Creating a private keystore and a trust store with self-signed certificates

You can enable TLS encryption of communication between a source and target by using self-signed certificates.

In this case there is no central certificate authority, so each server must trust the other server's certificate directly. This procedure uses keytool, which ships with CDC Replication under installation_directory/jre32/jre/bin. You can also use third-party tools such as openssl.

Each server needs a private key and a self-signed certificate. You can generate a private key and a self-signed certificate by using the keytool -genkeypair command. For example:

keytool -genkeypair -noprompt -alias self -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=hostname.example.com" -validity 365 -keypass password -keystore privatekey.jks -storepass password -storetype JKS

Each server's self-signed certificate must be trusted by the other servers. The certificate must be exported from each server and imported on the other server. You can export the self-signed certificate by using the keytool -exportcert command. For example:

keytool -exportcert -noprompt -rfc -alias self -file hostname.crt -keystore privatekey.jks -storepass password -storetype JKS

Each server must trust its own self-signed certificate and the certificates of other servers. You can import a self-signed certificate into the trust store with the keytool -importcert command. For example:

keytool -importcert -noprompt -alias hostname -file hostname.crt -keypass password -keystore trust.jks -storepass password -storetype JKS

Note: The openssl command-line utility cannot create a PKCS12 trust store that is compatible with CDC Replication. Use keytool instead of openssl. Change the -storetype parameter to PKCS12 to create a PKCS12 trust store.

If you are using a combination of both self-signed certificates and certificates that are signed by a public certificate authority, then you need to trust the normal public certificate authorities in addition to the self-signed certificates. You can import the normal public certificate authorities into a new trust store with the keytool -importkeystore command. For example:

keytool -importkeystore -noprompt -srckeystore installdir/jre64/jre/lib/security/cacerts -destkeystore trust.jks -deststoretype JKS -srcstorepass changeit -deststorepass password
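The four keytool steps above, carried through for a pair of servers, as an added shell example that is not part of the CDC Replication documentation. It assumes keytool is on PATH (the page locates it under installation_directory/jre32/jre/bin); the host names source.example.com and target.example.com, the password changeme, the directory layout and the cacerts path passed to trust_public_cas are constructed placeholders. Each server ends up with a privatekey.jks holding its own key pair and a trust.jks holding both self-signed certificates, which is the mutual-trust state the page describes.

```shell
#!/bin/sh
# Added example (not from the CDC Replication docs): build per-server private
# keystores and a cross-trust store for two servers with keytool.
# Assumes keytool is on PATH; host names, passwords and paths are placeholders.
set -eu

# Step 1: private key + self-signed certificate for one server.
#   $1 = directory for this server's files, $2 = host name (used as CN), $3 = password
make_private_keystore() {
  mkdir -p "$1"
  keytool -genkeypair -noprompt -alias self -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -dname "CN=$2" -validity 365 \
    -keypass "$3" -keystore "$1/privatekey.jks" -storepass "$3" -storetype JKS
}

# Step 2: export the self-signed certificate in PEM form for the peer to import.
#   $1 = server dir, $2 = host name (becomes the file name), $3 = password
export_cert() {
  keytool -exportcert -noprompt -rfc -alias self -file "$1/$2.crt" \
    -keystore "$1/privatekey.jks" -storepass "$3" -storetype JKS
}

# Step 3: import a certificate into a server's trust store under the owner's host name.
# Change -storetype to PKCS12 here (and in make_private_keystore) for a PKCS12 store.
#   $1 = server dir, $2 = alias (host name), $3 = certificate file, $4 = password
trust_cert() {
  keytool -importcert -noprompt -alias "$2" -file "$3" \
    -keystore "$1/trust.jks" -storepass "$4" -storetype JKS
}

# Step 4 (optional): seed the trust store with the public CAs from the JRE cacerts
# file, for mixed self-signed / publicly signed deployments.
#   $1 = server dir, $2 = path to cacerts (caller supplies it), $3 = trust store password
trust_public_cas() {
  keytool -importkeystore -noprompt -srckeystore "$2" -destkeystore "$1/trust.jks" \
    -deststoretype JKS -srcstorepass changeit -deststorepass "$3"
}

# Check: print the aliases of the trusted certificates in a server's trust store,
# one per line, sorted. Useful to confirm the peer's certificate actually landed.
#   $1 = server dir, $2 = password
list_trusted_aliases() {
  keytool -list -keystore "$1/trust.jks" -storepass "$2" -storetype JKS 2>/dev/null \
    | grep trustedCertEntry | cut -d, -f1 | sort
}

# Whole procedure for two servers: each one trusts its own certificate and the peer's.
#   $1 = base directory, $2 = password used for every store in this example
build_mutual_trust() {
  base=$1; pw=$2
  make_private_keystore "$base/source" source.example.com "$pw"
  make_private_keystore "$base/target" target.example.com "$pw"
  export_cert "$base/source" source.example.com "$pw"
  export_cert "$base/target" target.example.com "$pw"
  for side in source target; do
    trust_cert "$base/$side" source.example.com "$base/source/source.example.com.crt" "$pw"
    trust_cert "$base/$side" target.example.com "$base/target/target.example.com.crt" "$pw"
  done
}

# Run the procedure in a scratch directory when keytool is available.
if command -v keytool >/dev/null 2>&1; then
  work=$(mktemp -d)
  build_mutual_trust "$work" changeme
  echo "trusted on target:"
  list_trusted_aliases "$work/target" changeme
fi
```

Two practical points when adapting this: the password arguments are visible in shell history and in the process list while keytool runs, and keytool prompts for any password you omit from the command line, so interactive runs need not pass them at all; and the alias you give -importcert only labels the entry, so listing the trust store afterwards (as list_trusted_aliases does) is the quick way to confirm that each server really holds the other's certificate before enabling TLS.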