
15.2. Generate encryption keys and certificate

15.2.1. Generate a self-signed certificate with keytool

15.2.1.1. Generate a key pair

The keytool command, part of the JDK, is used to generate a new key pair. Keytool can either add the new key pair to an existing key store, or create a new key store at the same time as the key pair.
This key pair will be used to negotiate SSL encryption between the server and remote clients. The following procedure generates a key pair and stores it in a key store called localhost.keystore. You will need to make this key store available to the EJB3 invoker on the server. The key pair in our example will be saved in the key store under the alias 'ejb-ssl'. We will need this key alias, and the key pair password you supply (if any), when configuring the EJB3 Remoting connector in Create a secure remoting connector for RMI.

Procedure 15.1. Generate a new key pair and add it to the key store "localhost.keystore" in the conf directory.

This procedure generates a new key pair for SSL encryption.
  • The following command will create a key pair for use with SSL encryption (the backslashes continue the command across lines; the two passwords and SERVER_NAME are placeholders to replace):

    keytool -genkey -alias ejb-ssl -keystore localhost.keystore -storepass KEYSTORE_PASSWORD \
        -keypass EJB-SSL_KEYPAIR_PASSWORD \
        -dname "CN=SERVER_NAME,OU=QE,O=example.com,L=Brno,C=CZ"

    Result:

    A key pair will be added to the key store localhost.keystore under the alias ejb-ssl.

    The parameters for this command are explained in "keytool parameters" below.

keytool parameters

alias
An alphanumeric token used to identify the key pair within the key store. A key store can contain multiple keys, and the alias is what uniquely identifies one key pair among them, so the alias for a key pair must be unique within a key store.
keystore
The key store that will be used to store the key pair. This can be a relative or absolute file path.
storepass
The password for the key store. If the key store already exists, this must be the existing password for the key store. If the key store specified does not already exist, it will be created and this password will be the new password. This password is needed to access the key store to retrieve or store keys and certificates.
keypass
The password for the new key pair. This password must be supplied to use the key pair in the future.
dname
The identifying details of the certificate, given as a distinguished name made up of the following fields.
CN
Common Name: the name of the server. This must match the server name as returned to clients in a JNDI lookup. If a client attempts to make an SSL connection to the server using one name from JNDI, and receives a certificate with a different name, the connection will fail.
OU
Organizational Unit: the name of the organizational unit that is responsible for the server.
O
Organization: the name of the organization, sometimes expressed as a URL.
L
Location: the location of the server.
C
Country: the two-letter country code.

Note

For best security practice, store key store files on a secure file system, readable only by the owner of the JBoss Application Server process.
Note that if no key store is specified on the command line, keytool adds the key pair to a new key store called keystore in the current user's home directory. This key store file is a hidden file.

15.2.1.2. Export a self-signed certificate

Once a key pair has been generated for the server to use, a certificate must be created. Procedure 15.2, “Export a certificate” details the steps to export the certificate of the ejb-ssl key from the key store named localhost.keystore.

Procedure 15.2. Export a certificate

This procedure exports a certificate from a key store into a file.
  1. Issue the following command:

    keytool -export -alias ejb-ssl -file mycert.cer -keystore localhost.keystore

  2. Enter the key store password when prompted.

    Result:

    A certificate is exported to the file mycert.cer.
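Procedures 15.1 and 15.2 carried out as one script, added here as an example that is not part of the guide: it runs both keytool steps non-interactively, then verifies that the exported file is exactly the certificate of the ejb-ssl entry, that its CN is the server name clients will look up, and that the key store file is readable only by its owner, as the note above recommends. It assumes a JDK keytool on PATH; the function and variable names and the explicit RSA key settings are this example's own choices, and the passwords are the guide's placeholders.

```shell
#!/bin/sh
# Added helper, not from the JBoss guide: runs Procedure 15.1 and 15.2 non-interactively
# and checks the result. Assumes a JDK keytool on PATH; names, RSA settings and the
# placeholder passwords (copied from the guide) are this example's assumptions.
set -e
KEYSTORE=${KEYSTORE:-localhost.keystore}
CERT_FILE=${CERT_FILE:-mycert.cer}
KEY_ALIAS=ejb-ssl
SERVER_NAME=${SERVER_NAME:-localhost}        # must equal the name clients get from JNDI
STOREPASS=${STOREPASS:-KEYSTORE_PASSWORD}    # placeholder, replace in real use
KEYPASS=${KEYPASS:-EJB-SSL_KEYPAIR_PASSWORD} # placeholder, replace in real use

# Procedure 15.1: create the key pair (and the key store, if it does not exist yet).
# -keyalg/-keysize are explicit because some keytool versions default to DSA.
generate_keypair() {
    keytool -genkey -alias "$KEY_ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -keypass "$KEYPASS" \
        -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$SERVER_NAME,OU=QE,O=example.com,L=Brno,C=CZ"
    chmod 600 "$KEYSTORE"   # the guide's note: readable by the server's owner only
}

# Procedure 15.2: export the self-signed certificate; the private key stays in the store.
export_certificate() {
    keytool -export -alias "$KEY_ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -file "$CERT_FILE"
}

# Keep only the PEM body so keytool's version-dependent warnings cannot interfere.
pem_only() { sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'; }

# Returns 0 only if the exported file is exactly the key store entry's certificate,
# its CN is the server name, and the key store file is mode 0600.
verify_certificate() {
    from_store=$(keytool -export -rfc -alias "$KEY_ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" | pem_only)
    from_file=$(keytool -printcert -rfc -file "$CERT_FILE" | pem_only)
    [ -n "$from_file" ] && [ "$from_store" = "$from_file" ] \
        || { echo "exported certificate does not match $KEY_ALIAS"; return 1; }
    keytool -printcert -file "$CERT_FILE" | grep -q "^Owner: CN=$SERVER_NAME," \
        || { echo "certificate CN is not $SERVER_NAME"; return 1; }
    [ "$(ls -l "$KEYSTORE" | cut -c1-10)" = "-rw-------" ] \
        || { echo "$KEYSTORE is readable by other users"; return 1; }
    echo "ok: $CERT_FILE matches $KEY_ALIAS in $KEYSTORE"
}
# Stand-alone use: sh ejb-ssl-keys.sh run
case "${1:-}" in
    run) generate_keypair && export_certificate && verify_certificate ;;
esac
```

Run it with SERVER_NAME set to the host name your clients receive from JNDI; a CN that differs from that name is exactly the mismatch that makes the client's SSL connection fail.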

© 2025 Red Hat