Manipulating KeyStores using the CLI in WildFly 12
Posted by fjuma in Farah Juma's Blog on Mar 2, 2018 5:41:28 PMWith WildFly 12, it is now possible to perform various KeyStore manipulation operations on a key-store resource in the Elytron subsystem using the JBoss CLI. In particular, the new operations make it possible to:
- Generate a key pair
- Generate a certificate signing request (CSR)
- Import a certificate or a certificate chain from a file
- Export a certificate to a file
- Change an existing alias
With these new operations, it is now possible to set up one-way and two-way SSL for applications and management interfaces using only the CLI - going back and forth between the CLI and keytool is no longer necessary. This blog post is going to give an overview of these new operations.
To start the server, use the following command:
$WILDFLY_HOME/bin/standalone.sh
To connect to the running server to execute CLI commands, use:
$WILDFLY_HOME/bin/jboss-cli.sh --connect
Prerequisite configuration
First, configure a key-store in the Elytron subsystem. Note that the path to the keystore file doesn’t actually have to exist yet.
/subsystem=elytron/key-store=exampleKS:add(path=server.keystore.jks, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=JKS)
Generating a key pair
The generate-key-pair command generates a key pair and wraps the resulting public key in a self-signed X.509 certificate. The generated private key and self-signed certificate will be added to a new PrivateKeyEntry in the KeyStore.
/subsystem=elytron/key-store=exampleKS:generate-key-pair(alias=example, algorithm=RSA, key-size=1024, validity=365, credential-reference={clear-text=secret}, distinguished-name="CN=www.example.com")
After performing the above command, you can check the alias names in the KeyStore and confirm the new alias, "example", is listed:
/subsystem=elytron/key-store=exampleKS:read-aliases() { "outcome" => "success", "result" => ["example"] }
Generating a certificate signing request (CSR)
The generate-certificate-signing-request command generates a PKCS #10 CSR using a PrivateKeyEntry from the KeyStore. The generated CSR will be output to a file (in the example below, the CSR is output to server.csr).
/subsystem=elytron/key-store=exampleKS:generate-certificate-signing-request(alias=example, path=server.csr, relative-to=jboss.server.config.dir, distinguished-name="CN=www.example.com", \ extensions=[{critical=false, name=KeyUsage,value=digitalSignature}], credential-reference={clear-text=secret})
Notice that in the above command, alias=example refers to the PrivateKeyEntry that was created using the generate-key-pair command.
Importing a certificate or certificate chain from a file
The import-certificate command imports a certificate or certificate chain from a file into an entry in the KeyStore. This can be used to either import a trusted certificate or to import a certificate reply that’s received after submitting a CSR to a certificate authority.
/subsystem=elytron/key-store=exampleKS:import-certificate(alias=example, path=/path/to/certificate/chain/file, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, trust-cacerts=true)
Exporting a certificate to a file
The export-certificate command exports a certificate from an entry in the KeyStore to a file (in the example below, the certificate is exported to serverCert.cer).
/subsystem=elytron/key-store=exampleKS:export-certificate(alias=example, path=serverCert.cer, relative-to=jboss.server.config.dir, pem=true)
Changing an existing alias
The change-alias command moves an existing KeyStore entry to a new alias.
/subsystem=elytron/key-store=exampleKS:change-alias(alias=example, new-alias=new-example, credential-reference={clear-text=secret})
After performing the above command, you can check the alias names in the KeyStore and confirm the new alias name, "new-example", is listed:
/subsystem=elytron/key-store=exampleKS:read-aliases() { "outcome" => "success", "result" => ["new-example"] }
Storing changes
The store command persists any changes that you have made using the above commands to the file that backs the KeyStore.
/subsystem=elytron/key-store=exampleKS:store()
Summary
This blog post has given an overview of the new KeyStore manipulation operations that are available via the CLI in WildFly 12. For information on how to set up one-way and two-way SSL for applications and management interfaces, check out the Elytron documentation.
Comments