How to create new Certificates for Liferay Portal Integration
Summary
This how-to describes what must be done to renew your Liferay Portal Certificates.
Solution
Prerequisites
- openssl
- keytool (Java)
Preparation
- Open "/etc/fabasoft/web/ssl.conf"
- Note the paths in the following three lines (the instance directory, here WebService_103, differs per installation):
SSLCertificateFile /var/opt/fabasoft/instances/WebService_103/servercert.pem
SSLCertificateKeyFile /var/opt/fabasoft/instances/WebService_103/serverkeynodes.pem
SSLCACertificateFile /var/opt/fabasoft/instances/WebService_103/cacert.pem
These are the locations where the certificates for the eServices are stored. The new certificates have to be placed in these folders.
CA & CA - Certificate
The following commands create a Certificate Authority together with its key, request and certificate.
Generate Key and Requests
openssl req -config -new -keyout .pem -out .pem -passout "pass:" -batch
Generate CA - Certificate
openssl ca -config -subj "" -out .pem -days -batch -keyfile .pem -selfsign -passin "pass:" -infiles .pem
The subject (-subj) could look like this: "/C=AT/ST=Upper Austria/L=Linz/O=Fabasoft AG/CN=Fabasoft Local eService CA"
Export the CA - Certificate to a *.p12 - File
openssl pkcs12 -export -in .pem -inkey .pem -out .p12 -name "CaCertificate" -passin "pass:" -passout "pass:"
Export the CA - Certificate to a *.cer - File
openssl x509 -in .pem -out .cer -outform DER
Server Certificate
This certificate must be installed on the web service (the SSLCertificateFile and SSLCertificateKeyFile noted above).
Generate Key and Requests
openssl req -config -new -keyout .pem -out .pem -subj "" -passout "pass:" -days -batch
The subject (-subj) could look like this: "/CN=servicedesktest.support.fabasoft.local"
Generate Server Certificate
openssl ca -config -policy policy_anything -out .pem -batch -infiles .pem
Generate Keynodes
The "keynodes" file is the private key with its passphrase removed, so that the web service can start without a passphrase prompt. Protect it by file permissions: anyone who can read it owns the key.
openssl rsa -in .pem -out .pem
Use Created Certificates
Stop all Fabasoft Folio WebServices. To use the created certificates, copy them to the file system locations noted at the beginning. Make sure all certificates and keys have the same ownership and permissions as the originals had.
Liferay Service Certificate
Important: the CN of the Liferay certificate must be a login string of the Liferay Service User in the Fabasoft Folio installation, so that Fabasoft Folio can map the certificate to that user.
Generate Key and Requests
openssl req -config -new -keyout .pem -out .pem -subj "" -passout "pass:" -days -batch
The subject (-subj) could look like this: "/CN=liferaysvc"
Generate Server Certificate
openssl ca -config -policy policy_anything -out .pem -batch -infiles .pem
Generate Keynodes
openssl rsa -in .pem -out .pem
Export the Liferay Service Certificate and Key to a *.p12 - File (the Keystore)
openssl pkcs12 -export -in .pem -inkey .pem -out keystore.p12 -name "CaCertificate" -passin "pass:" -passout "pass:"
Import the CA - Certificate in the Truststore
keytool -import -trustcacerts -alias "" -file cacert.cer -keystore truststore.jks -noprompt -storepass
The alias could look like this: "Fabasoft Local eService CA"
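The whole procedure above (CA, server certificate, Liferay service certificate, PKCS#12 keystore and truststore), followed by the checks worth running before any file is copied into place, as an added example that is not part of the original how-to. It works in a throw-away temp directory with a minimal openssl.cnf of its own; the page leaves its config path, file names and passwords blank, so those are assumptions here, while the subjects are the page's example subjects. Beyond the page's commands it adds X.509 v3 extensions (CA:TRUE for the CA, serverAuth plus a DNS subjectAltName for the web service, clientAuth for the Liferay service user) and the verification steps: chain validation, certificate/key modulus match, a check that the keynodes file really is unencrypted, the CN check against the login string, and opening the keystore with its password.

```shell
#!/bin/sh
# Added example (not from the Fabasoft page): build a throw-away local CA, a web-service
# certificate and a Liferay service-user certificate in a temp directory, then run the checks
# worth doing before copying anything to /var/opt/fabasoft/... or WEB-INF/certs. Passwords,
# file names and the minimal openssl.cnf are assumptions standing in for the page's blanks.
set -eu
CA_PASS="pass:ca-example-secret"         # assumed; use real secrets in practice
KEY_PASS="pass:key-example-secret"       # assumed
P12_PASS="pass:keystore-example-secret"  # assumed; also used for the JKS truststore
SERVER_CN="servicedesktest.support.fabasoft.local"  # the page's example server subject
LIFERAY_CN="liferaysvc"   # must equal a login string of the Liferay Service User

# write_ca_config OUT: minimal config for "openssl ca" and "openssl req" (assumed layout).
write_ca_config() {
    out=$1
    mkdir -p "$out/ca/newcerts"; : > "$out/ca/index.txt"; echo 1000 > "$out/ca/serial"
    cat > "$out/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $out/ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = $out/cacert.pem
private_key = $out/cakey.pem
default_md = sha256
unique_subject = no
policy = policy_anything
[ policy_anything ]
organizationName = optional
commonName = supplied
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_CN
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}
# issue_cert OUT NAME SUBJ EXTS: encrypted key + request, CA-signed certificate, "keynodes" key.
issue_cert() {
    out=$1; name=$2; subj=$3; exts=$4
    openssl req -config "$out/openssl.cnf" -new -newkey rsa:2048 -keyout "$out/${name}key.pem" \
        -out "$out/${name}req.pem" -subj "$subj" -passout "$KEY_PASS" -batch
    openssl ca -config "$out/openssl.cnf" -batch -policy policy_anything -extensions "$exts" \
        -days 365 -passin "$CA_PASS" -out "$out/${name}cert.pem" -infiles "$out/${name}req.pem"
    # strip the passphrase so the service can start unattended; the file mode is then all that guards it
    openssl rsa -in "$out/${name}key.pem" -passin "$KEY_PASS" -out "$out/${name}keynodes.pem"
    chmod 600 "$out/${name}keynodes.pem"
}

# make_pki OUT: CA, server and Liferay certificates, PKCS#12 keystore and (if a JDK is present) truststore.
make_pki() {
    out=$1
    write_ca_config "$out"
    openssl req -config "$out/openssl.cnf" -new -newkey rsa:2048 -keyout "$out/cakey.pem" \
        -out "$out/careq.pem" -subj "/O=Fabasoft AG/CN=Fabasoft Local eService CA" -passout "$CA_PASS" -batch
    openssl ca -config "$out/openssl.cnf" -batch -selfsign -extensions v3_ca -days 3650 \
        -keyfile "$out/cakey.pem" -passin "$CA_PASS" -out "$out/cacert.pem" -infiles "$out/careq.pem"
    openssl x509 -in "$out/cacert.pem" -out "$out/cacert.cer" -outform DER
    issue_cert "$out" server  "/CN=$SERVER_CN"  v3_server   # SSLCertificateFile / SSLCertificateKeyFile
    issue_cert "$out" liferay "/CN=$LIFERAY_CN" v3_client   # client certificate of the Liferay service user
    openssl pkcs12 -export -in "$out/liferaycert.pem" -inkey "$out/liferaykeynodes.pem" -certfile "$out/cacert.pem" \
        -name "CaCertificate" -passout "$P12_PASS" -out "$out/keystore.p12"   # alias as on the page
    if command -v keytool >/dev/null 2>&1; then
        keytool -import -trustcacerts -alias "Fabasoft Local eService CA" -file "$out/cacert.cer" \
            -keystore "$out/truststore.jks" -noprompt -storepass "${P12_PASS#pass:}"; fi
}

# cert_cn FILE: print the CN of a certificate's subject.
cert_cn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'; }

# check_pki OUT: what to verify before stopping the web services and copying files into place.
check_pki() {
    out=$1
    openssl verify -CAfile "$out/cacert.pem" "$out/servercert.pem" "$out/liferaycert.pem" >/dev/null || return 1
    for name in server liferay; do
        c=$(openssl x509 -in "$out/${name}cert.pem" -noout -modulus) || return 1
        k=$(openssl rsa -in "$out/${name}keynodes.pem" -noout -modulus) || return 1
        [ "$c" = "$k" ] || return 1                                   # certificate and key belong together
        if grep -q ENCRYPTED "$out/${name}keynodes.pem"; then return 1; fi   # mod_ssl must not block on a prompt
    done
    [ "$(cert_cn "$out/liferaycert.pem")" = "$LIFERAY_CN" ] || return 1    # CN is the login string
    openssl pkcs12 -in "$out/keystore.p12" -passin "$P12_PASS" -noout || return 1   # keystore password works
}
WORK=$(mktemp -d)
make_pki "$WORK" >"$WORK/build.log" 2>&1
check_pki "$WORK"
echo "new certificates in $WORK passed all checks (build log: $WORK/build.log)"
```

The keytool step only runs when a JDK is on the PATH. One caveat the page predates: OpenSSL 3 writes the PKCS#12 file with AES-256 and PBKDF2, which an old Java runtime may refuse to open; in that case re-export with `openssl pkcs12 -export -legacy ...`.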
Exchange Liferay Certificate
To exchange the truststore and the Liferay service user certificate, two files have to be edited and the generated files have to be copied to the Tomcat directory (webapps/ROOT/WEB-INF/certs).
In the following two files the passwords for the truststore and the keystore have to be edited:
- webapps/ROOT/WEB-INF/classes/portal-ext.properties
- webapps/fscportlet/WEB-INF/portlet.xml
Starting Liferay
Liferay can now be started. For the portlets to become fully functional again, they have to be re-instantiated so that the new certificates are picked up.
Applies to
- Fabasoft Folio (Linux)
- Fabasoft eGov-Suite (Linux)
- Liferay