...

A typical keystore after importing all the certs in would look like this (assuming that the downstream site is called "acttestshrine.harvardshrineexample.netedu"):

```text
Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

acttestshrine.harvardshrineexample.netedu, Oct 31, 2018, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 26:0B:FE:98:21:BA:C8:5A:A5:F5:35:79:8E:81:1A:E9:F4:3B:FF:56

shrine-act-test-ca, Jul 31, 2019, trustedCertEntry, 
Certificate fingerprint (SHA1): 13:4D:B5:5C:E3:48:A0:7B:9B:20:22:8B:0B:C1:BE:DD:B9:E4:1B:AD

shrine-act-test.hms.harvard.edu, Jul 31, 2019, trustedCertEntry, 
Certificate fingerprint (SHA1): 52:82:A0:6D:D1:48:B2:EA:BB:2C:58:BD:E5:C7:3B:21:75:2B:46:F6
```

...

```hocon
keystore {
  file = "/opt/shrine/shrine.keystore"
  password = "xxxxxx"
  privateKeyAlias = "acttestshrine.harvardshrineexample.netedu"
  keyStoreType = "JKS"
  caCertAliases = ["shrine-act-test-ca"]
}
```

...

```xml
<Connector port="6443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/opt/shrine/shrine.keystore"
           keystorePass="xxxxxx"
           keyAlias="acttestshrine.harvardshrineexample.netedu"/>
```
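The keystore listing, the shrine.conf keystore block and the Tomcat connector above all have to agree on the same aliases, and a mismatch (for example a CA alias that was imported as the wrong entry type, or a Tomcat keyAlias that differs from privateKeyAlias) only shows up as an opaque TLS failure at start-up. The following added check is not part of the SHRINE documentation or code base: it parses the `keytool -list` output in the exact format shown above (the sample text is the listing from this page, embedded as a constructed input) and verifies that privateKeyAlias is a PrivateKeyEntry, that every caCertAliases entry is a trustedCertEntry, and that the Tomcat keyAlias matches.

```python
import re

# Constructed sample input: the `keytool -list` output shown on this page.
KEYTOOL_LISTING = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

acttestshrine.harvardshrineexample.netedu, Oct 31, 2018, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 26:0B:FE:98:21:BA:C8:5A:A5:F5:35:79:8E:81:1A:E9:F4:3B:FF:56

shrine-act-test-ca, Jul 31, 2019, trustedCertEntry, 
Certificate fingerprint (SHA1): 13:4D:B5:5C:E3:48:A0:7B:9B:20:22:8B:0B:C1:BE:DD:B9:E4:1B:AD

shrine-act-test.hms.harvard.edu, Jul 31, 2019, trustedCertEntry, 
Certificate fingerprint (SHA1): 52:82:A0:6D:D1:48:B2:EA:BB:2C:58:BD:E5:C7:3B:21:75:2B:46:F6
"""

# The date itself contains a comma, so the entry kind is matched explicitly and the date lazily.
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+), (?P<date>.+?), (?P<kind>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),\s*$")
FP_RE = re.compile(r"^Certificate fingerprint \((?P<algo>\w+)\): (?P<fp>[0-9A-F:]+)$")

def parse_keytool_list(text):
    """Map alias -> {kind, date, fingerprint} from `keytool -list` output."""
    entries, current = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = m.group("alias")
            entries[current] = {"kind": m.group("kind"), "date": m.group("date"), "fingerprint": None}
            continue
        m = FP_RE.match(line)
        if m and current:  # fingerprint line belongs to the most recent alias
            entries[current]["fingerprint"] = m.group("fp")
    return entries

def check_keystore_config(entries, private_key_alias, ca_cert_aliases, tomcat_key_alias):
    """Return a list of problems; empty means keystore, shrine.conf and Tomcat agree."""
    problems = []
    pk = entries.get(private_key_alias)
    if pk is None or pk["kind"] != "PrivateKeyEntry":
        problems.append(f"privateKeyAlias '{private_key_alias}' is not a PrivateKeyEntry in the keystore")
    for alias in ca_cert_aliases:
        ca = entries.get(alias)
        if ca is None or ca["kind"] != "trustedCertEntry":
            problems.append(f"caCertAlias '{alias}' is not a trustedCertEntry in the keystore")
    if tomcat_key_alias != private_key_alias:
        problems.append("Tomcat keyAlias differs from the shrine.conf privateKeyAlias")
    return problems
```

On a real host, feed it the output of `keytool -list -keystore /opt/shrine/shrine.keystore` and the alias values from shrine.conf and server.xml.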


One drawback when using the above approach is that a web browser attempting to access a shrine host whose certificates have been configured this way will generate a warning.  The reason for the warning is that, by default, the browser does not trust the CA that is used to generate the downstream certificate, because none of the ACT CAs are public.  Consequently, any certificate that the CA signs is not trusted by the browser.  While the browser can be configured to ignore the warning and the CA can be manually imported into the browser's trust store, some downstream sites may opt for a more elegant approach.  Indeed, the option of using a third-party-signed certificate provides a more seamless user experience in the web browser, because the root and intermediate CAs are already trusted by the browser.

...

```bash
$ keytool -importkeystore -srckeystore shrine.keystore -srcstorepass <source_keystore_password> -srcalias <source_alias>shrine.example.edu -destalias <destination_alias>shrine.example.edu -destkeystore shrine.keystore.p12 -deststoretype PKCS12 -deststorepass <destination_keystore_password>
$ openssl pkcs12 -in shrine.keystore.p12 -nodes -nocerts -out private_key.pem
```

...

```bash
$ openssl pkcs12 -export -in <certificates_file> -inkey private_key.pem -out <pkcs12_file> -name <source_entry_alias>shrine.example.edu -CAfile <ca_certificate> -chain -password pass:<password>
```

...