How can I use my own CA-signed certificates to set up Secure Communication?

Document ID : KB000016157
Last Modified Date : 14/02/2018
Question:

How can I use my own CA-signed certificates in the Secure Communications procedure?

The steps only explain how to use self-signed certificates.

Answer:

When you are using certificates from a Certificate Authority, the first steps need to be adjusted: instead of generating self-signed certificates in a JKS keystore, you import the certificate you received from your CA into a JKS keystore.

A few requirements for this certificate:

• It needs to be enabled for code signing. If that is not possible, you need a separate code-signing certificate, kept in a separate keystore, to sign the truststore.jar.

• The CN in the certificate needs to match the RA server name. Modern TLS clients check the Subject Alternative Name extension and ignore the CN when a SAN is present, so the RA server name should also appear as a DNS SAN.

• The keystore entry must contain both the certificate (public key) and the private key.

• It must contain the whole chain of trust (i.e. the certificate of the ROOT authority and of every INTERMEDIATE authority that signed the certificate). If your CA hands you only the server certificate, obtain the root and intermediate certificates separately and import them in the right sequence into the JKS keystore.


The exact commands and steps depend on the format in which your CA delivers the certificate.

To inspect the content of the p12 file you can use openssl or a tool like KeyStore Explorer:

openssl pkcs12 -info -in filename.p12

If the certificate and private key come in a different format, convert them to PKCS#12 first (see the openssl command at the end of this article).

In short, replace steps 1 and 2 of the Secure UI Communication procedure with the following:

 

Create the JKS file from the p12 file with keytool (it prompts for the new JKS store password and for the p12 password):

keytool -importkeystore -srckeystore testkeystore.p12 -srcstoretype pkcs12 -destkeystore conf/custom-keystore.jks -deststoretype JKS

 

List the keystore to find the alias of the imported entry (it is 1 if the p12 carried no friendly name, otherwise typically the certificate CN):

keytool -list -v -keystore conf/custom-keystore.jks

 

Change the password of the private key entry in the keystore. The key password must be the same as the store password; after the import it is still the password of the PKCS12 file. keytool prompts for the current and the new key password:

keytool -keypasswd -alias [Alias name for private key] -keystore [path to key store]

keytool -keypasswd -alias 1 -keystore conf/custom-keystore.jks

 

Change the alias of the private key entry to ra-ms (without -destalias, keytool prompts for the new alias):

keytool -changealias -keystore [path to key store] -alias [current alias] -destalias ra-ms

keytool -changealias -keystore conf/custom-keystore.jks -alias 1 -destalias ra-ms

 

Export the server certificate from the keystore and import it into the trust store:

keytool -exportcert -alias ra-ms -file ms.crt -keystore conf/custom-keystore.jks -v

keytool -importcert -alias ra-ms -file ms.crt -keystore conf/custom-truststore.jks -v -rfc

 

Make sure you also import the root certificate and any intermediate certificate into custom-truststore.jks if they are not already in the default Java cacerts trust store:

keytool -importcert -alias root -file root.crt -keystore conf/custom-truststore.jks -v -rfc

keytool -importcert -alias intermediate -file intermediate.crt -keystore conf/custom-truststore.jks -v -rfc 

 

Verify the content of custom-truststore.jks:

keytool -list -v -keystore conf/custom-truststore.jks  

 

The remaining steps, from step 3 onwards, are the same as in the manual.

If you have a separate code-signing certificate, create another JKS file containing that certificate; it is then used in step 5 to sign the JAR file.

If you have the certificate in .cer format (PEM-encoded; a DER-encoded .cer must first be converted with openssl x509 -inform DER) and the private key in a separate file, create the p12 file with openssl. Pass the CA chain, not the server certificate itself, to -certfile, and use -name to set the alias so that the -changealias step above is not needed:

openssl pkcs12 -export -name ra-ms -out testkeystore.p12 -inkey privateKey.key -in Nolio.cer -certfile chain.crt

Here chain.crt is the intermediate and root certificates concatenated in PEM form (file name assumed).

 

A tool like KeyStore Explorer can be handy to check the content of a keystore and to correct the chain of trust if needed.