问题
I am a total newbie in WSO2 configuration and a relative newbie in how HTTPS certificates work, so please bear with me.
I am trying to change the certificate for HTTPS connections in WSO2. Without any configuration WSO2 returns a certificate with the DN CN = localhost,O = WSO2,L = Mountain View,ST = CA,C = US. I am trying to change this with my own certificate, following the instructions from this blog article.
I have imported my certificate in the keystore and changed the config as described in the article. One notable difference is that I couldn't find ${carbon.home}/repository/conf/mgt-transports.xml.
After doing this, connecting to the IS server management service results in the "localhost" certificate being returned, instead of the one imported.
The KeyStore and RegistryKeyStore entries in repository/conf/carbon.xml
<KeyStore>
<!-- Keystore file location-->
<Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
<!-- Keystore type (JKS/PKCS12 etc.)-->
<Type>JKS</Type>
<!-- Keystore password-->
<Password>wso2carbon</Password>
<!-- Private Key alias-->
<KeyAlias>testcert</KeyAlias>
<!-- Private Key password-->
<KeyPassword>wso2carbon</KeyPassword>
</KeyStore>
<!--
Encrypt Decrypt Store will be used for encrypting and decrypting
-->
<RegistryKeyStore>
<!-- Keystore file location-->
<Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
<!-- Keystore type (JKS/PKCS12 etc.)-->
<Type>JKS</Type>
<!-- Keystore password-->
<Password>wso2carbon</Password>
<!-- Private Key alias-->
<KeyAlias>testcert</KeyAlias>
<!-- Private Key password-->
<KeyPassword>wso2carbon</KeyPassword>
</RegistryKeyStore>
回答1:
Step 1: Create a new keystore with private and public key (key-pair). Inside /repository/resources/security/ directory. The default keystore (wso2carbon.jks) and truststore (client-truststore.jks) will be stored here.
• Create a keystore containing a key-pair using java key tool (contained in the standard jdk) and save it as a jks file. The keystore contains THIS server’s key-pair (public & private keys).
• The Keystore/Key-Pair should have the following properties/attributes :
KeystoreType = JKS,
KeyPairAlgorithm = RSA,
Size = 2048 bits
SignatureAlgorithm = SHA-256 WITH RSA
Password (Must be exactly the same as the keystore password)
Name(Subject): The CN(Common Name) of the key-pair should be the server’s hostname upon which the IS will be deployed (if you intend to use it as the key manager for api manager)
Extensions:
Key usage : Digital Signature , Key Encipherment , Data Encipherment , on Repudian
Subject Alternate name : IP address = IP address of this server
Step 2: Import the certificate chain from the keystore created in Step 1 into a truststore.
Create new trust store with same attributes
• Export the certificate from the Keystore (step 1) into the truststore
Step 3: Change the configuration files as follows, reflecting the new keystore and truststore that have just been created.
Change the appropriate values in the following files (in /repository/conf/):
File Line number/s
identity.xml 180
carbon.xml 310
326
343
axis2/axis2_pt.xml 272
280
396
404
axis2/axis2.xml 272
280
396
404
axis2/axis2_nhttp.xml 278
286
405
413
security/secret-conf.properties 21
30
sec.policy 1
More or less , just search the files for "jks"
Delete the old keystores
Step4: Restart
来源:https://stackoverflow.com/questions/33253567/wso2-is-change-https-certificate