Creating a private keystore and a trust store with a central self-signed certificate authority

You can enable TLS encryption of communication between a source and target by using a central self-signed certificate authority.

In this case, each server has a certificate that is signed by the company's own certificate authority, and each server must trust that certificate authority. This procedure uses keytool, which ships with CDC Replication under installation_directory/jre64/jre/bin; you can also use third-party tools such as openssl.

Each server needs its own private key. You can generate a key pair, together with a self-signed placeholder certificate, by using the keytool -genkeypair command. Passwords given as -storepass and -keypass on the command line are visible in the shell history and in process listings; keytool also accepts them as -storepass:env VARIABLE and -keypass:env VARIABLE, or -storepass:file FILE. For example:

keytool -genkeypair -noprompt -alias self -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=hostname.example.com" -validity 365 -keypass password -keystore privatekey.jks -storepass password -storetype JKS

Each server must have the certificate authority sign a certificate for its key pair; the private key itself is never sent. You can create the certificate signing request (CSR) with the keytool -certreq command. The -ext options ask the certificate authority for the listed key usage and extended key usage extensions; whether they appear in the issued certificate is up to the certificate authority's policy. For example:

keytool -certreq -noprompt -alias self -sigalg SHA256withRSA -file hostname.csr -keypass password -keystore privatekey.jks -dname "CN=hostname.example.com" -storepass password -storetype JKS -ext KeyUsage:critical=digitalSignature,keyAgreement,keyEncipherment,nonRepudiation -ext ExtendedKeyUsage:critical=serverAuth,clientAuth

Send the request to the certificate authority, have it signed, and receive back the signed certificate together with the certificate authority's own certificate.

The signed certificate and the certificate authority's certificate must be chained together, server certificate first, to create the input for the keytool -importcert command. Both files must be PEM (Base64-encoded) for the concatenation to produce a valid chain; DER files cannot be concatenated. You can concatenate the certificates by using standard operating system commands. For example, type hostname.crt ca.crt > hostname.pem on Windows, or cat hostname.crt ca.crt > hostname.pem on Linux or UNIX.

Each server's private key must be associated with its signed certificate chain. You can replace the self-signed placeholder certificate with the chain by importing the chain under the same alias with the keytool -importcert command; keytool checks that the public key in the reply matches the private key stored under that alias and uses the appended certificate authority certificate to complete the chain. For example:

keytool -importcert -noprompt -alias self -file hostname.pem -keypass password -keystore privatekey.jks -storepass password -storetype JKS

Each server must trust the certificate authority. Import the certificate authority's certificate, not the server certificate, into a separate trust store with the keytool -importcert command. The trust store contains no private keys, so it can be copied to every source and target. For example:

keytool -importcert -noprompt -alias caname -file ca.crt -keypass password -keystore trust.jks -storepass password -storetype JKS
Note: The openssl command-line utility cannot create a PKCS12 trust store that is compatible with CDC Replication; use keytool instead. To create a PKCS12 trust store, change the -storetype parameter to PKCS12.

If you are using a combination of certificates that are signed by your own certificate authority and by a public certificate authority, then the trust store must contain the public certificate authorities in addition to your own. You can seed a new trust store with the public certificate authorities from the JRE's cacerts file by using the keytool -importkeystore command, and then import your own certificate authority into the same trust store as shown above. Because this makes the replication endpoint accept a certificate from any of those public certificate authorities, do it only when you actually use publicly issued certificates. For example:

keytool -importkeystore -noprompt -srckeystore installation_directory/jre64/jre/lib/security/cacerts -destkeystore trust.jks -deststoretype JKS -srcstorepass changeit -deststorepass password