All commands are run from a Cygwin console (e.g. Babun) under Windows.
openssl genrsa -des3 -out root-ca.key 2048
openssl req -new -x509 -days 14600 -key root-ca.key -out root-ca.crt
openssl pkcs12 -export -in root-ca.crt -nokeys -out root-ca-public.p12 -name root-ca
cat root-ca.crt root-ca.key > root-ca.pem
The .crt file can be opened by double-clicking it in Windows.
Necessary in order to sign certificates with it (creates the demoCA directory):
/usr/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create): root-ca.pem
This generates a .jks truststore that Java can use, containing the CA certificate:
"`cygpath -u $JAVA_HOME`"/bin/keytool.exe -importcert -keystore truststore.jks -file demoCA/cacert.pem
cp /usr/ssl/openssl.cnf ./vbfox-node.cnf
Edit the .cnf and add the following to the [v3_req] section (replacing the DNS name and IP with your own):
[v3_req]
...
subjectAltName = @alt_names
[alt_names]
DNS.1 = vbfox.test
IP.1 = 10.0.0.5
Then run:
openssl req -new -keyout vbfox-node.key -out vbfox-node.req -days 3650 -config vbfox-node.cnf
openssl ca -policy policy_anything -out vbfox-node.pem -days 3650 -config vbfox-node.cnf -extensions v3_req -infiles vbfox-node.req
Java's keytool can't import a bare private key, so the key pair has to be stored in a .p12 file first and then converted to a keystore:
openssl pkcs12 -export -in vbfox-node.pem -inkey vbfox-node.key -out vbfox-node.p12 -name vbfox-node
"`cygpath -u $JAVA_HOME`"/bin/keytool.exe -importkeystore -destkeystore vbfox-node.jks -srckeystore vbfox-node.p12 -srcstoretype PKCS12 -alias vbfox-node
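An added example (not part of the original notes) that builds a throw-away CA and node certificate with the same [v3_req]/[alt_names] layout as above and then checks the result before it goes into a keystore: the node cert must chain to the CA and its SAN must carry the DNS name and IP that other nodes will use to reach it. The file names, CN values and 30-day lifetimes are constructed, keys are left unencrypted (-nodes) for the example only, and openssl x509 -req is used instead of openssl ca so no demoCA directory is required.

```shell
#!/bin/sh
# Constructed example: temporary CA + node cert, then a pre-import check.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Same v3_req / alt_names layout as the page, with constructed values.
cat > node.cnf <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = vbfox.test
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = vbfox.test
IP.1 = 10.0.0.5
EOF

# Throw-away root CA (unencrypted key; the page uses -des3 on the real one).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 30 \
    -subj "/CN=example-root-ca" >/dev/null 2>&1
# Node key + CSR carrying the SAN request extension.
openssl req -new -newkey rsa:2048 -nodes -keyout node.key -out node.req \
    -config node.cnf >/dev/null 2>&1
# Sign with the CA and copy the v3_req extensions into the issued cert.
openssl x509 -req -in node.req -CA ca.crt -CAkey ca.key -CAcreateserial -days 30 \
    -extfile node.cnf -extensions v3_req -out node.crt >/dev/null 2>&1

# check_node_cert CERT CAFILE DNS IP
# Returns 0 only if CERT chains to CAFILE and its SAN lists both DNS and IP.
check_node_cert() {
    cert=$1; cafile=$2; dns=$3; ip=$4
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 || return 1
    # The SAN values are printed on the line after the extension header.
    san=$(openssl x509 -in "$cert" -noout -text \
          | grep -A1 'Subject Alternative Name' | tail -n1)
    case "$san" in *"DNS:$dns"*) ;; *) return 1 ;; esac
    case "$san" in *"IP Address:$ip"*) ;; *) return 1 ;; esac
    return 0
}

check_node_cert node.crt ca.crt vbfox.test 10.0.0.5 && echo "node.crt OK"
```

Run the same check against the real vbfox-node.pem and demoCA/cacert.pem before building the .p12; a cert that fails it will be rejected by the peer's truststore or by hostname verification later, where the error is far less informative.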
Shield settings that disable authentication and HTTPS on the HTTP interface but enable SSL on the inter-node transport:
shield:
  authc.anonymous.roles: admin # We don't want to use authentication
  transport.ssl: true
  http.ssl: false
  ssl.keystore:
    path: "c:\\Temp\\es-ca\\vbfox-node2.jks"
    password: "xxx"
  ssl.truststore:
    path: "c:\\Temp\\es-ca\\truststore.jks"
    password: "yyy"