How to create new Certificates for Liferay Portal Integration

Last update: 8 March 2018

Summary

This how-to describes what must be done to renew your Liferay Portal Certificates.

Solution

Prerequisites

  • openssl
  • keytool (Java)

Preparation

  • Open "/etc/fabasoft/web/ssl.conf"
  • Note the paths in the following 3 lines:

       SSLCertificateFile /var/opt/fabasoft/instances/WebService_103/servercert.pem
       SSLCertificateKeyFile /var/opt/fabasoft/instances/WebService_103/serverkeynodes.pem
       SSLCACertificateFile /var/opt/fabasoft/instances/WebService_103/cacert.pem

This is the path where the certificates for the eServices are stored. The new certificates have to be placed in this folder.

CA & CA - Certificate

The following commands are necessary to create a Certificate Authority and the dedicated keys, requests and certificates.

Generate Key and Requests

       openssl req -config  -new -keyout .pem -out .pem -passout "pass:" -batch

    

Generate CA - Certificate

       openssl ca -config  -subj "" -out .pem -days  -batch -keyfile .pem -selfsign -passin "pass:" -infiles .pem

    

subj could possibly look like this: "/C=AT/ST=Upper Austria/L=Linz/O=Fabasoft AG/CN=Fabasoft Local eService CA"

Export the CA - Certificate in a *.p12 - File

       openssl pkcs12 -export -in .pem -inkey .pem -out .p12 -name "CaCertificate" -passin "pass:" -passout "pass:"

    

Export the CA - Certificate in a *.cer - File

       openssl x509 -in .pem -out .cer -outform DER

    

Server Certificate

This certificate has to be available on the webservice.

Generate Key and Requests

       openssl req -config  -new -keyout .pem -out .pem -subj "" -passout "pass:" -days  -batch

    

subj could possibly look like this: "/CN=servicedesktest.support.fabasoft.local"

Generate Server Certificate

       openssl ca -config  -policy policy_anything -out .pem -batch -infiles .pem

    

Generate Keynodes

       openssl rsa -in .pem -out .pem

    

Use Created Certificates

Stop all Fabasoft Folio WebServices. In order to use the created certificates, copy them to the right file system locations (noted at the beginning). Make sure all certificates and keys have the same permissions as the originals had.
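Before the new files replace the originals, it is useful to confirm that each certificate verifies against the new CA, that the passphrase-free key file belongs to it, and that its CN is the expected one (for the Liferay certificate described further down, the loginstring of the Liferay Service User). The shell functions below are an added example and not part of the original how-to; the function names and arguments are assumptions, and `stat -c` assumes GNU coreutils on Linux.

```shell
#!/bin/sh
# Added example: checks to run on new certificate files before copying them
# over the originals. All file names are supplied by the caller.

# chain_ok <cacert.pem> <cert.pem>: the certificate verifies against the CA.
# Matches the ": OK" line rather than relying on the exit status alone.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# key_matches_cert <cert.pem> <key.pem>: the unencrypted key (the "keynodes"
# file) has the same public key as the certificate. An encrypted key fails
# here instead of prompting, because an empty passphrase is supplied.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_cn <cert.pem>: print the subject CN of the certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p'
}

# same_mode <new-file> <original-file>: same mode, owner and group.
same_mode() {
    [ -e "$1" ] && [ -e "$2" ] &&
        [ "$(stat -c '%a %U %G' "$1")" = "$(stat -c '%a %U %G' "$2")" ]
}

# check_new_cert <cacert.pem> <cert.pem> <key.pem> <expected-CN>
# Runs all certificate checks and reports every failure, not just the first.
check_new_cert() {
    rc=0
    chain_ok "$1" "$2" || { echo "FAIL: $2 does not verify against $1"; rc=1; }
    key_matches_cert "$2" "$3" || { echo "FAIL: $3 is not the key of $2"; rc=1; }
    cn=$(cert_cn "$2")
    [ "$cn" = "$4" ] || { echo "FAIL: CN is '$cn', expected '$4'"; rc=1; }
    return "$rc"
}

# When called with four arguments, run the checks directly.
if [ "$#" -eq 4 ]; then check_new_cert "$@"; fi
```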

Liferay Service Certificate

Important: It is necessary that the CN of the Liferay certificate is a loginstring of the Liferay Service User in the Fabasoft Folio installation.

Generate Key and Requests

       openssl req -config  -new -keyout .pem -out .pem -subj "" -passout "pass:" -days  -batch

    

subj could possibly look like this: "/CN=liferaysvc"

Generate Server Certificate

       openssl ca -config  -policy policy_anything -out .pem -batch -infiles .pem

    

Generate Keynodes

       openssl rsa -in .pem -out .pem

    

Export the CA - Certificate in a *.p12 - File

       openssl pkcs12 -export -in .pem -inkey .pem -out keystore.p12 -name "CaCertificate" -passin "pass:" -passout "pass:"

    

Import the CA - Certificate in the Truststore

       keytool -import -trustcacerts -alias "" -file cacert.cer -keystore truststore.jks -noprompt -storepass

    

alias could possibly look like this: "Fabasoft Local eService CA"

Exchange Liferay Certificate

To exchange the truststore and the Liferay service user certificate, two files have to be edited and the generated files have to be copied to the Tomcat directory (webapps/ROOT/WEB-INF/certs).

In the following two files, the passwords for the truststore and the keystore have to be edited:

  • webapps/ROOT/WEB-INF/classes/portal-ext.properties
  • webapps/fscportlet/WEB-INF/portlet.xml

Starting Liferay

Liferay can now be started. In order to get fully functional portlets, these portlets have to be instantiated anew so that the new certificates are chosen.

Applies to

  • Fabasoft Folio (Linux)
  • Fabasoft eGov-Suite (Linux)
  • Liferay
