This release of Apache Geronimo allows you to define your own Certification Authority (CA) and issue certificates in reply to Certificate Signing Requests (CSRs). The Certification Authority portlet is available by clicking *Certificate Authority* on the left menu in the Geronimo Administration Console.
Configuring a Certification Authority
The first time you open this portlet the CA is not yet configured, so you will see a screen similar to this one.
Click on Setup Certification Authority to configure Geronimo as a CA.
This process is similar to defining keystores and certificates as covered in Administering certificates, in the sense that you should be prepared to provide the same kind of information.
The first step is defining the Certification Authority details as illustrated in the following image. The information entered in this form is used to create the Certification Authority's key pair and its self-signed certificate.
This is an information-gathering step: at this point no certificate has been created yet. Click on Review CA Details and then on Setup Certification Authority.
Once created you will see a confirmation message CA Setup is successful! along with the details for the certificate you just created.
Next time you access the Certification Authority portlet you should see the CA you just created. From this portlet you can now manage CSRs and review and issue certificates.
Signing certificate requests
The Certificate Properties File Realm section covers in detail how to create a new keystore and certificate, how to create a CSR and how to import the CA's reply. In this section we focus on how the CA manages and signs the client's CSR.
We will start from the point where you generate the CSR; here is the example we used for the Certificate Properties File Realm section.
Click on Certificate Authority to access the Certification Authority portlet. If you have restarted the server after configuring Geronimo's Certification Authority, the CA will show up as Locked and this feature will not be available. If this is the case, simply click on Unlock CA, provide the CA password and then click on Unlock Certification Authority.
To process the CSR click on Issue New Certificate, paste the content of the CSR and then click on Process CSR.
In the next step the portlet displays the details of the Certificate Signing Request (CSR) and lets you specify the validity period and signature algorithm for the certificate being issued.
The certificate serial number is generated automatically by incrementing the serial number of the last certificate issued. Issued certificates are stored in the <geronimo_home>\var\security\ca\certs directory, which also holds highest-serial-number.txt, the file that records the highest serial number issued so far. Since this counter is what keeps serial numbers unique within the CA, treat it as part of the CA's state and include it in any backup or restore of that directory.
Click on Review Client Cert Details and then on Issue Certificate; you should now see a screen similar to this one.
The encoded content of the certificate should now be sent to the client. If you look in the <geronimo_home>\var\security\ca\certs directory you will now find the certificate you just issued, in this case
When the client imports this "CA reply" it will be able to see who issued the certificate. In this case the issuer is
Issuer: C=CC, ST=State, L=City, O=Apache, OU=Geronimo, CN=Geronimo's CA
which is the Geronimo's CA we defined earlier in the #Configuring a Certification Authority section.
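The two procedures above (setting up the CA, then processing a CSR and issuing the certificate) replayed with the openssl command line, as an added example that is not part of Geronimo or of the original page. It assumes an openssl 1.1.1 or newer binary on PATH with its default openssl.cnf, writes everything to a throwaway directory instead of <geronimo_home>\var\security\ca, uses a placeholder CA password and file names of our own choosing, and starts the serial counter at 1 for the CA certificate itself (an assumption; the page only says that issued serials are incremented). It goes a little beyond the page in two places: the CA key is password-protected, so a "locked" CA refuses to sign, and the client side checks the CA reply (own public key, expected issuer, chain to the CA certificate) before importing it.

```shell
#!/bin/sh
# Added example (not Geronimo's code): the CA workflow of this page replayed with the openssl CLI.
# Assumptions: openssl 1.1.1+ on PATH with its default openssl.cnf (it supplies the CA:TRUE
# extension for "req -x509"); a throwaway directory stands in for <geronimo_home>/var/security/ca;
# CA_PASS is a placeholder password; the counter starts at 1 for the CA certificate itself.
set -eu
WORK=$(mktemp -d)
CA_DN="/C=CC/ST=State/L=City/O=Apache/OU=Geronimo/CN=Geronimo's CA"   # issuer DN from the text
CA_PASS=${CA_PASS:-changeit}
export CA_PASS   # read by openssl via env:CA_PASS so the password never appears in the process list

# "Setup Certification Authority": CA key pair plus self-signed CA certificate. The key is
# encrypted under CA_PASS; a CA whose key cannot be decrypted is what "Locked" amounts to.
setup_ca() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -subj "$CA_DN" \
    -keyout "$WORK/ca.key" -passout env:CA_PASS -out "$WORK/ca.crt" 2>/dev/null
  echo 1 >"$WORK/highest-serial-number.txt"   # same role as Geronimo's highest-serial-number.txt
}

# Client side: key pair and the PEM CSR that gets pasted into "Issue New Certificate".
make_csr() {  # $1 = name
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# "Process CSR" then "Issue Certificate": check the CSR's self-signature (proof that the
# requester holds the private key), take the next serial, sign with the requested validity,
# and advance the counter only after signing succeeded. Prints the serial that was used.
issue_cert() {  # $1 = name, $2 = validity in days
  openssl req -in "$WORK/$1.csr" -noout -verify 2>/dev/null \
    || { echo "CSR signature check failed" >&2; return 1; }
  next=$(( $(cat "$WORK/highest-serial-number.txt") + 1 ))
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -passin env:CA_PASS -set_serial "$next" -days "$2" -sha256 -out "$WORK/$1.crt" 2>/dev/null \
    || { echo "signing failed: is the CA unlocked (correct CA_PASS)?" >&2; return 1; }
  echo "$next" >"$WORK/highest-serial-number.txt"
  echo "$next"
}

# What the client should check before importing the CA reply: it carries the client's own public
# key, its issuer is the CA's subject, and it chains to the CA certificate. Prints "ok" on success.
check_reply() {  # $1 = name
  cert_pub=$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/$1.key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "reply is for a different key pair" >&2; return 1; }
  issuer=$(openssl x509 -in "$WORK/$1.crt" -noout -issuer)
  ca_subject=$(openssl x509 -in "$WORK/ca.crt" -noout -subject)
  [ "${issuer#issuer=}" = "${ca_subject#subject=}" ] \
    || { echo "unexpected $issuer" >&2; return 1; }
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null \
    || { echo "reply does not chain to the CA certificate" >&2; return 1; }
  echo ok
}

setup_ca
make_csr client
CLIENT_SERIAL=$(issue_cert client 365)
CLIENT_CHECK=$(check_reply client)
echo "issued serial $CLIENT_SERIAL, client-side check: $CLIENT_CHECK, artifacts in $WORK"
openssl x509 -in "$WORK/client.crt" -noout -issuer -serial -dates
```

Run it as a script; the CA certificate, the CSR, the issued certificate and the counter file are left in the printed directory so they can be inspected with openssl x509 -text or openssl req -text, which is also a convenient way to look at what the Geronimo portlet produced under <geronimo_home>\var\security\ca\certs. The client-side checks in check_reply are the ones worth running on any CA reply before importing it into a keystore: a reply for the wrong key pair or from an unexpected issuer is rejected before it can do any harm.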