Generating a TLS certificate with the SAN extension

Release Notes
- SAKA 4.13.0
- SAKA 4.12.0
- SAKA 4.11.0
- Upgrading from SAKA 4.x
- Back
Preface
- Default Paths and Filenames
- Third-Party Website References
- Strongkey Welcomes Your Comments!
- Back
KAM Introduction
Architecture
Installation
- Preliminary Steps
- Install Components (Primary)
- Install Components (Secondary)
- Define KCs (Primary)
- Verify KCs (Secondary)
- Set Personal Identification Numbers (PINs) [Primary]
- Set PINs and Complete Key Migration [Secondary]
- Create System Users [Primary]
- Create a New Encryption Domain [Primary]
- Complete Second Domain Key Migration [Secondary]
- Add System Users [Primary]
- Configure the SKCE domain [Primary]
- Replicate the CEM Domain [Secondary]
- Back
CCS Web Service Operations
- CCReturnObject
- Manufacturer Identifiers for Processing CardHolder Data (CHD)
- CCS Module GetCardCaptureData Mechanics
- CCS Module DukptEncrypt Mechanics
- CCS Module DukptDecrypt Mechanics
- CCS Module DukptMAC Mechanics
- CCS Module ReencryptPINBlock Mechanics
- Back
KAM Web Service Operations
- KAM Encryption Mechanics
- KAM Decryption Mechanics
- Notes on the Mechanics
- KAM Deletion Mechanics
- KAM Search Mechanics
- KAM Entropy Mechanics
- KAM General Purpose Key Encryption Mechanics
- KAM General Purpose Key Decryption Mechanics
- KAM Batch Operations
- KAM Relay Mechanics
- HTTPS Interface
- SOAP Interface
- Back
KMS Web Service Operations
- CCReturnObject
- CCKeyComponentType
- CCCryptographicMaterialType
- CCEncryptedAnsiX9241KeyType
- KMS Module loadKeyComponent Mechanics
- KMS Module loadBaseDerivationKey Mechanics
- KMS Module generateBaseDerivationKey Mechanics
- KMS Module generateInitialKey Mechanics
- KMS Module storeAnsiX9241Key Mechanics
- KMS Module replaceAnsiX9241Key Mechanics
- KMS Module deleteAnsiX9241Key Mechanics
- KMS Module updateAnsiX9241Key Mechanics
- Back
KAM Batch Operations
- SKLESBatchInput Element
- SKLESBatchOutput Element
- Generating the SBI XML file
- Transferring XML Files to and from the Appliance
- Submitting Batch Operations
- Back
KAM DemoClients
- Installing SAKA Clients
- sakaclient.jar Operations
- Back
KAM KCSetPINTool
- Setting KC Preferences
- Changing KC Passwords
- Setting the KC PIN on the SAKA Server
- Back
KAM DACTool
- Changing DA Passwords
- Preferences
- Systems
- Domains
- Users
- Jobs
- Configuration
- Back
KAM Key Migration Tool
- Prerequisites
- Back
KAM KMS ConsoleTool
- Loading Key Components
- Loading a BDK
- Storing ANSI X-924.1 Keys from Key Components
- Storing ANSI X-924.1 Keys from Wrapped Keys
- Back
KAM Configuration
- Immutable Configuration
- Mutable Configuration
- Sample Configuration File
- Back
KAM Key Management
- Cryptographic Hardware Modules
- Back
HSM Integration
- Building the HSM Driver
  - Rebuilding the HSM Driver
  - Back
- HSM Administration Basics
- Clearing the HSM
- Setting Up the HSM
- Backing up the HSM
- Restoring from a Backup
- HSM Battery Replacement
- Back
Managing Credentials
- KAM Credentials
- HSM Credentials
- System Credentials
- Linux strongauth
- Back
Changing Hostname and IP
- Changing the IP Address
- Changing the Hostname
