Creating a private keystore and a trust store with a central self-signed certificate authority

You can enable TLS encryption of communication between a source and target by using a central self-signed certificate authority.

In this case, each server has a certificate that is signed by the company's self-signed certificate authority, and each server must trust that certificate authority. This procedure uses keytool, which ships with CDC Replication under installation_directory/jre64/jre/bin. You can also use third-party tools such as openssl.

Each server needs a private key. You can generate a private key (and a self-signed certificate) by using the keytool -genkeypair command. For example:

keytool -genkeypair -noprompt -alias self -keyalg EC -groupname secp256r1 -sigalg SHA256withECDSA -dname "CN=hostname.example.com" -validity 365 -keystore privatekey.p12 -storepass password -storetype PKCS12

Each server must ask the certificate authority to sign a certificate for its key. You can create a certificate signing request with the keytool -certreq command. For example:

keytool -certreq -noprompt -alias self -sigalg SHA256withECDSA -file hostname.csr -keystore privatekey.p12 -dname "CN=hostname.example.com" -storepass password -storetype PKCS12 -ext KeyUsage:critical=digitalSignature -ext ExtendedKeyUsage:critical=serverAuth,clientAuth

Send the request to the certificate authority, have it signed there, and receive back the signed certificate together with the certificate authority's certificate.

The signed certificate and the certificate authority's certificate must be concatenated, server certificate first, to create the input for the keytool -importcert command. You can concatenate multiple certificates by using standard operating system commands. For example, type hostname.crt ca.crt > hostname.pem on Windows or cat hostname.crt ca.crt > hostname.pem on Linux or UNIX.

Each server's private key must be associated with its signed certificate chain. You can replace the self-signed certificate with the certificate chain by using the keytool -importcert command. For example:

keytool -importcert -noprompt -alias self -file hostname.pem -keystore privatekey.p12 -storepass password -storetype PKCS12

Each server must trust the self-signed certificate authority. You can import a certificate into the trust store with the keytool -importcert command. For example:

keytool -importcert -noprompt -alias caname -file ca.crt -keystore trust.p12 -storepass password -storetype PKCS12

Note: The openssl command-line utility cannot create a PKCS12 trust store that is compatible with CDC Replication unless you use openssl 3.2 or later with the -jdktrust anyExtendedKeyUsage option. For earlier openssl versions, use keytool instead of openssl.
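The six steps above, run end to end for one server, as an added example that is not part of the CDC Replication documentation: openssl stands in for the company certificate authority (the page leaves the signing step to the CA), and the CA subject, the hostname passed in, and the password are constructed values. The script also adds the checks a practitioner runs before shipping the stores: the key entry must carry a two-certificate chain and the trust store exactly one trusted entry.

```shell
#!/bin/sh
# Added example (not from the CDC Replication documentation): runs the six
# keytool steps above for one server, with openssl standing in for the company
# CA. CA subject, hostname and the page's "password" are constructed values.
set -eu
STOREPASS="${STOREPASS:-password}"

# Company CA (lives on the CA machine in practice): P-256 key, 10-year root.
make_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 3650 -subj "/CN=Example Corp Internal CA" -keyout ca.key -out ca.crt
}
# Steps 1-6 for one server; $1 is its DNS name.
build_stores() {
  host="$1"
  # 1. key pair plus self-signed placeholder certificate
  keytool -genkeypair -noprompt -alias self -keyalg EC -groupname secp256r1 \
    -sigalg SHA256withECDSA -dname "CN=$host" -validity 365 \
    -keystore privatekey.p12 -storepass "$STOREPASS" -storetype PKCS12
  # 2. CSR carrying the key-usage extensions the page asks for
  keytool -certreq -noprompt -alias self -sigalg SHA256withECDSA \
    -file "$host.csr" -keystore privatekey.p12 -storepass "$STOREPASS" \
    -storetype PKCS12 -ext KeyUsage:critical=digitalSignature \
    -ext ExtendedKeyUsage:critical=serverAuth,clientAuth
  # 3. CA signs it. openssl x509 -req drops CSR extensions, so they are
  #    restated in an extfile, plus a SAN so clients can match the hostname.
  printf 'keyUsage=critical,digitalSignature\nextendedKeyUsage=critical,serverAuth,clientAuth\nsubjectAltName=DNS:%s\n' "$host" > "$host.ext"
  openssl x509 -req -in "$host.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile "$host.ext" -out "$host.crt"
  # 4. chain file: server certificate first, issuer after it
  cat "$host.crt" ca.crt > "$host.pem"
  # 5. replace the placeholder with the signed chain
  keytool -importcert -noprompt -alias self -file "$host.pem" \
    -keystore privatekey.p12 -storepass "$STOREPASS" -storetype PKCS12
  # 6. trust store holding only the company CA
  keytool -importcert -noprompt -alias companyca -file ca.crt \
    -keystore trust.p12 -storepass "$STOREPASS" -storetype PKCS12
}
# Pre-ship checks: the key entry must carry a 2-certificate chain (server +
# CA) and the trust store exactly one trusted entry.
chain_length() {
  keytool -list -v -alias self -keystore privatekey.p12 -storepass "$STOREPASS" \
    -storetype PKCS12 | sed -n 's/^Certificate chain length: //p'
}
trusted_entries() {
  keytool -list -keystore trust.p12 -storepass "$STOREPASS" -storetype PKCS12 |
    grep -c trustedCertEntry
}
if [ $# -gt 0 ]; then make_ca && build_stores "$1" && echo "chain=$(chain_length) trusted=$(trusted_entries)"; fi
```

Run it as sh build_stores.sh cdc1.example.com in an empty directory; it prints chain=2 trusted=1 when the stores are correctly built.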

If you are using a combination of certificates that are signed by your own certificate authority and by a public certificate authority, then you need to trust the public certificate authorities in addition to your own. You can copy the public certificate authorities from the JRE's cacerts file into a new trust store with the keytool -importkeystore command. For example:

keytool -importkeystore -noprompt -srckeystore installation_directory/jre64/jre/lib/security/cacerts -destkeystore trust.p12 -deststoretype PKCS12 -srcstorepass changeit -deststorepass password