In a production environment you need to set up your own certificate for the WSO2 Identity Solution; this post explains how to do it.
These are the steps you need to do.
1. Create a private/public key pair for your server [say, identity-provider]
2. Create a sample CA
3. Get your server certificate signed by your CA (via a certificate signing request)
4. Download and install WSO2 Identity Solution
5. Configure Identity Solution to use your certificate for identity-provider
In this case we'll be creating the certificate for the host name 'identity-provider'. To test the scenario exactly as written, add the following entry to C:\windows\system32\drivers\etc\hosts (on Linux or macOS, /etc/hosts):
127.0.0.1 identity-provider
We use OpenSSL to build the required CA infrastructure. For Windows you can download Win32 OpenSSL from here (the original post used v0.9.8g; any current build works). Once installed, make sure you add C:\OpenSSL\bin [i.e. [INSTALLED_LOCATION]\bin] to the PATH environment variable.
Create a folder "keystore" locally and inside that folder create two sub folders, "CA" and "IS".
From the "keystore" folder,
:\> cd IS
Creating the private/public key pair for the server. The original post used -sigalg MD5withRSA with -keysize 1024; MD5 signatures and 1024-bit RSA keys are no longer acceptable, so use SHA256withRSA and 2048-bit keys. The password wso2is is a placeholder for this walkthrough; choose your own. (keytool's S= is the state/province field, which OpenSSL spells ST=.)
:\> keytool -genkey -alias identity-provider -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -dname "CN=identity-provider,L=SL,S=WS,C=LK" -keypass wso2is -keystore wso2is.jks -storepass wso2is
Creating a certificate signing request.
:\> keytool -certreq -v -alias identity-provider -file ../CA/csr.pem -keypass wso2is -storepass wso2is -keystore wso2is.jks
Building the CA infrastructure.
:\> cd ../CA
Creating the CA public/private key pair. You need to give a passphrase for the CA key when prompted, then answer the subject prompts (use a distinct CN such as wso2ca). Note that openssl req -x509 defaults to a 30-day validity, so pass -days explicitly; -sha256 replaces the -md5 of the original post.
:\> openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -keyout wso2cakey.pem -out wso2cacert.crt
Signing the server certificate with the CA (you will be prompted for the CA key passphrase). Again, -sha256 replaces the original -md5. Note that this certificate carries the host name only in its CN; current TLS clients match the host name against a subjectAltName extension instead, so for anything beyond this walkthrough add one (openssl x509 -req accepts it via -extfile).
:\> openssl x509 -req -days 365 -sha256 -in csr.pem -CA wso2cacert.crt -CAkey wso2cakey.pem -CAcreateserial -out ../IS/iscert.crt
:\> cd ../IS
Importing the CA certificate into the server keystore. keytool asks whether to trust the certificate; answer yes. Do this before importing the signed server certificate, because keytool needs the CA certificate in the keystore to validate the certificate reply in the next step.
:\> keytool -import -alias wso2ca -file ../CA/wso2cacert.crt -keystore wso2is.jks -storepass wso2is
Importing the signed server certificate into the server keystore. Because the alias matches the existing key entry, keytool treats the file as a certificate reply, verifies it against the CA certificate imported above, and replaces the self-signed certificate with the CA-signed one.
:\> keytool -import -alias identity-provider -file iscert.crt -keystore wso2is.jks -storepass wso2is -keypass wso2is
At the end of this process you'll end up with a keystore, wso2is.jks, at [keystore]\IS. The password we used for both this keystore and its private key is wso2is. Check the result with keytool -list -v -keystore wso2is.jks -storepass wso2is: the identity-provider entry should show a certificate chain of length 2 (the server certificate followed by the CA certificate), and the signature algorithm should read SHA256withRSA.
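The same CA-building procedure, scripted so it runs unattended and followed by the checks worth running on the issued certificate before copying anything into the WSO2 keystore. This is an added example, not code from the original post or from WSO2. It assumes a scratch directory WORK in place of the keystore\CA and keystore\IS folders, leaves the CA key unencrypted (-nodes) so that no passphrase prompt is needed, and produces the server key and CSR with openssl rather than keytool so that it runs without a JDK; the host name, subject fields and file names are those of the post.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): the OpenSSL half of the
# procedure above, plus sanity checks on the issued certificate.
# Assumptions not in the post: $WORK replaces keystore\CA and keystore\IS,
# the CA key is unencrypted (-nodes), and the server key/CSR come from
# openssl instead of keytool so the script needs no JDK.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="identity-provider"
CA_KEY="$WORK/wso2cakey.pem"
CA_CERT="$WORK/wso2cacert.crt"
CSR="$WORK/csr.pem"
SRV_KEY="$WORK/iskey.pem"
SRV_CERT="$WORK/iscert.crt"

# 1. CA key pair and self-signed CA certificate. openssl req -x509 defaults
#    to 30 days of validity, so -days is set explicitly. OpenSSL spells the
#    state/province field ST; keytool spells it S.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
    -subj "/CN=wso2ca/L=SL/ST=WS/C=LK" \
    -keyout "$CA_KEY" -out "$CA_CERT" 2>/dev/null
}

# 2. Server key pair and certificate signing request for $HOST.
make_csr() {
  openssl req -new -newkey rsa:2048 -sha256 -nodes \
    -subj "/CN=$HOST/L=SL/ST=WS/C=LK" \
    -keyout "$SRV_KEY" -out "$CSR" 2>/dev/null
}

# 3. Sign the CSR with the CA. A subjectAltName is added because current
#    TLS clients match the host name against SAN rather than CN.
sign_csr() {
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
  openssl x509 -req -days 365 -sha256 -in "$CSR" \
    -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$SRV_CERT" 2>/dev/null
}

# 4. Checks: the issued certificate must chain to the CA, be signed with
#    SHA-256, and name $HOST in both SAN and CN. Prints "ok", or the name of
#    the first failing check.
check_cert() {
  openssl verify -CAfile "$CA_CERT" "$SRV_CERT" >/dev/null 2>&1 \
    || { echo "chain"; return 0; }
  local text
  text="$(openssl x509 -in "$SRV_CERT" -noout -text)"
  printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
    || { echo "sigalg"; return 0; }
  printf '%s\n' "$text" | grep -q "DNS:$HOST" \
    || { echo "san"; return 0; }
  openssl x509 -in "$SRV_CERT" -noout -subject | grep -q "CN *= *$HOST" \
    || { echo "cn"; return 0; }
  echo "ok"
}

# Build the CA, issue the server certificate and verify it; prints "ok".
build_chain() { make_ca && make_csr && sign_csr && check_cert; }

if command -v openssl >/dev/null 2>&1; then
  build_chain
else
  echo "openssl not found; nothing built" >&2
fi
```

The individual openssl commands are identical on Windows and can be typed into cmd one at a time; only the shell scaffolding is bash. When the server key is generated with keytool as in the post, feed keytool's csr.pem to sign_csr and run check_cert on the resulting iscert.crt before importing it. Once the server is running, openssl s_client -connect identity-provider:12443 -CAfile wso2cacert.crt should end with "Verify return code: 0 (ok)"; anything else means the wrong keystore or host name is in use.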
Now let's download the WSO2 Identity Solution from here and unzip it to a local location.
You also need to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 5.0 from here and copy the two jar files from the extracted jce directory (local_policy.jar and US_export_policy.jar) to $JAVA_HOME/jre/lib/security. This is only needed for the Java 5-era JDK the post targets; from JDK 8u161 onward the unlimited policy is the default.
Now copy [keystore]\IS\wso2is.jks to [IS_UNZIPPED_LOCATION]\conf and replace the existing one.
Open the file [IS_UNZIPPED_LOCATION]\conf\server.xml and do a find for 'localhost' and do a replace all with 'identity-provider'.
That's all you need to do to get this working.
The following section of the same file is still worth a look, since it is where the keystore settings live. Note that the keystore and private key passwords sit in clear text here, so restrict read access to server.xml to the account that runs the server.
<KeyStore>
    <!-- Keystore file location-->
    <Location>${wso2wsas.home}/conf/wso2is.jks</Location>
    <!-- Keystore type (JKS/PKCS12 etc.)-->
    <Type>JKS</Type>
    <!-- Keystore password-->
    <Password>wso2is</Password>
    <!-- Private Key alias-->
    <KeyAlias>identity-provider</KeyAlias>
    <!-- Private Key password-->
    <KeyPassword>wso2is</KeyPassword>
</KeyStore>
Now, you can start the server with [IS_UNZIPPED_LOCATION]\bin\wso2is.bat.
Just type https://identity-provider:12443 in your browser to access the Identity Provider home page. The host name must match the certificate, which is why the hosts entry above is needed; https://localhost:12443 will not validate.
Your browser may warn at this point because our CA is not in its trust store. To avoid the warning, add the CA certificate, wso2cacert.crt (never wso2cakey.pem, the CA private key), to the browser's or operating system's trusted root certificate store.