User Tools

Site Tools


pub:esndfilurlcert

ESNDFILURLCERT

Example to create and change a working directory in Qshell: /home/agavecerts2016

 
Step1: Create client certificate keystore agave.keystore
keytool -genkey -alias agave -keyalg RSA -keystore agave.keystore -keysize 2048
 
(Password is: inform)
Enter keystore password: inform
Re-enter new password: inform
What is your first and last name?
  [Unknown]:  inFORM Decisions
What is the name of your organizational unit?
  [Unknown]:  inFORM Decisions
What is the name of your organization?
  [Unknown]:  inFORM Decisions
What is the name of your City or Locality?
  [Unknown]:  Rancho Santa Margarita
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=inFORM Decisions, OU=inFORM Decisions, O=inFORM Decisions, L=Rancho Santa
Magarita, ST=California, C=US correct?
  [no]:  yes
 
Step 2: Create Certificate Request and send file agave.csr in /home/agavecerts2016 to ADP, 
ask them sign into this file. ADP will send us a .der file, name it to agave.der
keytool -certreq -alias agave -file agave.csr -keystore agave.keystore
 
Step 3: Import certificates into keystore file: Put agave.der (client certificate) and all ADP server CA certificates into folder /home/agavecerts2016. In Qshell, change to this directory as current directory. 
Import CA certificates of ADP into the agave.keystore in proper order: Root CA, Intermediate CA, User CA
Import server certificate: keytool -import –v -trustcacerts -alias serverCA -file serverCA.der -keystore agave.keystore
Import client certificate: keytool -import –v -trustcacerts -alias agave -file agave.der -keystore agave.keystore (if the certificate was there, do not override it, just let it be)
 
Step 4: Import new client-signed (.der file) and server CA certificates into JRE cacerts
keytool -import –v -trustcacerts -alias serverCA -file serverCA.der -keystore <$JAVA_HOME>/lib/security/cacerts -storepass changeit
keytool -import –v -trustcacerts -alias agave -file agave.der -keystore <$JAVA_HOME>/lib/security/cacerts -storepass changeit
 
(password is changeit)
 
Note: Client and server certificates must be imported into both .keystore and cacerts files with same commands
Use command ESNDFILURL with parameters KEYSTORE(‘/home/agavercerts/agave.keystore’) KSPASS(‘inform’) TRUSTSTORE(‘<$JAVA_HOME>/lib/security/cacerts’) TSPASS(‘changeit’) KSALIAS(‘agave’)
Use command ERCVFILURL with parameters KEYSTORE(‘/home/agavercerts/agave.keystore’) KSPASS(‘inform’) TRUSTSTORE(‘<$JAVA_HOME>/lib/security/cacerts’) TSPASS(‘changeit’)
 
Some properties that are used in programs:
com.ifd.sendreceive.ssl.version=TLS -> If not specified, TLS is default value
javax.net.ssl.trustStore -> Point to cacerts file. If specified, it will override the parameter TRUSTSTORE
 
Useful commands:
+ To view alias name in keystore, and ensure that alias agave exists in the list
keytool -list -v -keystore agave.keystore
OR
keytool -list -v -keystore agave.keystore -alias agave
 
+ List Trusted CA Certs: ensure that ADP server certificates must exist in this file
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
 
+ Import New CA into Trusted Certs
keytool -import -trustcacerts -file /path/to/ca/ca.der -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

Note: Backup your agave.keystore and ‘<$JAVA_HOME>/lib/security/cacerts files. Next time, we just need to restore these files when you upgrade the system

pub/esndfilurlcert.txt · Last modified: 2018/06/22 16:31 by kkramer