1. JDK7 supports EC key algorithm
./jdk1.7.0_03/bin/keytool -v -genkey -alias https -keyalg EC -keystore /opt/jboss/https.keystore -keysize 409 -validity 730 -dname "CN=*.example.com, OU=TW, O=Home, L=OL, ST=WiM, C=PL" -storepass s0m3p15s -keypass S0m3p15s
max size is -keysize 571
2. Firefox (14.0a1) also supports EC .. partially - only keys generated with -keysize 256 and -keysize 384
3. Opera (12 alpha) doesn't support EC keys at all :(.
To use keys generated with keytool
keytool -v -genkey -alias https -keyalg DSA -keystore /opt/httpdsa.keystore -keysize 1024 -validity 730 -dname "CN=my.domain.com, OU=Lap, O=Home, L=City, ST=State, C=UK" -storepass s0m3Pa5s -keypass s0m3Pa5s
Subsytem must be set : native="false"
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false"> <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/> <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true"> <ssl name="ssl" key-alias="https" password="s0m3Pa5s" certificate-key-file="/opt/httpdsa.keystore" protocol="TLSv1" verify-client="false"/> </connector> </subsystem>
To use keys generated with openssl
Subsytem must be set : native="true"
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="true"> <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/> <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true"> <ssl certificate-key-file="/opt/https-rsa4key.pem" protocol="TLSv1" verify-client="false" certificate-file="/opt/https-rsacert.pem" keystore-type="PKCS12" truststore-type="PKCS12"/> </connector> </subsystem>
Generating RSA keys with password
openssl genrsa -des3 -out https-rsa4key.pem 4096 openssl req -new -key https-rsa4key.pem -out https.csr openssl x509 -req -days 720 -in https.csr -signkey https-rsa4key.pem -out https-rsacert.pem
To test if browser can handle keys types/size - type password (set at runinng `openssl genrsa...`) when asked
openssl s_server -www -accept 443 -cert https-rsacert.pem -key https-rsa4key.pem
To use in Jboss AS7 standalone.xml (don't froget password="S0m3Pa5s"):
<ssl password="S0m3Pa5s" certificate-key-file="/opt/https-rsa4key.pem" protocol="TLSv1" verify-client="false" certificate-file="/opt/https-rsacert.pem" keystore-type="PKCS12" truststore-type="PKCS12"/>
I've managed to get Jboss AS7.1 to start with openssl DSA keys
openssl dsaparam -out dsaparam 1024 openssl gendsa -out https-dsa.pem dsaparam openssl req -new -key https-dsa.pem -out https.csr openssl x509 -req -days 720 -in https.csr -signkey https-dsa.pem -out https-dsacert.pem
To test if browser can handle keys types/size
openssl s_server -www -accept 443 -cert https-dsacert.pem -key https-dsa.pem
and in standalone.xml
<ssl certificate-key-file="/opt/https-dsa.pem" protocol="TLSv1" verify-client="false" certificate-file="/opt/https-dsacert.pem" keystore-type="PKCS12" truststore-type="PKCS12"/>
No comments:
Post a Comment