How to create new Certificates for Liferay Portal Integration

Last update: 8 March 2018

Summary

This how-to describes what must be done to renew your Liferay Portal Certificates.

Solution

Prerequisites

  • openssl
  • keytool (Java)

Preparation

  • Open "/etc/fabasoft/web/ssl.conf"
  • Note the paths in the following 3 lines:
SSLCertificateFile /var/opt/fabasoft/instances/WebService_103/servercert.pem
SSLCertificateKeyFile /var/opt/fabasoft/instances/WebService_103/serverkeynodes.pem
SSLCACertificateFile /var/opt/fabasoft/instances/WebService_103/cacert.pem

This is the path where the certificates for the eServices are stored. The new certificates have to be placed in this folder.

CA & CA - Certificate

The following statements are necessary to create a Certificate Authority and the dedicated keys, requests and certificates.

Generate Key and Requests

openssl req -config  -new -keyout .pem -out .pem -passout "pass:" -batch

Generate CA - Certificate

openssl ca -config  -subj "" -out .pem -days  -batch -keyfile .pem -selfsign -passin "pass:" -infiles .pem

subj could look like this: "/C=AT/ST=Upper Austria/L=Linz/O=Fabasoft AG/CN=Fabasoft Local eService CA"

Export the CA - Certificate in a *.p12 - File

openssl pkcs12 -export -in .pem -inkey .pem -out .p12 -name "CaCertificate" -passin "pass:" -passout "pass:"

Export the CA - Certificate in a *.cer - File

openssl x509 -in .pem -out .cer -outform DER

Server Certificate

This certificate has to be available on the webservice.

Generate Key and Requests

openssl req -config  -new -keyout .pem -out .pem -subj "" -passout "pass:" -days  -batch

subj could look like this: "/CN=servicedesktest.support.fabasoft.local"

Generate Server Certificate

openssl ca -config  -policy policy_anything -out .pem -batch -infiles .pem

Generate Keynodes

openssl rsa -in .pem -out .pem

Use Created Certificates

Stop all Fabasoft Folio WebServices. To use the created certificates, copy them to the file system locations noted at the beginning. Make sure all certificates and keys have the same permissions as the originals had.

Liferay Service Certificate

Important: The CN of the Liferay certificate must be a login string of the Liferay Service User in the Fabasoft Folio installation.

Generate Key and Requests

openssl req -config  -new -keyout .pem -out .pem -subj "" -passout "pass:" -days  -batch

subj could look like this: "/CN=liferaysvc"

Generate Server Certificate

openssl ca -config  -policy policy_anything -out .pem -batch -infiles .pem

Generate Keynodes

openssl rsa -in .pem -out .pem

Export the CA - Certificate in a *.p12 - File

openssl pkcs12 -export -in .pem -inkey .pem -out keystore.p12 -name "CaCertificate" -passin "pass:" -passout "pass:"

Import the CA - Certificate in the Truststore

keytool -import -trustcacerts -alias "" -file cacert.cer -keystore truststore.jks -noprompt -storepass 

alias could look like this: "Fabasoft Local eService CA"
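
A pre-deployment check for the files produced above, as an added example (not part of the original how-to or of Fabasoft's tooling): it confirms that a key belongs to its certificate, that the certificate verifies against the new CA, that the CN matches the required login, and that permissions equal those of the originals. The function names and the throwaway demo CA created by make_demo are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: checks to run before copying renewed files into place.

# key_matches CERT KEY: the unencrypted key ("keynodes") belongs to the certificate.
# "-passin pass:" makes an encrypted key fail instead of prompting.
key_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# chains_to CA CERT: the certificate verifies against the new CA certificate.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# cn_of CERT: print the subject CN (must equal the Liferay service user's login).
cn_of() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p'
}

# same_perms ORIGINAL NEW: mode, numeric owner and numeric group are identical.
same_perms() {
    [ "$(ls -ldn "$1" | awk '{print $1, $3, $4}')" = \
      "$(ls -ldn "$2" | awk '{print $1, $3, $4}')" ]
}

# make_demo DIR: constructed throwaway CA and service certificate for trying the checks.
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=liferaysvc" \
        -keyout "$d/svckey.pem" -out "$d/svcreq.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/svcreq.pem" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -days 1 -out "$d/svccert.pem" 2>/dev/null
}
```

Source the file and call the functions on the real files, for example key_matches with the new servercert.pem and serverkeynodes.pem, and same_perms with a backup of the original file and its replacement.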

Exchange Liferay Certificate

To exchange the truststore and the Liferay service user certificate, two files have to be edited and the generated files have to be copied to the Tomcat directory (webapps/ROOT/WEB-INF/certs).

In the following two files the passwords for the truststore and the keystore have to be edited:

  • webapps/ROOT/WEB-INF/classes/portal-ext.properties
  • webapps/fscportlet/WEB-INF/portlet.xml

Starting Liferay

Liferay can now be started. To get fully functional portlets, the portlets have to be instantiated anew so that the new certificates are chosen.

Applies to

  • Fabasoft Folio (Linux)
  • Fabasoft eGov-Suite (Linux)
  • Liferay
