Wednesday, October 28, 2020

How to create SAN Certificate and its usage

SAN stands for Subject Alternative Name, an X.509 extension that lets one certificate cover several hostnames. Instead of buying and managing a certificate per site, we generate one key pair and one CSR, list every domain under Subject Alternative Names, and use the issued certificate on all of those sites. This saves cost, but two things should be kept in mind: modern browsers ignore the Common Name and match the hostname against the SAN list only, so every name you serve (including the one in CN) must appear there; and all of those sites share one private key, so a key compromise on any one host affects all of them.

Follow the steps below to generate a SAN CSR and configure the issued certificate in Apache HTTP Server.

Create a san.conf file with the content below. Because prompt = no is set, each field under [ req_distinguished_name ] holds the literal value that goes into the request, not a prompt label (the values here are examples to replace):
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = IN
stateOrProvinceName = Karnataka
localityName = Bangalore
organizationName = ABC Corp
commonName = abc.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
# every hostname the certificate must cover, including the commonName
DNS.1 = abc.com
DNS.2 = def.com
DNS.3 = fgh.com

To cover more sites, add further DNS.n entries under [alt_names]. The certificate still has exactly one commonName; every additional name goes into the SAN list, and the commonName itself should be listed there as well.
Generate the private key and the CSR in one step with the command below:
openssl req -out sslcert.csr -newkey rsa:2048 -sha256 -nodes -keyout private.key -config san.conf
-nodes writes the private key unencrypted, so run this with a restrictive umask (umask 077) or chmod 600 private.key right after, and keep the key on the server only; the CSR is the only file that goes to the CA.

Once the CSR is generated, check what it actually requests before sending it to the CA. The CSR carries only the public key, the subject and the requested names, so pasting it into a viewer such as https://www.entrust.net/ssl-technical/csr-viewer.cfm leaks no secret, but a local check is quicker and keeps the list of hostnames you are about to deploy to yourself:

openssl req -noout -text -in sslcert.csr | grep DNS

This must list every hostname, including the commonName. To see the full request and confirm its signature, drop the grep and add -verify:

openssl req -noout -text -verify -in sslcert.csr
Once the CSR is verified, submit it to a public CA (Entrust, Symantec, etc.) for signing.
Download the issued certificate together with the CA's root and intermediate certificates in PEM format.

For the Apache SSL configuration we need three files: the issued certificate, the private key and the CA chain. Rename the issued certificate to httpd.cer (SSLCertificateFile) and private.key to httpd.key (SSLCertificateKeyFile), and build the chain file by concatenating the intermediate and root certificates, intermediate first (the root is optional in the served chain, since clients already hold it, but it does no harm):

cat intermediate.cer root.cer > httpd_ca.crt

SSLCertificateFile /web/apache/WEB1A/ssl/httpd.cer
SSLCertificateKeyFile /web/apache/WEB1A/ssl/httpd.key
SSLCertificateChainFile /web/apache/WEB1A/ssl/httpd_ca.crt

Two points on this: SSLCACertificateFile is the directive for CAs whose client certificates you verify (SSLVerifyClient), not for the server's own chain, so it is the wrong place for httpd_ca.crt; and on Apache 2.4.8 and later SSLCertificateChainFile is deprecated in favour of appending the intermediates to the certificate file itself (cat issued.cer intermediate.cer > httpd.cer, leaf first). Keep httpd.key owned by root with mode 0600, and after restarting confirm that the full chain is served: openssl s_client -connect abc.com:443 -servername abc.com should show the intermediate in the Certificate chain section and a verify return code of 0 when run with -CAfile pointing at the system CA bundle.
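The CSR steps above as one script (an added example, not code from the original post). It writes san.conf with real values rather than prompt labels, generates the key under a restrictive umask, and then checks the CSR the way a CA will: the self-signature verifies, the commonName is also in the SAN list, and every expected hostname is present. It assumes openssl on PATH; the DN values C=IN and O=ABC Corp and the function names are this example's own placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate a SAN CSR from a list
# of hostnames and check it before sending it to the CA. Assumes openssl on
# PATH; the DN values (C, O) are placeholders to replace.
set -eu

# gen_san_csr OUTDIR NAME... : writes OUTDIR/private.key and OUTDIR/sslcert.csr.
# The first name becomes the commonName and every name, CN included, is listed
# as a DNS SAN, since browsers match hostnames against the SAN list only.
gen_san_csr() {
  local outdir=$1; shift
  local cn=$1 conf i=1 name
  mkdir -p "$outdir"
  conf="$outdir/san.conf"
  {
    printf '[ req ]\ndefault_bits = 2048\ndefault_md = sha256\nprompt = no\n'
    printf 'distinguished_name = dn\nreq_extensions = req_ext\n'
    printf '[ dn ]\nC = IN\nO = ABC Corp\nCN = %s\n' "$cn"
    printf '[ req_ext ]\nsubjectAltName = @alt_names\n[ alt_names ]\n'
    for name in "$@"; do
      printf 'DNS.%d = %s\n' "$i" "$name"
      i=$((i + 1))
    done
  } > "$conf"
  # umask 077: -nodes leaves the key unencrypted, so the file must be 0600
  ( umask 077 && openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout "$outdir/private.key" -out "$outdir/sslcert.csr" \
      -config "$conf" >/dev/null 2>&1 )
}

# csr_sans CSR : prints the DNS SAN names, one per line
csr_sans() {
  openssl req -noout -text -in "$1" \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# check_csr CSR NAME... : succeeds only if the CSR's self-signature verifies,
# the CN also appears in the SAN list, and every expected NAME is present
check_csr() {
  local csr=$1 sans cn n; shift
  openssl req -noout -verify -in "$csr" >/dev/null 2>&1 || return 1
  sans=$(csr_sans "$csr") || return 1
  cn=$(openssl req -noout -subject -nameopt sep_multiline -in "$csr" \
         | sed -n 's/^ *CN *= *//p')
  [ -n "$cn" ] && printf '%s\n' "$sans" | grep -qx "$cn" || return 1
  for n in "$@"; do
    printf '%s\n' "$sans" | grep -qx "$n" || return 1
  done
}
```

Usage: gen_san_csr ./out abc.com def.com fgh.com, then check_csr ./out/sslcert.csr abc.com def.com fgh.com; a non-zero exit from check_csr means the request is not what you meant to send and should be regenerated rather than submitted.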

Wednesday, October 21, 2020

JBOSS EAP Patching and Rollback steps

JBoss EAP patching and rollback steps are below.

JBOSS Patching

Download the patch from https://access.redhat.com/downloads/ and compare its checksum with the value shown on the download page before applying it; the patch is unpacked straight into the server's module tree, so a truncated or tampered archive ends up running as the server.
Before running any JBoss commands make sure JAVA_HOME is set:
export JAVA_HOME=/app/java8_64
Go to JBOSS_HOME/bin (not JAVA_HOME/bin; jboss-cli.sh ships with the server, not with the JDK), run jboss-cli.sh, connect to the running server and apply the patch:
patch apply /path/to/downloaded-patch.zip

[standalone@localhost:9999/] patch apply /tmp/jboss-eap-6.4.2.zip
{
"outcome" : "success",
"response-headers" : {
"operation-requires-restart" : true,
"process-state" : "restart-required"
}
}
The updated modules are placed under JBOSS_HOME/modules/system/layers/base/.overlays/ (one directory per patch id); the original modules are left untouched, which is what makes rollback possible.
Once the patch reports success, restart the server: the response shows process-state restart-required, and the patched modules are not active until then.

Patch Rollback

Roll back by patch id. --reset-configuration=true restores the configuration files to their pre-patch state, so any configuration changes made after patching are lost; use --reset-configuration=false to keep the current configuration files.
[standalone@localhost:9999/] patch rollback --patch-id=jboss-eap-6.4.2.CP --reset-configuration=true
{
"outcome" : "success",
"response-headers" : {
"operation-requires-restart" : true,
"process-state" : "restart-required"
}
}

Restart the services after a successful rollback.

--> If patching fails with an error saying /tmp is full: JBoss uses /tmp as its temporary directory by default. Point it at a larger filesystem with -Djava.io.tmpdir before starting the CLI:
export JAVA_OPTS="-Djava.io.tmpdir=<new path>"
--> To keep a configuration file untouched by the patch or rollback, pass --preserve=<path relative to JBOSS_HOME>, for example --preserve=bin/jboss-cli.xml
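A pre-flight script for the procedure above (an added example, not part of the original post or of JBoss EAP). It checks the things that bite during patching: JAVA_HOME and JBOSS_HOME/bin/jboss-cli.sh present, the patch archive's sha256 equal to the value published on the Red Hat download page, and enough free space in the directory that will be passed as java.io.tmpdir. The JBOSS_TMPDIR variable and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks to run before
# "patch apply" in jboss-cli.sh. Assumes the JAVA_HOME / JBOSS_HOME layout the
# post uses; the expected sha256 is the one shown on the Red Hat download page.
set -eu

# sha256_of FILE : hex digest, using sha256sum (Linux) or shasum (macOS)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# patch_ok PATCHZIP EXPECTED : 0 only if the file exists and its digest
# matches the value the vendor published (guards against a truncated or
# tampered download before it is unpacked into the server tree)
patch_ok() {
  [ -f "$1" ] || return 1
  [ "$(sha256_of "$1")" = "$2" ]
}

# free_mb DIR : free megabytes on the filesystem holding DIR
free_mb() {
  df -Pk "$1" | awk 'NR==2 {printf "%d\n", $4/1024}'
}

# preflight PATCHZIP EXPECTED MIN_TMP_MB : all checks from the post in one go;
# JBOSS_TMPDIR (this example's own variable) is the directory later passed
# as -Djava.io.tmpdir, defaulting to JBoss's own default of /tmp
preflight() {
  tmpdir=${JBOSS_TMPDIR:-/tmp}
  [ -x "${JAVA_HOME:-}/bin/java" ] || { echo "JAVA_HOME not set" >&2; return 1; }
  [ -x "${JBOSS_HOME:-}/bin/jboss-cli.sh" ] || { echo "jboss-cli.sh not under JBOSS_HOME" >&2; return 1; }
  patch_ok "$1" "$2" || { echo "patch missing or checksum mismatch" >&2; return 1; }
  [ "$(free_mb "$tmpdir")" -ge "$3" ] || { echo "less than $3 MB free in $tmpdir" >&2; return 1; }
}

# apply_patch PATCHZIP : run the CLI against the running server with the
# temporary directory redirected, as the post describes for a full /tmp
apply_patch() {
  JAVA_OPTS="-Djava.io.tmpdir=${JBOSS_TMPDIR:-/tmp}" \
    "$JBOSS_HOME/bin/jboss-cli.sh" --connect --command="patch apply $1"
}
```

Usage: preflight /tmp/jboss-eap-6.4.2.zip <sha256 from the download page> 1024 && apply_patch /tmp/jboss-eap-6.4.2.zip. The checksum comparison is the step worth keeping even if the rest is scripted differently: the patch mechanism trusts whatever is inside the zip.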

Monday, October 12, 2020

configure Custom Identity and Custom Trust store in Weblogic

 

In this post we will see how to generate a self-signed certificate and configure it on the WebLogic Admin server. Out of the box the server uses the demo identity and demo trust keystores (DemoIdentity.jks and DemoTrust.jks) that ship with WebLogic. Those are for development only: the demo CA's private key and the keystore passphrases are the same in every WebLogic installation, so anyone can mint a certificate the default trust store accepts. Replace them before the server faces any real client.

Generate a self-signed certificate with the command below. The same key pair can also produce a CSR (keytool -certreq) to be signed by a third party; the SSL configuration steps stay the same. Since JDK 9 keytool writes PKCS12 by default even for a .jks file name (the listing further down shows "Keystore type: PKCS12"), and in a PKCS12 store the key password must equal the store password. "password" here is a placeholder to be replaced.

/apps/java11_64/bin/keytool -genkeypair -v -alias weblogic -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
-dname "CN=www.abc.com, OU=abc, O=ABC Corp, L=Bangalore, ST=Karnataka, C=IN" \
-keypass password -storepass password -validity 365 -keystore keystore.jks

Now we configure the custom keystore and truststore.

Login to the WLS Admin console
--> Go to Environment / Servers and click on the server for which SSL needs to be enabled
--> On the Keystores tab change Keystores to "Custom Identity and Custom Trust"
--> Enter the identity keystore path, type (JKS or PKCS12) and passphrase, then the trust keystore details, and save
--> On the SSL tab enter the Private Key Alias (weblogic here) and the key passphrase, then save

Restart the Admin server, since the SSL configuration was done on the Admin server. The same steps are repeated for each Managed server on which SSL is needed.

The Admin server log now shows the identity and trust certificates being loaded from /apps/ssl/keystore.jks.
Here the same keystore is used for both identity and trust. A separate trust store can be configured if needed, and it is the cleaner choice, because the trust store then holds only the CA certificates the server should accept and no private key.

<Dec 25, 2020, 12:24:07,261 PM Singapore Standard Time> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias weblogic from the jks keystore file /apps/ssl/keystore.jks.> 
<Dec 25, 2020, 12:24:07,565 PM Singapore Standard Time> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /apps/ssl/keystore.jks.> 
<Dec 25, 2020, 12:24:07,929 PM Singapore Standard Time> <Warning> <Security> <BEA-090172> <No trusted certificates have been loaded. Server will not trust to any certificate it receives.> 
Export the certificate and import it back into the same keystore as a trusted certificate. A self-signed certificate is its own issuer, so the trust store must contain that same certificate. WebLogic only counts trustedCertEntry entries as trust; a keystore holding just the PrivateKeyEntry produces the BEA-090172 warning above.
Export certificate
keytool -exportcert -alias weblogic -file wls.cer -keystore keystore.jks

Add it as a trusted certificate (the alias "root" is only a label; any unused alias works):
[wlsuser@localhost ssl]$ /apps/java11_64/bin/keytool -import -alias root -file wls.cer -keystore keystore.jks 

Enter keystore password:  
Certificate already exists in keystore under alias <weblogic>
Do you still want to add it? [no]:  yes
Certificate was added to keystore
[wlsuser@localhost ssl]$ /apps/java11_64/bin/keytool -list -keystore keystore.jks 
Enter keystore password:  
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

root, Dec 25, 2020, trustedCertEntry, 
Certificate fingerprint (SHA-256): B9:CE:10:5C:7C:9D:D9:6B:DF:DC:62:25:DF:FE:86:E2:EF:A0:58:A0:C3:EC:7A:51:93:8E:CC:4D:5E:09:AE:E2
weblogic, Dec 25, 2020, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): B9:CE:10:5C:7C:9D:D9:6B:DF:DC:62:25:DF:FE:86:E2:EF:A0:58:A0:C3:EC:7A:51:93:8E:CC:4D:5E:09:AE:E2
[wlsuser@localhost ssl]$

If the same certificate is not imported as a trusted entry, the server still starts but the page cannot be loaded.

After a successful SSL configuration the new certificate is shown in the WebLogic console and by the browser when connecting to the SSL port.

Monday, October 5, 2020

How to know the validity of a certificate installed on the server

 

There are several ways to get the validity period of the certificate installed on a server.

1. If we have login access to the server, open the keystore and inspect the entry with keytool (the -v listing prints the validity period):

keytool -list -v -alias mycert -keystore abc.jks -storepass ****

2. Browse https://ip:port/ from a client; after the connection succeeds the browser shows the certificate, including its expiry, behind the padlock icon. A hostname mismatch or an expired certificate is flagged there as well.

3. Use openssl to fetch the certificate and print its validity. Pass -servername so the request carries SNI (a server hosting several names may otherwise return its default certificate rather than the one the browser sees) and close stdin so s_client exits after the handshake instead of waiting for input:

openssl s_client -connect host:port -servername host </dev/null 2>/dev/null | openssl x509 -noout -dates
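Method 3 as reusable functions, plus the expiry check a monitoring job needs (an added example, not code from the original post). It assumes openssl on PATH; test.example and the function names are this example's own, and the throwaway self-signed certificate exists only to exercise the checks offline.

```shell
#!/bin/sh
# Added example (not from the original post): fetch a server's leaf certificate
# with SNI and report whether it is about to expire. Assumes openssl on PATH.
# Without -servername a host that serves several names may hand back its
# default certificate rather than the one the browser sees for that name.
set -eu

# fetch_cert HOST PORT : leaf certificate PEM on stdout (stdin closed so
# s_client exits after the handshake instead of waiting for input)
fetch_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

# cert_dates PEMFILE : notBefore / notAfter lines
cert_dates() {
  openssl x509 -noout -dates -in "$1"
}

# expires_within PEMFILE DAYS : 0 if the certificate expires within DAYS days
# (or already has), 1 if it is still valid beyond that; -checkend does the
# date arithmetic so this works the same on GNU and BSD userlands
expires_within() {
  if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# test_cert PEMFILE DAYS : constructed throwaway self-signed certificate valid
# for DAYS days, used only to exercise the checks offline
test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=test.example" \
    -keyout "$1.key" -out "$1" >/dev/null 2>&1
}
```

Usage against a live server: fetch_cert www.abc.com 443 > live.pem; cert_dates live.pem; expires_within live.pem 30 && echo "renew within 30 days". Running the last line from cron against every name in the SAN list catches an expiring certificate before the browser warning does.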
