Creating a private keystore with a public certificate authority
You can use CDC Replication commands to enable TLS encryption of source-target communication with a public certificate authority.
In this case, each server has a certificate that is signed by a public certificate authority. The default trust store can be used, so there is no need to create one. This procedure uses keytool, which is located under installation_directory/jre64/jre/bin.
Each server needs a private key. You can generate a private key (and a self-signed certificate) by using the keytool -genkeypair command. For example:
keytool -genkeypair -noprompt -alias self -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=hostname.example.com" -validity 365 -keypass password -keystore privatekey.jks -storepass password -storetype JKS
Each server must make a request to get its private key signed by the certificate authority. You can create a certificate signing request with the keytool -certreq command. For example:
keytool -certreq -noprompt -alias self -sigalg SHA256withRSA -file hostname.csr -keypass password -keystore privatekey.jks -dname "CN=hostname.example.com" -storepass password -storetype JKS
Send the request to the certificate authority, which signs it and returns the signed certificate, the certificate authority's certificate, and any intermediate certificates.
The signed certificate and the certificate authority's certificate must be chained together to create the input for the keytool -importcert command. You can concatenate multiple certificates using standard operating system commands. For example, on Windows:
type hostname.crt ca.crt > hostname.pem
On Linux and UNIX:
cat hostname.crt ca.crt > hostname.pem
Each server's private key must be associated with its signed certificate chain. You can replace the self-signed certificate with the certificate chain by using the keytool -importcert command. For example:
keytool -importcert -noprompt -alias self -file hostname.pem -keypass password -keystore privatekey.jks -storepass password -storetype JKS
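The whole sequence as one Linux/UNIX shell script. This is an added example, not code from the CDC Replication documentation. It assumes keytool is on the PATH (the page locates it under installation_directory/jre64/jre/bin), that the certificate authority returned the signed server certificate, an intermediate certificate and the CA certificate as PEM files (the names hostname.crt, intermediate.crt and ca.crt are assumptions), and it takes the store password as an argument instead of the page's placeholder password. The build_chain function goes a little beyond the page's two-file concatenation: it accepts any number of intermediate certificates, writes them in the conventional chain order (server certificate first, then intermediates, then the CA certificate), and refuses to write the file when an input is not a PEM certificate, so a missing or mis-named file cannot silently produce a chain that the import step rejects.

```shell
#!/bin/sh
# Added example; not code from the CDC Replication documentation.
# Assumed inputs: hostname.crt (signed server certificate), intermediate.crt
# (zero or more), ca.crt (certificate authority certificate), all PEM.
# Assumes keytool is on PATH. The store password is an argument, not a literal.

# Print the number of PEM certificate blocks in a file (0 if none or unreadable).
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_chain OUT LEAF [INTERMEDIATE ...] CA
# Concatenates the certificates in chain order (server certificate first,
# intermediates next, CA certificate last). Any input without a PEM
# certificate block aborts the build and removes the partial output.
build_chain() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        if [ "$(pem_cert_count "$f")" -lt 1 ]; then
            echo "build_chain: $f is not a PEM certificate" >&2
            rm -f "$out"
            return 1
        fi
        cat "$f" >> "$out"
        # Add a newline if the file lacks one, so the next BEGIN line starts cleanly.
        if [ -n "$(tail -c 1 "$f")" ]; then echo >> "$out"; fi
    done
    return 0
}

# Steps 1 and 2 from the page: key pair, then certificate signing request.
# generate_key_and_csr HOST STOREPASS -> writes HOST-privatekey.jks and HOST.csr
generate_key_and_csr() {
    host="$1"; pass="$2"; ks="$host-privatekey.jks"
    keytool -genkeypair -noprompt -alias self -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -dname "CN=$host" -validity 365 \
        -keypass "$pass" -keystore "$ks" -storepass "$pass" -storetype JKS &&
    keytool -certreq -noprompt -alias self -sigalg SHA256withRSA -file "$host.csr" \
        -keypass "$pass" -keystore "$ks" -storepass "$pass" -storetype JKS
}

# Final step from the page, run once the CA has returned the signed certificate:
# install_signed_chain HOST CHAIN_PEM STOREPASS
install_signed_chain() {
    host="$1"; chain="$2"; pass="$3"; ks="$host-privatekey.jks"
    keytool -importcert -noprompt -alias self -file "$chain" \
        -keypass "$pass" -keystore "$ks" -storepass "$pass" -storetype JKS || return 1
    # Importing under the key pair's alias replaces the self-signed certificate
    # with the chain, so the entry must now report a chain longer than one.
    keytool -list -v -alias self -keystore "$ks" -storepass "$pass" |
        grep -Eq 'Certificate chain length: ([2-9]|[1-9][0-9]+)'
}

# Usage (the two halves run on either side of the CA's turnaround):
#   ./keystore.sh request hostname.example.com "$STOREPASS"
#   ./keystore.sh install hostname.example.com "$STOREPASS" hostname.crt intermediate.crt ca.crt
case "${1:-}" in
    request) generate_key_and_csr "$2" "$3" ;;
    install) host="$2"; pass="$3"; shift 3
             build_chain "$host.pem" "$@" && install_signed_chain "$host" "$host.pem" "$pass" ;;
esac
```

The final keytool -list check is the one verification worth keeping: a chain length of 1 after the import means the self-signed certificate is still in place and the server would present an untrusted certificate to its peer.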
You can also use third-party tools such as openssl to create a private keystore with a public certificate authority.