Creating a private keystore and a trust store with self-signed certificates
You can enable TLS encryption of communication between a source and target by using self-signed certificates.
In this case there is no central certificate authority, so each server must trust the other server's certificate directly. This procedure uses keytool, which ships with CDC Replication under installation_directory/jre64/jre/bin; you can also use third-party tools such as openssl.
Each server needs a private key and a self-signed certificate. You can generate a private key and a self-signed certificate by using the keytool -genkeypair command. For example:
keytool -genkeypair -noprompt -alias self -keyalg EC -groupname secp256r1 -sigalg SHA256withECDSA -dname "CN=hostname.example.com" -validity 365 -keystore privatekey.p12 -storepass password -storetype PKCS12
Each server's self-signed certificate must be trusted by the other servers. The certificate must be exported from each server and imported on the other server. You can export the self-signed certificate by using the keytool -exportcert command. For example:
keytool -exportcert -noprompt -rfc -alias self -file hostname.crt -keystore privatekey.p12 -storepass password -storetype PKCS12
Each server must trust its own self-signed certificate and the certificates of other servers. You can import a self-signed certificate into the trust store with the keytool -importcert command. For example:
keytool -importcert -noprompt -alias hostname -file hostname.crt -keystore trust.p12 -storepass password -storetype PKCS12
If you use a mix of self-signed certificates and certificates that are signed by a public certificate authority, the trust store must also contain the public CA certificates. You can copy the public CA certificates from the JRE's default cacerts store (whose default password is changeit) into a new trust store with the keytool -importkeystore command. For example:
keytool -importkeystore -noprompt -srckeystore installdir/jre64/jre/lib/security/cacerts -destkeystore trust.p12 -deststoretype PKCS12 -srcstorepass changeit -deststorepass password
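The following script is an added example, not part of the CDC Replication documentation: it runs the generate, export and import steps above for two hosts in a scratch directory, prints each certificate's SHA-256 fingerprint so it can be compared out of band before relying on the -noprompt import, and then checks that each trust store really contains the other host's entry. It assumes keytool is on PATH (or given in KEYTOOL); the host names and the STOREPASS value are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the product's own code): two-host self-signed exchange
# with keytool, followed by a trust-store check. Host names and passwords
# are placeholders; keytool is assumed to be on PATH or set in KEYTOOL.
set -eu

KEYTOOL="${KEYTOOL:-keytool}"
STOREPASS="${STOREPASS:-changeit-placeholder}"

# Step 1: private key and self-signed certificate for one host (privatekey.p12).
gen_keypair() {  # $1 = host name
    "$KEYTOOL" -genkeypair -noprompt -alias self -keyalg EC -groupname secp256r1 \
        -sigalg SHA256withECDSA -dname "CN=$1" -validity 365 \
        -keystore "$1/privatekey.p12" -storepass "$STOREPASS" -storetype PKCS12
}

# Step 2: export the host's certificate in PEM form so it can be copied over.
export_cert() {  # $1 = host name
    "$KEYTOOL" -exportcert -noprompt -rfc -alias self -file "$1.crt" \
        -keystore "$1/privatekey.p12" -storepass "$STOREPASS" -storetype PKCS12
}

# Step 3: import a certificate into a host's trust store (trust.p12),
# using the certificate owner's host name as the alias.
import_cert() {  # $1 = trusting host, $2 = certificate owner
    "$KEYTOOL" -importcert -noprompt -alias "$2" -file "$2.crt" \
        -keystore "$1/trust.p12" -storepass "$STOREPASS" -storetype PKCS12
}

# Check: does the trust store of host $1 contain an entry for alias $2?
trusts() {
    "$KEYTOOL" -list -alias "$2" -keystore "$1/trust.p12" \
        -storepass "$STOREPASS" -storetype PKCS12 >/dev/null 2>&1
}

# Runs the whole exchange in a scratch directory. Because -noprompt skips
# keytool's fingerprint confirmation, the SHA-256 fingerprints are printed
# for out-of-band comparison. Returns 0 only if both hosts trust each other.
exchange() {  # $1 = source host, $2 = target host
    work=$(mktemp -d); cd "$work"; mkdir "$1" "$2"
    for h in "$1" "$2"; do gen_keypair "$h"; export_cert "$h"; done
    "$KEYTOOL" -printcert -file "$1.crt" | grep SHA256
    "$KEYTOOL" -printcert -file "$2.crt" | grep SHA256
    import_cert "$1" "$1"; import_cert "$1" "$2"   # source trusts self + target
    import_cert "$2" "$2"; import_cert "$2" "$1"   # target trusts self + source
    trusts "$1" "$2" && trusts "$2" "$1"
}
```

Run `exchange source.example.com target.example.com` to see the fingerprints and confirm mutual trust; in a real deployment the exported .crt files are what you copy between the servers, never the privatekey.p12 files.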