Answer by Dariusz K.
Depending on how you obtained the certificate and the private key, please follow the procedure below.
If you're about to create the key and certificate to get it signed, please start from the beginning; if you're expecting to get the certificate(s) and the key from your team, please start from step 4. In this case, please also make sure that the key is saved in RSA format.
An RSA private key should contain the following string:
-----BEGIN RSA PRIVATE KEY-----
So, here's the meat:
1. Create the key (if you haven't received the key and cert from the issuer and you will be generating the key and cert request):
keytool -genkeypair -keyalg rsa -keystore [keystorename].jks -storepass [keystorepassword] -alias [alias]
2. Create cert request using names defined in previous step:
keytool -certreq -alias [alias] -keystore [keystorename].jks -storepass [keystorepassword] -file my_new_cert.csr -validity [number of days]
3. Send the certificate request file (my_new_cert.csr in this example) out to be signed.
4. Make sure your certificate is in Base64 X509 format; if not, make the proper conversion:
(a) In case you received your signed cert from root CA:
(b) In case you received your signed cert from non-root CA:
If the certificate was not issued by a trusted CA, the connecting device will then check to see if the certificate of the issuing CA was issued by a trusted CA,
and so on until a trusted CA is found. If no trusted CA is found, a warning message is displayed. The chain file provides the correct certificate path.
In our example the following command will create the chain:
type signed_cert.cer intermediate.cer root.cer > chain.txt
5. Convert the exported PKCS12 binary file to PEM format (or convert from whatever format your issuer sent it in, if you received it along with the certificate):
openssl.exe pkcs12 -in [path.to]pkey.p12 -nodes -nocerts -out [path.to]pkey.pem
6. Configure the following settings in the common.properties file:
Point connector.ssl.SSLCertificateFile to the signed certificate file converted to X509 (signed_cert.cer).
Point connector.ssl.SSLCertificateKeyFile to the key you generated using the keytool, for example pkey.pem.
Point connector.ssl.SSLCertificateChainFile to the chain of certificates, that is the chain.txt you created by joining the contents of the .cer files.
7. Set the key password.
I hope this will clarify the SSL certificate installation a bit.
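As an added example (not part of the answer above), a small pre-flight check of the three files that step 6 points to, using the PEM conventions the answer describes: the certificate is one Base64 X509 block, the key is in RSA PEM format (so step 5 was done), and the chain starts with the signed certificate in the same order as the `type` command. The sample PEM bodies are constructed placeholders, not real certificates or keys.

```python
import re

# One PEM block: "-----BEGIN <label>-----", Base64 body, "-----END <label>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, body), ...] for every PEM block in text, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def check_material(cert_text, key_text, chain_text):
    """Return a list of problems; an empty list means the three files look consistent."""
    problems = []
    certs = pem_blocks(cert_text)
    if len(certs) != 1 or certs[0][0] != "CERTIFICATE":
        problems.append("SSLCertificateFile must contain exactly one Base64 X509 CERTIFICATE block")
    keys = pem_blocks(key_text)
    if not keys:
        # A raw .p12 (or DER) key has no PEM header at all: step 5 was skipped.
        problems.append("SSLCertificateKeyFile is not PEM: step 5 (openssl pkcs12 -nodes -nocerts) not done")
    elif keys[0][0] != "RSA PRIVATE KEY":
        problems.append("key block is '%s', expected 'RSA PRIVATE KEY'" % keys[0][0])
    chain = pem_blocks(chain_text)
    if len(chain) < 2 or any(label != "CERTIFICATE" for label, _ in chain):
        problems.append("SSLCertificateChainFile must hold the signed cert followed by intermediate and root certs")
    elif certs and chain[0] != certs[0]:
        problems.append("first certificate in the chain must be the signed certificate (signed_cert.cer first)")
    return problems


def _pem(label, body):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed stand-ins; the bodies are placeholders, not real key or certificate material.
SIGNED_CERT = _pem("CERTIFICATE", "U0lHTkVEX0NFUlQ=")
INTERMEDIATE = _pem("CERTIFICATE", "SU5URVJNRURJQVRF")
ROOT = _pem("CERTIFICATE", "Uk9PVA==")
RSA_KEY = _pem("RSA PRIVATE KEY", "UFJJVkFURV9LRVk=")
GOOD_CHAIN = SIGNED_CERT + INTERMEDIATE + ROOT          # order produced by the `type` command
WRONG_ORDER_CHAIN = ROOT + INTERMEDIATE + SIGNED_CERT   # root first: wrong
UNCONVERTED_KEY = "0\x82\x03binary pkcs12 placeholder"  # step 5 skipped

if __name__ == "__main__":
    for name, key, chain in (("good", RSA_KEY, GOOD_CHAIN),
                             ("wrong chain order", RSA_KEY, WRONG_ORDER_CHAIN),
                             ("key not converted", UNCONVERTED_KEY, GOOD_CHAIN)):
        print(name, "->", check_material(SIGNED_CERT, key, chain) or "OK")
```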
Answer by Adam P.
Do you mean:
Answer by Vlad S.
Need your help here. I've done the same procedure for CAS as described here but faced the error java.lang.exception: cannot create new ssl.
Basically TCP443 is open,
What I've not done is step #5. Which certificate should I convert to PEM, and why is it needed, if the common.properties file contains links only to the CER, chain and private key?
Looking forward to your help.
Thanks in advance
Answer by Ulf T.
And don't forget you need to tighten up the other components also: