Comment: Add passwords directly to command line + refer to attached script for the same.


Documenting SSL/TLS certificate installation on go.genivi.org

The steps to copy the have been converted into a shell script, which is also attached to this page.


The rest of this page only documents the manual steps and more information.

...



First, Nicholas Contino created the certificates with Let's Encrypt by shutting down the go-server, starting a vanilla Apache install, and then going through the standard Let's Encrypt procedure to confirm ownership of the site.

This created

...

  $ openssl rsa -des3 -in privkey.pem -out privkey.key.new

...

 -passout pass:serverKeystorepa55w0rd

The PEM passphrase is no longer requested since it is given on the command line.


Then, to put the certificate into a Java-compatible keystore, it first needs to be converted to PKCS12 format.

(From Go.CD documentation):
    openssl pkcs12 -inkey privkey.key.new -in <example.com.crt>  -export -out cert1.crt.pkcs12
I failed at the first attempt: I assumed example.crt meant our own cert file only. But this will make the Go server output the cert as self-signed as usual. It turns out that the fullchain file should be used, which includes both our cert and the trust chain. Ref: [2] (ignore the first answer, which is wrong, and see further down)

So we run: 

  $ openssl pkcs12 -inkey privkey.key.new -in fullchain.pem -export -out fullchain.pkcs12 -passin pass:serverKeystorepa55w0rd -passout pass:serverKeystorepa55w0rd

Again, the passwords are given on the command line.

In this step, the new privkey we created of course needs to be decrypted again. Input the previously used password to decrypt, then use the same password again for the output stage.
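An added example, not part of the original page or its attached script: the same two openssl steps with the passphrase read from a mode-0600 file (`file:`) instead of `pass:`, which is visible in process listings and shell history, followed by a check that the PKCS12 built from fullchain.pem actually carries the chain. The throwaway CA and leaf certificate, the file names `cert.pem`, `chain.pem` and `pass.txt`, and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example. All key material is constructed throwaway test data.
set -eu

make_test_chain() {  # $1 = work dir; constructed CA + leaf stand in for Let's Encrypt output
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/chain.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$1/privkey.pem" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/chain.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/cert.pem" 2>/dev/null
    cat "$1/cert.pem" "$1/chain.pem" > "$1/fullchain.pem"
}

write_passfile() {   # $1 = work dir, $2 = passphrase
    # printf is a shell builtin, so the passphrase never appears in a process
    # argument list. Two lines: when -passin and -passout name the same file,
    # openssl reads line 1 as the input password and line 2 as the output one.
    ( umask 077; printf '%s\n%s\n' "$2" "$2" > "$1/pass.txt" )
}

build_keystore() {   # $1 = work dir, $2 = PEM certificate file, $3 = PKCS12 output name
    openssl rsa -des3 -in "$1/privkey.pem" -out "$1/privkey.key.new" \
        -passout "file:$1/pass.txt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/privkey.key.new" -in "$1/$2" -out "$1/$3" \
        -passin "file:$1/pass.txt" -passout "file:$1/pass.txt"
}

count_certs() {      # $1 = work dir, $2 = PKCS12 file; prints how many certificates it holds
    openssl pkcs12 -in "$1/$2" -nokeys -passin "file:$1/pass.txt" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

run_demo() {
    dir=$(mktemp -d)
    make_test_chain "$dir"
    write_passfile "$dir" 'constructed-demo-passphrase'
    build_keystore "$dir" cert.pem certonly.pkcs12
    build_keystore "$dir" fullchain.pem fullchain.pkcs12
    echo "cert.pem only: $(count_certs "$dir" certonly.pkcs12) certificate(s)"
    echo "fullchain.pem: $(count_certs "$dir" fullchain.pkcs12) certificate(s)"
    rm -rf "$dir"
}
run_demo
```

A keystore that reports a single certificate here was built from the leaf certificate alone, which is the case the page describes as being served without its trust chain.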

...