Installation manual: Certificates




Generate a keystore with intermediate CAs

The script below can be used to generate a keystore containing the intermediate CAs.

Download the SITHS root CA. Note that production and test/QA use different CAs. The example below uses the production CA.

Directory structure for the script below: the script expects the SITHS CA certificates under ../CA/SITHS/ and the client certificates (PKCS#12 files) under ../skltp/, relative to the directory it is run from, and it creates generated-pem/ and generated-jks/ in that directory.

Make sure the client certificates and their passwords are available, and update the script with the names of your certificate files.

In this case the script generates 2 keystores, since there are 2 client certificates (one for the internet and one for Sjunet).

Production

generate-ntjpprod-Keystore.sh

#!/bin/sh
# Builds one JKS per client certificate, with the complete SITHS chain attached.
# Expects the SITHS CA certificates under ../CA/SITHS/ and the client
# certificates (PKCS#12) under ../skltp/, relative to the working directory.
set -e   # stop at the first failing command

rm -rf generated-jks
mkdir generated-jks

rm -rf generated-pem
mkdir generated-pem

# Convert the SITHS CA certificates from DER to PEM.
echo "=== Export SITHS CA's as PEM ==="
openssl x509 -inform DER -in "../CA/SITHS/SITHS_Type_2_CA_v1.cer" -out generated-pem/siths_type_2_ca_v1.pem -outform PEM
openssl x509 -inform DER -in "../CA/SITHS/SITHS_Root_CA_v1.crt" -out generated-pem/siths_root_ca_v1.pem -outform PEM

# Export the client certificates (without private keys) from the P12 files as PEM.
echo "=== Export esb.ntjp.sjunet.org.p12 Certificate (PEM) ==="
openssl pkcs12 -in ../skltp/esb.ntjp.sjunet.org_legitimering_pkcs12_prod.p12 -out generated-pem/esb.ntjp.sjunet.org.p12.crt.pem -nokeys

echo "=== Export esb.ntjp.se.p12 Certificate (PEM) ==="
openssl pkcs12 -in ../skltp/esb.ntjp.se_legitimering_pkcs12_prod.p12 -out generated-pem/esb.ntjp.se.p12.crt.pem -nokeys

# SITHS Type 2 CA v1 + SITHS Root CA v1 (PEM), intermediate first.
echo "=== Create SITHS CA Chain ==="
cat generated-pem/siths_type_2_ca_v1.pem generated-pem/siths_root_ca_v1.pem > generated-pem/ca_chain.pem

# Strip the PKCS#12 "Bag Attributes" header so only the certificate block remains.
echo "=== Remove Bag Header from PEM ==="
openssl x509 -in generated-pem/esb.ntjp.sjunet.org.p12.crt.pem -out generated-pem/esb.ntjp.sjunet.org.p12.crt.out.pem
openssl x509 -in generated-pem/esb.ntjp.se.p12.crt.pem -out generated-pem/esb.ntjp.se.p12.crt.out.pem

# Complete chain: client certificate followed by the CA chain.
echo "=== Create Complete Certificate Chain ==="
cat generated-pem/esb.ntjp.sjunet.org.p12.crt.out.pem generated-pem/ca_chain.pem > generated-pem/esb.ntjp.sjunet.org_cert_chain.pem
cat generated-pem/esb.ntjp.se.p12.crt.out.pem generated-pem/ca_chain.pem > generated-pem/esb.ntjp.se_cert_chain.pem

# Import each P12 (private key + certificate) into a new JKS, keeping the alias.
echo "=== Import esb.ntjp.sjunet.org.p12 (alias: esb.ntjp.sjunet.org) to Keystore: esb.ntjp.sjunet.org.jks ==="
keytool -importkeystore -srckeystore ../skltp/esb.ntjp.sjunet.org.p12 -srcalias esb.ntjp.sjunet.org -srcstoretype PKCS12 -destkeystore generated-jks/esb.ntjp.sjunet.org.jks -destalias esb.ntjp.sjunet.org -deststoretype JKS

echo "=== Import esb.ntjp.se.p12 (alias: esb.ntjp.se) to Keystore: esb.ntjp.se.jks ==="
keytool -importkeystore -srckeystore ../skltp/esb.ntjp.se.p12 -srcalias esb.ntjp.se -srcstoretype PKCS12 -destkeystore generated-jks/esb.ntjp.se.jks -destalias esb.ntjp.se -deststoretype JKS

