When creating server certificates I have always used openssl, and have hardly ever used a keystore / keytool for Java, so here are my notes.
What a keystore / keytool for Java is
A keystore is a file that can hold multiple key files and certificate files; the keystore file as a whole is also encrypted with a password.
A keystore file is created and managed with the keytool command for Java.
What the JCEKS keystore is
Keystore file formats include JKS (Java KeyStore), JCEKS (Java Cryptography Extension KeyStore), and PKCS#12.
Of these, JCEKS is a proprietary alternative to the JKS keystore and is more strongly encrypted, using Triple DES.
OpenAM, the SSO product, used JKS as its default format in the past, but since OpenAM 13.5 it uses JCEKS as the default.
keytool for Java command examples
Creating a keypair in JKS format, and a JKS -> JKS import
# echo -n "keypass"   > /tmp/keypass    ## password for the key being created
# echo -n "storepass" > /tmp/storepass  ## password for the keystore

## create a keypair (validity = 10 years, alias = saml) in keystore.jks
$ keytool -genkeypair -keyalg RSA -keysize 2048 -validity 3650 -alias saml \
  -dname "CN=sso.end0tknr.com,OU=sso,O=end0tknr,L=Tokyo,C=JP" \
  -keystore /tmp/keystore.jks \
  -keypass `cat /tmp/keypass` -storepass `cat /tmp/storepass`

## create one more keystore to use as the import source
$ keytool -genkeypair -keyalg RSA -keysize 2048 -validity 3650 -alias saml \
  -dname "CN=sso.end0tknr.com,OU=sso,O=end0tknr,L=Tokyo,C=JP" \
  -keystore ~/tmp/keystore_2.jks \
  -keypass `cat ~/tmp/keypass` -storepass `cat ~/tmp/storepass`

## import keystore_2.jks -> keystore.jks
$ keytool -importkeystore \
  -srckeystore  ~/tmp/keystore_2.jks -srcstoretype  jks \
  -destkeystore ~/tmp/keystore.jks   -deststoretype jks \
  -srcstorepass  `cat ~/tmp/storepass` \
  -deststorepass `cat ~/tmp/storepass`
Existing entry alias saml exists, overwrite? [no]:  no
Enter new alias name (RETURN to cancel import for this entry):  saml2
Enter key password for <saml>
Entry for alias saml successfully imported.

## check the contents of keystore.jks
$ keytool -v -list -keystore ~/tmp/keystore.jks -storetype jks \
  -storepass `cat ~/tmp/storepass`
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: saml
Creation date: Aug 10, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=sso.end0tknr.com, OU=sso, O=end0tknr, L=Tokyo, C=JP
Issuer: CN=sso.end0tknr.com, OU=sso, O=end0tknr, L=Tokyo, C=JP
Serial number: 7bed8067
Valid from: Mon Aug 10 10:52:11 JST 2020 until: Thu Aug 08 10:52:11 JST 2030
Certificate fingerprints:
     MD5:    2C:D8:DB:4C:C9:89:47:96:0E:A5:01:13:42:F5:7E:1B
     SHA1:   C7:74:5B:D1:EC:FC:BD:96:9C:BD:34:3B:19:F3:E4:86:DE:2C:93:E4
     SHA256: AC:9E:DB:DC:0C:2E:22:FC:18:FC:6F:5E:FF:5A:7E:01:18:F6:97:~
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
(Bonus) Deploying the JKS to OpenAM
Reference: https://www.identityfusion.com/how-to-configure-openam-signing-keys/
$ sudo /opt/openam/admin/sso/bin/ampassword --encrypt /tmp/keypass   > /tmp/.keypass
$ sudo /opt/openam/admin/sso/bin/ampassword --encrypt /tmp/storepass > /tmp/.storepass
$ rm /tmp/keypass /tmp/storepass
$ sudo mv /tmp/keystore.jks /tmp/.keypass /tmp/.storepass /usr/share/tomcat8/sso/sso/
$ sudo chown tomcat:tomcat /usr/share/tomcat8/sso/sso/keystore.jks \
  /usr/share/tomcat8/sso/sso/.keypass \
  /usr/share/tomcat8/sso/sso/.storepass
Creating a keypair in JCEKS format, and a JKS -> JCEKS import
## create a keypair (validity = 10 years, alias = saml3) in keystore.jceks
$ keytool -genkeypair -keyalg RSA -keysize 2048 -validity 3650 -alias saml3 \
  -dname "CN=sso.end0tknr.com,OU=sso,O=end0tknr,L=Tokyo,C=JP" \
  -keystore ~/tmp/keystore.jceks -storetype jceks \
  -keypass `cat ~/tmp/keypass` -storepass `cat ~/tmp/storepass`

## import keystore.jks -> keystore.jceks
$ keytool -importkeystore \
  -srckeystore  ~/tmp/keystore.jks   -srcstoretype  jks \
  -destkeystore ~/tmp/keystore.jceks -deststoretype jceks \
  -srcstorepass  `cat ~/tmp/storepass` \
  -deststorepass `cat ~/tmp/storepass`
Importing keystore /home/end0tknr/tmp/keystore.jks to /home/end0tknr/tmp/keystore.jceks...
Enter key password for <saml>
Entry for alias saml successfully imported.
Enter key password for <saml2>
Entry for alias saml2 successfully imported.

## check the contents of keystore.jceks
$ keytool -v -list -keystore ~/tmp/keystore.jceks -storetype jceks \
  -storepass `cat ~/tmp/storepass`
Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 3 entries

Alias name: saml
Creation date: Aug 10, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=sso.end0tknr.com, OU=sso, O=end0tknr, L=Tokyo, C=JP
Issuer: CN=sso.end0tknr.com, OU=sso, O=end0tknr, L=Tokyo, C=JP
Serial number: 7bed8067
Valid from: Mon Aug 10 10:52:11 JST 2020 until: Thu Aug 08 10:52:11 JST 2030
Certificate fingerprints:
     MD5:    2C:D8:DB:4C:C9:89:47:96:0E:A5:01:13:42:F5:7E:1B
     SHA1:   C7:74:5B:D1:EC:FC:BD:96:9C:BD:34:3B:19:F3:E4:86:DE:2C:93:E4
     SHA256: AC:9E:DB:DC:0C:2E:22:FC:18:FC:6F:5E:FF:5A:7E:01:18:F6:97:~
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
:
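As an added example (my own code, not from the original post or from OpenAM), the same JKS -> JCEKS migration done through the Java KeyStore API, followed by the check a practitioner wants before handing the file to OpenAM: the written JCEKS is reloaded and every entry's certificate is confirmed to be inside its validity period. The class and method names are assumptions; the paths and the plaintext storepass/keypass files are the ones used above (the ampassword-encrypted .keypass/.storepass files cannot be used here).

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

public class JksToJceks {
    // Copies every private-key entry from a JKS store into a new JCEKS store,
    // then reloads the result and checks that each certificate is currently valid.
    // Returns the number of entries that failed the check (0 = all good).
    public static int convertAndVerify(String srcJks, String destJceks,
                                       char[] storePass, char[] keyPass) throws Exception {
        KeyStore src = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(srcJks)) {
            src.load(in, storePass);
        }
        KeyStore dest = KeyStore.getInstance("JCEKS");
        dest.load(null, null);                       // start from an empty JCEKS store
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(keyPass);
        for (String alias : Collections.list(src.aliases())) {
            if (!src.isKeyEntry(alias)) continue;    // trusted-cert entries are not copied
            dest.setEntry(alias, src.getEntry(alias, prot), prot);  // keep the same key password
        }
        try (FileOutputStream out = new FileOutputStream(destJceks)) {
            dest.store(out, storePass);
        }
        // Reload what was written, the way OpenAM will, and check each certificate's dates.
        KeyStore check = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(destJceks)) {
            check.load(in, storePass);
        }
        Date now = new Date();
        int failures = 0;
        for (String alias : Collections.list(check.aliases())) {
            X509Certificate cert = (X509Certificate) check.getCertificate(alias);
            boolean valid = cert.getNotBefore().before(now) && cert.getNotAfter().after(now);
            System.out.printf("%-8s %s  (valid until %s)%n",
                              alias, valid ? "OK" : "INVALID", cert.getNotAfter());
            if (!valid) failures++;
        }
        return failures;
    }

    // Usage: java JksToJceks ~/tmp/keystore.jks ~/tmp/keystore.jceks "$(cat ~/tmp/storepass)" "$(cat ~/tmp/keypass)"
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: JksToJceks <src.jks> <dest.jceks> <storepass> <keypass>");
            System.exit(2);
        }
        System.exit(convertAndVerify(args[0], args[1], args[2].toCharArray(), args[3].toCharArray()));
    }
}
```

The exit status is the number of entries that failed the validity check, so the program can gate a deployment script the same way `keytool -list` output would be eyeballed above.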