Step 1: find the keystore.jks file
[root@jboss ~]# find / -iname keystore.jks
/opt/jboss/domain/configuration/security/main-loadbalancer-group/keystore.jks
Step 2: back up the keystore.jks file, and remove the old "https" entry from the keystore. This won't affect the running JBoss services until you restart them.
[root@jboss ~]# cd /opt/jboss/domain/configuration/security/main-loadbalancer-group
[root@jboss ~]# cp keystore.jks keystore.jks.bak
[root@jboss ~]# keytool -delete -keystore keystore.jks -alias https
Step 3: generate a new private key with alias of "https"
[root@jboss ~]# keytool -genkey -alias https -keyalg RSA -keystore keystore.jks -keysize 2048
Step 4: generate a certificate request for "https"
[root@jboss ~]# keytool -certreq -alias https -keystore keystore.jks -file myjbossserver.csr
Step 5: copy the certificate request to the CA server
Step 6: set up your CA config file with the SANs you want. Use this as a guide: http://apetec.com/support/GenerateSAN-CSR.htm
[ccondry@ca:~]$ sudo openssl ca -config ./myjbossserver.cnf -in myjbossserver.csr -out myjbossserver.crt
Step 7: copy the signed certificate and the CA's public certificate back to the JBoss server
Step 8: import the CA certificate (mine is ca.crt) as a trusted certificate, with the alias "myca"
[root@jboss ~]# keytool -import -trustcacerts -alias myca -file ca.crt -keystore keystore.jks
Step 9: convert the certificate to DER so that keytool can import it
[root@jboss ~]# openssl x509 -outform der -in myjbossserver.crt -out myjbossserver.der
Step 10: import the new "https" certificate, in DER format
[root@jboss ~]# keytool -import -trustcacerts -alias https -file myjbossserver.der -keystore keystore.jks
Step 11: restart your jboss server for the changes to take effect! (note your jboss service is probably not "jboss", so just replace that with your service daemon script name)
[root@jboss ~]# service jboss restart
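A check worth running on the files from Step 7 before the imports in Steps 8 to 10, as an added example that is not part of the original post: it uses openssl to confirm that the signed certificate carries the same public key as the CSR, chains to the CA certificate, and lists the SAN you asked for. The function names and the hostname argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-import checks for the certificate returned by the CA.
# File names follow the steps above; the function names are hypothetical.

# Succeeds when the certificate carries the same public key as the CSR,
# i.e. it was issued for the private key now stored under alias "https".
cert_matches_csr() {  # usage: cert_matches_csr CSR CRT
    csr_key=$(openssl req -in "$1" -noout -pubkey) || return 2
    crt_key=$(openssl x509 -in "$2" -noout -pubkey) || return 2
    [ "$csr_key" = "$crt_key" ]
}

# Succeeds when the certificate verifies against the given CA certificate.
cert_chains_to_ca() {  # usage: cert_chains_to_ca CA CRT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds when the certificate lists exactly this DNS name as a SAN.
cert_has_san() {  # usage: cert_has_san CRT HOSTNAME
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//' | grep -Fxq "DNS:$2"
}

# Runs all three checks and reports the first one that fails.
check_signed_cert() {  # usage: check_signed_cert CSR CRT CA HOSTNAME
    cert_matches_csr "$1" "$2" || { echo "public key mismatch" >&2; return 1; }
    cert_chains_to_ca "$3" "$2" || { echo "not signed by $3" >&2; return 1; }
    cert_has_san "$2" "$4" || { echo "SAN DNS:$4 missing" >&2; return 1; }
    echo "certificate OK"
}

# When called with four arguments, run the checks directly, e.g.
#   sh check.sh myjbossserver.csr myjbossserver.crt ca.crt <hostname>
if [ "$#" -eq 4 ]; then
    check_signed_cert "$@"
fi
```

A public key mismatch here means the CA signed a request made from a different key than the one generated in Step 3, and the import in Step 10 would fail or leave the alias unusable.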