This guide explains the self-signed certificates used for secure communication between Linqra components.

For your convenience, all necessary certificates are pre-generated and available in the Linqra/keys folder. You can use these certificates directly for local development.

Pre-Generated Certificates

The following certificates and keystores are available in the Linqra/keys directory:

keys/
├── # Core Component Certificates
├── client-cert.pem                   # Client certificate
├── client-keystore.jks               # Client keystore
├── client-truststore.jks             # Client truststore

├── # Gateway Certificates
├── gateway-cert.pem                  # Gateway certificate (local)
├── gateway-keystore.jks              # Gateway keystore (local)
├── gateway-cert-container.pem        # Gateway certificate (container)
├── gateway-keystore-container.jks    # Gateway keystore (container)
├── gateway-truststore.jks            # Gateway truststore

├── # Eureka Discovery Certificates
├── eureka-cert.pem                   # Eureka certificate (local)
├── eureka-keystore.jks               # Eureka keystore (local)
├── eureka-cert-container.pem         # Eureka certificate (container)
├── eureka-keystore-container.jks     # Eureka keystore (container)
├── eureka-truststore.jks             # Eureka truststore

├── # Service-Specific Certificates
├── inventory-cert-container.pem      # Inventory service certificate
├── inventory-keystore-container.jks  # Inventory service keystore
├── product-cert-container.pem        # Product service certificate
└── product-keystore-container.jks    # Product service keystore

All keystores and truststores are protected with the default password 123456. The certificates are organized into:

  • Core client certificates for general use
  • Gateway certificates for both local and containerized environments
  • Eureka discovery certificates for both local and containerized environments
  • Service-specific certificates for containerized microservices

Certificate Generation

If you need to regenerate the certificates or understand how they were created, follow the instructions below.

Client Certificate

Generate a generic client certificate for your microservices:

# Generate client keystore
keytool -genkeypair -alias client-app -keyalg RSA -keysize 2048 \
  -keystore client-keystore.jks -validity 3650 -storetype PKCS12 \
  -dname "CN=localhost, OU=Software, O=Dipme, L=Richmond, ST=TX, C=US" \
  -storepass 123456 -keypass 123456

# Export client certificate (-rfc writes PEM text; without it keytool writes binary DER)
keytool -exportcert -rfc -alias client-app -file client-cert.pem \
  -keystore client-keystore.jks -storepass 123456

Gateway Certificates

Generate certificates for the API Gateway:

# For local development
keytool -genkeypair -alias gateway-app -keyalg RSA -keysize 2048 \
  -keystore gateway-keystore.jks -validity 3650 -storetype PKCS12 \
  -dname "CN=localhost, OU=Software, O=Dipme, L=Richmond, ST=TX, C=US" \
  -storepass 123456 -keypass 123456

keytool -exportcert -rfc -alias gateway-app -file gateway-cert.pem \
  -keystore gateway-keystore.jks -storepass 123456

# For containerized environment
keytool -genkeypair -alias gateway-app-container -keyalg RSA -keysize 2048 \
  -keystore gateway-keystore-container.jks -validity 3650 -storetype PKCS12 \
  -dname "CN=api-gateway-service, OU=Software, O=Dipme, L=Richmond, ST=TX, C=US" \
  -storepass 123456 -keypass 123456

keytool -exportcert -rfc -alias gateway-app-container -file gateway-cert-container.pem \
  -keystore gateway-keystore-container.jks -storepass 123456

Discovery Server Certificates

Generate certificates for the Eureka Discovery Server:

# For local development
keytool -genkeypair -alias eureka-app -keyalg RSA -keysize 2048 \
  -keystore eureka-keystore.jks -validity 3650 -storetype PKCS12 \
  -dname "CN=localhost, OU=Software, O=Dipme, L=Richmond, ST=TX, C=US" \
  -storepass 123456 -keypass 123456

keytool -exportcert -rfc -alias eureka-app -file eureka-cert.pem \
  -keystore eureka-keystore.jks -storepass 123456

# For containerized environment
keytool -genkeypair -alias eureka-app-container -keyalg RSA -keysize 2048 \
  -keystore eureka-keystore-container.jks -validity 3650 -storetype PKCS12 \
  -dname "CN=discovery-service, OU=Software, O=Dipme, L=Richmond, ST=TX, C=US" \
  -storepass 123456 -keypass 123456

keytool -exportcert -rfc -alias eureka-app-container -file eureka-cert-container.pem \
  -keystore eureka-keystore-container.jks -storepass 123456

Service-Specific Certificates

For containerized environments, generate certificates for each service:

# Inventory Service
keytool -genkeypair -alias inventory-service-container -keyalg RSA -keysize 2048 \
  -keystore inventory-keystore-container.jks -validity 3650 -storetype PKCS12 \
  -dname "CN=inventory-service, OU=Software, O=Dipme, L=Richmond, ST=TX, C=US" \
  -storepass 123456 -keypass 123456

keytool -exportcert -rfc -alias inventory-service-container \
  -file inventory-cert-container.pem \
  -keystore inventory-keystore-container.jks -storepass 123456

# Product Service
keytool -genkeypair -alias product-service-container -keyalg RSA -keysize 2048 \
  -keystore product-keystore-container.jks -validity 3650 -storetype PKCS12 \
  -dname "CN=product-service, OU=Software, O=Dipme, L=Richmond, ST=TX, C=US" \
  -storepass 123456 -keypass 123456

keytool -exportcert -rfc -alias product-service-container \
  -file product-cert-container.pem \
  -keystore product-keystore-container.jks -storepass 123456

Truststore Configuration

Gateway Truststore

Import all certificates into the gateway truststore:

keytool -importcert -file gateway-cert.pem -alias gateway-app \
  -keystore gateway-truststore.jks -storepass 123456
keytool -importcert -file gateway-cert-container.pem -alias gateway-app-container \
  -keystore gateway-truststore.jks -storepass 123456
keytool -importcert -file client-cert.pem -alias client-app \
  -keystore gateway-truststore.jks -storepass 123456
keytool -importcert -file inventory-cert-container.pem -alias inventory-service-container \
  -keystore gateway-truststore.jks -storepass 123456
keytool -importcert -file product-cert-container.pem -alias product-service-container \
  -keystore gateway-truststore.jks -storepass 123456
keytool -importcert -file eureka-cert.pem -alias eureka-app \
  -keystore gateway-truststore.jks -storepass 123456
keytool -importcert -file eureka-cert-container.pem -alias eureka-app-container \
  -keystore gateway-truststore.jks -storepass 123456

Client Truststore

Import all certificates into the client truststore:

keytool -importcert -file client-cert.pem -alias client-app \
  -keystore client-truststore.jks -storepass 123456
keytool -importcert -file inventory-cert-container.pem -alias inventory-service-container \
  -keystore client-truststore.jks -storepass 123456
keytool -importcert -file product-cert-container.pem -alias product-service-container \
  -keystore client-truststore.jks -storepass 123456
keytool -importcert -file gateway-cert.pem -alias gateway-app \
  -keystore client-truststore.jks -storepass 123456
keytool -importcert -file gateway-cert-container.pem -alias gateway-app-container \
  -keystore client-truststore.jks -storepass 123456
keytool -importcert -file eureka-cert.pem -alias eureka-app \
  -keystore client-truststore.jks -storepass 123456
keytool -importcert -file eureka-cert-container.pem -alias eureka-app-container \
  -keystore client-truststore.jks -storepass 123456

Eureka Truststore

Import all certificates into the Eureka truststore:

keytool -importcert -file gateway-cert.pem -alias gateway-app \
  -keystore eureka-truststore.jks -storepass 123456
keytool -importcert -file client-cert.pem -alias client-app \
  -keystore eureka-truststore.jks -storepass 123456
keytool -importcert -file inventory-cert-container.pem -alias inventory-service-container \
  -keystore eureka-truststore.jks -storepass 123456
keytool -importcert -file product-cert-container.pem -alias product-service-container \
  -keystore eureka-truststore.jks -storepass 123456
keytool -importcert -file gateway-cert-container.pem -alias gateway-app-container \
  -keystore eureka-truststore.jks -storepass 123456

Verification

To verify the contents of any truststore:

keytool -list -v -keystore <truststore-name>.jks -storepass 123456

Replace <truststore-name> with either gateway-truststore, client-truststore, or eureka-truststore.
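
A check to run after the imports above, as an added example that is not part of the Linqra project: it reads `keytool -list` output and reports expected aliases that are missing, plus any alias stored as a private-key entry, which a truststore should never hold. The embedded listing is constructed sample data, the function names are assumptions, and the alias set is the gateway truststore's from this guide.

```shell
#!/bin/sh
# Added example (not project code). Both functions read `keytool -list` output on stdin.

# Print the expected aliases (arguments) that are NOT present as trustedCertEntry.
missing_aliases() {
    listing=$(cat)
    missing=""
    for want in "$@"; do
        # Entry lines look like: "<alias>, <date>, trustedCertEntry,"
        printf '%s\n' "$listing" | grep -q "^${want}, .*trustedCertEntry" \
            || missing="${missing}${missing:+ }${want}"
    done
    printf '%s\n' "$missing"
}

# Print aliases stored as PrivateKeyEntry; a truststore should hold none.
private_key_aliases() {
    sed -n 's/^\([^,]*\), .*PrivateKeyEntry,.*$/\1/p'
}

# Constructed sample listing (fingerprints are placeholders, not real values).
sample_listing() {
    cat <<'EOF'
Keystore type: PKCS12
Your keystore contains 6 entries

gateway-app, Jan 5, 2025, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
gateway-app-container, Jan 5, 2025, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
client-app, Jan 5, 2025, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <placeholder>
inventory-service-container, Jan 5, 2025, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
eureka-app, Jan 5, 2025, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
eureka-app-container, Jan 5, 2025, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
EOF
}

EXPECTED="gateway-app gateway-app-container client-app inventory-service-container product-service-container eureka-app eureka-app-container"

echo "missing: $(sample_listing | missing_aliases $EXPECTED)"
echo "private keys: $(sample_listing | private_key_aliases)"
# Real use: keytool -list -keystore gateway-truststore.jks -storepass 123456 | missing_aliases $EXPECTED
```
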

Edge Service SSL Configuration

For secure local development of the Edge Service, you’ll need to set up additional SSL certificates. These certificates enable HTTPS access through https://localhost:3000.

Generate Edge Service Certificate

Navigate to the keys directory and generate the required certificate:

# Navigate to keys directory
cd keys

# Generate certificate and private key
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout edge-private.key \
    -out edge-certificate.crt \
    -subj "/C=US/ST=Texas/L=Houston/O=Development/OU=IT/CN=localhost"

Trust the Certificate

# macOS: add the certificate to the System keychain as a trusted root
sudo security add-trusted-cert -d -r trustRoot \
    -k /Library/Keychains/System.keychain edge-certificate.crt

Security Best Practices

Never commit private keys or certificates to version control. These files should be generated locally and kept secure.

Add the following to your .gitignore file:

# SSL/TLS Certificates
keys/*.key
keys/*.crt

The generated Edge Service certificate is valid for 365 days. For production environments, always use proper CA-signed certificates.

Certificate Details

The Edge Service certificate is configured with the following properties:

  • Validity: 365 days
  • Key Type: RSA 2048-bit
  • Common Name (CN): localhost
  • Organization Unit (OU): IT
  • Organization (O): Development
  • Location (L): Houston
  • State (ST): Texas
  • Country (C): US

Directory Structure

After generating the Edge Service certificates, your keys directory will include:

keys/
├── # Existing certificates ...
├── edge-certificate.crt          # Edge Service certificate
└── edge-private.key              # Edge Service private key

Ensure proper file permissions are set on the private key:

  • Linux/macOS: chmod 600 edge-private.key
  • Windows: Restrict access through file properties
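
An added example (not Linqra's own tooling) that audits the Edge Service pair for the points this section raises: key mode 600, remaining validity, and that the private key actually belongs to the certificate. The function names and the 30-day default threshold are assumptions, and the key pair it checks is a throwaway one built with the openssl command from this guide.

```shell
#!/bin/sh
# Added example (not project code): audit the Edge Service key pair.
# Usage: audit_edge_pair <cert> <key> [min_days_left]; returns non-zero on any finding.
audit_edge_pair() {
    cert=$1; key=$2; days=${3:-30}; rc=0

    # 1. Private key readable by its owner only (the chmod 600 step).
    #    GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$mode" = "600" ] || { echo "FAIL: $key has mode $mode, expected 600"; rc=1; }

    # 2. Certificate still valid for at least $days more days.
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null \
        || { echo "FAIL: $cert expires within $days days"; rc=1; }

    # 3. Key and certificate carry the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: $key does not match $cert"; rc=1; }

    return $rc
}

# Build a throwaway pair with the guide's openssl command (constructed test input).
make_pair() {  # usage: make_pair <dir> <days>
    openssl req -x509 -nodes -days "$2" -newkey rsa:2048 \
        -keyout "$1/edge-private.key" -out "$1/edge-certificate.crt" \
        -subj "/C=US/ST=Texas/L=Houston/O=Development/OU=IT/CN=localhost" 2>/dev/null
}

tmp=$(mktemp -d)
make_pair "$tmp" 365
chmod 644 "$tmp/edge-private.key"   # simulate a key left world-readable
audit_edge_pair "$tmp/edge-certificate.crt" "$tmp/edge-private.key" || echo "audit reported findings"
chmod 600 "$tmp/edge-private.key"
audit_edge_pair "$tmp/edge-certificate.crt" "$tmp/edge-private.key" && echo "audit clean"
rm -rf "$tmp"
```
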