Retail:Generate self-signed certificate for the Hardware Manager

Introduction

The Hardware Manager is capable to generate automatically a new self-signed certificate if it does not exist but you can also generate it manually. This guide explains how to generate a self-signed certificate for the Hardware Manager using keytool and openssl.

• keytool. Is the tool to manage key stores. It is included in the Oracle Java JDK or OpenJDK. To check you have it properly installed type in the command line keytool -help and press ENTER.
• openssl. Is the tool to manage certificates. For Linux machines can be installed using the distribution package management tools and for Windows machines can be downloaded from [1]. To check you have it installed, open the command line, type openssl version and press ENTER.

Generate the private key

Execute from the command line:

openssl genrsa -out ca-certificate.pem.key.pem 2048

This command generates the file ca-certificate.pem.key.pem that contains the private key that will be used in the next step to generate the certificate.

Generate the certificate

First create the following configuration file and save it as ca-certificate.pem.cfg Replacing the values according your organization.

NOTE: The most important parameter is the Subject Alternative Name that must be the hostname of the machine where the Hardware Manager is installed.

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[req_distinguished_name]
C = <Country Name>
ST = <State or Province Name>
L = Locality
O = <Organization> 
OU = <Organizational Unit>
CN = <Common name>
[v3_ca]
basicConstraints=CA:TRUE
subjectAltName = @alternate_names
[CA_default]
copy_extensions = copy
[alternate_names]
DNS.1 = <Subject Alternative Name 1>

Then execute from the command line:

openssl req -new -x509 -sha256 -days 365 -config ca-certificate.pem.cfg -key ca-certificate.pem.key.pem -out ca-certificate.pem

This command generates the certificate file ca-certificate.pem valid for 365 days. Remember the key manager password, because will be used to configure the Hardware Manager later.

Import the certificate and the private key into a p12 key store

Execute from the command line:

openssl pkcs12 -export -name hardwaremanager -in ca-certificate.pem  -inkey ca-certificate.pem.key.pem  -out keystore.p12

This command generates a new key store file named keystore.p12 including the certificate and private key generated in the previous step.

Convert the p12 key store to a jks key store

Execute from the command line:

keytool -importkeystore -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias hardwaremanager

This command generates a new key store file named keystore.jks with jks format that is the format needed by the Hardware Manager. Remember the key store password of the converted jks key store because it will be needed in the next step to configure the Hardware Manager.

Warning: Store safely the private key ca-certificate.pem.key.pem and key store files keystore.p12 and keystore.jks, because can be used to sign new certificates accepted by the browsers you will configure later to access the Hardware Manager.

Configure the Hardware Manager

To configure the Hardware Manager you need the key store file keystore.jks and the key manager password and key store password. Open the Hardware Manager configuration file openbravohw.properties with a text editor and configure the following properties:

## Web server ##
server.fqdn = localhost
server.secureport = 8190
server.keystorepath = <KEYSTORE_PATH>
server.keystorepassword = <STORE_PASSWORD>
server.keymanagerpassword = <KEY_PASSWORD>

Where server.keystorepath is the location of the generated file, server.keystorepassword is the key store password and server.keymanagerpassword is the key manager password.

With this configuration you will be able to start the Hardware Manager with Secure HTTP (HTTPS) support.