How do I create an SSL certificate with the Java key tool to use within SearchBlox?

To set up the SSL certificate with java keytool and install with SearchBlox, follow the steps below:

#Go to the SearchBlox installation directory

cd /opt/searchblox

#Create a keystore with a new RSA key pair (keytool prompts for the certificate details and the passwords at this step)

jre/bin/keytool -genkey -alias searchblox -keyalg RSA -keystore etc/SBkeystore.jks -keysize 2048

Fill in the details as prompted:

  • "first and last name" is the CN, i.e. it must match the FQDN users will browse to (for example search.example.com, not the server's internal name)
  • Choose the keystore password; when keytool asks for the key password for the alias, press Enter to reuse the keystore password, so that the Jetty KeyStorePassword and KeyManagerPassword can hold the same value

#Create a signing request (CSR) from that key pair to send to the CA

jre/bin/keytool -certreq -alias searchblox -keystore etc/SBkeystore.jks -file searchblox.csr

#Have the CA sign the CSR and bring back the signed certificate together with the CA chain (crt/pem). Import the root first, then the intermediate, then the signed certificate under the same alias as the key pair (searchblox); imported under any other alias it becomes a plain trusted certificate and the key keeps its self-signed placeholder.

jre/bin/keytool -import -trustcacerts -alias rootca -file Root.crt -keystore etc/SBkeystore.jks -storepass <pass>

jre/bin/keytool -import -trustcacerts -alias intca -file Issue_CA.crt -keystore etc/SBkeystore.jks -storepass <pass>

jre/bin/keytool -import -alias searchblox -file searchblox.crt -keystore etc/SBkeystore.jks -storepass <pass>
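The whole procedure above as one script, added here as an example and not a script shipped with SearchBlox. It covers what the separate commands leave to the operator: every cluster hostname goes into a Subject Alternative Name extension on both the key pair and the CSR, the store type is selectable, and after the CA certificates and the signed reply are imported it reads back the certificate chain length keytool reports for the server alias. The keytool path, keystore path, alias and CA file names are assumptions taken from the commands above and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not a SearchBlox-supplied script: the keytool procedure from
# this page as one repeatable run. Paths, alias and file names are assumptions
# (taken from the commands above) and can be overridden via the environment.
set -eu

KEYTOOL="${KEYTOOL:-/opt/searchblox/jre/bin/keytool}"   # assumed install path
STORE="${STORE:-/opt/searchblox/etc/SBkeystore.jks}"
ALIAS="${ALIAS:-searchblox}"
STORETYPE="${STORETYPE:-JKS}"   # set to PKCS12 if the Jetty config expects that format

# Build the value for keytool's -ext option: SAN=dns:host1,dns:host2,...
# Every hostname in a SearchBlox cluster should be listed so one keystore
# can be copied to every node.
san_ext() {
    ext=""
    for h in "$@"; do
        ext="${ext:+$ext,}dns:$h"
    done
    printf 'SAN=%s\n' "$ext"
}

# Step 1: generate the key pair and a CSR. The first hostname becomes the CN;
# all hostnames go into the SAN of both the placeholder cert and the CSR.
# The key password is set equal to the store password, so Jetty's
# KeyStorePassword and KeyManagerPassword can use the same OBF value.
gen_csr() {
    storepass="$1"; shift
    cn="$1"
    san="$(san_ext "$@")"
    "$KEYTOOL" -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -storetype "$STORETYPE" -keystore "$STORE" \
        -storepass "$storepass" -keypass "$storepass" \
        -dname "CN=$cn" -ext "$san"
    "$KEYTOOL" -certreq -alias "$ALIAS" -keystore "$STORE" \
        -storepass "$storepass" -ext "$san" -file "$ALIAS.csr"
}

# Step 2: once the CA returns the signed certificate, import root and
# intermediate as trusted certs, then the signed reply under the SAME alias
# as the private key (a different alias would store it as a plain
# trustedCertEntry and Jetty would keep serving the self-signed placeholder).
import_chain() {
    storepass="$1"; root="$2"; inter="$3"; leaf="$4"
    "$KEYTOOL" -importcert -trustcacerts -noprompt -alias rootca -file "$root" \
        -keystore "$STORE" -storepass "$storepass"
    "$KEYTOOL" -importcert -trustcacerts -noprompt -alias intca -file "$inter" \
        -keystore "$STORE" -storepass "$storepass"
    "$KEYTOOL" -importcert -alias "$ALIAS" -file "$leaf" \
        -keystore "$STORE" -storepass "$storepass"
    printf 'certificate chain length for %s: %s\n' "$ALIAS" "$(chain_length "$storepass")"
}

# Print the "Certificate chain length" keytool reports for the server alias.
# 3 = leaf + intermediate + root linked; 1 = only the self-signed placeholder.
chain_length() {
    "$KEYTOOL" -list -v -keystore "$STORE" -storepass "$1" -alias "$ALIAS" \
        | sed -n 's/^Certificate chain length: //p'
}

# Usage:
#   sh sb-keystore.sh csr 'StorePassw0rd' search.example.com node2.example.com
#   (send searchblox.csr to the CA)
#   sh sb-keystore.sh import 'StorePassw0rd' Root.crt Issue_CA.crt searchblox.crt
case "${1:-}" in
    csr)    shift; gen_csr "$@" ;;
    import) shift; import_chain "$@" ;;
esac
```

Run the csr step before sending the request to the CA and the import step once Root.crt, Issue_CA.crt and searchblox.crt are back. A reported chain length of 3 means keytool linked the reply to the intermediate and the root; if it cannot link the reply it refuses the import with "Failed to establish chain from reply", which usually means the CA certificates were imported in the wrong order or a different intermediate signed the certificate.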

#If you already have the certificate and private key as a PFX (PKCS #12) file, convert it into the JKS keystore instead of generating a new key and CSR:

(To list the contents of a keystore; after the conversion, confirm the entry is a PrivateKeyEntry whose certificate chain includes the CA certificates, not just a trustedCertEntry)

keytool -list -v -keystore identity.jks -storepass password  

(To convert a PKCS #12 file into a JKS keystore, keeping the alias and the key password)

keytool -importkeystore -srckeystore <source_keystoreFile> -srcstoretype PKCS12 -destkeystore <destination_keystoreFile>  -deststoretype JKS -srcstorepass mysecret -deststorepass mysecret -srcalias myalias -destalias myalias -srckeypass mykeypass -destkeypass mykeypass -noprompt

Example : 

keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore mykeystorefile.jks -deststoretype JKS
 
reference: https://blogs.oracle.com/blogbypuneeth/steps-to-create-a-jks-keystore-from-pfx-file 

#Obfuscate the keystore password for Jetty. Replace the jetty-util jar version with the one present in lib and <keystore password> with the real password, but otherwise run:

(In Linux)

cd /opt/searchblox/lib

java -cp jetty-util-9.3.6.v20151106.jar org.eclipse.jetty.util.security.Password <keystore password>

(In Windows)

C:\SearchBloxServer\lib>java -cp jetty-util-9.3.6.v20151106.jar org.eclipse.jetty.util.security.Password <keystore password>

This prints the password in OBF: and MD5: form. Use the OBF: value for the KeyStorePassword, KeyManagerPassword and TrustStorePassword in the SslContextFactory configuration (etc/jetty-ssl-context.xml). OBF is reversible obfuscation, not a hash: Jetty has to recover the real password from it, and so can anyone who can read the file, so it only keeps the password out of casual view. Restrict read access to etc/ and start.d/ to the account SearchBlox runs as.

#Ensure etc/jetty-ssl-context.xml refers to the new keystore and carries the OBF values from the previous step (substitute your own for the ones shown), e.g.:
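Before copying OBF: values into the configuration files it is worth seeing exactly what they protect. The following is an added example, not code from this page, from Jetty or from SearchBlox: Jetty's OBF scheme reimplemented in POSIX shell with awk. jetty_obf produces the same OBF: string the Password class prints for an ASCII password, and jetty_deobf turns any OBF: value from jetty-ssl-context.xml or start.d/ssl.ini back into the clear-text password, which is what anyone with read access to those files can do. The function and file names are the example's own; the 'U' chunk form Jetty uses for non-ASCII bytes is rejected rather than decoded.

```shell
#!/bin/sh
# Added example (not Jetty's or SearchBlox's code): Jetty's "OBF:" password
# obfuscation reimplemented in POSIX shell + awk, to show that it is
# reversible. ASCII passwords only; the 'U'-prefixed chunks Jetty emits for
# bytes >= 0x80 are rejected rather than mishandled.

# jetty_obf PASSWORD -> OBF:...
# Byte i is paired with its mirror byte (length-1-i) and the pair encoded as
# the base-36 number (127+b1+b2)*256 + (127+b1-b2), zero-padded to 4 digits.
jetty_obf() {
    printf '%s' "$1" | awk '
    BEGIN {
        digits = "0123456789abcdefghijklmnopqrstuvwxyz"
        for (i = 1; i < 128; i++) ord[sprintf("%c", i)] = i   # ASCII lookup table
    }
    function b36(n,    s) {
        s = ""
        do { s = substr(digits, n % 36 + 1, 1) s; n = int(n / 36) } while (n > 0)
        return s
    }
    {
        n = length($0); out = ""
        for (i = 1; i <= n; i++) {
            c1 = substr($0, i, 1); c2 = substr($0, n - i + 1, 1)
            if (!(c1 in ord) || !(c2 in ord)) {
                print "non-ASCII password not supported" > "/dev/stderr"; exit 1
            }
            x = b36((127 + ord[c1] + ord[c2]) * 256 + (127 + ord[c1] - ord[c2]))
            out = out substr("0000", 1, 4 - length(x)) x
        }
        print "OBF:" out
    }'
}

# jetty_deobf OBF:... -> PASSWORD
# Each 4-digit chunk v gives i1 = v div 256 and i2 = v mod 256; the original
# byte is (i1 + i2 - 254) / 2. Malformed input (length not a multiple of 4,
# or the 'U' non-ASCII form) is refused.
jetty_deobf() {
    printf '%s' "${1#OBF:}" | awk '
    BEGIN { digits = "0123456789abcdefghijklmnopqrstuvwxyz" }
    function b36val(s,    i, v) {
        v = 0
        for (i = 1; i <= length(s); i++) v = v * 36 + index(digits, substr(s, i, 1)) - 1
        return v
    }
    {
        if (length($0) % 4 != 0 || $0 !~ /^[0-9a-z]*$/) {
            print "malformed or non-ASCII OBF string" > "/dev/stderr"; exit 1
        }
        out = ""
        for (i = 1; i <= length($0); i += 4) {
            v = b36val(substr($0, i, 4))
            out = out sprintf("%c", int((int(v / 256) + v % 256 - 254) / 2))
        }
        print out
    }'
}

# Usage: sh jetty-obf.sh OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4   (prints storepwd)
if [ $# -gt 0 ]; then
    case "$1" in
        OBF:*) jetty_deobf "$1" ;;
        *)     jetty_obf "$1" ;;
    esac
fi
```

The sample value OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 is the obfuscation of storepwd. Treat the configuration files as holding the keystore password in clear and restrict their permissions accordingly; the OBF form exists so the password is not readable at a glance, not to make the files safe to share or check into a repository.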

<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.keystore" default="etc/SBkeystore.jks"/></Set>
  <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1r2t1ugg1wgg1unj1ik8sjshy7hsk1ing1uof1wfi1kjs7jr55"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1r2ldskfjfj7d7hjejdkd9jdy20ec1ing1uof1wfi1uha1r55"/></Set>
  <Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.truststore" default="etc/SBkeystore.jks"/></Set>
  <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1r2t1ugg1wgg1udlkdkfjgjjg8duhjd7huha1r55"/></Set>
  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="ExcludeCipherSuites">


#Enable the Jetty https module, which creates start.d/https.ini and, if it is not there yet, start.d/ssl.ini; then update start.d/ssl.ini with the same keystore path and OBF passwords as jetty-ssl-context.xml

jre/bin/java -server -jar start.jar --add-to-startd=https

#Stop and Start SearchBlox

SearchBlox will now present the CA-signed certificate and serve search results over the configured HTTPS port. Check from a client that the certificate name matches the hostname and that the intermediate certificate is sent along with it; browsers often hide a missing intermediate because they fetch or cache it, while other clients simply fail.

Additional Note:

1) When creating or exporting the keystore, use the store type your Jetty configuration expects. The commands above produce JKS; if the SearchBlox Jetty configuration (jetty-ssl-context.xml or ssl.ini) is set up for PKCS #12, which has been keytool's default keystore format since Java 9, create or convert the keystore as PKCS #12 rather than plain JKS, as a mismatched format may fail to load.

2) If working with a SearchBlox cluster, list every hostname in the cluster, and the load-balancer name users browse to, as Subject Alternative Names on the certificate. This lets you use the same certificate/keystore file on every machine in the cluster. The SAN list has to be part of the CSR (keytool's -ext option); the interactive prompts only set the subject.
