How can I use DXcertgen to create client certificates, and store them in the JXplorer keystores?

Document ID : KB000054076
Last Modified Date : 14/02/2018

Description

You can use dxcertgen to create user certificates at the same time as generating the DSA certificates.
By specifying the location of, and passwords to, the Java keystores, dxcertgen can automatically
add the newly created CA and user certificates to the CA keystore and the client keystore.

Solution

Assumptions

The DSA that you will be using to authenticate will have a prefix of:

"o=Democorp,c=au"

The LDIF containing the user entries will be located in the root of C Drive (C:\).

Procedure

In order to create user certificates using dxcertgen, you need to have the following already prepared:

  • An LDIF file that contains the list of DNs that you want to use.
  • Java environment variables set up.
  • The location of the JXplorer keystores and their respective passwords.

Create the LDIF file

The LDIF file can be a full LDIF dump of the selected users.
Make a note of where you save this file, as its fully qualified path will be used when generating the certificates.

In the LDIF file below, the following user certificates will be created:

  • cn=Joe Bloggs,ou=Information,ou=Corporate,o=Democorp,c=au
  • cn=Marjorie SIMPER,ou=Information,ou=Corporate,o=Democorp,c=au

version: 1
dn: cn=Joe Bloggs,ou=Information,ou=Corporate,o=Democorp,c=au
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Joe Bloggs
sn: BLOGGS

dn: cn=Marjorie SIMPER,ou=Information,ou=Corporate,o=Democorp,c=au
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Marjorie SIMPER
sn: SIMPER

Java Environment Variables Configured

In order to run the dxcertgen tool and have it access the keystores, you will need to define several environment variables.

  • Set the environment variable JAVA_HOME to the JRE path, for example:

    C:\Program Files\Java\jre1.6.0_07

  • Ensure that the environment variable PATH includes the Java bin folder, for example:

    C:\Program Files\Java\jre1.6.0_07\bin

  • To verify, run the following command:

    keytool

The output of keytool will begin with the following:

C:\>keytool
keytool usage:

-certreq     [-v] [-protected]
             [-alias <alias>] [-sigalg <sigalg>]
             [-file <csr_file>] [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

Note: keytool is a Java utility and is documented on the keytool page of the Java web site, http://java.sun.com.

Location of keystores

The location of the keystores for the open source version of Jxplorer can be found in the following
folder (assuming that the default installation location was used):

C:\Program Files\JXplorer\security

The keystores and their default passwords are listed below:

Figure 1

Running the Dxcertgen command

The dxcertgen command below performs several tasks. They are:

  1. Create a new CA keypair and certificate.
  2. Create a new DSA keypair for each DSA in the DXHOME/config/knowledge folder.
  3. Sign each DSA certificate using the CA created in step 1.
  4. Create and sign each user certificate as it parses the LDIF file specified.
  5. Store the CA certificate and the user certificates in the respective keystores.

dxcertgen -u "C:\users.ldif" -c "C:\Program Files\JXplorer\security\clientcerts" -C passphrase -s "C:\Program Files\JXplorer\security\cacerts" -S changeit certs

The output of the dxcertgen command will look like the following:

Setting root certificate and public/private keys for signing...
Exporting certificate 'dxcertgen' from C:\Program Files\JXplorer\security\cacerts...
alias 'dxcertgen' not found
Generating public and private key pair...
Generating key pair for 'dxcertgen' in C:\Program Files\JXplorer\security\cacerts...
Exporting certificate 'dxcertgen' from C:\Program Files\JXplorer\security\cacerts...
Generating an x509 v3 certificate...
Signing certificate with trusted root CA's private key...
Importing certificate 'dxcertgen' into C:\Program Files\JXplorer\security\cacerts...
Importing certificate 'dxcertgen' into C:\Program Files\JXplorer\security\clientcerts...
Writing root certificate to trusted.pem...

Generating DXserver personalities from server files...
Generating a new personality certificate for lang...
Generating a 1024-bit RSA public/private key pair..............++++++............++++++
Generating an x509 v3 certificate...
Signing certificate with trusted root CA's private key...
Writing personality certificate to C:\Program Files\CA\Directory\dxserver\config\ssld\personalities\lang.pem...
Generating a new personality certificate for democorp...
Generating a 1024-bit RSA public/private key pair.......................................................++++++...............++++++
Generating an x509 v3 certificate...
Signing certificate with trusted root CA's private key...
Writing personality certificate to C:\Program files\CA\Directory\dxserver\config\ssld\personalities\democorp.pem...

Generating user certificates...

Generating a new user certificate for Joe_Bloggs...
Generating public and private key pair...
Generating key pair for 'Joe_Bloggs' in C:\Program Files\JXplorer\security\clientcerts...
Exporting certificate 'Joe_Bloggs' from C:\Program Files\JXplorer\security\clientcerts...
Generating an x509 v3 certificate...
Signing certificate with trusted root CA's private key...
Importing certificate 'Joe_Bloggs' into C:\Program Files\JXplorer\security\clientcerts...
Generating a new user certificate for Marjorie_SIMPER...
Generating public and private key pair...
Generating key pair for 'Marjorie_SIMPER' in C:\Program Files\JXplorer\security\clientcerts...
Exporting certificate 'Marjorie_SIMPER' from C:\Program Files\JXplorer\security\clientcerts...
Generating an x509 v3 certificate...
Signing certificate with trusted root CA's private key...
Importing certificate 'Marjorie_SIMPER' into C:\Program Files\JXplorer\security\clientcerts...

Done.

Verification

Once the command is complete, you should see the following certificates in the Java Keystores that Jxplorer accesses:

Figure 2

Figure 3
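As an added, scriptable alternative to checking the keystores by eye in JXplorer (this is example code, not part of the article or of dxcertgen), the script below parses the users LDIF, derives the aliases dxcertgen is expected to have created, and checks a captured `keytool -list` listing of the clientcerts keystore for them. The sample LDIF and listing are constructed; the alias rule (cn with spaces replaced by underscores, as in the output above) is assumed to hold for every cn.

```python
import re

# Constructed sample input: the two user entries from the article's LDIF (trimmed).
USERS_LDIF = """version: 1
dn: cn=Joe Bloggs,ou=Information,ou=Corporate,o=Democorp,c=au
sn: BLOGGS

dn: cn=Marjorie SIMPER,ou=Information,ou=Corporate,o=Democorp,c=au
sn: SIMPER
"""

# Constructed sample of `keytool -list -keystore clientcerts` output (not a real capture).
CLIENTCERTS_LISTING = """Keystore type: JKS
Your keystore contains 3 entries

dxcertgen, 14/02/2018, trustedCertEntry,
joe_bloggs, 14/02/2018, PrivateKeyEntry,
marjorie_simper, 14/02/2018, PrivateKeyEntry,
"""

def parse_ldif_dns(ldif_text):
    """Return the DN of every entry; LDIF folds long lines with a leading space."""
    unfolded = re.sub(r"\n ", "", ldif_text)
    return [l[4:].strip() for l in unfolded.splitlines() if l.lower().startswith("dn: ")]

def expected_alias(dn):
    """dxcertgen names the user key pair after the cn with spaces replaced by
    underscores ('Joe Bloggs' -> 'Joe_Bloggs' in the article's output).
    Assumption: the same rule holds for every cn."""
    rdn = dn.split(",", 1)[0]
    if not rdn.lower().startswith("cn="):
        raise ValueError("user DN must start with cn=: " + dn)
    return rdn[3:].replace(" ", "_")

def parse_keytool_list(listing):
    """Map alias -> entry type from `keytool -list` output (JKS stores aliases lower-case)."""
    return {m.group(1).lower(): m.group(2)
            for m in re.finditer(r"^(\S+), [^,]+, (\w+),", listing, re.M)}

def check_clientcerts(listing, user_aliases, ca_alias="dxcertgen"):
    """Problems found in the clientcerts keystore: the CA must be present as a
    trusted certificate and each user alias as a private key entry."""
    found = parse_keytool_list(listing)
    problems = []
    if found.get(ca_alias.lower()) != "trustedCertEntry":
        problems.append(f"CA alias {ca_alias!r}: expected trustedCertEntry, got {found.get(ca_alias.lower())}")
    for alias in user_aliases:
        if found.get(alias.lower()) != "PrivateKeyEntry":
            problems.append(f"user alias {alias!r}: expected PrivateKeyEntry, got {found.get(alias.lower())}")
    return problems
```

On a real system, feed the output of `keytool -list -keystore "C:\Program Files\JXplorer\security\clientcerts" -storepass passphrase` to check_clientcerts together with the aliases derived from your own users.ldif; an empty list means every expected entry is present.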

Connecting to CA Directory using your newly added keys

In order for you to be able to use your new CA and user certificates to connect to a DSA, the following must be in place:

  1. User entries must exist in the CA Directory DSA that match the DNs of the user certificates.
    1. To do this, simply load the LDIF file below into your DSA that has a prefix of "o=Democorp,c=au".
    2. The LDIF file:

       version: 1
       dn: ou=Corporate,o=Democorp,c=au
       objectClass: organizationalUnit

       dn: ou=Information,ou=Corporate,o=Democorp,c=au
       objectClass: organizationalUnit

       dn: cn=Joe Bloggs,ou=Information,ou=Corporate,o=Democorp,c=au
       objectClass: inetOrgPerson
       objectClass: organizationalPerson
       objectClass: person
       objectClass: top
       cn: Joe Bloggs
       sn: BLOGGS

       dn: cn=Marjorie SIMPER,ou=Information,ou=Corporate,o=Democorp,c=au
       objectClass: inetOrgPerson
       objectClass: organizationalPerson
       objectClass: person
       objectClass: top
       cn: Marjorie SIMPER
       sn: SIMPER
    3. To load the LDIF file into the DSA, use the following command:

       dxmodify -a -c -h {hostName} -p {DSA Port} -f {LDIFFileName}
  2. An SSLD daemon must exist.
    1. To create an SSL daemon that sources the default trusted.pem CA certificate file and the DSA personality certificates, use the following command:

       ssld install ssldservice -ca config/ssld/trusted.pem -certs config/ssld/personalities
    2. Once the SSL daemon has been installed, it needs to be started. You can do this by issuing the following command:

       ssld start ssldservice
  3. The DSAs must be recycled in order to refresh their configuration. Stop the DSA:

     dxserver stop {dsaName}

     Then restart it:

     dxserver start {dsaName}
  4. Using JXplorer, make a connection using the authentication level "SSL+SASL+Keystore Password".

Figure 4

Once connected you should see the DIT structure of the Directory:

Figure 5