Adding CA (Certificate Authority) Signed Certificate to WSO2 Products
- Amila Jayasekara
- Research Assistant - WSO2
Introduction
By default, WSO2 products come with a self-signed certificate. This knowledge base article describes how to install a CA-signed certificate into WSO2 products.
The main key store used by WSO2 products can be found in the ${carbon.home}/repository/resources/security directory.
There you will find two certificate stores.
- wso2carbon.jks – This is the default JKS used by WSO2 products.
- client-truststore.jks – This is the trust store used by WSO2 products. This is where WSO2 products look up all trusted certificates.
To create a CA-signed certificate you need to follow the steps given below:
- Create a key and a certificate
- Create a certificate request
- Install CA signed certificate
- Change configurations
The following sections explain these steps in detail.
1. Create a key and a certificate
To generate a keystore and a key pair you can use Java Key tool [1].
E.g.:
amila@aj:~$ keytool -genkey -alias wso2carbon -keyalg RSA -keystore wso2carbon.jks -keysize 2048
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Amila Jayasekara
What is the name of your organizational unit?
  [Unknown]:  ENGINEERING
What is the name of your organization?
  [Unknown]:  WSO2
What is the name of your City or Locality?
  [Unknown]:  Colombo
What is the name of your State or Province?
  [Unknown]:  Western
What is the two-letter country code for this unit?
  [Unknown]:  LK
Is CN=Amila Jayasekara, OU=ENGINEERING, O=WSO2, L=Colombo, ST=Western, C=LK correct?
  [no]:  yes
Enter key password for <wso2carbon>
	(RETURN if same as keystore password):
2. Create a certificate request
In order for the CA to sign the request, we need to create a "certificate signing request" (CSR). For that, too, we can use the Java keytool. After creating the CSR we submit it to the CA, which signs the certificate. Check which CSR format the CA expects; consult the CA's documentation for details.
An example CSR can be generated as follows,
amila@aj:~$ keytool -certreq -alias wso2carbon -keyalg RSA -keystore wso2carbon.jks -storepass wso2carbon
The command prints the PEM-encoded request to standard output, between a BEGIN NEW CERTIFICATE REQUEST line and an END NEW CERTIFICATE REQUEST line (the base64 body is omitted here); add -file [PATH_TO_CSR] to write it to a file instead.
Submit the certificate request created above to the CA.
3. Install CA signed certificate
After submitting the CSR, you will receive a signed certificate. Now you need to import
this certificate into the keystore. Note that you might have to import any intermediate certificates that
might have been used to sign your certificate, before you can import your signed certificate. The
following command shows how an import could be performed.
E.g.:
> keytool -importcert -alias wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -file [PATH_TO_SAVED_CERTIFICATE]
Now copy the JKS file created above to the ${carbon.home}/repository/resources/security directory (replacing the existing wso2carbon.jks if there is one).
You also need to import the signed certificate into client-truststore.jks, which resides in the ${carbon.home}/repository/resources/security directory. To import the CA-signed certificate into the trust store, execute the following command:
> keytool -importcert -alias wso2carbon -keystore client-truststore.jks -storepass wso2carbon -file [PATH_TO_SAVED_CERTIFICATE]
Run the above command from within the ${carbon.home}/repository/resources/security directory.
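As a check after the import (added here; not part of the original article), the following Python parses the output of keytool -list -v -keystore wso2carbon.jks and confirms that the wso2carbon alias now holds a private key with a complete CA chain, rather than the shipped self-signed certificate or a broken chain with a missing intermediate. The sample listing and the CA names in it are constructed.

```python
import re
# Constructed sample of `keytool -list -v` output after the CA reply import; CA names are placeholders.
SAMPLE_LISTING = """\
Alias name: wso2carbon
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=Amila Jayasekara, OU=ENGINEERING, O=WSO2, L=Colombo, ST=Western, C=LK
Issuer: CN=Example Intermediate CA, O=Example CA, C=LK
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA, C=LK
Issuer: CN=Example Root CA, O=Example CA, C=LK
Certificate[3]:
Owner: CN=Example Root CA, O=Example CA, C=LK
Issuer: CN=Example Root CA, O=Example CA, C=LK

*******************************************
Alias name: exampleca
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example CA, C=LK
Issuer: CN=Example Root CA, O=Example CA, C=LK
"""

def parse_entries(listing):
    """Map alias -> {"type": entry type, "chain": [(owner, issuer), ...]}."""
    entries = {}
    for block in re.split(r"^Alias name: ", listing, flags=re.M)[1:]:
        alias, body = block.split("\n", 1)
        etype = re.search(r"^Entry type: (\S+)", body, re.M).group(1)
        owners = re.findall(r"^Owner: (.*)$", body, re.M)
        issuers = re.findall(r"^Issuer: (.*)$", body, re.M)
        entries[alias.strip()] = {"type": etype, "chain": list(zip(owners, issuers))}
    return entries

def check_ca_signed(listing, alias="wso2carbon"):
    """(ok, reason): private key entry, leaf not self-signed, each certificate
    issued by the next one in the chain, chain ending at a self-signed root."""
    entry = parse_entries(listing).get(alias)
    if entry is None or entry["type"] != "PrivateKeyEntry":
        return False, "no PrivateKeyEntry under alias %s" % alias
    chain = entry["chain"]
    if chain[0][0] == chain[0][1]:
        return False, "leaf certificate is still self-signed"
    for (_, issuer), (next_owner, _) in zip(chain, chain[1:]):
        if issuer != next_owner:
            return False, "chain broken at issuer %s" % issuer
    if chain[-1][0] != chain[-1][1]:
        return False, "chain does not end at a self-signed root"
    return True, "%d-certificate chain, leaf issued by %s" % (len(chain), chain[0][1])
```

If the import is done under a new alias instead of wso2carbon, keytool stores the certificate as a separate trustedCertEntry and the private key keeps its self-signed certificate, which this check reports.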
4. Change configurations
Usually when we create a new certificate we also change the default JKS password. If the default JKS password is changed, the configuration changes given below are required.
Replace the wso2carbon password values shown below with the new password.
a. ${carbon.home}/repository/conf/carbon.xml
Locate the Security/KeyStore tag:
<KeyStore>
    <!-- Keystore file location-->
    <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
    <Type>JKS</Type>
    <!-- Keystore password-->
    <Password>wso2carbon</Password>
    <!-- Private Key alias-->
    <KeyAlias>wso2carbon</KeyAlias>
    <!-- Private Key password-->
    <KeyPassword>wso2carbon</KeyPassword>
</KeyStore>
b. ${carbon.home}/repository/conf/mgt-transports.xml
<parameter name="keystorePass">wso2carbon</parameter>
c. ${carbon.home}/repository/conf/axis2.xml – This change only applies to WSO2ESB.
Change the HTTPS transport receiver configuration:
<transportReceiver name="https" class="org.apache.synapse.transport.nhttp.HttpCoreNIOSSLListener">
    .....
    .....
    <parameter name="keystore" locked="false">
        <KeyStore>
            <Location>repository/resources/security/wso2carbon.jks</Location>
            <Type>JKS</Type>
            <Password>wso2carbon</Password>
            <KeyPassword>wso2carbon</KeyPassword>
        </KeyStore>
    </parameter>
    <parameter name="truststore" locked="false">
        <TrustStore>
            <Location>repository/resources/security/client-truststore.jks</Location>
            <Type>JKS</Type>
            <Password>wso2carbon</Password>
        </TrustStore>
    </parameter>
    <!--<parameter name="SSLVerifyClient">require</parameter> supports optional|require or defaults to none -->
</transportReceiver>
Change the HTTPS transport sender configuration:
<transportSender name="https" class="org.apache.synapse.transport.nhttp.HttpCoreNIOSSLSender">
    <parameter name="nonblocking" locked="false">true</parameter>
    <parameter name="keystore" locked="false">
        <KeyStore>
            <Location>repository/resources/security/wso2carbon.jks</Location>
            <Type>JKS</Type>
            <Password>wso2carbon</Password>
            <KeyPassword>wso2carbon</KeyPassword>
        </KeyStore>
    </parameter>
    <parameter name="truststore" locked="false">
        <TrustStore>
            <Location>repository/resources/security/client-truststore.jks</Location>
            <Type>JKS</Type>
            <Password>wso2carbon</Password>
        </TrustStore>
    </parameter>
    <!--<parameter name="HostnameVerifier">DefaultAndLocalhost</parameter>-->
    <!--supports Strict|AllowAll|DefaultAndLocalhost or the default if none specified -->
</transportSender>
5. Add CA certificate as a trusted certificate
All trusted certificates reside in the repository/resources/security/client-truststore.jks file. Most of the popular CA certificates are already installed there as trusted certificates. You can list the existing trusted CA certificates with the following command:
> keytool -list -v -keystore client-truststore.jks
If you are using a CA whose certificate is not already present, you should add the CA's certificate to the repository/resources/security/client-truststore.jks file. For that, obtain the CA's certificate and install it into repository/resources/security/client-truststore.jks:
E.g.:
> keytool -importcert -alias [CA_CERT_ALIAS] -keystore client-truststore.jks -file [PATH_TO_SAVED_CERTIFICATE]
References
- The Most Common Java Keytool Keystore Commands - https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
- Certification Authority Signed Certificate - https://wso2.org/library/3002#CA_Signed_Certificate
Author
Amila Jayasekara, Tech Lead, WSO2 Inc.