Generate TLS
This guide provides step-by-step instructions to generate the required TLS assets for Zilla Platform Gateways.
- Create a Certificate Authority (CA).
- Generate and sign a server certificate.
- Build a client truststore to validate server identity.
Environment Setup
Before running the commands, export the following environment variables. These variables define the certificate names, passwords, and SAN configuration for your certificates.
```sh
export SERVER_CA_ALIAS=serverca
export SERVER_CA_PASS=generated
export SERVER_CERT_ALIAS=staging.platform.net
export SERVER_CERT_PASS=generated
export SERVER_CERT_SAN="dns:*.staging.platform.net"
export CLIENT_TRUST_PASS=generated
```

Each variable serves a specific purpose:
| Variable | Description |
|---|---|
| SERVER_CA_ALIAS | Alias for the server Certificate Authority (CA) entry |
| SERVER_CA_PASS | Password used to protect the server CA keystore |
| SERVER_CERT_ALIAS | Alias for the server certificate (e.g., staging host) |
| SERVER_CERT_PASS | Password for the server keystore |
| SERVER_CERT_SAN | Subject Alternative Name for the server certificate |
| CLIENT_TRUST_PASS | Password for the client truststore |
Generate Server CA and Keys
The server CA is a local certificate authority used to sign server certificates.
Create Server Signer (CA)
```sh
mkdir -p server

keytool -genkeypair \
  -keystore server/signers \
  -storepass ${SERVER_CA_PASS} \
  -keypass ${SERVER_CA_PASS} \
  -alias ${SERVER_CA_ALIAS} \
  -dname "C=US, ST=California, O=MyOrg, OU=DevOps, CN=${SERVER_CA_ALIAS}" \
  -validity 3650 \
  -keyalg RSA \
  -ext bc:c

keytool -keystore server/signers \
  -storepass ${SERVER_CA_PASS} \
  -alias ${SERVER_CA_ALIAS} \
  -exportcert -rfc > server/${SERVER_CA_ALIAS}.crt
```

Create Server Keypair and CSR
Generate a new keypair for the gateway’s server certificate and create a Certificate Signing Request (CSR).
```sh
keytool -genkeypair \
  -keystore server/keys \
  -storepass ${SERVER_CERT_PASS} \
  -keypass ${SERVER_CERT_PASS} \
  -alias ${SERVER_CERT_ALIAS} \
  -dname "C=US, ST=California, O=MyOrg, OU=DevOps, CN=${SERVER_CERT_ALIAS}" \
  -validity 3650 \
  -keyalg RSA

keytool -keystore server/keys \
  -storepass ${SERVER_CERT_PASS} \
  -alias ${SERVER_CERT_ALIAS} \
  -certreq -rfc > server/${SERVER_CERT_ALIAS}.csr
```

Sign Server Certificate
Use the CA to sign the server’s CSR and generate a trusted certificate.
```sh
keytool -keystore server/signers \
  -storepass ${SERVER_CA_PASS} \
  -keypass ${SERVER_CA_PASS} \
  -gencert \
  -alias ${SERVER_CA_ALIAS} \
  -ext ku:c=dig,keyenc \
  -ext SAN="${SERVER_CERT_SAN}" \
  -rfc \
  -validity 1800 < server/${SERVER_CERT_ALIAS}.csr > server/${SERVER_CERT_ALIAS}.crt
```

Info

The -ext SAN option sets the Subject Alternative Name, which is the name a TLS client compares against the host it connected to; a wildcard entry such as *.staging.platform.net covers exactly one label, so it matches api.staging.platform.net but not staging.platform.net itself. The -validity option defines the lifetime of the issued certificate in days.
Import Signed Certificate into Server Keystore
Import the CA certificate and then the signed server certificate into the server’s keystore. keytool needs the CA entry present to validate the certificate reply and store the full chain under the server alias; once that chain is in place, the separate CA entry is deleted so the keystore holds only the server identity.
```sh
keytool -keystore server/keys \
  -storepass ${SERVER_CERT_PASS} \
  -keypass ${SERVER_CERT_PASS} \
  -importcert -alias ${SERVER_CA_ALIAS} -rfc -noprompt < server/${SERVER_CA_ALIAS}.crt

keytool -keystore server/keys \
  -storepass ${SERVER_CERT_PASS} \
  -keypass ${SERVER_CERT_PASS} \
  -importcert -alias ${SERVER_CERT_ALIAS} -rfc < server/${SERVER_CERT_ALIAS}.crt

keytool -keystore server/keys \
  -storepass ${SERVER_CERT_PASS} \
  -keypass ${SERVER_CERT_PASS} \
  -delete -alias ${SERVER_CA_ALIAS} -noprompt
```

Client Trust
The client truststore contains the CA certificate, allowing clients to validate the server’s identity during TLS handshake.
```sh
mkdir -p client

keytool -keystore client/trust \
  -storepass ${CLIENT_TRUST_PASS} \
  -keypass ${CLIENT_TRUST_PASS} \
  -importcert -alias ${SERVER_CA_ALIAS} -rfc -noprompt < server/${SERVER_CA_ALIAS}.crt
```

Verification
Validate the generated certificates and stores before deployment. In the verbose listing, confirm that the server entry's certificate chain includes the CA, that the SubjectAlternativeName extension carries the expected name, and that the validity period covers the planned deployment window.
Verify Server Keystore
```sh
keytool -list -v -keystore server/keys -storepass ${SERVER_CERT_PASS}
```

Verify Client Truststore

```sh
keytool -list -v -keystore client/trust -storepass ${CLIENT_TRUST_PASS}
```
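The keytool listings above show the stores' contents, but they do not exercise the check a TLS client actually performs with the client truststore: chaining the server certificate to the CA and matching the connected hostname against the SAN. The following Go program, an added example that is not part of the Zilla guide, does that check using only the standard library. verifyChainPEM takes PEM bytes, so it can be pointed at the guide's own server/serverca.crt and server/staging.platform.net.crt (both are PEM because they were exported with -rfc) plus a hostname on the command line. buildConstructedChain is a helper that builds an in-memory CA and server certificate with the same extensions the keytool steps set (BasicConstraints ca:true, key usage digitalSignature and keyEncipherment, one DNS SAN); its names and validity values are constructed sample data mirroring the environment variables, and nothing is written to disk. Run without arguments it goes one step beyond the Info note: it shows which hostnames a wildcard SAN does and does not cover.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// verifyChainPEM checks that the PEM leaf chains to the CA in caPEM and is valid for host
// (trusted issuer, validity window, matching DNS SAN): the check a TLS client makes with the
// truststore. Verify defaults to ExtKeyUsageServerAuth, i.e. a TLS server certificate.
func verifyChainPEM(caPEM, leafPEM []byte, host string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("no CA certificate found in caPEM")
	}
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("leaf is not a PEM CERTIFICATE block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// buildConstructedChain creates an in-memory CA and server certificate shaped like the keytool
// output above (CA with ca:true; leaf with digitalSignature+keyEncipherment and one DNS SAN).
// All values are constructed sample data; nothing is written to disk.
func buildConstructedChain(caName, leafCN, san string) (caPEM, leafPEM []byte, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"MyOrg"}, CommonName: caName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(0, 0, 3650), // -validity 3650
		IsCA:                  true,                   // -ext bc:c
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Organization: []string{"MyOrg"}, CommonName: leafCN},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(0, 0, 1800),                                      // -validity 1800
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, // -ext ku:c=dig,keyenc
		DNSNames:     []string{san},                                                // -ext SAN=dns:<san>
	}
	// The CA template serves as parent: its Subject becomes the leaf's Issuer, signed with caKey.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caTmpl, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(caDER), toPEM(leafDER), nil
}

func main() {
	var caPEM, leafPEM []byte
	var err error
	hosts := []string{"api.staging.platform.net", "staging.platform.net", "a.b.staging.platform.net"}
	if len(os.Args) == 4 { // go run verify.go <ca.crt> <server.crt> <hostname>: check files on disk
		hosts = os.Args[3:]
		if caPEM, err = os.ReadFile(os.Args[1]); err == nil {
			leafPEM, err = os.ReadFile(os.Args[2])
		}
	} else { // no arguments: self-check a constructed chain to show which hosts a wildcard SAN covers
		caPEM, leafPEM, err = buildConstructedChain("serverca", "staging.platform.net", "*.staging.platform.net")
	}
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(2)
	}
	for _, h := range hosts {
		if err := verifyChainPEM(caPEM, leafPEM, h); err != nil {
			fmt.Printf("%-26s REJECTED: %v\n", h, err)
		} else {
			fmt.Printf("%-26s accepted\n", h)
		}
	}
}
```

Against the guide's outputs, run it as `go run verify.go server/serverca.crt server/staging.platform.net.crt api.staging.platform.net`; a REJECTED line names the reason (unknown authority, expired, or hostname not covered by the SAN), which is more actionable than eyeballing the keytool listing. The self-check run also makes the Info note concrete: only the one-label host is accepted under *.staging.platform.net, so a gateway that must also answer for the bare domain needs that name added as a second SAN entry when the certificate is issued.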