Comment: Even more clarification on import process

...

keytool -import -v -alias shrine-hub-ca.pem -file shrine-hub-ca.pem -keystore shrine.keystore

...

keytool -import -v -alias shrine-hub-ca -file shrine-hub-ca.pem -keystore $KEYSTORE_FILE -storepass $KEYSTORE_PASSWORD
keytool -import -v -alias shrine-hub-https -file shrine-hub-https.pem -keystore $KEYSTORE_FILE -storepass $KEYSTORE_PASSWORD -keypass $KEYSTORE_PASSWORD
keytool -import -v -alias $KEYSTORE_ALIAS -file shrine-client-signed.pem -keystore $KEYSTORE_FILE -storepass $KEYSTORE_PASSWORD -keypass $KEYSTORE_PASSWORD -trustcacerts

Make absolutely sure the -alias value in the third and final command exactly matches the alias used for your original certificate (the one marked as PrivateKeyEntry in the keystore). Otherwise, queries will fail with signature verification errors, since the CA's signature will not be on the exact same keystore entry that SHRINE uses. Upon importing your signed certificate, the following message should appear:

...

If it does not, verify that your $KEYSTORE_ALIAS is set appropriately and that the keytool command is set to import to the correct alias. Also make sure that the CA's signing certificate was imported first; it must be present before the last command will work.

After a successful round of imports, verify the contents of the keystore with keytool -list -v -keystore $KEYSTORE_FILE. There should be at least 3 entries in the keystore:

  1. Your own PrivateKeyEntry, with an additional certificate chained to it. The "Issuer:" line should reflect information from the hub's CA, not your own.
  2. The hub's HTTPS certificate.
  3. The hub's CA signature certificate. The "Owner:" line on this should match the "Issuer:" line on your PrivateKeyEntry's certificate.
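
The three checks above can be scripted against the keytool -list -v output. The following POSIX shell function is an added example, not part of the SHRINE documentation: it assumes the aliases used in the commands on this page (shrine-hub-ca, shrine-hub-https, and a private-key alias of shrine-client standing in for $KEYSTORE_ALIAS), and SAMPLE_LISTING is a constructed, trimmed keytool listing with made-up subject names.

```shell
# Added example, not from the SHRINE documentation. Checks the output of
#   keytool -list -v -keystore "$KEYSTORE_FILE" -storepass "$KEYSTORE_PASSWORD"
# for the three entries described above. Constructed sample listing follows.
SAMPLE_LISTING='Alias name: shrine-client
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=shrine-client.example.org, O=Example Site
Issuer: CN=SHRINE Hub CA, O=Example Hub
Certificate[2]:
Owner: CN=SHRINE Hub CA, O=Example Hub
Issuer: CN=SHRINE Hub CA, O=Example Hub

Alias name: shrine-hub-https
Entry type: trustedCertEntry
Owner: CN=shrine-hub.example.org, O=Example Hub
Issuer: CN=shrine-hub.example.org, O=Example Hub

Alias name: shrine-hub-ca
Entry type: trustedCertEntry
Owner: CN=SHRINE Hub CA, O=Example Hub
Issuer: CN=SHRINE Hub CA, O=Example Hub'

# listing_field LISTING ALIAS FIELD: first FIELD value inside ALIAS's entry
listing_field() {
  printf '%s\n' "$1" | awk -v a="Alias name: $2" -v f="$3" '
    $0 == a                    { inblk = 1; next }
    /^Alias name: /            { inblk = 0 }
    inblk && index($0, f) == 1 { print substr($0, length(f) + 1); exit }'
}

# check_keystore_listing LISTING PRIVATE_KEY_ALIAS CA_ALIAS HUB_HTTPS_ALIAS
# Returns 0 only when the keystore has the layout the three points above require.
check_keystore_listing() {
  rc=0
  [ "$(listing_field "$1" "$2" 'Entry type: ')" = PrivateKeyEntry ] \
    || { echo "FAIL: $2 is not a PrivateKeyEntry (check KEYSTORE_ALIAS)"; rc=1; }
  [ "$(listing_field "$1" "$2" 'Certificate chain length: ')" = 2 ] \
    || { echo "FAIL: $2 has no CA certificate chained to it"; rc=1; }
  issuer=$(listing_field "$1" "$2" 'Issuer: ')
  ca_owner=$(listing_field "$1" "$3" 'Owner: ')
  [ -n "$ca_owner" ] && [ "$issuer" = "$ca_owner" ] \
    || { echo "FAIL: Issuer of $2 ($issuer) is not the Owner of $3 ($ca_owner)"; rc=1; }
  [ "$(listing_field "$1" "$4" 'Entry type: ')" = trustedCertEntry ] \
    || { echo "FAIL: hub HTTPS certificate $4 missing or not a trustedCertEntry"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: keystore matches the CA-signed layout"
  return "$rc"
}

check_keystore_listing "$SAMPLE_LISTING" shrine-client shrine-hub-ca shrine-hub-https
```

Against a real keystore, replace SAMPLE_LISTING with the captured output of keytool -list -v -keystore "$KEYSTORE_FILE" -storepass "$KEYSTORE_PASSWORD" and pass "$KEYSTORE_ALIAS" as the private-key alias.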

Update shrine.conf and Restart SHRINE

SHRINE must be configured to understand this type of setup, as it does not assume the presence of a CA by default. For more information on these values, consult the SHRINE Configuration File article and look up attachSigningCert and caCertAliases.

...

In all cases, add the caCertAliases option into the keystore block, and make sure that the values for privateKeyAlias and password are also set appropriately. privateKeyAlias should be the same as $KEYSTORE_ALIAS. Also note that caCertAliases is an array of values: do NOT surround it in quotation marks only; square brackets must be used.

keystore {
[...]
caCertAliases = [shrine-hub-ca]
[...]
}

Save these changes and restart SHRINE. Assuming all passwords and other values are set appropriately, SHRINE should start up successfully, and it will now trust incoming queries from any node that attaches the CA certificate to its query signature.

...