- Back
Internal Repositories
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Internal Repositories Rocky 9.x
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Appliance Security
- Physical Security
- Operating System
- Appliance Credentials
- Back
PCI DSS 3.2
- Requirement 3: Protect Stored Cardholder Data
- Requirement 6: Develop and Maintain Secure Systems and Applications
- Back
KC Responsibilities
Add New SKCE Domain
KAM Replication
- Check Replication
- Replicate Essentials Only
- Disable Replication to Inactive Nodes
- Known Behavior
- Manual Replication For Specific Range of Data
- Back
Appendices
- Adding a Disaster Recovery Backup (DRB) Node to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the DRB Node
  - Step #3 on the EXISTING server
  - Step #4 on the DRB node
  - Post-Installation
  - Back
- Adding an Additional Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 On the EXISTING node
  - Step #4 on the NEW node
  - Back
- Application Development Guide
  - Application Design for “Card Not Present” transactions
  - Storing Encryption Domain Identifier (DID)
  - Securing Decryption Credentials
  - Cluster Communications
  - Relay Processing
  - Summary on “Card Not Present” transactions
  - Back
- Batch Delete Tokens
- CIS Hardening Verification RHEL 7.X
- CIS Hardening Verification ROCKY 9.X
- Cleanup SAKA Disk Space
  - Cleanup Old Distributions and Files
  - Cleanup Database Tables
    - Cleanup Encryption Requests Table
    - Back
  - Back
- Configure Syslog
- Create Software Keystore HSM Credential
- Installing KCSPTool and DACTool on Windows
  - Installation
  - Back
- KA Replace EOL Node
  - Prerequisites
  - Step 1 (On New SAKA)
  - Step 2 (On EOL SAKA)
  - Step 3 (On New SAKA)
  - Step 4 (On EOL SAKA)
  - Step 5 (On New SAKA)
  - Step 6 (On EOL SAKA)
  - Step 7 (On New SAKA)
  - Back
- KAM KC Replace Tool
  - Prerequisites
  - Validating Credentials
  - Recreate a set of Key Custodians
  - Create a new set of Key Custodians
  - Back
- MariaDB Audit Logging Configuration
  - Enable MariaDB Audit Logging
  - Monitoring the MariaDB for Replication anomalies
  - Disable MariaDB Audit Logging
  - The counts_v2.sql file
  - Back
- Migration Information
- Migrating from Centos to Rocky
  - Rocky Linux Kickstart USB Guide
  - Step 1: On an Existing Production Server in the Cluster
  - Step 2: On the Same Machine after Installing Rocky 9.3
  - Back
- Modifying the Appliance's IP Address or Hostname
- Reboot StrongKey Tellaro
  - Pre-Reboot
  - Reboot
  - Post-Reboot
  - Back
- Relay Webservice
  - Mechanics of the Relay
  - Deploying the service
  - Relay Webservice Client
  - HTTP interface
  - SOAP interface
  - Back
- Replace CMOS Battery
- Setting up LACP Bonding on Tellaro KA
- Strongkey Tellaro & Ransomware Protection
- Using Custom SSL/TLS Certificates
  - Generating a TLS certificate with the SAN extension
  - Installing the keystore on SAKA
  - Conclusion
  - Back
- Using a Custom Trust Store
- Using HAProxy as a Load Balancer
- Using the Key Migration Tool (KMTool)
  - Prerequisites
  - Mechanics
  - Details
  - Back
- Test Appliance Funcationality
  - Using pingsaka script
  - Back
- Back

