Friday, June 24, 2016
Creating an internal CA and signed server certificates for OpenDJ using cfssl, keytool and openssl
Yes, that title is quite a mouthful, and mostly intended to get the Google juice if I need to find this entry again.
I spent a couple of hours figuring out the magical incantations, so thought I would document this here.
The problem: You want OpenDJ to use something other than the default self-signed certificate for SSL connections. A "real" certificate signed by a CA (Certificate Authority) is expensive and a pain to procure and install.
The next best alternative is to create your own "internal" CA, and have that CA sign certificates for your services. In most cases, this is going to work fine for *internal* services that do not need to be trusted by a browser.
You might ask why is this better than just using self-signed certificates? The idea is that you can import your CA certificate once into the truststore for your various clients, and thereafter those clients will trust any certificate presented that is signed by your CA.
For example, assume I have OpenDJ servers: server-1,server-2 and server-3. Using only self-signed certificates, I will need to import the certs for each server (three in this case) into my client's truststore. If instead, I use a CA, I need only import a single CA certificate. The OpenDJ server certificates will be trusted because they are signed by my CA. Once you start to get a lot of services deployed using self-signed certificates becomes super painful. Hopefully, that all makes sense...
Now how do you create all these certificates? Using CloudFlare's open source cfssl utility, Java keytool, and a little openssl.
I'll spare you the details, and point you to this shell script which you can edit for your environment:
Here is the gist: