Improvements to the Jetty documentation.
Added section about multiple key/certificate entries in a KeyStore. Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
This commit is contained in:
Simone Bordet
parent
25467f8904
commit
d3a8817c76
|
|
@ -22,24 +22,26 @@ The following command creates a KeyStore file containing a private key and a sel
|
|||
----
|
||||
keytool
|
||||
-genkeypair <1>
|
||||
-validity 90 <2>
|
||||
-keyalg RSA <3>
|
||||
-keysize 2048 <4>
|
||||
-keystore /path/to/keystore.p12 <5>
|
||||
-storetype pkcs12 <6>
|
||||
-dname "CN=domain.com, OU=Unit, O=Company, L=City, S=State, C=Country" <7>
|
||||
-ext san=dns:www.domain.com,dns:domain.org <8>
|
||||
-v <9>
|
||||
-alias mykey <2>
|
||||
-validity 90 <3>
|
||||
-keyalg RSA <4>
|
||||
-keysize 2048 <5>
|
||||
-keystore /path/to/keystore.p12 <6>
|
||||
-storetype pkcs12 <7>
|
||||
-dname "CN=domain.com, OU=Unit, O=Company, L=City, S=State, C=Country" <8>
|
||||
-ext san=dns:www.domain.com,dns:domain.org <9>
|
||||
-v <10>
|
||||
----
|
||||
<1> the command to generate a key and certificate pair
|
||||
<2> specifies the number of days after which the certificate expires
|
||||
<3> the algorithm _must_ be RSA (the DSA algorithm does not work for web sites)
|
||||
<4> indicates the strength of the key
|
||||
<5> the keyStore file
|
||||
<6> the keyStore type, stick with the standard PKCS12
|
||||
<7> the distinguished name (more below) -- customize it with your values for CN, OU, O, L, S and C
|
||||
<8> the extension with the subject alternative names (more below)
|
||||
<9> verbose output
|
||||
<2> the alias name of the key and certificate pair
|
||||
<3> specifies the number of days after which the certificate expires
|
||||
<4> the algorithm _must_ be RSA (the DSA algorithm does not work for web sites)
|
||||
<5> indicates the strength of the key
|
||||
<6> the KeyStore file
|
||||
<7> the KeyStore type, stick with the standard PKCS12
|
||||
<8> the distinguished name (more below) -- customize it with your values for CN, OU, O, L, S and C
|
||||
<9> the extension with the subject alternative names (more below)
|
||||
<10> verbose output
|
||||
|
||||
The command prompts for the KeyStore password that you must choose to protect the access to the KeyStore.
|
||||
|
||||
|
|
@ -56,3 +58,13 @@ In the example above, `san=dns:www.domain.com,dns:domain.org` specifies `www.dom
|
|||
In rare cases, you may want to specify IP addresses, rather than domains, in the SAN extension.
|
||||
The syntax in such case is `san=ip:127.0.0.1,ip:[::1]`, which specifies as subject alternative names IPv4 `127.0.0.1` and IPv6 `[::1]`.
|
||||
====
|
||||
|
||||
[[og-keystore-create-many]]
|
||||
===== KeyStores with Multiple Entries
|
||||
|
||||
A single KeyStore may contain multiple key/certificate pairs.
|
||||
This is useful when you need to support multiple domains on the same Jetty server (typically accomplished using xref:og-deploy-virtual-hosts[virtual hosts]).
|
||||
|
||||
You can create multiple key/certificate pairs as detailed in the xref:og-keystore-create[previous section], provided that you assign each one to a different alias.
|
||||
|
||||
Compliant TLS clients will send the xref:og-protocols-ssl-sni[TLS SNI extension] when creating new connections, and Jetty will automatically choose the right certificate by matching the SNI name sent by the client with the CN or SAN of certificates present in the KeyStore.
|
||||
|
|
|
|||
Loading…
Reference in New Issue