IBM Sterling Connect:Direct: Trocando a chave TLS do C:D

From Wiki
Revision as of 14:54, 19 March 2025 by Ebasso (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Trocando a chave SSL do Connect:Direct

Vamos criar uma chave 2024/2025 como exemplo: 

keytool -genkeypair -alias cdnode01_24_25 -keyalg RSA -keysize 2048 -validity 10 -keystore cdkeystore.p12 -storetype PKCS12 \
   -sigalg SHA384withRSA -dname "CN=cdnode01.ebasso.net, O=EbassoNet, ST=Goias, C=BR"
Enter keystore password:
Re-enter new password:
Generating 2,048 bit RSA key pair and self-signed certificate (SHA384withRSA) with a validity of 10 days
  for: CN=cdnode01.ebasso.net, O=EbassoNet, ST=Goias, C=BR

Gerando a nova chave 2025/2026 

keytool -genkeypair -alias cdnode01_25_26 -keyalg RSA -keysize 2048 -validity 365 -keystore cdkeystore.p12 -storetype PKCS12 \
   -sigalg SHA384withRSA -dname "CN=cdnode01.ebasso.net, O=EbassoNet, ST=Goias, C=BR" \
   -ext san=dns:cdnode01.ebasso.net,dns:www.cdnode01.ebasso.net
Enter keystore password:
Generating 2,048 bit RSA key pair and self-signed certificate (SHA384withRSA) with a validity of 365 days
 for: CN=cdnode01.ebasso.net, O=EbassoNet, ST=Goias, C=BR

Exportando o CSR 

keytool -certreq -alias cdnode01_25_26 -keystore cdkeystore.p12 -file cdnode01_25_26.csr -storetype PKCS12 \
   -ext san=dns:cdnode01.ebasso.net,dns:www.cdnode01.ebasso.net
Enter keystore password:


Criando a nossa CA 

openssl genpkey -algorithm RSA -out ca-key.pem -aes256 -pass pass:MinhaSenhaForte -pkeyopt rsa_keygen_bits:4096
......+..+...+....+++++++++++++++++++++++++++++++++++++++++++++*..
....+........+.........+.......+...+..+....+..+....+......+..+....

openssl req -x509 -new -nodes -key ca-key.pem -sha384 -days 3650 -out ca-cert.pem -passin pass:MinhaSenhaForte \
   -subj "/C=BR/ST=Goias/O=ebasso.net/CN=Minha CA"

Criar o arquivo san.ext 

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = cdnode01.ebasso.net
DNS.2 = www.cdnode01.ebasso.net

Assinado o CSR 

openssl x509 -req -in cdnode01_25_26.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out cdnode01_25_26.crt \
   -days 365 -sha384 -passin pass:MinhaSenhaForte -extfile san.ext
Certificate request self-signature ok
subject=C=BR, ST=Goias, O=EbassoNet, CN=cdnode01.ebasso.net


Importando a nossa CA 

keytool -import -keystore cdkeystore.p12 -storetype PKCS12 -file ca-cert.pem -alias minha-ca -noprompt
Enter keystore password:
Certificate was added to keystore

Importando a nossa chave 

keytool -import -trustcacerts -alias cdnode01_25_26 -keystore cdkeystore.p12 -file cdnode01_25_26.crt -storetype PKCS12 -noprompt \
-ext san=dns:cdnode01.ebasso.net,dns:www.cdnode01.ebasso.net
Enter keystore password:
Certificate reply was installed in keystore

Listando as nossas chaves 

keytool -list -keystore cdkeystore.p12 -storetype PKCS12 -v

Ver também

Retrieved from "https://ebasso.net/wiki/index.php?title=IBM_Sterling_Connect:Direct:_Trocando_a_chave_TLS_do_C:D&oldid=9273"