WSO2 IS: Change HTTPS certificate


Problem description

I am a total newbie in WSO2 configuration and a relative newbie in how HTTPS certificates work, so please bear with me.

I am trying to change the certificate for HTTPS connections in WSO2. Without any configuration WSO2 returns a certificate with the DN CN = localhost,O = WSO2,L = Mountain View,ST = CA,C = US. I am trying to change this with my own certificate, following the instructions from this blog article.

I have imported my certificate in the keystore and changed the config as described in the article. One notable difference is that I couldn't find ${carbon.home}/repository/conf/mgt-transports.xml.

After doing this, connecting to the IS server management service results in the "localhost" certificate being returned, instead of the one imported.

repository/conf/carbon.xml

    <KeyStore>
        <!-- Keystore file location-->
        <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
        <!-- Keystore type (JKS/PKCS12 etc.)-->
        <Type>JKS</Type>
        <!-- Keystore password-->
        <Password>wso2carbon</Password>
        <!-- Private Key alias-->
        <KeyAlias>testcert</KeyAlias>
        <!-- Private Key password-->
        <KeyPassword>wso2carbon</KeyPassword>
    </KeyStore>

    <!--
        Encrypt Decrypt Store will be used for encrypting and decrypting
    -->
    <RegistryKeyStore>
        <!-- Keystore file location-->
        <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
        <!-- Keystore type (JKS/PKCS12 etc.)-->
        <Type>JKS</Type>
        <!-- Keystore password-->
        <Password>wso2carbon</Password>
        <!-- Private Key alias-->
        <KeyAlias>testcert</KeyAlias>
        <!-- Private Key password-->
        <KeyPassword>wso2carbon</KeyPassword>
    </RegistryKeyStore>

Recommended answer

Step 1: Create a new keystore with a private and public key (key-pair) inside the /repository/resources/security/ directory. The default keystore (wso2carbon.jks) and truststore (client-truststore.jks) will be stored here.

• Create a keystore containing a key-pair using the Java keytool (contained in the standard JDK) and save it as a jks file. The keystore contains THIS server’s key-pair (public & private keys).

• The Keystore/Key-Pair should have the following properties/attributes:

KeystoreType = JKS
KeyPairAlgorithm = RSA
Size = 2048 bits
SignatureAlgorithm = SHA-256 WITH RSA
Password (must be exactly the same as the keystore password)
Name (Subject): the CN (Common Name) of the key-pair should be the server’s hostname upon which the IS will be deployed (if you intend to use it as the key manager for API Manager)
Extensions:
  Key usage: Digital Signature, Key Encipherment, Data Encipherment, Non Repudiation
  Subject Alternative Name: IP address = IP address of this server

Step 2: Import the certificate chain from the keystore created in Step 1 into a truststore.

Create new trust store with same attributes

• Export the certificate from the Keystore (step 1) into the truststore

Step 3: Change the configuration files as follows, reflecting the new keystore and truststore that have just been created.

Change the appropriate values in the following files (in /repository/conf/):

File                            Line number/s
identity.xml                    180
carbon.xml                      310
                                326
                                343
axis2/axis2_pt.xml              272
                                280
                                396
                                404
axis2/axis2.xml                 272
                                280
                                396
                                404
axis2/axis2_nhttp.xml           278
                                286
                                405
                                413
security/secret-conf.properties 21
                                30
sec.policy                      1

More or less, just search the files for "jks"

Delete the old keystore

Step 4: Restart
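
Steps 1 to 3 written out as keytool commands, followed by a check for configuration lines that still name an old .jks file. This is an added example, not part of the original answer; the keystore and truststore names, the alias and the STOREPASS environment variable are assumptions.

```shell
#!/bin/sh
# Added example; keystore names, alias and $STOREPASS are hypothetical.
# Passwords are read from the STOREPASS environment variable (keytool's
# ":env" modifier) so they stay out of the process list.

# Step 1: JKS keystore with an RSA 2048-bit key pair, SHA-256 with RSA.
# The key password is the same as the keystore password, as the answer requires.
# $1 = keystore path, $2 = alias, $3 = server hostname (CN), $4 = server IP
make_keystore() {
    keytool -genkeypair -storetype JKS -keystore "$1" -alias "$2" \
        -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -dname "CN=$3" \
        -ext "KeyUsage=digitalSignature,keyEncipherment,dataEncipherment,nonRepudiation" \
        -ext "SAN=ip:$4" \
        -storepass:env STOREPASS -keypass:env STOREPASS
}

# Step 2: export the certificate and import it into a new JKS truststore.
# $1 = keystore path, $2 = alias, $3 = truststore path
make_truststore() {
    keytool -exportcert -keystore "$1" -alias "$2" -file "$1.crt" \
        -storepass:env STOREPASS &&
    keytool -importcert -noprompt -storetype JKS -keystore "$3" \
        -alias "$2" -file "$1.crt" -storepass:env STOREPASS
}

# Step 3 check: print every config line (file:line:text) that names a .jks
# file other than the new keystore or truststore. Returns 1 if any remain.
# $1 = conf directory, $2 = new keystore file name, $3 = new truststore name
stale_jks_refs() {
    hits=$(grep -rn '\.jks' "$1" 2>/dev/null |
           grep -v -F -e "$2" -e "$3" || true)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}
```

Run make_keystore and make_truststore, edit the files listed in Step 3, then run stale_jks_refs against repository/conf before the restart. Any line it prints still points at a keystore other than the new pair.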
