Let me summarize what we intend to do here.
First we will create a public cert and a private key for the CA.
Then we'll create a public/private key pair for the server [say WSAS].
Next we generate a CSR [Certificate Signing Request] for the server and submit it to the CA.
The CA signs the certificate.
Then we convert both the CA's public cert and the server's signed cert from PEM to DER.
After the conversion, the server imports the CA's public cert and its own signed certificate into its keystore.
That's it and we are done.
Let's get started.
First you need to download the Visual C++ 2008 Redistributables from here and install them locally [the Windows build of OpenSSL depends on them].
Then download and install OpenSSL from here.
Also make sure you have added [JAVA_HOME]\bin [where keytool lives] and [OPENSSL_HOME]\bin to the PATH environment variable, so that both keytool and openssl can be run from any folder.
Let's create the folder structure for our example.
Make sure you have the following folder structure. index.txt is an empty file, the CA's certificate database; openssl ca refuses to run if it does not exist.
[SAMPLE]\ca
[SAMPLE]\ca\certs
[SAMPLE]\ca\crl
[SAMPLE]\ca\newcerts
[SAMPLE]\ca\private
[SAMPLE]\ca\index.txt [empty file]
[SAMPLE]\wsas
Copy [OPENSSL_HOME]\bin\openssl.cfg to [SAMPLE]\.
Copy [OPENSSL_HOME]\bin\PEM\demoCA\serial to [SAMPLE]\ca. This file holds the serial number the CA will put on the next certificate it issues; openssl ca increments it after every signing.
Let's edit [SAMPLE]\openssl.cfg [the copy you just made; every command below is run from [SAMPLE]\ and refers to it as openssl.cfg, and the dir = ./ca entry is relative to that folder]. Add the following section to the end of the file, making sure you do not violate the existing file structure.
####################################################################
[ WSO2WSAS_CA ]
dir = ./ca
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
default_days = 365
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
A few notes on this section. The original post used default_md = sha1; SHA-1 certificate signatures are rejected by current browsers and JVMs, so use sha256. The crlnumber and crl entries are only used when you issue a CRL [which also needs a ca\crlnumber file containing 01]; they do no harm here. x509_extensions = usr_cert refers to the [ usr_cert ] section that already exists in the stock openssl.cfg, and the stock file already defines [ policy_anything ] as well, so if yours does, one copy of that section is enough. policy_anything means the CA will sign any subject as long as it has a Common Name, which is fine for a private CA but not something you would use for a public one.
Then find the following [ ca ] section near the top of [SAMPLE]\openssl.cfg and point default_ca at the new section.
####################################################################
[ ca ]
#default_ca = CA_default
default_ca = WSO2WSAS_CA
####################################################################
Let's create the public/private key pair for the CA first. Once you are asked for input, answer appropriately: the passphrase protects the CA private key [keep it; you need it every time the CA signs something], and the Common Name becomes the name of your CA.
[SAMPLE]\>openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -keyout ca\private\cakey.pem -out ca\cacert.pem -config openssl.cfg
The original post used rsa:1024 and omitted -days. 1024-bit RSA is too weak for a CA key today, so use at least 2048 bits, and without -days openssl req -x509 issues a CA certificate that is valid for only 30 days, after which every certificate it signed stops validating.
Now we can create the public/private key pair for the server and generate the CSR. When keytool asks for "your first and last name", enter the host name clients will use to reach WSAS; that becomes the certificate's Common Name. Remember the keystore password, WSAS needs it later.
[SAMPLE]\>keytool -genkey -alias wso2wsas -keyalg RSA -keysize 2048 -keystore wsas\wso2wsas.jks
[SAMPLE]\>keytool -certreq -keystore wsas\wso2wsas.jks -alias wso2wsas -file wsas\wso2wsas.cert.req
Next, the CA signs the server cert. You will be asked for the CA passphrase and then to confirm signing and committing the certificate. The signed certificate is written to wsas\wso2wsas.pem, and a copy is also recorded in ca\newcerts and in ca\index.txt.
[SAMPLE]\>openssl ca -config openssl.cfg -out wsas\wso2wsas.pem -infiles wsas\wso2wsas.cert.req
Now we need to convert both the CA's public cert and the server's signed cert from PEM to DER. [keytool can read PEM too, but DER avoids any trouble with the human-readable text openssl ca prepends to the PEM file.]
[SAMPLE]\>openssl x509 -outform DER -in wsas\wso2wsas.pem -out wsas\wso2wsas.cert
[SAMPLE]\>openssl x509 -outform DER -in ca\cacert.pem -out wsas\wso2wsasca.cert
After the conversion, the server can import the CA's public cert and the server's signed certificate into its keystore. The order matters: import the CA certificate first [answer "yes" when keytool asks whether to trust it], so that the second import is recognised as the certificate reply for the wso2wsas key entry and replaces its self-signed certificate. In the other order keytool fails with "Failed to establish chain from reply".
[SAMPLE]\>keytool -import -file wsas\wso2wsasca.cert -alias wso2wsasca -keystore wsas\wso2wsas.jks
[SAMPLE]\>keytool -import -file wsas\wso2wsas.cert -alias wso2wsas -keystore wsas\wso2wsas.jks
That's it and we are done.
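The whole procedure above as a bash script, added here as an example; it is not the original post's commands. It runs the same OpenSSL and keytool operations, but writes a minimal openssl config of its own instead of copying openssl.cfg and demoCA/serial, uses 2048-bit RSA and SHA-256, gives the CA certificate an explicit lifetime, and finishes with openssl verify so you can see the signed certificate really chains to the CA. It assumes openssl is on the PATH (Git Bash on Windows works); keytool is optional and the JKS part is skipped without it. The subject names, file names and the "changeit" passwords are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not the post's own commands. Assumes openssl in PATH;
# keytool optional. Names and passwords below are placeholders.
set -eu

CA_PASS="${CA_PASS:-changeit}"     # placeholder CA key passphrase
JKS_PASS="${JKS_PASS:-changeit}"   # placeholder keystore password

# Lay out <dir>/ca and <dir>/wsas, write the config the post edits by hand,
# and create the CA private key plus its self-signed certificate (PEM).
make_ca() {                          # make_ca <dir>
  local s="$1"
  mkdir -p "$s/ca/certs" "$s/ca/crl" "$s/ca/newcerts" "$s/ca/private" "$s/wsas"
  : > "$s/ca/index.txt"              # empty database; openssl ca needs it
  echo 01 > "$s/ca/serial"           # next serial (replaces demoCA/serial)
  cat > "$s/openssl.cfg" <<'EOF'
[ ca ]
default_ca = WSO2WSAS_CA
[ WSO2WSAS_CA ]
dir             = ./ca
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate     = $dir/cacert.pem
serial          = $dir/serial
private_key     = $dir/private/cakey.pem
x509_extensions = usr_cert
default_days    = 365
default_md      = sha256
# allow a renewal for the same subject instead of erroring out
unique_subject  = no
policy          = policy_anything
[ policy_anything ]
organizationName = optional
commonName       = supplied
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF
  ( cd "$s" && openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 \
        -subj "/O=Example/CN=WSO2WSAS Demo CA" -extensions v3_ca \
        -passout "pass:$CA_PASS" -keyout ca/private/cakey.pem \
        -out ca/cacert.pem -config openssl.cfg )
}

# CA signs a PEM CSR; -batch replaces the interactive confirmations.
# CSR/output paths are relative to <dir> because the config says dir = ./ca.
sign_csr() {                         # sign_csr <dir> <csr> <out_pem>
  ( cd "$1" && openssl ca -batch -notext -config openssl.cfg \
        -passin "pass:$CA_PASS" -in "$2" -out "$3" )
}

to_der() { openssl x509 -outform DER -in "$1" -out "$2"; }   # <pem> <der>

# Does the issued cert chain to this CA? keytool runs the same check before
# it accepts a certificate reply. Exit status 0 means yes.
verify_chain() { openssl verify -CAfile "$1/ca/cacert.pem" "$2" >/dev/null; }

# Server side with OpenSSL only: key pair and CSR, then sign, convert, verify.
demo_openssl() {                     # demo_openssl <dir>
  local s="$1"
  make_ca "$s"
  ( cd "$s" && openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example/CN=wsas.example.test" \
        -keyout wsas/server.key -out wsas/server.csr -config openssl.cfg )
  sign_csr "$s" wsas/server.csr wsas/server.pem
  to_der "$s/wsas/server.pem" "$s/wsas/server.cert"
  verify_chain "$s" "$s/wsas/server.pem"
}

# Same flow with the key kept in a JKS, as the post does. Call after make_ca
# or demo_openssl; returns 0 without doing anything if keytool is missing.
demo_keytool() {                     # demo_keytool <dir>
  local s="$1" ks="wsas/wso2wsas.jks"
  command -v keytool >/dev/null || { echo "keytool not found; skipping"; return 0; }
  ( cd "$s" \
    && keytool -genkeypair -alias wso2wsas -keyalg RSA -keysize 2048 -storetype JKS \
         -dname "CN=wsas.example.test, O=Example" -keystore "$ks" \
         -storepass "$JKS_PASS" -keypass "$JKS_PASS" \
    && keytool -certreq -alias wso2wsas -keystore "$ks" -storepass "$JKS_PASS" \
         -file wsas/wso2wsas.cert.req )
  sign_csr "$s" wsas/wso2wsas.cert.req wsas/wso2wsas.pem
  to_der "$s/wsas/wso2wsas.pem" "$s/wsas/wso2wsas.cert"
  to_der "$s/ca/cacert.pem"      "$s/wsas/wso2wsasca.cert"
  # CA cert first: the reply is only accepted once its issuer is trusted.
  ( cd "$s" \
    && keytool -importcert -noprompt -alias wso2wsasca -file wsas/wso2wsasca.cert \
         -keystore "$ks" -storepass "$JKS_PASS" \
    && keytool -importcert -alias wso2wsas -file wsas/wso2wsas.cert \
         -keystore "$ks" -storepass "$JKS_PASS" )
}

if [ "${1:-}" = "run" ]; then        # usage: ./ca_demo.sh run [dir]
  demo_openssl "${2:-./sample}"
  demo_keytool "${2:-./sample}"
fi
```

Run it as ./ca_demo.sh run C:/sample and you get the same files the post produces (ca\cacert.pem, wsas\wso2wsas.pem, wsas\wso2wsas.cert, wsas\wso2wsasca.cert and the populated wsas\wso2wsas.jks), plus a verify step that fails loudly if the CA config and the signed certificate do not agree. Keep the CA key encrypted and offline once you are past the demo stage; the passphrase-in-environment shortcut is for scripting only.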