Using OpenSSL to create certificates - 7.0

Talend ESB STS User Guide

Version: 7.0
Products: Talend Data Fabric, Talend Data Services Platform, Talend ESB, Talend MDM Platform, Talend Open Studio for ESB, Talend Real-Time Big Data Platform
Task: Design and Development; Installation and Upgrade
Platform: Talend ESB

First, create the keys.

Warning

Replace "<PW-Sk>", "<PW-Cs>" and "<PW-Ck>" in the examples below with your own passwords (service key and keystore, client keystore, and client key respectively). Use strong, distinct values; do not keep the placeholders.

Creating the service keystore

Note: the rm commands below delete every .p12, .pem, .jks and .cer file in the working directory, so create a new, empty directory and run all of the commands from a terminal window there.

rm -f *.p12 *.pem *.jks *.cer
openssl req -x509 -days 3650 -newkey rsa:1024 -keyout servicekey.pem \
    -out servicecert.pem -passout pass:<PW-Sk>

This generates a new RSA key pair and a self-signed certificate valid for 3650 days. openssl prompts for the subject fields; enter any geographic and company information you like, and choose a common name (perhaps servicecn for the service and clientcn for the client). The private key is written to servicekey.pem encrypted with the password given in -passout, so you are not prompted for it. Note that rsa:1024 is below current minimums for RSA key sizes; use rsa:2048 or larger for anything other than a throwaway test.

openssl pkcs12 -export -inkey servicekey.pem -in servicecert.pem \
    -out service.p12 -name myservicekey -passin pass:<PW-Sk> -passout pass:<PW-Sk>

This bundles the private key and certificate into a PKCS#12 file under the alias myservicekey. -passin is the password of the PEM key from the previous step and -passout protects the new .p12 file; a PKCS#12 file has a single password for the container and the key it holds, so <PW-Sk> covers both here. With OpenSSL 3 the .p12 is encrypted with AES-256-CBC and PBKDF2 by default; if an older keytool rejects it with an incorrect-password error, update the JDK or re-export with the -legacy option (requires the OpenSSL legacy provider).

keytool -importkeystore -destkeystore servicestore.jks -deststorepass <PW-Sk> \
    -deststoretype jks -srckeystore service.p12 -srcstorepass <PW-Sk> \
    -srcstoretype pkcs12

This imports the key and certificate into a new JKS keystore. -deststorepass sets the password of the JKS keystore itself; the private key keeps its own password, which keytool takes from the source store password when -srckeypass and -destkeypass are not given, so it stays <PW-Sk>. In this example the keystore and key passwords are therefore identical; in the client example below they differ. The commands use the keytool syntax introduced with Java 6 (-importkeystore, -exportcert), not the older Java 5 command names. Java 9 and later also print a warning that JKS is a proprietary format and recommend PKCS12; it can be ignored for this procedure.

keytool -list -keystore servicestore.jks -storepass <PW-Sk> -v

The list command only shows the entries now in the keystore; expect a single PrivateKeyEntry with the alias myservicekey.

keytool -exportcert -alias myservicekey -storepass <PW-Sk> -keystore servicestore.jks \
    -file service.cer
keytool -printcert -file service.cer
rm -f *.pem *.p12

exportcert writes only the certificate (no private key) to service.cer, which is the file that can be distributed to peers; printcert displays it. The PEM and PKCS#12 files still contain the private key and are deleted so that the JKS keystore is the only remaining copy.

Creating the client keystore

openssl req -x509 -days 3650 -newkey rsa:1024 -keyout clientkey.pem \
    -out clientcert.pem -passout pass:<PW-Cs>
openssl pkcs12 -export -inkey clientkey.pem -in clientcert.pem -out client.p12 \
    -name myclientkey -passin pass:<PW-Cs> -passout pass:<PW-Ck>
keytool -importkeystore -destkeystore clientstore.jks -deststorepass <PW-Cs> \
    -deststoretype jks -srckeystore client.p12 -srcstorepass <PW-Ck> \
    -srcstoretype pkcs12
keytool -list -keystore clientstore.jks -storepass <PW-Cs> -v
keytool -exportcert -alias myclientkey -storepass <PW-Cs> -keystore clientstore.jks \
    -file client.cer
keytool -printcert -file client.cer
rm -f *.pem *.p12

The steps are the same as for the service, with the alias myclientkey. Note the passwords: the PEM key is protected with <PW-Cs>, the .p12 with <PW-Ck> (so -srcstorepass is <PW-Ck>), and the resulting JKS keystore with <PW-Cs>, while the key entry inside it keeps <PW-Ck>. Keep track of which value is which, because the keystore password and the key password are different here.
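The procedure above, as an added example that is not part of the Talend guide: the same key, PKCS#12 and JKS steps wrapped in one non-interactive function, plus two small checks that read the .p12 back with openssl so you can confirm the subject, the key size and that a wrong password is rejected. It assumes openssl (1.1.1 or 3.x) is on PATH; the JKS and .cer steps run only if keytool is also on PATH. The function name, file names, CNs and passwords are illustrative, and it uses rsa:2048 rather than the guide's rsa:1024.

```shell
#!/bin/sh
# Added example (not the Talend guide's own commands): service/client keystore
# creation as a reusable function, with verification helpers.
# Assumes: openssl on PATH; keytool on PATH for the JKS step. All names and
# passwords below are placeholders.
set -eu

# make_keystore NAME CN STOREPASS KEYPASS
#   KEYPASS   protects the PEM private key, the .p12 file and the JKS key entry
#   STOREPASS protects the JKS keystore (may equal KEYPASS, as in the service example)
# Produces NAME.p12 and, when keytool is available, NAME.jks and NAME.cer.
make_keystore() {
    name=$1
    cn=$2
    storepass=$3
    keypass=$4
    # Self-signed certificate valid 10 years, as in the guide. -subj replaces the
    # interactive prompts; rsa:2048 instead of rsa:1024, which is below current minimums.
    openssl req -x509 -days 3650 -newkey rsa:2048 -subj "/CN=$cn" \
        -keyout "$name-key.pem" -out "$name-cert.pem" -passout "pass:$keypass" 2>/dev/null
    # Bundle key + certificate into PKCS#12 under the alias my<NAME>key
    # (myservicekey / myclientkey). -passin unlocks the PEM key; -passout protects
    # the .p12, whose container and key share one password.
    openssl pkcs12 -export -inkey "$name-key.pem" -in "$name-cert.pem" -out "$name.p12" \
        -name "my${name}key" -passin "pass:$keypass" -passout "pass:$keypass"
    if command -v keytool >/dev/null 2>&1; then
        # Import into JKS. The store gets STOREPASS; the key entry keeps KEYPASS because
        # keytool defaults -srckeypass to -srcstorepass and -destkeypass to -srckeypass.
        keytool -importkeystore -noprompt -srckeystore "$name.p12" -srcstoretype pkcs12 \
            -srcstorepass "$keypass" -destkeystore "$name.jks" -deststoretype jks \
            -deststorepass "$storepass" >/dev/null 2>&1
        # Certificate only (no private key): safe to hand to the other side.
        keytool -exportcert -alias "my${name}key" -keystore "$name.jks" \
            -storepass "$storepass" -file "$name.cer" >/dev/null 2>&1
    fi
    # The PEM files are another copy of the private key; remove them as the guide does.
    rm -f "$name-key.pem" "$name-cert.pem"
}

# cert_subject NAME P12PASS: prints the subject of the certificate in NAME.p12.
# Fails with no output if the password is wrong (the PKCS#12 MAC check fails first).
cert_subject() {
    openssl pkcs12 -in "$1.p12" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject
}

# key_bits NAME P12PASS: prints the RSA modulus size of the private key in NAME.p12.
key_bits() {
    openssl pkcs12 -in "$1.p12" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        openssl pkey -noout -text | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | sed -n 1p
}

# "sh mkstores.sh run" builds both keystores in a scratch directory and reports on them.
demo() {
    cd "$(mktemp -d)"
    make_keystore service servicecn 'change-me-Sk' 'change-me-Sk'   # store and key share a password
    make_keystore client  clientcn  'change-me-Cs' 'change-me-Ck'   # store and key differ
    printf 'service: %s (%s-bit RSA)\n' "$(cert_subject service change-me-Sk)" "$(key_bits service change-me-Sk)"
    printf 'client:  %s (%s-bit RSA)\n'  "$(cert_subject client change-me-Ck)"  "$(key_bits client change-me-Ck)"
    ls -l "$PWD"
}

if [ "${1:-}" = run ]; then demo; fi
```

The helpers deliberately read the .p12 rather than the .jks, so they work without a JDK; keytool -list -v on the .jks is the equivalent check once Java is installed. If the keytool import fails on an OpenSSL 3 machine with an old JDK, the cause is the AES-256/PBKDF2 default for PKCS#12 noted in the service section, not a wrong password.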