...
Generating certificates for a custom domain
Kiuwan on premises installater (kiuwan-cluster) contains a handy tool for creating certificates both with the provided CA or your own CA.
The tool is a bash script located here:
- [INSTALL_DIR]/ssl/kiuwan-certool.sh
Remember that, as stated in Installation guide - Installation requirements, you will need the specified versions of a JRE and OpenSSL in order to be able to generate certificates using the provided tool.
When generating custom certificates, it is recommended that you change the default properties in the configuration file located here:
- [INSTALL_DIR]/ssl/config/certs.properties
These is the meaning of the customizable properties of the previous file (default passwords are ommited):
Property | Default value | Meaning |
---|---|---|
java.keystore.password | The password to set to the generated Java keystore | |
java.truststore.password | The password to set to the generated Java truststore | |
ssl.ca.password | The password to set to the generated CA (only applies when generating a new custom CA). The set password will be used when signing certificates as well | |
ssl.country | US | Country, state, locality, organization or organization unit to set both to the subject of the CA certificate (in case of you are generating a new custom CA) and to the subject of the specified domain signing request |
ssl.state | mystate | |
ssl.locality | mylocality | |
ssl.organization | mycompany | |
ssl.organization.unit | myorganizationunit | |
ssl.company.domain | mycompany.com | Company domain to set to the subject's Common Name (CN) of the CA certificate (in case of you are generating a new custom CA) |
ssl.subject.alt.names | DNS:kiuwan.onpremise.local[:443,:3306,:6379] DNS:wildflykiuwan-f[1-2][:8143,:8443] DNS:wildflykiuwanContainer-f[1-2][:8143,:8443] DNS:mysqlkiuwan[:3306] DNS:mysqlkiuwanContainer[:3306] DNS:redis_0000[1-6][:6379] | Subject Alternative Names (SANs) that will be set to the specified domain certificate. These are needed in order to be able to share the same certificate between different services of the Kiuwan on premises infrastructure. |
Step 1: set the CA to use for signing your certificates
The provided tool will use the CA files located here:
- [INSTALL_DIR]/ssl/ca/cacert.pem
- [INSTALL_DIR]/ssl/ca/cakey.pem
You can either:
- Use the provided CA.
- Let the tool generate a new CA.
- Use your own CA.
Use the provided CA
Just continue to the next step.
Let the tool generate a new CA
Just backup the provided CA files and a new CA will be automatically generated:
Code Block | ||
---|---|---|
| ||
cd [INSTALL_DIR]/ssl/ca
mv cacert.pem cacert.pem.bak
mv cakey.pem cakey.pem.bak |
Use your own CA
Just replace the provided files with your own CA's ([INSTALL_DIR]/ssl/ca/cacert.pem and [INSTALL_DIR]/ssl/ca/cakey.pem).
We recommend backuping the provided CA files just in case you want to get back to the provided defaults (see HTTPS configuration, certificates and Java keystores).
Step 2: generate the certificates and keystores
To generate all the needed files using the provided CA and the default configuration, just run the following commands:
Code Block | ||
---|---|---|
| ||
cd [INSTALL_DIR]/ssl
./kiuwan-certool.sh [DOMAIN_NAME] |
This will create the following files under the ssl/[DOMAIN_NAME] folder:
- domaincert.pem
- domainkey.pem
- domainkeystore.jks
- truststore.jks
Step 3: copy the generated files to the user-content folder
You can run the following commands to automatically copy the needed files to the user-content folder, where the installer tool will read from to deploy them to the persistent volumes locations:
Code Block | ||
---|---|---|
| ||
cd [INSTALL_DIR]/ssl
./kiuwan-cercopy.sh [DOMAIN_NAME] |
Adding the provided or a custom CA to Kiuwan on premises clients
Using certificates signed by a
...
trusted CA
...