This blog post will contain multiple posts as it is too long to have all the information in one post.
Part 1 - Creating a keystore and generating Certificate Signing Request (CSR)
When you are searching for the topic of this post or for the following exception on the internet with related to WSO2, you will come across following article from Amila Jayasekara [1]
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
It is a great article from Amila and i followed the same some time back. However, I thought to share my experience on using easy UI tool for the same task.
When it comes to using CA (Certificate Authority) signed certificate in your production server, There are few steps to carry out.
First, you need to decide whether you are going to use your already existing and valid CA signed certificate or whether you are going to create new keystore and generate key pair and get them signed from a CA.
So here we are discussing both of those approaches.
1. Create a keystore and generate keypair and use them for configuring
2. Use existing keypair in default wso2 keystore
The tool which i am going to use here is Keystore Explorer. You can get it from [2]
Creating a keystore and keypair
Launch Keystore Explorer
Select Create a new key store
Choose KeyStore type as JKS and then save (CTRL + S). It will ask for password for keystore.
Note: When using WSO2 products, Key password and Keystore password should be same.
After setting the password, It will ask for the name for the keystore. You can provide any name and save it.
Once you saved it, Generate a key pair from the tools menu as bellow.
It will ask for the algorithm
It will ask for the other fields
You need to provide the host name as your CN when you configuring the name field by clicking on the icon in front of the name field as bellow.
then you have to confirm the information.
Now it will ask for the key alias, By default it will select the given CN name.
Provide a password for the key pair. As in the above given note When using WSO2 products, Key password and Keystore password should be same.
Our next step is to create a Certificate Signing Request (CSR) from the above keypair
Creating a CSR (Certificate Signing Request)
By right clicking on the keypair , you can select the Generate CSR option. It will generate the CSR and ask for saving.
In my case it will generate it as myhostname.net.csr. When you open it with text editor, It will look like follows. This is the one you need to provide to the Certificate Authority (CA) to get it signed.
[1] http://wso2.com/library/knowledge-base/2011/08/adding-ca-certificate-authority-signed-certificate-wso2-products/
[2] http://keystore-explorer.org/