# Import the complete certificate chain under the same alias, so the key entry
# carries the full chain up to the SITHS root.
echo "=== Import Complete Certificate Chain to Keystore: esb.ntjp.sjunet.org.jks ==="
keytool -import -trustcacerts -keystore generated-jks/esb.ntjp.sjunet.org.jks -alias esb.ntjp.sjunet.org -file generated-pem/esb.ntjp.sjunet.org_cert_chain.pem -noprompt

echo "=== Import Complete Certificate Chain to Keystore: esb.ntjp.se.jks ==="
keytool -import -trustcacerts -keystore generated-jks/esb.ntjp.se.jks -alias esb.ntjp.se -file generated-pem/esb.ntjp.se_cert_chain.pem -noprompt

# Make the JKS files read-only.
chmod 444 generated-jks/*.jks

Notes

  • Use the same password for the generated jks file as for the original p12 certificate.
  • If creating PEM files from the CA certificates gives trouble, Keychain Access on the Mac can generate PEM files.
  • Before the last operation, where the chain is added, the created jks file needs write permission, i.e. chmod a+w ....

QA

generate-ntjpqa-Keystore.sh

#!/bin/sh
# QA variant: one client certificate (Sjunet) and the SITHS PP (test) CAs.
# Expects the SITHS CA certificates under ../CA/SITHS/ and the client
# certificate (PKCS#12) under ../skltp/, relative to the working directory.
set -e   # stop at the first failing command

rm -rf generated-jks
mkdir generated-jks

rm -rf generated-pem
mkdir generated-pem

# Convert the SITHS PP CA certificates from DER to PEM.
echo "=== Export SITHS CA's as PEM ==="
openssl x509 -inform DER -in "../CA/SITHS/SITHS_Type_2_CA_v1_PP.crt" -out generated-pem/siths_type_2_ca_v1_PP.pem -outform PEM
openssl x509 -inform DER -in "../CA/SITHS/SITHS_Root_CA_v1_PP.crt" -out generated-pem/siths_root_ca_v1_PP.pem -outform PEM

# Export the Sjunet client certificate (without private key) from the P12 file as PEM.
echo "=== Export esb.ntjp.sjunet.org.p12 Certificate (PEM) ==="
openssl pkcs12 -in ../skltp/qa.esb.ntjp.sjunet.org_auth.p12 -out generated-pem/qa.esb.ntjp.sjunet.org.p12.crt.pem -nokeys

# SITHS Type 2 CA v1 PP + SITHS Root CA v1 PP (PEM), intermediate first.
echo "=== Create SITHS CA Chain ==="
cat generated-pem/siths_type_2_ca_v1_PP.pem generated-pem/siths_root_ca_v1_PP.pem > generated-pem/ca_chain.pem

# Strip the PKCS#12 "Bag Attributes" header so only the certificate block remains.
echo "=== Remove Bag Header from PEM ==="
openssl x509 -in generated-pem/qa.esb.ntjp.sjunet.org.p12.crt.pem -out generated-pem/qa.esb.ntjp.sjunet.org.p12.crt.out.pem

# Complete chain: client certificate followed by the CA chain.
echo "=== Create Complete Certificate Chain ==="
cat generated-pem/qa.esb.ntjp.sjunet.org.p12.crt.out.pem generated-pem/ca_chain.pem > generated-pem/qa.esb.ntjp.sjunet.org_cert_chain.pem

# Import the P12 (private key + certificate) into a new JKS, keeping the alias.
echo "=== Import qa.esb.ntjp.sjunet.org.p12 (alias: qa.esb.ntjp.sjunet.org) to Keystore: qa.esb.ntjp.sjunet.org.jks ==="
keytool -importkeystore -srckeystore ../skltp/qa.esb.ntjp.sjunet.org_auth.p12 -srcalias qa.esb.ntjp.sjunet.org -srcstoretype PKCS12 -destkeystore generated-jks/qa.esb.ntjp.sjunet.org.jks -destalias qa.esb.ntjp.sjunet.org -deststoretype JKS

# Import the complete certificate chain under the same alias.
echo "=== Import Complete Certificate Chain to Keystore: qa.esb.ntjp.sjunet.org.jks ==="
keytool -import -trustcacerts -keystore generated-jks/qa.esb.ntjp.sjunet.org.jks -alias qa.esb.ntjp.sjunet.org -file generated-pem/qa.esb.ntjp.sjunet.org_cert_chain.pem -noprompt

# Make the JKS files read-only.
chmod 444 generated-jks/*.jks


Verify the certificate chain with openssl

Below is an example of how to verify the contents of a certificate that has been deployed and exposed on port 20000.

