May 19, 2012

Creating Multi Domain Java Key Store

You may often need to reach one host under several different host names. The subjectAltName extension introduced in X.509 v3 lets a single certificate carry multiple DNS names, and the openssl tool can create certificate requests that include a subjectAltName field. On the other hand, many applications require the certificate to live in a Java Key Store. In our case we had to configure VMware View Connection Servers to answer under multiple host names. Since I am familiar with openssl, I did it the following way.
First of all create a configuration file;
# req.cnf
[ req ]
distinguished_name= req_distinguished_name
default_days  = 1460 # (4 years)
encrypt_key  = no
default_bits  = 1024
string_mask  = nombstr
req_extensions  = v3_req # Extensions to add to certificate request

[ req_distinguished_name ]
countryName   = Country Name (2 letter code)
countryName_default  = TR
stateOrProvinceName  = State or Province Name (full name)
stateOrProvinceName_default = Istanbul
localityName   = Locality Name (eg, city)
localityName_default  = Istanbul
0.organizationName  = Organization Name (eg, company)
0.organizationName_default = MyOrganization
organizationalUnitName  = Organizational Unit Name (eg, section)
organizationalUnitName_default = MyUnit
emailAddress   = Email Address
emailAddress_default  = myemail@mydomain.com
commonName   = Common Name (eg, YOUR name)
commonName_default  = mydomain.com

[ v3_req ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = view
DNS.2 = viewconn01
DNS.3 = viewconn02
DNS.4 = view.mydomain.intra
DNS.5 = viewconn01.mydomain.intra
DNS.6 = viewconn02.mydomain.intra
DNS.7 = view.mydomain.com
Then, create the certificate request and the private key using the configuration file;
$ openssl req -batch -new -config req.cnf -out req.pem -keyout key.pem
Generating a 1024 bit RSA private key
..++++++
...........................++++++
writing new private key to 'key.pem'
-----
Verify that all of your host names are listed in the X509v3 Subject Alternative Name section:
$ openssl req -in req.pem -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=TR, ST=Istanbul, L=Istanbul, O=MyOrganization, OU=MyUnit/emailAddress=myemail@mydomain.com, CN=mydomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:dc:57:b5:4d:5b:74:59:e9:6b:df:68:66:f6:af:
                    ab:1a:c3:47:5f:bd:ca:20:d1:d1:12:a8:fa:d9:b4:
                    97:99:f4:c3:6c:84:89:06:c8:12:c7:c6:40:5c:8b:
                    31:b1:23:e6:16:af:ea:9d:40:17:78:74:2e:e4:80:
                    da:08:60:17:9f:3d:59:19:19:15:02:49:db:03:f2:
                    a3:02:cd:b8:16:48:5f:d1:8b:7a:7c:e2:c2:67:cf:
                    15:bc:85:8f:1e:d2:da:e8:08:5e:33:5f:b9:ab:e0:
                    f3:31:ad:74:1f:50:30:86:b1:2a:cc:76:48:cf:6d:
                    75:94:4c:ae:58:c5:e0:29:0b
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:view, DNS:viewconn01, DNS:viewconn02, DNS:view.mydomain.intra, DNS:viewconn01.mydomain.intra, DNS:viewconn02.mydomain.intra, DNS:view.mydomain.com
    Signature Algorithm: sha1WithRSAEncryption
         8a:72:30:04:0f:8d:17:74:d3:62:46:a6:01:51:f8:fa:da:f5:
         ce:30:0a:e0:28:bb:ca:e3:9e:3b:25:bf:67:c7:9f:f2:b4:c9:
         54:f8:a3:66:cd:f6:ef:fc:98:64:d7:9d:6d:ae:4a:7b:f4:95:
         28:d3:93:62:e3:15:9b:4e:7f:59:bd:a2:0b:7e:8e:86:da:ec:
         fd:b4:f8:a0:08:da:2d:58:93:0a:b3:c4:e7:42:c1:17:42:40:
         49:0c:af:5f:57:db:9c:41:2e:75:eb:94:e8:06:de:2d:ed:9a:
         13:2b:25:6a:98:e4:02:60:56:46:da:ba:6e:a2:ee:14:5a:2d:
         5e:46
Now the multi-domain certificate request is created. Have it signed by your Certificate Authority. After getting the signed certificate back in PEM format, we need to import the certificate and its private key into a JKS (Java Key Store). You can import them with ImportKey (thanks to Joachim Karrer and Jens Carlberg), but first you have to convert the base64-encoded PEM files to DER format:
$ openssl x509 -in cert.pem -out cert.der -outform der
$ openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform der
You can download either the source (ImportKey.java) or the compiled class (ImportKey.class) and run it as follows:
$ java ImportKey key.der cert.der
Using keystore-file : /home/user/keystore.ImportKey
One certificate, no chain.
Key and certificate stored.
Alias:importkey  Password:importkey
Now it is time to configure the VMware View Connection Server to use the newly generated JKS.
Add the following lines to the locked.properties file:

C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties
keyfile=keystore.ImportKey
keypass=importkey
storetype=jks
Then restart the "VMware View Connection Server" service;
>net stop "VMware View Connection Server"
The VMware View Connection Server service is stopping........
The VMware View Connection Server service was stopped successfully.

>net start "VMware View Connection Server"
The VMware View Connection Server service is starting.
The VMware View Connection Server service was started successfully.
When you browse to each of your host names, the connection should succeed and the certificate details should look similar to those below.

3 comments:

  1. hi,

    I followed your steps and got lost at the step below:
    1) Where do I get this file "cert.pem"?
    "openssl x509 -in cert.pem -out cert.der -outform der"

    2) Can I replace "Keytool.exe" with "java ImportKey key.der cert.der"?

    many thanks

    thomasyeo8234@gmail.com

  2. Hi Thomas,
    1) You should send the req.pem (Certificate Request) to the CA (Certificate Authority) and make it signed. Then, you can rename it as cert.pem.
    If you want to sign the request with openssl yourself, make sure to use the "copy_extensions = copy" directive while signing with the CA certificate. Otherwise it drops the extensions, including subjectAltName.

    2) Keytool is not able to import existing private keys, which is why we need to use ImportKey.

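The following script is an added example and not part of the original post; it ties together the post's req.cnf with the `[alt_names]` section, the DER conversions fed to ImportKey, and the `copy_extensions = copy` directive from the author's reply above. It stands up a throwaway local CA so the whole flow can be run offline and checked (in a real deployment the CSR goes to your organisation's CA instead). Assumptions beyond the post: the work directory and CA name are invented, the DN section uses `prompt = no` with short field names instead of the post's `_default` entries, and keys are 2048-bit rather than 1024-bit so that current OpenSSL security levels accept them. The host names are the post's own constructed examples.

```shell
#!/bin/sh
# Added example (not the post's files): SAN CSR -> locally signed certificate
# with copy_extensions = copy -> DER files, plus two checks worth running
# before anything is imported into a keystore.
set -eu

# write_req_cnf OUT CN HOST...: config equivalent to the post's req.cnf.
# prompt = no lets -batch run without _default fields; one DNS.n per host.
write_req_cnf() {
    out=$1; cn=$2; shift 2
    {
        printf '[ req ]\ndistinguished_name = dn\nencrypt_key = no\n'
        printf 'default_bits = 2048\nprompt = no\nreq_extensions = v3_req\n\n'
        printf '[ dn ]\nC = TR\nST = Istanbul\nL = Istanbul\nO = MyOrganization\nCN = %s\n\n' "$cn"
        printf '[ v3_req ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\n'
        i=1
        for h in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$h"
            i=$((i + 1))
        done
    } > "$out"
}

# write_ca_cnf OUT DIR: minimal config for `openssl ca`. copy_extensions = copy
# carries the CSR's subjectAltName into the certificate; without it the issued
# certificate has no SAN at all. "copy" trusts whatever extensions the CSR
# carries, so it is only appropriate for CSRs you generated yourself; a real CA
# sets extensions from its own profile instead.
write_ca_cnf() {
    out=$1; dir=$2
    {
        printf '[ ca ]\ndefault_ca = local_ca\n\n[ local_ca ]\n'
        printf 'dir = %s\nnew_certs_dir = %s\ndatabase = %s/index.txt\nserial = %s/serial\n' \
            "$dir" "$dir" "$dir" "$dir"
        printf 'certificate = %s/ca.pem\nprivate_key = %s/ca.key\n' "$dir" "$dir"
        printf 'default_md = sha256\ndefault_days = 365\npolicy = policy_any\n'
        printf 'copy_extensions = copy\n\n[ policy_any ]\n'
        printf 'commonName = supplied\ncountryName = optional\nstateOrProvinceName = optional\n'
        printf 'localityName = optional\norganizationName = optional\n'
        printf 'organizationalUnitName = optional\nemailAddress = optional\n'
    } > "$out"
}

# issue_san_cert DIR CN HOST...: creates req.pem/key.pem as in the post, signs
# the request with a throwaway CA (assumption: stands in for the real CA) and
# writes cert.der/key.der exactly as the post prepares them for ImportKey.
# Prints the SAN line of the issued certificate.
issue_san_cert() {
    dir=$1; cn=$2; shift 2
    mkdir -p "$dir"
    write_req_cnf "$dir/req.cnf" "$cn" "$@"
    write_ca_cnf "$dir/ca.cnf" "$dir"
    openssl req -batch -new -config "$dir/req.cnf" -out "$dir/req.pem" -keyout "$dir/key.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -config "$dir/req.cnf" -subj '/CN=Example Local CA' \
        -days 365 -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    openssl ca -batch -notext -config "$dir/ca.cnf" -in "$dir/req.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl x509 -in "$dir/cert.pem" -out "$dir/cert.der" -outform der
    openssl pkcs8 -topk8 -nocrypt -in "$dir/key.pem" -inform PEM -out "$dir/key.der" -outform der
    openssl x509 -in "$dir/cert.pem" -noout -text | grep 'DNS:'
}

# cert_has_san DIR NAME: 0 when the issued certificate lists NAME exactly.
# A SAN match is exact: "view" does not cover "view.mydomain.intra", which is
# why the post lists every short and fully qualified name separately.
cert_has_san() {
    openssl x509 -in "$1/cert.pem" -noout -text | grep -qE "DNS:$2(,|\$)"
}

# key_matches_cert DIR: 0 when key.der is the private key for cert.der.
# A mismatched pair imports fine and only fails at TLS handshake time.
key_matches_cert() {
    c=$(openssl x509 -in "$1/cert.der" -inform der -noout -pubkey)
    k=$(openssl pkey -in "$1/key.der" -inform der -pubout)
    [ "$c" = "$k" ]
}

# Usage: sh san_cert.sh WORKDIR CN HOST...
# e.g.   sh san_cert.sh ./out mydomain.com view viewconn01 view.mydomain.com
if [ "$#" -ge 3 ]; then
    issue_san_cert "$@"
    key_matches_cert "$1" && echo 'key and certificate match'
fi
```

The files the script leaves in WORKDIR (cert.der and key.der) are the pair the post hands to ImportKey. Checking `cert_has_san` for every name you intend to serve, and `key_matches_cert` once, catches the two mistakes that otherwise surface only in a browser warning or a failed handshake after the service restart.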