https-keystore.p12)
openssl pkcs12 -export -in joc.example.com.crt -inkey joc.example.com.key -name joc.example.com -out "JETTY_BASE/resources/joc/https-keystore.p12"
```
Example how to add a private key and CA-signed certificate to a PKCS12 keystore

```bash
# If the JOC Cockpit's private key and certificate are provided with a .jks keystore (keypair.jks) then temporarily convert the keystore to pkcs12 (keystore.p12)
# for later use with openssl, assuming the alias name of the JOC Cockpit private key being "joc.example.com"
# keytool -importkeystore -srckeystore keypair.jks -srcstoretype JKS -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias joc.example.com

# Assuming the JOC Cockpit private key from a pkcs12 keystore (keystore.p12), store the JOC Cockpit private key to a .key file in PEM format (joc-https.key)
openssl pkcs12 -in keystore.p12 -nocerts -out joc-https.key

# Concatenate the CA Root certificate and optionally CA Intermediate certificates to a single CA Bundle certificate file (ca-bundle.crt)
cat RootCACertificate.crt > ca-bundle.crt
cat CACertificate.crt >> ca-bundle.crt

# Export the JOC Cockpit private key (joc-https.key), JOC Cockpit certificate (joc-https.crt) and CA Bundle (ca-bundle.crt) in PEM format to a new keystore (https-keystore.p12)
# assume the fully qualified domain name (FQDN) of the JOC Cockpit server to be "joc.example.com"
openssl pkcs12 -export -in joc-https.crt -inkey joc-https.key -chain -CAfile ca-bundle.crt -name joc.example.com -out "JETTY_BASE/resources/joc/https-keystore.p12"

# If you require use of a .jks keystore type then convert the pkcs12 keystore, assuming the alias name of the JOC Cockpit private key to be "joc.example.com"
# keytool -importkeystore -srckeystore https-keystore.p12 -srcstoretype PKCS12 -destkeystore https-keystore.jks -deststoretype JKS -srcalias joc.example.com
```
Example for creating a private key and self-signed certificate and importing to a keystore
Refer to examples available from JS7 - How to create self-signed Certificates, chapter Creating a Server Certificate.
Example how to create a private key and self-signed certificate

```bash
# Creating the private key and self-signed certificate for the given validity period
./create_certificate.sh --dns=joc.example.com --days=365
```
Refer to examples available from JS7 - How to add SSL TLS Certificates to Keystore and Truststore.
Example how to add a private key and certificate to a PKCS12 keystore

```bash
# Adding the private key and certificate to a keystore
./js7_create_certificate_store.sh \
    --keystore=JETTY_BASE/resources/joc/https-keystore.p12 \
    --key=joc.example.com.key \
    --cert=joc.example.com.crt \
    --alias=joc.example.com \
    --password="jobscheduler"
```
When using additional arguments for creation of a truststore then users can skip the later step 3:

Example how to add a private key and certificate to a PKCS12 keystore and the Root CA Certificate to a truststore

```bash
# Adding the private key and certificate to a keystore and Root CA Certificate to a truststore
./js7_create_certificate_store.sh \
    --keystore=JETTY_BASE/resources/joc/https-keystore.p12 \
    --truststore=JETTY_BASE/resources/joc/https-keystore.p12 \
    --key=joc.example.com.key \
    --cert=joc.example.com.crt \
    --alias=joc.example.com \
    --password="jobscheduler" \
    --ca-root=root-ca.crt
```
Example how to generate a private key and self-signed certificate for import into a PKCS12 keystore

```bash
# Generate the JOC Cockpit's private key with the "joc.example.com" alias name and certificate in a keystore (https-keystore.p12)
# use the fully qualified domain name (FQDN) assumed to be "joc.example.com" and name of your organization for the distinguished name
# Note that PKCS12 keystores require to use the same key password and store password
keytool -genkey -alias "joc.example.com" -dname "CN=joc.example.com,O=organization" -validity 1461 -keyalg RSA -keysize 2048 -keypass jobscheduler -keystore "JETTY_BASE/resources/joc/https-keystore.p12" -storepass jobscheduler -storetype PKCS12
```
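Whichever of the approaches above produced the keystore, its contents can be checked before JOC Cockpit is configured to use it. The following function is an added example and not part of the JS7 documentation or scripts; the names check_keystore and KS_PASS are assumptions, and it uses only standard openssl subcommands.

```bash
#!/bin/sh
# Added example: sanity-check a PKCS12 keystore before JOC Cockpit uses it.
# Usage: export KS_PASS=<store password>; check_keystore <keystore.p12> <fqdn> [min-days]
# The password comes from the environment so it stays out of the process list.
# check_keystore and KS_PASS are hypothetical names, not part of JS7.
check_keystore() (
  p12=$1; fqdn=$2; min_days=${3:-30}; rc=0
  tmp=$(mktemp -d) || exit 2
  trap 'rm -rf "$tmp"' EXIT

  # 1. The keystore opens with the password and yields the server certificate.
  if ! openssl pkcs12 -in "$p12" -passin env:KS_PASS -clcerts -nokeys 2>/dev/null \
       | openssl x509 -out "$tmp/leaf.pem" 2>/dev/null; then
    echo "FAIL: cannot read a certificate from $p12 (wrong password or not PKCS12)"
    exit 2
  fi

  # 2. A private key entry is present (streamed through a pipe, never written to disk).
  if ! openssl pkcs12 -in "$p12" -passin env:KS_PASS -nocerts -nodes 2>/dev/null \
       | grep -q "PRIVATE KEY"; then
    echo "FAIL: no private key entry in keystore"; rc=1
  fi

  # 3. The certificate is valid for the host name clients will connect to.
  if ! openssl x509 -in "$tmp/leaf.pem" -noout -checkhost "$fqdn" | grep -q "does match"; then
    echo "FAIL: certificate does not match host name $fqdn"; rc=1
  fi

  # 4. The certificate does not expire within the next min_days days.
  if ! openssl x509 -in "$tmp/leaf.pem" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "FAIL: certificate expires within $min_days days"; rc=1
  fi

  # 5. If CA certificates were imported (-chain -CAfile), the server
  #    certificate must verify against them.
  openssl pkcs12 -in "$p12" -passin env:KS_PASS -cacerts -nokeys 2>/dev/null > "$tmp/ca.pem"
  n=$(grep -c "BEGIN CERTIFICATE" "$tmp/ca.pem" || true)
  if [ "$n" -gt 0 ]; then
    openssl verify -CAfile "$tmp/ca.pem" "$tmp/leaf.pem" >/dev/null 2>&1 \
      || { echo "FAIL: certificate does not chain to the CA certificates in the keystore"; rc=1; }
  else
    echo "NOTE: no CA certificates in keystore (self-signed or chain not imported)"
  fi

  [ "$rc" -eq 0 ] && echo "OK: $p12"
  exit "$rc"
)
```

The function returns 0 when all checks pass, 1 when a check fails and 2 when the keystore cannot be opened, so it can gate a deployment step.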