Creating self-signed SSL certificates for Solr

Blog Post created by wabson Employee on Aug 31, 2012
Since the default SSL certificates that ship with Alfresco's Solr integration expired the other week I've been having to fix up my local development installs that I'd previously configured with Solr.

The instructions on the wiki are pretty comprehensive, and together with the text file provided in the Solr integration package provide all the info you need to understand the process of creating your own keys and certificates for local testing.

After I stepped through the complete procedure documented there, with some slight modifications to avoid the interactive prompting, I found I had a set of commands which I could use in order to repeatedly re-generate a set of keys inside each installation directory on my system.

The first section in the following listing could be placed inside your .bash_profile file, and this is recommended to ensure that the password values you choose to use are not captured in your command history or in your terminal. The commands after that should be used repeatedly against each Alfresco installation you wish to generate keys and certificates for.

# The subject name of the key used to sign the certificates

REPO_SUBJECT_NAME='/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco Repository'

# The repository server certificate subject name, as specified in tomcat/conf/tomcat-users.xml with roles='repository'

REPO_CERT_DNAME='CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB'

# The SOLR client certificate subject name, as specified in tomcat/conf/tomcat-users.xml with roles='repoclient'

SOLR_CLIENT_CERT_DNAME='CN=Alfresco Repository Client, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB'

# The number of days before the certificate expires


# Keystore password



openssl genrsa -des3 -passout pass:$KEYSTORE_PASSWORD -out ca.key 1024

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -passin pass:$KEYSTORE_PASSWORD -subj '$REPO_SUBJECT_NAME' -passout pass:$KEYSTORE_PASSWORD

# Generate Alfresco Repository SSL keystores

keytool -genkey -alias 'ssl.repo' -keyalg RSA -keystore ssl.keystore -storetype JCEKS -dname '$REPO_CERT_DNAME' -storepass '$KEYSTORE_PASSWORD' -keypass '$KEYSTORE_PASSWORD'

keytool -keystore ssl.keystore -alias 'ssl.repo' -certreq -file repo.csr -storetype JCEKS -storepass '$KEYSTORE_PASSWORD'

openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in repo.csr -out repo.crt -days '$CERTIFICATE_VALIDITY' -passin pass:$KEYSTORE_PASSWORD

keytool -import -alias 'alfresco.ca' -file ca.crt -keystore ssl.keystore -storetype JCEKS -storepass $KEYSTORE_PASSWORD -noprompt

keytool -import -alias 'ssl.repo' -file repo.crt -keystore ssl.keystore -storetype JCEKS -storepass $KEYSTORE_PASSWORD -noprompt

keytool -importkeystore -srckeystore ssl.keystore -srcstorepass $KEYSTORE_PASSWORD -srcstoretype JCEKS -srcalias 'ssl.repo' -srckeypass $KEYSTORE_PASSWORD -destkeystore browser.p12 -deststoretype pkcs12 -deststorepass $BROWSER_KEYSTORE_PASSWORD -destalias repo -destkeypass $BROWSER_KEYSTORE_PASSWORD

keytool -import -alias alfresco.ca -file ca.crt -keystore ssl.truststore -storetype JCEKS -storepass $KEYSTORE_PASSWORD -noprompt

# Generate Alfresco Solr SSL keystores

keytool -genkey -alias 'ssl.repo.client' -keyalg RSA -keystore ssl.repo.client.keystore -storetype JCEKS -storepass $KEYSTORE_PASSWORD -keypass '$KEYSTORE_PASSWORD' -dname '$SOLR_CLIENT_CERT_DNAME'

keytool -keystore ssl.repo.client.keystore -alias 'ssl.repo.client' -certreq -file ssl.repo.client.csr -storetype JCEKS -storepass $KEYSTORE_PASSWORD

openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in ssl.repo.client.csr -out ssl.repo.client.crt -days '$CERTIFICATE_VALIDITY' -passin pass:$KEYSTORE_PASSWORD

keytool -import -alias 'alfresco.ca' -file ca.crt -keystore ssl.repo.client.keystore -storetype JCEKS -storepass $KEYSTORE_PASSWORD -noprompt

keytool -import -alias 'ssl.repo.client' -file ssl.repo.client.crt -keystore ssl.repo.client.keystore -storetype JCEKS -storepass $KEYSTORE_PASSWORD -noprompt

keytool -import -alias 'alfresco.ca' -file ca.crt -keystore ssl.repo.client.truststore -storetype JCEKS -storepass $KEYSTORE_PASSWORD -noprompt

# Copy files

cp ssl.keystore ssl.truststore browser.p12 data/keystore/

cp ssl.repo.client.keystore ssl.repo.client.truststore solr/workspace-SpacesStore/conf

cp ssl.repo.client.keystore ssl.repo.client.truststore solr/archive-SpacesStore/conf

# Remove temporary files

rm repo.csr ca.key ca.crt repo.crt ssl.keystore browser.p12 ssl.truststore ssl.repo.client.csr ssl.repo.client.crt ssl.repo.client.keystore ssl.repo.client.truststore

Note that this will not update the Alfresco and Solr configuration with the password you choose for the keystores - you must do this separately in your alfresco-global.properties and in the properties file associated with each Solr core, as detailed in the Solr installation guide.

Lastly, this procedure should not be used in any public-facing or production instances, it is intended to be used in development environments only.