To resolve this issue, the current certificate must be replaced with a new certificate obtained from a trusted certificate authority that contains a subjectAlternativeName extension. The following are procedures that can be used to make this change on the WCC server.
Generate a Private Key and Self-Signed Certificate
Follow these steps:
- Run the following commands in a shell window (on UNIX) or from a command prompt (on Windows):
-
UNIX:
$CA_WCC_INSTALL_LOCATION/jre/bin/keytool -delete -alias tomcat \
-keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore \
-storepass changeit
-
Windows:
%CA_WCC_INSTALL_LOCATION%\jre\bin\keytool -delete -alias tomcat ^
-keystore %CA_WCC_INSTALL_LOCATION%\data\config\.keystore ^
-storepass changeit
Note: The default name of the key is tomcat. To access the keystore, you also need the keystore password. The default password is changeit.
The previous key is removed from the keystore.
- Run the following commands in a shell window (on UNIX) or from a command prompt (on Windows):
-
UNIX:
$CA_WCC_INSTALL_LOCATION/jre/bin/keytool -genkey -alias tomcat \
-keyalg RSA \
-keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore \
-storepass changeit \
-keypass changeit \
-keysize 2048 \
-dname "cn=WCC_SERVER_NAME" \
-ext san=dns:WCC_SERVER_NAME \
-validity 14600
-
Windows:
%CA_WCC_INSTALL_LOCATION%\jre\bin\keytool -genkey -alias tomcat ^
-keyalg RSA ^
-keystore %CA_WCC_INSTALL_LOCATION%\data\config\.keystore ^
-storepass changeit ^
-keypass changeit ^
-keysize 2048 ^
-dname "cn=WCC_SERVER_NAME" ^
-ext san=dns:WCC_SERVER_NAME ^
-validity 14600
Notes:
- The keysize argument lets you specify the key size. Typical values are 1024 or 2048.
- WCC_SERVER_NAME is the name of your CA WCC server.
- The validity argument lets you specify the certificate validity period in days.
A new private key and self-signed certificate are generated.
Request a Certificate
To use a certificate from a trusted certificate authority, create a certificate request file and send it to the certificate authority. The certificate authority will send you the certificate.
Follow these steps:
- Run the following commands in a shell window (on UNIX) or from a command prompt (on Windows):
-
UNIX:
$CA_WCC_INSTALL_LOCATION/jre/bin/keytool -certreq -alias tomcat \
-keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore \
-storepass changeit \
-file certreq.csr
-
Windows:
%CA_WCC_INSTALL_LOCATION%\jre\bin\keytool -certreq -alias tomcat ^
-keystore %CA_WCC_INSTALL_LOCATION%\data\config\.keystore ^
-storepass changeit ^
-file certreq.csr
A certificate request file (certreq.csr) is generated.
- Send the certificate request file to the certificate authority. Contact the certificate authority for specific instructions.
Note: CA WCC uses certificates in PEM or DER format. When using the PEM format, the certificate must not contain any information before the BEGIN CERTIFICATE marker or after the END CERTIFICATE marker.
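The PEM requirement in the note above can be checked and enforced before the import. The following is an added example, not part of the vendor procedure; pem_extract and pem_is_clean are hypothetical helper names and the sample file is constructed.

```shell
# Added example, not vendor code. pem_extract and pem_is_clean are
# hypothetical helper names; the sample file below is constructed.

# Print only the BEGIN CERTIFICATE ... END CERTIFICATE blocks of file $1.
# Dropping CR characters (Windows line endings) is this example's choice.
pem_extract() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
        inside                          { print }
        /^-----END CERTIFICATE-----$/   { inside = 0 }'
}

# Succeed only if file $1 contains a certificate and nothing outside
# the markers.
pem_is_clean() {
    out=$(pem_extract "$1")
    [ -n "$out" ] && [ "$out" = "$(cat "$1")" ]
}

# Constructed CA reply with text before and after the certificate,
# as some export tools produce. The base64 body is a placeholder.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Bag Attributes
    friendlyName: tomcat
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
issued for WCC_SERVER_NAME
EOF

# Write a cleaned copy only when the original is not already clean.
if ! pem_is_clean "$sample"; then
    pem_extract "$sample" > "$sample.clean"   # file to pass to -importcert
fi
```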
Add the Certificates to the Keystore
Add the certificates to the keystore after you receive your private certificate.
Follow these steps:
- Run the following commands in a shell window (on UNIX) or from a command prompt (on Windows) to add the certificate of the root certificate authority to the keystore:
-
UNIX:
$CA_WCC_INSTALL_LOCATION/jre/bin/keytool -importcert -alias RootCA \
-file RootCA.cer \
-keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore \
-storepass changeit
-
Windows:
%CA_WCC_INSTALL_LOCATION%\jre\bin\keytool -importcert -alias RootCA ^
-file RootCA.cer ^
-keystore %CA_WCC_INSTALL_LOCATION%\data\config\.keystore ^
-storepass changeit
The certificate of the root certificate authority is added to the keystore.
- (Optional) Run the following commands in a shell window (on UNIX) or from a command prompt (on Windows) to add a certificate of a subordinate authority to the keystore:
-
UNIX:
$CA_WCC_INSTALL_LOCATION/jre/bin/keytool -importcert -alias SubCA \
-file SubCA.cer \
-keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore \
-storepass changeit
-
Windows:
%CA_WCC_INSTALL_LOCATION%\jre\bin\keytool -importcert -alias SubCA ^
-file SubCA.cer ^
-keystore %CA_WCC_INSTALL_LOCATION%\data\config\.keystore ^
-storepass changeit
The certificate of the subordinate authority is added to the keystore.
- Repeat Step 2 for each certificate of the subordinate authority you have downloaded.
- Run the following commands in a shell window (on UNIX) or from a command prompt (on Windows) to add your private certificate to the keystore:
-
UNIX:
$CA_WCC_INSTALL_LOCATION/jre/bin/keytool -importcert -trustcacerts \
-file certificate.cer -alias tomcat \
-keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore \
-storepass changeit
-
Windows:
%CA_WCC_INSTALL_LOCATION%\jre\bin\keytool -importcert -trustcacerts ^
-file certificate.cer -alias tomcat ^
-keystore %CA_WCC_INSTALL_LOCATION%\data\config\.keystore ^
-storepass changeit
The private certificate is added to the keystore.
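Because the point of this procedure is a certificate that carries a subjectAlternativeName, it is worth confirming that the tomcat entry lists the server name before restarting. The following is an added example, not part of the vendor procedure: san_dns_names and has_san_dns are hypothetical helpers that parse keytool's verbose text output, and the host name wcc01.example.com and both sample outputs are constructed.

```shell
# Added example, not vendor code. san_dns_names and has_san_dns are
# hypothetical helpers that read keytool's verbose text output on stdin
# (keytool -list -v, -printcert or -printcertreq).

# Print each DNSName listed inside a SubjectAlternativeName [ ... ] block.
san_dns_names() {
    awk '
        /SubjectAlternativeName \[/ { in_san = 1; next }
        in_san && /^\]/             { in_san = 0 }
        in_san && /DNSName:/ {
            sub(/^.*DNSName:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print
        }'
}

# Succeed only if host $1 is listed as a DNSName (exact, case-insensitive;
# wildcard entries are not expanded).
has_san_dns() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    san_dns_names | tr 'A-Z' 'a-z' | grep -qxF -- "$want"
}

# Constructed keytool-style output: a certificate with a SAN ...
sample_with_san() {
    cat <<'EOF'
Alias name: tomcat
Owner: CN=wcc01.example.com
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: wcc01.example.com
]
EOF
}

# ... and one that carries only a subject CN.
sample_without_san() {
    cat <<'EOF'
Alias name: tomcat
Owner: CN=wcc01.example.com
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
]
EOF
}

# Real use (paths and password as in the steps above):
#   "$CA_WCC_INSTALL_LOCATION/jre/bin/keytool" -list -v -alias tomcat \
#     -keystore "$CA_WCC_INSTALL_LOCATION/data/config/.keystore" \
#     -storepass changeit | has_san_dns WCC_SERVER_NAME
```

The same check can be run on the request file before it is sent, by piping the output of keytool -printcertreq -file certreq.csr into has_san_dns.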
Restart CA WCC Services
After you generate, obtain, or import the key and certificate, restart CA WCC services.
UNIX:
To restart CA WCC services on UNIX, run the following command in a shell window:
unisrvcntr restart CA-wcc-services
Windows:
Follow these steps:
- Open the Services window.
- Select CA-wcc-services and click the Restart button.
The Restart Other Services dialog opens.
- Click Yes.
The dialog closes and CA WCC services are restarted.
Note: After you restart CA WCC services, verify that the CA WCC servers have started before you use or perform operations with CA WCC. To display the CA WCC server startup status, run the following command:
UNIX:
grep "startup in" $CA_WCC_INSTALL_LOCATION/log/*.log
Windows:
findstr /C:"startup in" "%CA_WCC_INSTALL_LOCATION%"\log\*.log