Command details

openssl x509 -inform DER -in "<target source>" -out <dest target> -outform PEM

The openssl s_client command implements a generic SSL/TLS client.

-connect host:port

-prexit, print session information on exit, even when the handshake fails

Link: s_client

$ openssl s_client -connect 33.33.33.33:20000 -prexit
 
 
CONNECTED(00000003)
depth=2 /C=SE/O=Inera AB/CN=SITHS Root CA v1
verify error:num=19:self signed certificate in certificate chain
verify return:0
22047:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:/SourceCache/OpenSSL098/OpenSSL098-47.2/src/ssl/s3_pkt.c:1106:SSL alert number 42
22047:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47.2/src/ssl/s23_lib.c:182:
---
Certificate chain
 0 s:/C=se/DC=Services/DC=Nod1/O=Inera_AB/CN=esb.ntjp.sjunet.org/serialNumber=HSASERVICES-106J
   i:/C=SE/O=Inera AB/CN=SITHS Type 2 CA v1
 1 s:/C=SE/O=Inera AB/CN=SITHS Type 2 CA v1
   i:/C=SE/O=Inera AB/CN=SITHS Root CA v1
 2 s:/C=SE/O=Inera AB/CN=SITHS Root CA v1
   i:/C=SE/O=Inera AB/CN=SITHS Root CA v1
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=se/DC=Services/DC=Nod1/O=Inera_AB/CN=esb.ntjp.sjunet.org/serialNumber=HSASERVICES-106J
issuer=/C=SE/O=Inera AB/CN=SITHS Type 2 CA v1
---
Acceptable client certificate CA names
/C=SE/O=Inera AB/CN=SITHS Root CA v1 PP
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
/C=SE/O=SITHS CA/CN=SITHS CA TEST v3
/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
/C=SE/O=162321000016/OU=Infrastruktur/CN=HVAL/emailAddress=liston_support@brainpool.se
/C=SE/O=Inera AB/CN=SITHS Type 2 CA v1
/C=SE/O=Steria AB/CN=Steria AB EID CA v1
/C=US/O=Thawte, Inc./CN=Thawte SSL CA
/C=SE/O=Carelink/CN=SITHS CA v3
/C=SE/O=Inera AB/CN=SITHS Type 2 CA v1 PP
/C=SE/O=SITHS CA/CN=SITHS CA TEST v4
/C=SE/O=Inera AB/CN=SITHS CA v4
/C=SE/O=Inera AB/CN=SITHS Root CA v1
/O=AlphaSSL/CN=AlphaSSL CA - G2
/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
---
SSL handshake has read 6683 bytes and written 170 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 534D94B2F76105F39728EA014975BE1541205FA959DEE868F3890DBB43D9F2B5
    Session-ID-ctx:
    Master-Key: 43B89A535AC90D9B9BB968D7E521B869ED305C00FDE5C6235B8804532F235182A57EF021F4C1551E990702F58AA76D97
    Key-Arg   : None
    Start Time: 1397629508
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
 
 

Verify the certificate chain with keytool

$ keytool -v -list -keystore esb.ntjp.sjunet.org.jks
Enter keystore password:
 
Keystore type: JKS
Keystore provider: SUN
-
-
-


Install a root certificate

Add a root certificate to the truststore

Import

keytool -import -file rootCertifikat.cer -alias aliasRootCertifikat -storepass password -keystore truststore.jks

-file, the root certificate to install
-alias, a unique alias for the root CA
-storepass, the password of the truststore that the root certificate is installed into

Verify

keytool -v -list -keystore truststore.jks -storepass password

Link to Inera's CA certificates for production:

Inera's CA certificates

Verisign and Thawte also provide root CAs that can be used:

Verisign's root CA

Thawte root CAs