Instructions for Generating Solr SSL keystores
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

<store password> is the keystore password. The file ${dir.keystore}/ssl-keystore-passwords.properties contains the passwords for the SSL keystore,
and ${dir.keystore}/ssl-truststore-passwords.properties contains the passwords for the SSL truststore.

These instructions create an RSA public/private key pair for Solr with a certificate that has been signed by the Alfresco Certificate Authority (CA).
They also create a truststore for Solr containing the CA certificate; the repository uses this truststore to authenticate connections to Solr URLs.
They assume the existence of a CA key and certificate with which to sign the Solr certificate; for security reasons these are not generally available.
You can either generate your own CA key and certificate (see the instructions below) or use a recognised Certificate Authority such as Verisign. For Alfresco
employees the key and certificate are available in svn.

(i) Generate the Solr public/private key pair in a keystore.

$ keytool -genkey -alias ssl.repo.client -keyalg RSA -keystore ssl.repo.client.keystore -storetype JCEKS -storepass <store password>
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  Alfresco Solr
What is the name of your organizational unit?
  [Unknown]:  
What is the name of your organization?
  [Unknown]:  Alfresco Software Ltd.
What is the name of your City or Locality?
  [Unknown]:  Maidenhead
What is the name of your State or Province?
  [Unknown]:  UK
What is the two-letter country code for this unit?
  [Unknown]:  GB
Is CN=Alfresco Solr, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB correct?
  [no]:  yes

Enter key password for <ssl.repo.client>
	(RETURN if same as keystore password): 

(ii) Generate a certificate request for the Solr key.

$ keytool -keystore ssl.repo.client.keystore -alias ssl.repo.client -certreq -file solr.csr -storetype JCEKS -storepass <store password>
Enter keystore password:  

(iii) The Alfresco CA signs the certificate request, creating a certificate that is valid for 365 days.

$ openssl x509 -CA ca.crt -CAkey ca.key -CAcreateserial -req -in solr.csr -out solr.crt -days 365
Signature ok
subject=/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Alfresco Solr
Getting CA Private Key
Enter pass phrase for ca.key:

(iv) Import the CA certificate into the Solr keystore (the keystore must trust the CA before the signed certificate can be imported in step (v)).

$ keytool -import -alias alfrescoca -file ca.crt -keystore ssl.repo.client.keystore -storetype JCEKS -storepass <store password>
Enter keystore password:  
Owner: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
Issuer: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
Serial number: 805ba6dc8f62f8b8
Valid from: Fri Aug 12 13:28:58 BST 2011 until: Mon Aug 09 13:28:58 BST 2021
Certificate fingerprints:
	 MD5:  4B:45:94:2D:8E:98:E8:12:04:67:AD:AE:48:3C:F5:A0
	 SHA1: 74:42:22:D0:52:AD:82:7A:FD:37:46:37:91:91:F4:77:89:3A:C9:A3
	 Signature algorithm name: SHA1withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 08 42 40 DC FE 4A 50 87   05 2B 38 4D 92 70 8E 51  .B@..JP..+8M.p.Q
0010: 4E 38 71 D6                                        N8q.
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 08 42 40 DC FE 4A 50 87   05 2B 38 4D 92 70 8E 51  .B@..JP..+8M.p.Q
0010: 4E 38 71 D6                                        N8q.
]

[CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB]
SerialNumber: [    805ba6dc 8f62f8b8]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore

(v) Import the CA-signed Solr certificate into the Solr keystore.

$ keytool -import -alias ssl.repo.client -file solr.crt -keystore ssl.repo.client.keystore -storetype JCEKS -storepass <store password>

(vi) Create a Solr truststore containing only the Alfresco CA certificate (the CA certificate was already imported into the keystore in step (iv)).

$ keytool -import -alias alfresco.ca -file ca.crt -keystore ssl.repo.client.truststore -storetype JCEKS -storepass <store password>
Enter keystore password:  
Re-enter new password: 
Owner: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
Issuer: CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB
Serial number: 805ba6dc8f62f8b8
Valid from: Fri Aug 12 13:28:58 BST 2011 until: Mon Aug 09 13:28:58 BST 2021
Certificate fingerprints:
	 MD5:  4B:45:94:2D:8E:98:E8:12:04:67:AD:AE:48:3C:F5:A0
	 SHA1: 74:42:22:D0:52:AD:82:7A:FD:37:46:37:91:91:F4:77:89:3A:C9:A3
	 Signature algorithm name: SHA1withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 08 42 40 DC FE 4A 50 87   05 2B 38 4D 92 70 8E 51  .B@..JP..+8M.p.Q
0010: 4E 38 71 D6                                        N8q.
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 08 42 40 DC FE 4A 50 87   05 2B 38 4D 92 70 8E 51  .B@..JP..+8M.p.Q
0010: 4E 38 71 D6                                        N8q.
]

[CN=Alfresco CA, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB]
SerialNumber: [    805ba6dc 8f62f8b8]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore

(vii) Copy the keystore and truststore to each Solr core's configuration directory (i.e. to archive-SpacesStore/conf and workspace-SpacesStore/conf).

(viii) Update the SSL properties in each Solr core's solrcore.properties file, i.e. the properties starting with the prefixes 'alfresco.encryption.ssl.keystore' and 'alfresco.encryption.ssl.truststore'.
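
The following script is an added example, not part of the original instructions: it runs steps (i) to (vi) non-interactively and then checks the result before the stores are copied to the cores. It assumes keytool and openssl are on PATH, that ca.crt and ca.key (as produced by the CA section below) are in the current directory, and that the ca.key passphrase is in the environment variable CA_PASS; the function names, the 2048-bit key size and the verification checks are this example's own choices.

```sh
#!/bin/sh
# Added example, not part of the original instructions: runs steps (i)-(vi)
# non-interactively and then checks the result before it is copied to the
# Solr cores. Assumes keytool and openssl on PATH, ca.crt and ca.key in the
# current directory, and the ca.key passphrase in $CA_PASS.
set -eu
DNAME="CN=Alfresco Solr, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB"

# Build ssl.repo.client.keystore and ssl.repo.client.truststore in directory $1
# with store/key password $2 (the <store password> of the instructions).
build_solr_stores() {
    dir=$1; pass=$2
    : "${CA_PASS:?set CA_PASS to the ca.key passphrase}"
    mkdir -p "$dir"
    # (i) key pair; -dname and -keypass replace the interactive prompts
    keytool -genkeypair -alias ssl.repo.client -keyalg RSA -keysize 2048 \
        -dname "$DNAME" -keystore "$dir/ssl.repo.client.keystore" \
        -storetype JCEKS -storepass "$pass" -keypass "$pass"
    # (ii) certificate request for that key
    keytool -certreq -alias ssl.repo.client -file "$dir/solr.csr" \
        -keystore "$dir/ssl.repo.client.keystore" -storetype JCEKS -storepass "$pass"
    # (iii) the CA signs the request, 365-day validity as in the instructions
    openssl x509 -req -in "$dir/solr.csr" -CA ca.crt -CAkey ca.key \
        -passin "pass:$CA_PASS" -CAcreateserial -days 365 -out "$dir/solr.crt"
    # (iv) the CA certificate must be trusted before (v): keytool only accepts
    # a certificate reply whose chain ends at a certificate it already trusts
    keytool -importcert -noprompt -alias alfrescoca -file ca.crt \
        -keystore "$dir/ssl.repo.client.keystore" -storetype JCEKS -storepass "$pass"
    # (v) the CA-signed certificate replaces the self-signed one under the key alias
    keytool -importcert -noprompt -alias ssl.repo.client -file "$dir/solr.crt" \
        -keystore "$dir/ssl.repo.client.keystore" -storetype JCEKS -storepass "$pass"
    # (vi) the truststore holds the CA certificate only, never the Solr key
    keytool -importcert -noprompt -alias alfresco.ca -file ca.crt \
        -keystore "$dir/ssl.repo.client.truststore" -storetype JCEKS -storepass "$pass"
}

# Returns 0 only if solr.crt verifies against ca.crt, the key entry carries the
# two-certificate chain (Solr cert + CA), and the truststore has the CA entry and no private key.
verify_solr_stores() {
    dir=$1; pass=$2
    openssl verify -CAfile ca.crt "$dir/solr.crt" >/dev/null 2>&1 || return 1
    ks=$(keytool -list -v -keystore "$dir/ssl.repo.client.keystore" \
        -storetype JCEKS -storepass "$pass" 2>/dev/null) || return 1
    echo "$ks" | grep -q 'Certificate chain length: 2' || return 1
    ts=$(keytool -list -keystore "$dir/ssl.repo.client.truststore" \
        -storetype JCEKS -storepass "$pass" 2>/dev/null) || return 1
    echo "$ts" | grep -q 'PrivateKeyEntry' && return 1
    echo "$ts" | grep -q '^alfresco.ca,' || return 1
}
```

Run it as `build_solr_stores out <store password> && verify_solr_stores out <store password>` from the directory holding ca.crt and ca.key; the files in out/ are then ready for step (vii).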

Instructions for Generating a Certificate Authority (CA) Key and Certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(i) Generate the CA private key

$ openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
..........++++++
..++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:

(ii) Generate the CA self-signed certificate

$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:UK
Locality Name (eg, city) []:Maidenhead
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alfresco Software Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Alfresco CA
Email Address []: