Retail:Generate self-signed certificate for the Hardware Manager
Introduction
The Hardware Manager can automatically generate a new self-signed certificate if one does not exist, but you can also generate it manually. This guide explains how to generate a self-signed certificate for the Hardware Manager using keytool and openssl.
- keytool. The tool to manage key stores. It is included in the Oracle Java JDK and in OpenJDK. To check that it is properly installed, type keytool -help on the command line and press ENTER.
- openssl. The tool to manage certificates. On Linux machines it can be installed using the distribution's package management tools; for Windows machines it can be downloaded from [1]. To check that it is installed, open the command line, type openssl version and press ENTER.
Generate the private key
Execute from the command line:
openssl genrsa -out ca-certificate.pem.key.pem 2048
This command generates the file ca-certificate.pem.key.pem that contains the private key that will be used in the next step to generate the certificate.
Generate the certificate
First create the following configuration file and save it as ca-certificate.pem.cfg, replacing the values according to your organization.
NOTE: The most important parameter is the Subject Alternative Name that must be the hostname of the machine where the Hardware Manager is installed.
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no

[req_distinguished_name]
C = <Country Name>
ST = <State or Province Name>
L = Locality
O = <Organization>
OU = <Organizational Unit>
CN = <Common name>

[v3_ca]
basicConstraints=CA:TRUE
subjectAltName = @alternate_names

[CA_default]
copy_extensions = copy

[alternate_names]
DNS.1 = <Subject Alternative Name 1>
Then execute from the command line:
openssl req -new -x509 -sha256 -days 365 -config ca-certificate.pem.cfg -key ca-certificate.pem.key.pem -out ca-certificate.pem
This command generates the certificate file ca-certificate.pem, valid for 365 days. Remember the key manager password, because it will be used to configure the Hardware Manager later.
Import the certificate and the private key into a p12 key store
Execute from the command line:
openssl pkcs12 -export -name hardwaremanager -in ca-certificate.pem -inkey ca-certificate.pem.key.pem -out keystore.p12
This command generates a new key store file named keystore.p12 including the certificate and private key generated in the previous step.
Convert the p12 key store to a jks key store
Execute from the command line:
keytool -importkeystore -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias hardwaremanager
This command generates a new key store file named keystore.jks in jks format, which is the format needed by the Hardware Manager. Remember the key store password of the converted jks key store, because it will be needed in the next step to configure the Hardware Manager.
Configure the Hardware Manager
To configure the Hardware Manager you need the key store file keystore.jks, the key manager password and the key store password. Open the Hardware Manager configuration file openbravohw.properties with a text editor and configure the following properties:
## Web server ##
server.fqdn = localhost
server.secureport = 8190
server.keystorepath = <KEYSTORE_PATH>
server.keystorepassword = <STORE_PASSWORD>
server.keymanagerpassword = <KEY_PASSWORD>
Where server.keystorepath is the location of the generated file, server.keystorepassword is the key store password and server.keymanagerpassword is the key manager password.
With this configuration you will be able to start the Hardware Manager with Secure HTTP (HTTPS) support.
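The NOTE above makes the Subject Alternative Name the critical parameter, so it is worth checking the generated files before relying on them. The following script is an added example, not part of the original guide: it checks that ca-certificate.pem carries a DNS Subject Alternative Name covering the Hardware Manager hostname, that ca-certificate.pem.key.pem is the matching private key, and that the certificate has not expired. The function name check_hm_cert is hypothetical, and the hostname matching assumes OpenSSL 1.0.2 or later.

```shell
#!/bin/sh
# Added example, not part of the original guide. check_hm_cert is a
# hypothetical helper name; -checkhost needs OpenSSL 1.0.2 or later.
# Usage: sh check_hm_cert.sh ca-certificate.pem ca-certificate.pem.key.pem <hostname>
check_hm_cert() {
    cert=$1; key=$2; host=$3; rc=0

    # The file must parse as a PEM X.509 certificate at all.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: cannot read certificate $cert"; return 2
    fi

    # Collect the DNS entries of the Subject Alternative Name extension.
    san=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
          grep -A1 'Subject Alternative Name' | tail -n 1 |
          tr ',' '\n' | sed -n 's/^ *DNS://p' | tr '\n' ' ')
    if [ -z "$san" ]; then
        echo "FAIL: no DNS Subject Alternative Name in $cert"; rc=1
    # With DNS entries present, OpenSSL's matcher uses the SAN, not the CN.
    elif openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
         grep -q 'does match certificate'; then
        echo "OK:   $host is covered by SAN ( $san)"
    else
        echo "FAIL: $host is not covered by SAN ( $san)"; rc=1
    fi

    # The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || key_pub=
    if [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "OK:   private key matches the certificate"
    else
        echo "FAIL: $key does not match $cert (or cannot be read)"; rc=1
    fi

    # The -days 365 window must not have passed.
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "OK:   not expired ($(openssl x509 -in "$cert" -noout -enddate))"
    else
        echo "FAIL: certificate has expired"; rc=1
    fi
    return $rc
}

# Run the check only when the three arguments are given on the command line.
if [ "$#" -eq 3 ]; then check_hm_cert "$@"; fi
```

The function returns 0 only when every check passes, 1 when a check fails and 2 when the certificate file cannot be read.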