This is a continuation of my previous blog post where I explained the theoretical background of SSL certificates. Now let's generate the certificates for your website. Here I am going to generate a wildcard certificate and import it into the key store and the client trust-store of an API gateway (WSO2 API Manager).
1) If a self-signed certificate is enough (test setups, or clients that are configured to trust this one certificate), you can generate the key and the certificate in one step with the command below. Two caveats: -nodes leaves the private key unencrypted on disk, so restrict its file permissions; and browsers validate the host name against the subjectAltName extension rather than the CN, so add one (the -addext option on OpenSSL 1.1.1 and newer, or an extensions section in a config file) if a browser will ever talk to the gateway directly.
> openssl req -x509 -nodes -days 500 -newkey rsa:2048 -keyout wildlife.key -out wildlife.crt
If you need an internal CA-signed certificate, first create a CSR and share it with the CA to get the signed certificate. The same subjectAltName consideration applies: put the names into the CSR, otherwise the CA has to add them.
> openssl req -new -newkey rsa:2048 -nodes -keyout wildlife.key -out wildlife.csr
You will need to enter some information specific to your web service in the above commands, for example:
EMAILADDRESS=firstname.lastname@example.org, CN=*.wildlife.com, OU=dev, O=Danuka, L=Colombo, ST=Western, C=LK (C is the two-letter ISO 3166 country code)
CSR: a file that contains your public key and the subject data that describes your service, signed with your private key to prove you hold it. The CSR generated by the above command is shared with the CA, who reviews it and issues a certificate carrying the same data plus the CA's own digital signature.
2) If the CA returned the certificate as a PKCS#7 bundle (.p7b) rather than as a PEM .crt file, convert it with the command below. The output contains every certificate in the bundle, so any intermediate certificates come out with it; if the file is binary rather than Base64, add -inform DER.
> openssl pkcs7 -print_certs -in Base64.p7b -out wildlife.crt
3) Now let's export the certificate and key to PKCS#12/PFX format. Give your certificate a strong password. Here I am using the default password of WSO2 APIM, 'wso2carbon'. Change it for any real deployment and update the keystore password in the server configuration to match. For a CA-signed certificate, also pass the intermediate certificates with -certfile so that the gateway later serves the full chain.
> openssl pkcs12 -export -in wildlife.crt -inkey wildlife.key -name "wso2carbon" -out wildlife.pfx
4) Then generate a new key store for your WSO2 APIM from the PFX file. The alias set with -name above ('wso2carbon') is carried over, which is the alias the server expects.
> keytool -importkeystore -srckeystore wildlife.pfx -srcstoretype pkcs12 -destkeystore wso2carbon.jks -deststoretype JKS
5) Now export the certificate (the public half of the pair, never the private key) in PEM form. Without -rfc keytool writes DER, which keytool can still import but other tools will not read as PEM, so the .pem name would be misleading.
> keytool -export -rfc -alias wso2carbon -keystore wso2carbon.jks -file wildlife.pem
6) Finally, import the certificate into a new client trust-store
> keytool -import -alias wso2carbon -file wildlife.pem -keystore client-truststore.jks
Enter keystore password: wso2carbon
Trust this certificate? [no]: yes
Now you should have the following files in your directory: wildlife.key, wildlife.csr (CA-signed case only), wildlife.crt, wildlife.pfx, wso2carbon.jks, wildlife.pem and client-truststore.jks. The two .jks files are the ones WSO2 APIM uses.
Below are some useful commands to verify your certificate files.
Check the certificate file
> openssl x509 -in wildlife.crt -text -noout
Check the key file
> openssl rsa -in wildlife.key -check
Check the CSR file
> openssl req -text -noout -verify -in wildlife.csr
Verify that your certificate matches your key file (the two digests must be identical; the same -modulus option works on the CSR via openssl req)
> openssl x509 -noout -modulus -in wildlife.crt| openssl md5
> openssl rsa -noout -modulus -in wildlife.key| openssl md5
Check which certificates are in a Java key-store
> keytool -list -v -keystore wso2carbon.jks
Generating a single PEM file (certificate plus unencrypted key) from the key files via PKCS#12
> openssl pkcs12 -export -in wildlife.crt -inkey wildlife.key -out wildlife.p12
> openssl pkcs12 -in wildlife.p12 -nodes -out wildlife.pem
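The whole procedure above (steps 1 to 6) together with the verification commands, as an added example that is not part of the original post: a POSIX shell script whose functions generate the self-signed wildcard certificate with a subjectAltName, build the PKCS#12 bundle, convert a .p7b back to PEM (detecting Base64 versus binary DER), check that key and certificate share a modulus, and, when a JDK is available, build the WSO2 key store and client trust-store. The domain, the subject fields and the 'wso2carbon' alias and password are the post's sample values; the openssl.cnf layout, the function names and the RUN_EXAMPLE switch are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl on PATH and,
# only for build_java_stores, a JDK providing keytool. Sample values
# (wildlife.com, 'wso2carbon') are the post's; replace them for real use.
set -eu

# Step 1 (self-signed variant): key + wildcard certificate that also carries
# a subjectAltName, which browsers check instead of the CN.
# Arguments: output directory, base domain, PKCS#12 password.
make_wildcard_cert() {
  dir=$1; domain=$2; pass=$3
  mkdir -p "$dir"
  cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
C = LK
ST = Western
L = Colombo
O = Danuka
OU = dev
CN = *.$domain
[v3_server]
subjectAltName = DNS:*.$domain, DNS:$domain
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -nodes -days 500 -newkey rsa:2048 -config "$dir/openssl.cnf" \
    -keyout "$dir/wildlife.key" -out "$dir/wildlife.crt"
  chmod 600 "$dir/wildlife.key"   # -nodes leaves the key unencrypted on disk
  # Step 3: bundle cert + key; -name sets the alias the WSO2 key store expects.
  openssl pkcs12 -export -in "$dir/wildlife.crt" -inkey "$dir/wildlife.key" \
    -name wso2carbon -passout "pass:$pass" -out "$dir/wildlife.pfx"
}

# Step 2: a CA may hand back a PKCS#7 bundle as Base64 (PEM) or binary DER;
# detect which and write the contained certificates as PEM.
# Arguments: input .p7b, output .crt.
p7b_to_pem() {
  if grep -q 'BEGIN PKCS7' "$1"; then inform=PEM; else inform=DER; fi
  openssl pkcs7 -inform "$inform" -print_certs -in "$1" -out "$2"
}

# Verification from the post: certificate and key must share the RSA modulus.
key_matches_cert() {
  c=$(openssl x509 -noout -modulus -in "$1/wildlife.crt" | openssl sha256)
  k=$(openssl rsa -noout -modulus -in "$1/wildlife.key" | openssl sha256)
  [ "$c" = "$k" ]
}

# The SAN must list the wildcard; a CN-only certificate fails this check.
cert_has_san() {
  openssl x509 -noout -text -in "$1/wildlife.crt" | grep -q "DNS:\*\.$2"
}

# Steps 4 to 6 with keytool: -rfc makes the exported certificate real PEM,
# -noprompt replaces the interactive "Trust this certificate? yes".
build_java_stores() {
  dir=$1; pass=$2
  keytool -importkeystore -srckeystore "$dir/wildlife.pfx" -srcstoretype PKCS12 \
    -srcstorepass "$pass" -destkeystore "$dir/wso2carbon.jks" -deststoretype JKS \
    -deststorepass "$pass" -noprompt
  keytool -export -rfc -alias wso2carbon -keystore "$dir/wso2carbon.jks" \
    -storepass "$pass" -file "$dir/wildlife.pem"
  keytool -import -noprompt -alias wso2carbon -file "$dir/wildlife.pem" \
    -keystore "$dir/client-truststore.jks" -storepass "$pass"
}

# Round trip for p7b_to_pem without a CA: wrap our own cert into a .p7b.
# Returns 0 when exactly one certificate comes back out.
p7b_roundtrip() {
  openssl crl2pkcs7 -nocrl -certfile "$1/wildlife.crt" -out "$1/wildlife.p7b"
  p7b_to_pem "$1/wildlife.p7b" "$1/from_p7b.crt"
  [ "$(grep -c 'BEGIN CERTIFICATE' "$1/from_p7b.crt")" = 1 ]
}

# Run with: RUN_EXAMPLE=1 sh certs.sh
if [ "${RUN_EXAMPLE:-}" = 1 ]; then
  make_wildcard_cert out wildlife.com wso2carbon
  key_matches_cert out && cert_has_san out wildlife.com && p7b_roundtrip out \
    && echo "certificate, key and bundle are consistent"
  command -v keytool >/dev/null 2>&1 && build_java_stores out wso2carbon
fi
```

The config-file route for the extensions works on OpenSSL releases older than 1.1.1 as well as on 3.x; on 1.1.1 and later the same subjectAltName can be passed with -addext instead. For a CA-signed deployment, replace make_wildcard_cert's -x509 step with the CSR command from the post and add -certfile with the CA's intermediates to the pkcs12 export.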
How can you install an SSL certificate?
- Host your website on a server that can present the certificate (a dedicated IP address is only needed for clients that do not support SNI)
- Buy a certificate
- Activate the certificate
- Install the certificate
- Update your site to use HTTPS
If you applied the certificate successfully, you should be able to reach your service over https:// on any host name covered by the wildcard, with the browser reporting the certificate as trusted (for a self-signed or internal-CA certificate, only after that certificate or CA has been added to the client's trust store).