...
- Generate an Apple Push Notification Service (APNS) certificate.
Make a copy of the
openssl.cnf
file and , move it to another location and edit the following:
The Certificate Authority (CA) and Registration Authority (RA) certificates should be created as version 3 certificates. This step is carried out for the latter mentioned purpose.Code Block [ v3_req ] # Extensions to add to a certificate request basicConstraints=CA:TRUE keyUsage = Digital Signature, Key Encipherment [ v3_ca ] # Extensions for a typical CA # PKIX recommendation. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer # This is what PKIX recommends but some broken software chokes on critical # extensions. basicConstraints = critical,CA:true # So we do this instead. #basicConstraints = CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best # left out by default. keyUsage = Digital Signature, Certificate Sign, CRL Sign
Generate a self signed Certificate Authority (CA) certificate (version 3) and convert the certificate to to the
.pem
format using the following commands:Info It is assumed that the script is executed from the location where the modified
openssl.cnf
file was saved.openssl genrsa -out <CA PRIVATE KEY> 4096
For example:openssl genrsa -out ca_private.key 4096
openssl req -new -key <CA PRIVATE KEY> -out <CA CSR>
For example:openssl req -new -key ca_private.key -out ca.csr
openssl x509 -req -days <DAYS> -in <CA CSR> -signkey <CA PRIVATE KEY> -out <CA CRT> -extensions v3_ca -extfile <PATH-TO-MODIFIED-openssl.cnf-FILE>
For example:openssl x509 -req -days 365 -in ca.csr -signkey ca_private.key -out ca.crt -extensions v3_ca -extfile ./openssl.cnf
openssl rsa -in <CA PRIVATE KEY> -text > <CA PRIVATE PEM>
For example:openssl rsa -in ca_private.key -text > ca_private.pem
openssl x509 -in <CA CRT> -out <CA CERT PEM>
For example:openssl x509 -in ca.crt -out ca_cert.pem
Generate a Registration Authority (RA) certificate (version 3), sign it with the CA and convert the certificate to to the
.pem
format using the following commands:Info It is assumed that the script is executed from the location where the modified
openssl.cnf
file was saved.openssl genrsa -out <RA PRIVATE KEY> 4096
For example:openssl genrsa -out ra_private.key 4096
openssl req -new -key <RA PRIVATE KEY> -out <RA CSR>
For example:openssl req -new -key ra_private.key -out ra.csr
openssl x509 -req -days <DAYS> -in <RA CSR> -CA <CA CRT> -CAkey <CA PRIVATE KEY> -set_serial <SERIAL NO> -out <RA CRT> -extensions v3_req -extfile <PATH-TO-MODIFIED- openssl.cnf-FILE>
For example:openssl x509 -req -days 365 -in ra.csr -CA ca.crt -CAkey ca_private.key -set_serial 02 -out ra.crt -extensions v3_req -extfile ./openssl.cnf
openssl rsa -in <CA PRIVATE KEY> -text> <RA PRIVATE PEM>
For example:openssl rsa -in ra_private.key -text > ra_private.pem
openssl x509 -in <RA CRT> -out <RA CERT PEM>
For example:openssl x509 -in ra.crt -out ra_cert.pem
Generate the SSL certificate (version 3) based on your domain/IP address:
Info Your domain/IP address needs to be added as the Common Name, otherwise provisioning will fail.
- Generate a RSA key.
openssl genrsa -out <RSA_key>.key 4096
For example:
openssl genrsa -out ia.key 4096
- Generate a CSR file.
openssl req -new -key <RSA_key>.key -out <CSR>.csr
For example:
openssl req -new -key ia.key -out ia.csr
Enter your server IP address/domain name (e.g., 192.168.1.157) as the Common Name else provisioning will fail. - Generate the SSL certificate
openssl x509 -req -days 730 -in <CSR>.csr -CA ca_cert.pem -CAkey ca_private.pem -set_serial <serial number> -out ia.crt
For example:
openssl x509 -req -days 730 -in ia.csr -CA ca_cert.pem -CAkey ca_private.pem -set_serial 044324343 -out ia.crt
- Generate a RSA key.
Export the SSL, CA and RA files as PKCS12 files with an alias.
Export the SSL file as a PKCS12 file with an "
wso2carbo
n" as the alias.
openssl pkcs12 -export -out <KEYSTORE>.p12 -inkey <RSA_key>.key -in ia.crt -CAfile ca_cert.pem -name "<alias>"
For example:
openssl pkcs12 -export -out KEYSTORE.p12 -inkey ia.key -in ia.crt -CAfile ca_cert.pem -name "wso2carbon"
- Export the CA file as a PKCS12 file with an alias.
openssl pkcs12 -export -out <CA>.p12 -inkey <CA private key>.pem -in <CA Cert>.pem -name "<alias>"
For example:
openssl pkcs12 -export -out ca.p12 -inkey ca_private.pem -in ca_cert.pem -name "cacert"
In the above example,cacert
has been used as the CA alias. - Export the RA file as a PKCS12 file with an alias.
openssl pkcs12 -export -out <RA>.p12 -inkey <RA private key>.pem -in <RA Cert>.pem -chain -CAfile <CA cert>.pem -name "<alias>"
For example:
openssl pkcs12 -export -out ra.p12 -inkey ra_private.pem -in ra_cert.pem -chain -CAfile ca_cert.pem -name "racert"
In the above example,racert
has been used as the RA alias.
- Copy the three P12 extension files to the
<EMM_HOME>/repository/resources/security
directory. - Import the generated P12 extension files as follows:
Import the generated
<KEYSTORE>.p12
file into thewso2carbon.jks
andclient-truststore.jks
in the<EMM_HOME>/repository/resources/security
directory.
keytool -importkeystore -srckeystore <KEYSTORE>.p12 -srcstoretype PKCS12 -destkeystore <wso2carbon.jks/client-truststore.jks>
Info Ensure to enter the keystore password and keystore key password as password as
wso2carbon
For example:
keytool -importkeystore -srckeystore KEYSTORE.p12 -srcstoretype PKCS12 -destkeystore wso2carbon.jks
keytool -importkeystore -srckeystore KEYSTORE.p12 -srcstoretype PKCS12 -destkeystore client-truststore.jks
Import the generated
<CA>.p12
and<RA>.p12
files into thewso2EMM.jks
in the<EMM_HOME>/repository/resources/security
directorysecurity
directory.
keytool -importkeystore -srckeystore <CA/RA>.p12 -srcstoretype PKCS12 -destkeystore wso2mdm.jks
For example:
keytool -importkeystore -srckeystore ca.p12 -srcstoretype PKCS12 -destkeystore wso2mdm.jks
Enter the keystore password aswso2carbon
and the keystore key password ascacert
.keytool -importkeystore -srckeystore ra.p12 -srcstoretype PKCS12 -destkeystore wso2mdm.jks
Enter the keystore password aswso2carbon
and the keystore key password as
.racert
Info title Troubleshooting Excerpt Why does the following error occur:
"
keytool error: java.io.IOException: Invalid keystore format"
?If you enter the wrong private key password when importing the
<CA>.p12
or<RA>.p12
filesp12
files, thewso2emm.jks
file will get corrupted and the above error message will appear.In such a situation, delete the
wso2emm.jks
file and execute the following command to import the generated<CA>.p12
and<RA>.p12
files into thewso2emm.jks
file again.
keytool -importkeystore -srckeystore <CA/RA>.p12 -srcstoretype PKCS12 -destkeystore wso2emm.jks
When the above command is executed, WSO2 EMM will automatically create a newwso2emm.jks
file with the imported file.
...