With WildFly 12, it is now possible to perform various KeyStore manipulation operations on a key-store resource in the Elytron subsystem using the JBoss CLI. In particular, the new operations make it possible to:

  • Generate a key pair
  • Generate a certificate signing request (CSR)
  • Import a certificate or a certificate chain from a file
  • Export a certificate to a file
  • Change an existing alias

 

With these new operations, it is now possible to set up one-way and two-way SSL for applications and management interfaces using only the CLI - going back and forth between the CLI and keytool is no longer necessary. This blog post is going to give an overview of these new operations.

 

To start the server, use the following command:

$WILDFLY_HOME/bin/standalone.sh  

 

To connect to the running server to execute CLI commands, use:

$WILDFLY_HOME/bin/jboss-cli.sh --connect

 

Prerequisite configuration

 

First, configure a key-store in the Elytron subsystem. The keystore file does not have to exist yet; it is created on disk the first time the store operation (described below) is run. The credential-reference is the password that protects the keystore and its private-key entries. With clear-text, that password is written verbatim into the server configuration file, so treat the configuration as a secret, and prefer a credential store reference over clear-text anywhere beyond a test setup.

 

/subsystem=elytron/key-store=exampleKS:add(path=server.keystore.jks, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=JKS)

 

Generating a key pair

 

The generate-key-pair command generates a key pair and wraps the resulting public key in a self-signed X.509 certificate. The generated private key and self-signed certificate are added to a new PrivateKeyEntry in the KeyStore. Choose the key size with current guidance in mind: 1024-bit RSA is no longer considered adequate, so the example below uses 2048 bits.



/subsystem=elytron/key-store=exampleKS:generate-key-pair(alias=example, algorithm=RSA, key-size=2048, validity=365, credential-reference={clear-text=secret}, distinguished-name="CN=www.example.com")

 

After performing the above command, you can check the alias names in the KeyStore and confirm the new alias, "example", is listed:

 

/subsystem=elytron/key-store=exampleKS:read-aliases()  
{  
    "outcome" => "success",  
    "result" => ["example"]  
}  

 

Generating a certificate signing request (CSR)

 

The generate-certificate-signing-request command generates a PKCS #10 CSR using a PrivateKeyEntry from the KeyStore. The generated CSR will be output to a file (in the example below, the CSR is output to server.csr).

 

/subsystem=elytron/key-store=exampleKS:generate-certificate-signing-request(alias=example, path=server.csr, relative-to=jboss.server.config.dir, distinguished-name="CN=www.example.com", \
extensions=[{critical=false, name=KeyUsage,value=digitalSignature}], credential-reference={clear-text=secret}) 

 

Notice that in the above command, alias=example refers to the PrivateKeyEntry that was created using the generate-key-pair command.

 

Importing a certificate or certificate chain from a file

 

The import-certificate command imports a certificate or certificate chain from a file into an entry in the KeyStore. This can be used either to import a trusted certificate into a new alias, or to import the certificate reply received after submitting a CSR to a certificate authority. For a reply, use the alias of the PrivateKeyEntry the CSR was generated from, so that the CA-issued chain replaces the self-signed certificate on that entry. trust-cacerts=true allows the JDK's cacerts file to supply the root when the imported chain is validated.

 

/subsystem=elytron/key-store=exampleKS:import-certificate(alias=example, path=/path/to/certificate/chain/file, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, trust-cacerts=true)

 

Exporting a certificate to a file

 

The export-certificate command exports a certificate from an entry in the KeyStore to a file (in the example below, the certificate is exported to serverCert.cer). No credential-reference is needed because only the certificate, not the private key, is written out.

 

/subsystem=elytron/key-store=exampleKS:export-certificate(alias=example, path=serverCert.cer, relative-to=jboss.server.config.dir, pem=true)

 

Changing an existing alias

 

The change-alias command moves an existing KeyStore entry to a new alias.

 

/subsystem=elytron/key-store=exampleKS:change-alias(alias=example, new-alias=new-example, credential-reference={clear-text=secret})

 

After performing the above command, you can check the alias names in the KeyStore and confirm the new alias name, "new-example", is listed:

 

/subsystem=elytron/key-store=exampleKS:read-aliases()
{
    "outcome" => "success",
    "result" => ["new-example"]
}

 

Storing changes

 

The store command persists any changes that you have made using the above commands to the file that backs the KeyStore. Until store is run, those changes exist only in the in-memory KeyStore and are lost on a reload or restart, so run it after the operations above and before relying on the keystore file (for example, when backing it up).

 

/subsystem=elytron/key-store=exampleKS:store()
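
The operations above chained into one CLI script that takes the server from an empty key store to an HTTPS listener, with an optional two-way SSL tail. This is an added example written for this post, not code from the WildFly project or from the original article; the resource names exampleKM, exampleSSC, clientTrustKS, clientTM and clientCA, the file names server-chain.pem and client-ca.pem, and the validate parameter on import-certificate are assumptions, as is the use of a private CA for client certificates.

```jboss-cli
# Added example: one-way (server) SSL, then optional two-way SSL, using only the
# key-store operations described in the post. Names ending in KS/KM/SSC/TM and all
# file names are assumptions chosen for this example.

# 1. Key store that will hold the server's private key. The file is created by store().
/subsystem=elytron/key-store=exampleKS:add(path=server.keystore.jks, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=JKS)

# 2. 2048-bit RSA key pair in a self-signed certificate (PrivateKeyEntry "example").
/subsystem=elytron/key-store=exampleKS:generate-key-pair(alias=example, algorithm=RSA, key-size=2048, validity=365, credential-reference={clear-text=secret}, distinguished-name="CN=www.example.com")

# 3. CSR for that entry, asking for the digitalSignature key usage.
/subsystem=elytron/key-store=exampleKS:generate-certificate-signing-request(alias=example, path=server.csr, relative-to=jboss.server.config.dir, distinguished-name="CN=www.example.com", extensions=[{critical=false, name=KeyUsage, value=digitalSignature}], credential-reference={clear-text=secret})

# 4. Persist now so the private key survives a reload while the CSR is at the CA.
/subsystem=elytron/key-store=exampleKS:store()

# --- Submit server.csr to your CA out of band and save the reply as server-chain.pem
#     (assumed file name; leaf certificate first, followed by any intermediates). ---

# 5. Import the reply under the SAME alias so it replaces the self-signed certificate.
#    validate=true (assumed attribute name) rejects a reply whose chain does not verify;
#    trust-cacerts=true lets the JDK cacerts file supply the root.
/subsystem=elytron/key-store=exampleKS:import-certificate(alias=example, path=server-chain.pem, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, validate=true, trust-cacerts=true)
/subsystem=elytron/key-store=exampleKS:store()

# Check: the entry should now show the CA-issued chain rather than the self-signed cert.
/subsystem=elytron/key-store=exampleKS:read-alias(alias=example)

# 6. Wire the key store into an SSL context and move the HTTPS listener onto it.
#    The legacy security-realm must be undefined before ssl-context can be set.
/subsystem=elytron/key-manager=exampleKM:add(key-store=exampleKS, credential-reference={clear-text=secret})
/subsystem=elytron/server-ssl-context=exampleSSC:add(key-manager=exampleKM, protocols=["TLSv1.2"])
batch
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=exampleSSC)
run-batch
reload

# 7. Optional: two-way SSL. A separate trust store holds the CA that issues client
#    certificates; the server then requires a client certificate on every handshake.
/subsystem=elytron/key-store=clientTrustKS:add(path=client-trust.jks, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=JKS)
# A private CA root is self-signed, so it cannot be chain-validated; validate=false
# imports it as a trusted entry. Verify the file's fingerprint out of band first.
/subsystem=elytron/key-store=clientTrustKS:import-certificate(alias=clientCA, path=client-ca.pem, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, validate=false)
/subsystem=elytron/key-store=clientTrustKS:store()
/subsystem=elytron/trust-manager=clientTM:add(key-store=clientTrustKS)
/subsystem=elytron/server-ssl-context=exampleSSC:write-attribute(name=trust-manager, value=clientTM)
/subsystem=elytron/server-ssl-context=exampleSSC:write-attribute(name=need-client-auth, value=true)
reload
```

Save the script as, for example, setup-ssl.cli and run it with $WILDFLY_HOME/bin/jboss-cli.sh --connect --file=setup-ssl.cli (stopping after step 4 until the CA reply is available). A quick external check after step 6 is openssl s_client -connect localhost:8443 -servername www.example.com, which should present the CA-issued chain rather than the self-signed certificate; after step 7 the same connection without a client certificate should fail the handshake. The clear-text=secret references are kept to match the post and should be replaced with credential store references outside a test environment.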

 

Summary

 

This blog post has given an overview of the new KeyStore manipulation operations that are available via the CLI in WildFly 12. For information on how to set up one-way and two-way SSL for applications and management interfaces, check out the Elytron documentation.