Let’s create your SSl Certificate

This is a continuation of my previous blog post where I explained the theoretical background of SSL certificates. So now let’s generate the certificates to your website. Here I am going to generate a wild card certificate and import it to the key store and the client trust-store for an API gateway.

1) If you need to generate a Self-signed certificate, then you can directly generate the certificate and key file using the below command.

> openssl req -x509 -nodes -days 500 -newkey rsa:2048 -keyout wildlife.key -out wildlife.crt

If you need to create a internal CA signed certificate, then first you should create a CSR and share it with the CA to get the signed certificate.

> openssl req -new -newkey rsa:2048 -nodes -keyout wildlife.key -out wildlife.csr

You will need to enter some information specific to your web service in the above commands.

Eg : EMAILADDRESS=support@wildlife.com, CN=*.wildlife.com, OU=dev, O=Danuka, L=Colombo, ST=Western, C=SL

Sample certificate generation command execution

CSR- A file that contains your public key and the data that describes your service. The CSR generated from the above command should be shared with the CA who will then review the CSR you submit and issue a certificate, which is usually the same data as in the CSR plus CA’s own digital signature.

2) If you received the CA signed certificate other than in crt ( p7b) format, we have to convert in to crt. For that use the below command.

> openssl pkcs7 -print_certs -in Base64.p7b -out wildlife.crt

3) Now let’s export certificate to the PKCS12/PFX format. Give a strong passwords for your certificate. Here I am using the default password of WSO2 APIM, ‘wso2carbon’

> openssl pkcs12 -export -in wildlife.crt -inkey wildlife.key -name "wso2carbon" -out wildlife.pfx

4) Then generate a new key store for your WSO2 APIM using the previously generated PFX file.

> keytool -importkeystore -srckeystore wildlife.pfx -srcstoretype pkcs12 -destkeystore wso2carbon.jks -deststoretype JKS

Generating the key store

5) Now export the public key

> keytool -export -alias wso2carbon -keystore wso2carbon.jks -file wildlife.pem

5) Finally import the public key and generate the client trust-store

> keytool -import -alias wso2carbon -file wildlife.pem -keystore client-truststore.jks
Enter keystore password: wso2carbon
Trust this certificate? [no]: yes

Generation of the client trust-store

Now you should have generated all below files in your directory,

All the certificate files generated from above commands

Below are some useful commands to verify your certificate files.

Check the certificate file

> openssl x509 -in wildlife.crt -text -noout

Check the key file

> openssl rsa -in wildlife.key -check

Check the CSR file

> openssl req -text -noout -verify -in wildlife.csr

Verify whether your certificate match with your key file

> openssl x509 -noout -modulus -in wildlife.crt| openssl md5
> openssl rsa -noout -modulus -in wildlife.key| openssl md5

Check which certificates are in a Java key-store

> keytool -list -v -keystore wso2carbon.jks

Generating a pem file from key files

> openssl pkcs12 -export -in wildlife.crt -inkey wildlife.key -out hostname.p12
> openssl pkcs12 -in wildlife.p12 -nodes -out wildlife.pem

How Can you install a SSL Certificate?

1. Host your website with a dedicated IP address
2. Buy a certificate
3. Activate the certificate
4. Install the certificate
5. Update your site to use HTTPS

If you applied the certificate successfully on your website, then you should be able to access your service securely with the URL as in below example.

https secured website

Thank you!