keytool is a cryptographic key management utility, provided as a standard component of the Java Development Kit (JDK) – please note, it is not included in the Java Runtime Environment (JRE) – only the JDK.

A capability of keytool is to generate a cryptographic key-pair with a self-signed TLS certificate within a Java Keystore (JKS) file. Only in JDK 7 and above did keytool introduce the ability to add certificate extensions to the certificates it generates.

The following steps can be performed on any computer device that can install and run the Java Development Kit (JDK). It is assumed JDK7 or above has already been installed on this system.

Please note that the “official” FQDN of the SAKA in this example is shown to be saka.domain.name, and the aliases to be embedded in the SAN extension are saka.domain.name, saka01.domain.name and saka02.domain.name. Please replace these examples with your choice of FQDN and aliases within your DNS domain.

On the Client device

Log into the machine
Start a terminal native to your Operating System

Generate a new keystore with key-pair and Self-Signed Certificate. The following example has been expanded with new lines to better show the options provided to keytool. When inputting the command newlines must be omitted.

shell> <Path to keytool executable> -genkeypair -keystore <Path to writable location>/keystore.jks -sigalg SHA256withRSA -validity 3652 -dname "CN=saka.domain.name,OU=StrongAuth KeyAppliance,O=<Company Name>" -keypass changeit -storepass changeit -keyalg RSA -alias s1as -ext san=dns:saka.domain.name,dns:saka01.domain.name,dns:saka02.domain.name

Modify the Paths, FQDNs, and company name in the example above. Do NOT change the values to the keypass , storepass, or alias options unless your SAKA has been modified since its installation to not use these default values.

Note: In the above command, the correct alias is critical for Glassfish to properly access the private key. The character highlighted in red text is the number one (1).

The example shown below utilizes the Microsoft Windows platform to generate a certificate for Acme Inc that has a Load Balancer with FQDN saka.acme.com and two SAKA nodes with FQDNs saka01.acme.com and saka02.acme.com respectively:

For Payara6 which uses keystore.p12, use the following command:

shell> "c:\Program Files\Java\jdk1.7.0_71\bin\keytool.exe" -genkeypair -keystore "c:\tmp\keystore.p12" -sigalg SHA256withRSA -validity 3652 -dname "CN=saka.acme.com,OU=StrongAuth KeyAppliance,O=Acme Inc" -keypass changeit -storepass changeit -keyalg RSA -alias s1as -ext san=dns:saka.acme.com,dns:saka01.acme.com,dns:saka02.acme.com

For Payara5 which uses keystore.jks, use the following command:

shell> "c:\Program Files\Java\jdk1.7.0_71\bin\keytool.exe" -genkeypair -keystore "c:\tmp\keystore.jks" -sigalg SHA256withRSA -validity 3652 -dname "CN=saka.acme.com,OU=StrongAuth KeyAppliance,O=Acme Inc" -keypass changeit -storepass changeit -keyalg RSA -alias s1as -ext san=dns:saka.acme.com,dns:saka01.acme.com,dns:saka02.acme.com

In SAKA clusters larger than two, as many additional SAKA can be specified to the ext option by appending to the comma separated list more entries like 'dns:<SAKA FQDN>'.

View the contents of the new keystore file to confirm details in the certificate.

shell> <Path to keytool executable> -list -keystore <Path to writable location>/keystore-type> -storepass changeit -alias s1as -v 

Example:
For Payara6, use the following command:
shell>  keytool -list -keystore keystore.p12 -storepass changeit -alias s1as -v

For Payara5, use the following command:
shell>  keytool -list -keystore keystore.jks -storepass changeit -alias s1as -v

Review the output of the command and confirm the certificate extension for SubjectAlternativeName (ObjectID: 2.5.29.17) is present and correct.

Export the certificate from the keystore to be used by client applications making TLS connections to the SAKA.

shell> <Path to keytool executable> -export -keystore <Path to keystore> -storepass changeit -alias s1as -file <Path to writable location>/saka.domain.name.crt

Example:
For Payara6, use the following command:
shell>  keytool -export -keystore keystore.p12 -storepass changeit -alias s1as -file ~/saka.domain.name.crt

For Payara5, use the following command:
shell>  keytool -export -keystore keystore.jks -storepass changeit -alias s1as -file ~/saka.domain.name.crt

Before the new keystore can be installed on the SAKA, the certificate in the crt file must be installed into the truststore of the calling application and the JDK truststore of each Key Custodian's and Domain Administrator's client device.

Use the following command to import a certificate into a Java keystore.
```
shell> <Path to keytool executable> -import -keystore <Path to Java installation>/jre/lib/security/cacerts -storepass changeit -alias saka.domain.name -file <Path to saka.domain.name.crt>
```
Note: You may need Administrative privileges in your shell/terminal when executing this command.

If the alias 'saka.domain.name' already exists in the truststore, it is safe to choose any other alias that does not already exist in the truststore.