...
In order to provide a default installation configuration that enables secure protocols on most communications channels, Kiuwan on premises comes with a set of certificates and keystores for the default configured domain (kiuwan.onpremise.local).
...
Provided SSL-related files
The Kiuwan on premises installation tool (kiuwan-cluster) provides a number of files that allow secure communications between containers. These files are located in the ssl folder of kiuwan-cluster distributions.
The following table shows the provided certificate files:
Location | File | Format | Content | Purpose | Expiration date |
---|---|---|---|---|---|
ssl/ca | cacert.pem | RSA 4096 bits SHA256 | The CA certificate that signed Kiuwan on premises domain certificate | Allows Kiuwan servers to provide the CA that signed their certificates | 2029/10/13 |
ssl/kiuwan.onpremise.local | domaincert.pem | RSA 4096 bits SHA256 | The Kiuwan on premises domain certificate | Allows Kiuwan servers to identify themselves | 2029/10/13 |
The following table shows the provided key files:
Location | File | Format | Content | Purpose |
---|---|---|---|---|
ssl/ca | cakey.pem | RSA 4096 bits PKCS #8 | The provided CA key | Allows signing certificates with the provided CA |
ssl/kiuwan.onpremise.local | domainkey.pem | RSA 4096 bits PKCS #8 | The Kiuwan on premises domain key | Allows encrypting traffic for the provided domain |
The following table shows the provided Java keystore files:
Location | File | Content | Purpose |
---|---|---|---|
ssl/kiuwan.onpremise.local | domainkeystore.jks | This keystore contains the cacert.pem and domaincert.pem files. Its password is the one provided in the default installation configuration (see the java.keystore.password property). | Allows Kiuwan instances to identify themselves to enable secure connections |
ssl/kiuwan.onpremise.local | truststore.jks | This keystore contains all the CA certificates included in the OpenJDK default truststore (see next row in this table) plus the provided CA certificate. Its password is the one provided in the default installation configuration (see the java.truststore.password property). | Allows Kiuwan instances to communicate with external servers that offer certificates signed by trusted CAs (needed both for AWS-based installations and for communications with Kiuwan central servers) |
ssl/truststore | truststore.jks | This keystore contains the OpenJDK trusted CAs as of 2019/10/16. Its password is the one provided by OpenJDK for its cacerts file. | Allows generating a custom truststore that includes the most commonly needed trusted CA certificates plus the one provided by the installation tool |
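
A consistency check for the PEM files listed in the tables above, useful after the provided files have been replaced with ones for a custom domain. This is an added example, not part of the Kiuwan distribution: the function names are hypothetical, it assumes openssl on the PATH and unencrypted PEM keys, and it does not open the .jks keystores.

```bash
#!/usr/bin/env bash
# Added example, not Kiuwan code. Function names are hypothetical.
# Assumes openssl on PATH and unencrypted PEM private keys.

# Print the SHA-256 of the public key inside a certificate (x509) or key (pkey).
pubkey_fp() {
    local pem
    case "$1" in
        x509) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        pkey) pem=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1 ;;
        *) return 2 ;;
    esac
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# True when certificate $1 and private key $2 carry the same public key.
cert_matches_key() {
    local c k
    c=$(pubkey_fp x509 "$1") && k=$(pubkey_fp pkey "$2") && [ "$c" = "$k" ]
}

# True when certificate $1 has the documented format: RSA 4096 bits, SHA256.
cert_profile_ok() {
    local text
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -q 'Public-Key: (4096 bit)' &&
        printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption'
}

# Audit ssl folder $1 for domain $2; flag a domain certificate that expires
# within $3 days. Prints one line per failed check, returns the failure count.
audit_ssl_dir() {
    local dir="$1" domain="${2:-kiuwan.onpremise.local}" days="${3:-90}" fails=0
    local ca="$dir/ca/cacert.pem" cakey="$dir/ca/cakey.pem"
    local crt="$dir/$domain/domaincert.pem" key="$dir/$domain/domainkey.pem"
    cert_profile_ok "$ca"  || { echo "FAIL format: $ca"; fails=$((fails + 1)); }
    cert_profile_ok "$crt" || { echo "FAIL format: $crt"; fails=$((fails + 1)); }
    cert_matches_key "$ca" "$cakey" || { echo "FAIL cakey.pem does not match cacert.pem"; fails=$((fails + 1)); }
    cert_matches_key "$crt" "$key" || { echo "FAIL domainkey.pem does not match domaincert.pem"; fails=$((fails + 1)); }
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL domaincert.pem does not verify against cacert.pem"; fails=$((fails + 1)); }
    openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null 2>&1 ||
        { echo "FAIL domaincert.pem expires within $days days"; fails=$((fails + 1)); }
    return "$fails"
}
```

Run it as `audit_ssl_dir ssl` from the kiuwan-cluster distribution folder, passing the custom domain name as the second argument when the default domain is not used.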
Generating certificates for a custom domain
...