This outlines the method for installing a custom SSL certificate to be used by your Diffusion server to encrypt traffic. In most production scenarios SSL offloading is performed by the load balancer; however, in some cases this is not practical. Diffusion is provided with a self-signed certificate and an SSL-enabled connector using port 8443. This should be used for testing and development only. In production, Certificate Authority (CA) signed certificates should be used. A CA-signed certificate ensures that the third party you are communicating with has not been spoofed; a self-signed certificate has no way to prove that it is valid and not forged. Warning: For security reasons, the self-signed certificate included with Diffusion should not be used in a production environment.
Creating a KeyStore
If you already have a KeyStore, skip this step. KeyStores store pairs of private and public keys. Each pair, or entry, stored in the KeyStore is referred to by a unique alias. A KeyStore can be created using the following command.
- -alias – name to identify this private / public key pair.
- -keystore – name for the keystore file.
keytool -genkeypair -alias example -keyalg RSA -keystore keystore -keysize 1024
You will be prompted to enter a password. You will then be asked to enter information that will be used in the certificate.
$ keytool -genkeypair -alias example -keyalg RSA -keystore keystore -keysize 1024
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Diffusion Example
What is the name of your organizational unit?
  [Unknown]:  Push Technology Support
What is the name of your organization?
  [Unknown]:  Push Technology
What is the name of your City or Locality?
  [Unknown]:  City of London
What is the name of your State or Province?
  [Unknown]:  London
What is the two-letter country code for this unit?
  [Unknown]:  UK
Is CN=Diffusion Example, OU=Push Technology Support, O=Push Technology, L=City of London, ST=London, C=UK correct?
  [no]:  yes
You have now created a KeyStore. It contains a generated private and public key pair stored under the alias you gave.
Creating a Certificate Signing Request
When you have received the signed certificate from your certificate authority, it must be installed into your KeyStore under the same alias. This is done with the following command.
keytool -import -trustcacerts -alias example -keystore keystore -file certificate_file.crt
Your KeyStore can now be added to your Diffusion /etc configuration folder, replacing the existing KeyStore provided by Diffusion. If you have not named your KeyStore 'keystore', you must point Diffusion to the correct location and file name. This is configured in etc/Connectors.xml. It is also advised that you store the password for the KeyStore that you generated earlier as obfuscated text rather than in clear text.
<key-store>
    <file>../etc/keystore</file>
    <password>OB:0dm9lGVslzTpQ72S</password>
</key-store>
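As an added check (not from this page or from Diffusion itself), the script below audits the key-store entries of a Connectors.xml file: it reports a keystore whose configured file does not exist and a password that is not stored with the obfuscated OB: prefix shown above. The connectors/connector wrapper around key-store, the bin directory as the base for relative paths, and the sample configuration are all assumptions made for the example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample built around the <key-store> element shown above; the
# <connectors>/<connector> wrapper is an assumed layout for Connectors.xml.
SAMPLE_CONNECTORS_XML = """<connectors>
  <connector name="Secure Client Connector">
    <key-store>
      <file>../etc/keystore</file>
      <password>OB:0dm9lGVslzTpQ72S</password>
    </key-store>
  </connector>
  <connector name="Legacy Connector">
    <key-store>
      <file>../etc/old_keystore</file>
      <password>changeit</password>
    </key-store>
  </connector>
</connectors>"""


def audit_key_stores(xml_text, base_dir):
    """Return (connector name, issue) pairs for every <key-store>. Relative
    <file> paths resolve from base_dir (assumed to be bin, a sibling of etc)."""
    findings = []
    for connector in ET.fromstring(xml_text).iter("connector"):
        name = connector.get("name", "?")
        for ks in connector.iter("key-store"):
            file_text = (ks.findtext("file") or "").strip()
            password = (ks.findtext("password") or "").strip()
            if not file_text:
                findings.append((name, "key-store has no <file>"))
            else:
                path = os.path.normpath(os.path.join(base_dir, file_text))
                if not os.path.isfile(path):
                    findings.append((name, "keystore file not found: " + path))
            if not password:
                findings.append((name, "key-store has no <password>"))
            elif not password.startswith("OB:"):  # OB: prefix as on the page
                findings.append((name, "keystore password is clear text"))
    return findings


def demo():
    """Throw-away bin/ and etc/ tree with an empty keystore placeholder, then audit."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc"))
    open(os.path.join(root, "etc", "keystore"), "wb").close()
    return audit_key_stores(SAMPLE_CONNECTORS_XML, os.path.join(root, "bin"))
```

Running demo() reports nothing for the connector that matches the configuration above and two findings for the legacy connector: a missing keystore file and a clear-text password.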
You will now be able to view your installed certificate by accessing the Diffusion Console securely. The following screenshot is from Google Chrome.