Prerequisites
- OpenSSL
- Certificate (e.g. *.pem, *.crt, ...)
- Private key file & password
- java (/opt/java/bin/keytool is required)
Step 1) Check the prerequisites
Verify the private key and its password.
# > openssl rsa -in privateKey.key
Step 2) Create the keystore
Create the store in which the key will be kept.
If several tomcat instances are configured on one server, a separate keystore for each instance is recommended.
# > keytool -genkey -alias jira -keyalg RSA -keystore /data/atlassian/application-data/jira/jira.jks
Step 3) Create the PKCS12 file
Using the certificate and the private key, create the PKCS12 file that will be imported into the keystore created above.
Use the same password for the keystore in Step 2) and for the export password in Step 3).
# > openssl pkcs12 -export -in Wildcard.uincare.com.crt -inkey privateKey.key -out pkcs.p12 -name jira
In the example above, jira is the alias name.
Step 4) Add it to the keystore
# > keytool -importkeystore -srckeystore pkcs.p12 -srcstoretype pkcs12 -destkeystore /data/atlassian/application-data/jira/jira.jks
Verification:
# > keytool -list -keystore /data/atlassian/application-data/jira/jira.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

1, Feb 4, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 1D:A9:E4:44:0F:EC:EE:9B:B1:17:9B:B2:59:9E:CC:89:4E:3B:50:6A
jira, Feb 4, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 1D:A9:E4:44:0F:EC:EE:9B:B1:17:9B:B2:59:9E:CC:89:4E:3B:50:6A
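Steps 2 to 4 above wrapped as POSIX shell functions, plus a parser for the keytool -list output shown in the verification step so the imported entry can be checked against the certificate file rather than by eye. This is an added example, not code from the original page; the argument names, the temporary PKCS12 path and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): Steps 2-4 as shell functions.
# Arguments (all assumed): certificate file, private key file, alias,
# keystore path, and one password used for the PKCS12 export and the JKS.

# Bundle the cert and key into PKCS12 and import it under ALIAS, keeping the
# export password and the keystore password identical as Step 3 requires.
import_cert_into_jks() {
  cert="$1"; key="$2"; alias="$3"; jks="$4"; pass="$5"
  p12="${TMPDIR:-/tmp}/pkcs-$$.p12"          # temporary bundle, removed below
  openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$alias" \
      -out "$p12" -passout "pass:$pass" || return 1
  keytool -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 \
      -srcstorepass "$pass" -srcalias "$alias" \
      -destkeystore "$jks" -deststorepass "$pass" -destalias "$alias" \
      -noprompt || { rm -f "$p12"; return 1; }
  rm -f "$p12"
}

# Parse non-verbose "keytool -list" output on stdin: print "<alias> <fp>" for
# every PrivateKeyEntry (trusted CA entries are skipped) and return 0 only if
# the expected alias is present.
check_listing() {
  awk -v want="$1" '
    /PrivateKeyEntry/ { split($0, f, ","); alias = f[1]
                        gsub(/^[ \t]+|[ \t]+$/, "", alias) }
    /Certificate fingerprint/ { fp = $0; sub(/.*: /, "", fp)
                                print alias " " fp
                                if (alias == want) found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Confirm the entry for ALIAS carries exactly the certificate in CERT by
# comparing fingerprints (JDK 8 keytool prints SHA1, newer JDKs SHA-256),
# not just that an alias with that name exists.
verify_import() {
  cert="$1"; alias="$2"; jks="$3"; pass="$4"
  want1="$(openssl x509 -noout -fingerprint -sha1 -in "$cert" | sed 's/.*=//')"
  want256="$(openssl x509 -noout -fingerprint -sha256 -in "$cert" | sed 's/.*=//')"
  got="$(keytool -list -keystore "$jks" -storepass "$pass" -alias "$alias" \
         | check_listing "$alias" | awk '{ print $2 }')"
  [ -n "$got" ] && { [ "$got" = "$want1" ] || [ "$got" = "$want256" ]; }
}

# Usage (paths are placeholders):
#   import_cert_into_jks server.crt privateKey.key jira /path/to/jira.jks "$PASS" \
#     && verify_import server.crt jira /path/to/jira.jks "$PASS"
```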
Step 5) Atlassian application SSL configuration
Tips
Java Keytool Commands for Creating and Importing
These commands allow you to generate a new Java Keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates will need to be imported before importing the primary certificate for your domain.
- Generate a Java keystore and key pair
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
- Generate a certificate signing request (CSR) for an existing Java keystore
keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr
- Import a root or intermediate CA certificate to an existing Java keystore
keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks
- Import a signed primary certificate to an existing Java keystore
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks
- Generate a keystore and self-signed certificate (see How to Create a Self Signed Certificate using Java Keytool for more info)
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
Java Keytool Commands for Checking
If you need to check the information within a certificate, or Java keystore, use these commands.
- Check a stand-alone certificate
keytool -printcert -v -file mydomain.crt
- Check which certificates are in a Java keystore
keytool -list -v -keystore keystore.jks
- Check a particular keystore entry using an alias
keytool -list -v -keystore keystore.jks -alias mydomain
Other Java Keytool Commands
- Delete a certificate from a Java Keytool keystore
keytool -delete -alias mydomain -keystore keystore.jks
- Change a Java keystore password
keytool -storepasswd -new new_storepass -keystore keystore.jks
- Export a certificate from a keystore
keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks
- List Trusted CA Certs
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
- Import New CA into Trusted Certs
keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts