Create the following directory tree, the two empty index.txt files, and the two serial files containing an integer start value.
Place the files in their corresponding directories and modify them to match your organisation's information.
Your keystores and truststores will be written to a directory named keystores
one level above your working directory.
```bash
mkdir -p certs crl intermediate intermediate/certs intermediate/csr intermediate/newcerts intermediate/private private newcerts ../keystores
touch index.txt intermediate/index.txt
echo 1001 | tee serial intermediate/serial
```
Note: In each openssl.cnf modify
Root CA
First we want to create a private key and root CA
...
```bash
# The chain file for the intermediate CA: intermediate certificate first, then the root.
cat intermediate/certs/intermediate.cert.pem \
    certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
chmod 444 intermediate/certs/ca-chain.cert.pem
```
...
Server Certificate
Next we create a certificate and key for our server, sign it, and generate the keystore to be used by HiveMQ. In the following examples, replace broker.hivemq.local
with the FQDN of the individual node you are creating these for.
...
We now have all necessary parts to produce a keystore.

Concatenate the certificate chain (root CA first, then the intermediate, then the server certificate):

```bash
cat certs/ca.cert.pem \
    intermediate/certs/intermediate.cert.pem \
    intermediate/certs/broker.hivemq.local.cert.pem \
    > ../keystores/broker.hivemq.local.chain.pem
```

Import the certificate chain and the private key into a PKCS12 container (openssl writes the container to stdout when no `-out` is given, so it is redirected into the file; you will be prompted for an export password):

```bash
openssl pkcs12 -export -in ../keystores/broker.hivemq.local.chain.pem \
    -inkey intermediate/private/broker.hivemq.local.key.pem \
    > ../keystores/broker.hivemq.local.p12
```

Import the contents of the PKCS12 container into a JKS container. The source alias `1` is the alias keytool reports for an entry exported without `-name`; `-destalias` renames it to the broker's FQDN:

```bash
keytool -importkeystore -trustcacerts \
    -srckeystore ../keystores/broker.hivemq.local.p12 \
    -destkeystore ../keystores/broker.hivemq.local-keystore.jks \
    -srcstoretype pkcs12 \
    -destalias broker.hivemq.local \
    -alias 1
```

Remove the concatenated certificate chain and the PKCS12 container, which are no longer needed once the JKS exists:

```bash
rm -f ../keystores/broker.hivemq.local.p12 ../keystores/broker.hivemq.local.chain.pem
```
… and truststore

```bash
keytool -import -trustcacerts -alias 'Root CA' -file certs/ca.cert.pem -keystore ../keystores/broker.hivemq.local-truststore.jks
```
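Before the chain and key are packaged into the PKCS12/JKS keystore, it is worth checking that they actually belong together, that the chain verifies up to the root CA, and that the certificate names the node it will be deployed on; otherwise the first sign of a mistake is an opaque TLS handshake failure on the broker. The following script is an added example, not part of the original guide: it uses only the openssl CLI, takes the guide's file layout as its default arguments, and the function name `verify_chain_and_key` and the helper `pem_last_block` are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not part of the original HiveMQ guide): consistency checks
# to run on the concatenated chain and private key BEFORE building the keystore.
#
# Usage: verify_chain_and_key ROOT_CA_PEM CHAIN_PEM KEY_PEM FQDN
# Paths in the comments follow the guide's layout; the function is generic.

# Print the last certificate block of a PEM bundle. With the root-first order
# used for the keystore chain, that is the server (or client) certificate.
pem_last_block() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = "" }
         { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { last = buf }
         END { printf "%s", last }' "$1"
}

verify_chain_and_key() {
    local root_ca="$1"
    local chain="$2"
    local key="$3"
    local fqdn="$4"
    local leaf rc cert_pub key_pub
    leaf="$(mktemp)"
    rc=0

    pem_last_block "$chain" > "$leaf"
    if [ ! -s "$leaf" ]; then
        echo "FAIL: no certificate block found in $chain" >&2
        rm -f "$leaf"
        return 1
    fi

    # 1. The private key must belong to the leaf certificate: compare the
    #    SHA-256 of the public key derived from each side.
    cert_pub="$(openssl x509 -in "$leaf" -noout -pubkey | openssl dgst -sha256)"
    key_pub="$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)"
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the certificate in $chain" >&2
        rc=1
    fi

    # 2. The chain must verify up to the root CA. The whole bundle is offered
    #    as untrusted intermediates; only ROOT_CA_PEM acts as trust anchor.
    if ! openssl verify -CAfile "$root_ca" -untrusted "$chain" "$leaf" >/dev/null 2>&1; then
        echo "FAIL: chain in $chain does not verify against $root_ca" >&2
        rc=1
    fi

    # 3. The leaf must name the node it is deployed on (subject CN or SAN).
    if ! openssl x509 -in "$leaf" -noout -text | grep -q -- "$fqdn"; then
        echo "FAIL: certificate in $chain does not mention $fqdn" >&2
        rc=1
    fi

    rm -f "$leaf"
    if [ "$rc" -eq 0 ]; then
        echo "OK: $chain and $key are consistent for $fqdn"
    fi
    return "$rc"
}

# Run against the guide's server artefacts (from the CA working directory):
#   verify_chain_and_key certs/ca.cert.pem \
#       ../keystores/broker.hivemq.local.chain.pem \
#       intermediate/private/broker.hivemq.local.key.pem \
#       broker.hivemq.local
if [ "$#" -eq 4 ]; then
    verify_chain_and_key "$@"
fi
```

Run it once per node before the `openssl pkcs12 -export` step; if the private key is encrypted, `openssl pkey` prompts for its passphrase. After the JKS has been built, `keytool -list -v -keystore ../keystores/broker.hivemq.local-keystore.jks` shows the chain length and alias that ended up in the store.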
Now it is time to generate the client's keystore.

Concatenate the certificate chain:

```bash
cat certs/ca.cert.pem \
    intermediate/certs/intermediate.cert.pem \
    intermediate/certs/client1.cert.pem \
    > ../keystores/client1.chain.pem
```

If you want to create a certificate chain to be used directly in PEM format, the order of the certificates needs to be reversed, with the client certificate first:

```bash
cat intermediate/certs/client1.cert.pem \
    intermediate/certs/intermediate.cert.pem \
    certs/ca.cert.pem \
    > ../keystores/new-client1.chain.pem
```
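The two bundles above contain the same three certificates in opposite orders: the keystore build wants root, intermediate, client, while consumers that read the PEM file directly want client, intermediate, root. The following helper is an added example, not part of the original guide; it reorders an existing bundle instead of re-running `cat` from the source files, and `pem_chain_reverse` and `pem_chain_count` are this example's own names.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): convert a PEM certificate
# bundle between the root-first order used for the keystore and the
# leaf-first order expected when the PEM chain is used directly.
# Pure awk, so it needs no openssl and works on any PEM bundle.

# Emit the certificate blocks of a PEM file in reverse order. Anything
# outside BEGIN/END CERTIFICATE markers (blank lines, "Bag Attributes"
# emitted by openssl pkcs12, comments) is dropped.
pem_chain_reverse() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1; buf = "" }
        inblock { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/ { inblock = 0; n++; blocks[n] = buf }
        END { for (i = n; i >= 1; i--) printf "%s", blocks[i] }
    ' "$1"
}

# Count the certificate blocks in a PEM file, so a chain can be checked for
# the depth it should have (3 here: root + intermediate + client).
pem_chain_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# With the guide's client artefacts, this produces the same file as the
# second cat command above:
#   pem_chain_reverse ../keystores/client1.chain.pem > ../keystores/new-client1.chain.pem
#   pem_chain_count ../keystores/new-client1.chain.pem   # expect 3
```

Because the function only keeps the certificate blocks, it can also be pointed at the output of `openssl pkcs12 -nokeys` to turn the "Bag Attributes"-decorated dump back into a clean bundle.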
Importing PEM files to JKS

These are two separate commands: the first packs the PEM certificate and key into a PKCS12 container, the second converts that container into a JKS keystore.

```bash
openssl pkcs12 -export -in user.pem -inkey user.key -certfile user.pem -out testkeystore.p12
keytool -importkeystore -srckeystore testkeystore.p12 -srcstoretype pkcs12 \
    -destkeystore wso2carbon.jks -deststoretype JKS
```
Import the certificate chain and the private key into a PKCS12 container:

```bash
openssl pkcs12 -export -in ../keystores/client1.chain.pem \
    -inkey intermediate/private/client1.key.pem \
    > ../keystores/client1.p12
```

Import the contents of the PKCS12 container into a JKS container (as for the server, the source alias `1` is the one keytool reports for an entry exported without `-name`):

```bash
keytool -importkeystore -trustcacerts \
    -srckeystore ../keystores/client1.p12 \
    -destkeystore ../keystores/client1-keystore.jks \
    -srcstoretype pkcs12 \
    -destalias client1 \
    -alias 1
```

Remove the concatenated certificate chain and the PKCS12 container:

```bash
rm -f ../keystores/client1.p12 ../keystores/client1.chain.pem
```
… and truststore

```bash
keytool -import -trustcacerts -alias 'Root CA' -file certs/ca.cert.pem -keystore ../keystores/client1-truststore.jks
```