
Security Tip #2 - Generating your own intermediate CA certificate

In the previous blog entry we generated a root CA certificate. This blog entry will deal with creating an intermediate CA certificate signed by the root CA we created before.

The main reason we do it this way is so that the root CA keystore can be kept entirely on offline storage, while day-to-day signing uses the intermediate CA certificate, which we can revoke if necessary.

Let's generate your intermediate CA keystore

keytool -keystore my-intermediate-ca.jks -genkeypair \
  -alias my-intermediate-ca -noprompt -dname "CN=My Intermediate CA" \
  -keyalg rsa -keysize 8192 -validity 365

In order to get the intermediate CA certificate signed by the root CA we need a CSR, so let's generate it

keytool -keystore my-intermediate-ca.jks \
  -alias my-intermediate-ca -certreq -rfc \
  -file my-intermediate-ca.csr

Now we can use the root CA keystore to generate a signed certificate from the CSR we just generated. Let's do that now!

keytool -keystore my-ca.jks \
  -alias my-ca -gencert -infile my-intermediate-ca.csr \
  -dname "CN=My Intermediate CA" -validity 365 -rfc \
  -outfile my-intermediate-ca.pem \
  -ext BasicConstraints:critical=ca:true \
  -ext KeyUsage:critical=keyCertSign,cRLSign

Now we will import both the root CA PEM file and the intermediate CA PEM file into the intermediate CA keystore. Note that we need to import both, in this order, because the root CA certificate is needed to validate the signed intermediate certificate when it is imported.

First we need to import the root CA certificate

keytool -keystore my-intermediate-ca.jks -importcert \
  -alias my-ca -file my-ca.pem

And then we need to import the intermediate CA certificate

keytool -keystore my-intermediate-ca.jks \
  -alias my-intermediate-ca -importcert -file my-intermediate-ca.pem
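As an added check (example code, not from the original post), the Java program below loads my-intermediate-ca.jks and confirms what the steps above should have produced: the intermediate is signed by the root, both certificates carry the CA and key-usage extensions we set, and PKIX path validation succeeds with the root as the only trust anchor. The class name and the console password prompt are my own choices.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public class VerifyIntermediateChain {
    // Returns the problems found with the chain under the alias; empty means sound.
    // Signature or PKIX failures throw rather than being reported in the list.
    public static List<String> verify(KeyStore ks, String alias) throws Exception {
        List<String> problems = new ArrayList<>();
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length < 2) {
            problems.add("no two-element chain stored under alias " + alias);
            return problems;
        }
        // Because the root was imported first, keytool stores the chain as [intermediate, root].
        X509Certificate inter = (X509Certificate) chain[0];
        X509Certificate root = (X509Certificate) chain[chain.length - 1];

        // 1. The root is self-signed and the intermediate was signed with the root's key.
        root.verify(root.getPublicKey());
        inter.verify(root.getPublicKey());

        // 2. Both carry BasicConstraints CA:true (-1 means not a CA) and
        //    KeyUsage keyCertSign (bit 5) and cRLSign (bit 6), as set with -ext above.
        for (X509Certificate c : new X509Certificate[] { inter, root }) {
            if (c.getBasicConstraints() < 0)
                problems.add(c.getSubjectX500Principal() + ": BasicConstraints is not CA:true");
            boolean[] ku = c.getKeyUsage();
            if (ku == null || !ku[5] || !ku[6])
                problems.add(c.getSubjectX500Principal() + ": KeyUsage lacks keyCertSign,cRLSign");
        }

        // 3. PKIX path validation with the root as the only trust anchor. Revocation
        //    checking is off because the commands on this page publish no CRL.
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Collections.singletonList(inter));
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(false);
        CertPathValidator.getInstance("PKIX").validate(path, params);
        return problems;
    }

    public static void main(String[] args) throws Exception {
        char[] pass = System.console().readPassword("keystore password: ");
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("my-intermediate-ca.jks")) {
            ks.load(in, pass);
        }
        List<String> problems = verify(ks, "my-intermediate-ca");
        System.out.println(problems.isEmpty() ? "chain OK" : String.join("\n", problems));
    }
}
```

Run it from a terminal in the directory holding the keystore, since it reads the keystore password through System.console().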

And that is it.

Enjoy!

Security Tip #1 - Generating your own root CA certificate

If you are interested in creating your own root CA certificate, then read on.

The command line below will generate a root CA certificate (which by its nature is self-signed) with a key size of 8192 bits using the RSA key algorithm and a lifetime of 365 days from the time you issue the command.

Additionally, we declare that this certificate is a CA certificate that will be used for certificate signing and certificate revocation list signing.

keytool -keystore my-ca.jks -genkeypair \
  -alias my-ca -dname "CN=My CA" \
  -keyalg rsa -keysize 8192 -validity 365 -noprompt \
  -ext BasicConstraints:critical=CA:true \
  -ext KeyUsage:critical=keyCertSign,cRLSign

Since we know we will need to import the root CA certificate later, we export it to a PEM file.

keytool -exportcert -keystore my-ca.jks -rfc \
  -alias my-ca > my-ca.pem

In the next blog entry we will create an intermediate CA so we can keep the root CA keystore safe.

And that is it.

Enjoy!

JSF Tip #65 - JSF 2.1 Facelet VDL documentation

If you are looking for the JSF 2.1 Facelet VDL documentation, see https://javaserverfaces.java.net/docs/2.1/vdldocs/facelets/

Enjoy!


JSF Tip #64 - JSF 2.2 Facelet VDL documentation

If you are looking for the JSF 2.2 Facelet VDL documentation, see https://javaserverfaces.java.net/nonav/docs/2.2/vdldocs/facelets/index.html

Enjoy!


CDI Tip #1 - Get the annotation for a proxied class

In the Ozark runtime there are times when we need to get an annotation from a class. In some cases those instances are proxies, and we need the annotation of the class behind the proxy. The code snippet below shows how to do that.

import java.lang.annotation.Annotation;
import javax.enterprise.inject.spi.AnnotatedType;
import javax.enterprise.inject.spi.BeanManager;
import javax.enterprise.inject.spi.CDI;

public static <T extends Annotation> T getAnnotation(
        Class<?> clazz, Class<T> annotationType) {
    // Fast path: the annotation is declared directly on the class we were given.
    final T an = clazz.getDeclaredAnnotation(annotationType);
    if (an != null) {
        return an;
    }
    // Otherwise ask the CDI BeanManager for its AnnotatedType view of the class
    // and read the annotation from there.
    final BeanManager bm = CDI.current().getBeanManager();
    final AnnotatedType<?> type = bm.createAnnotatedType(clazz);
    return type != null ? type.getAnnotation(annotationType) : null;
}

Enjoy!