When you are using certificates from a Certificate Authority (CA), the first steps need to be adjusted: instead of generating self-signed certificates
in a JKS keystore, you import the certificate from your CA into a JKS keystore.
A few requirements for this certificate are:
• It needs to be enabled for code signing (extended key usage). If this is not possible, you need a separate code-signing certificate, which you use in a separate keystore to sign the trustore.jar.
• The CN in the certificate needs to match the RA server name, i.e. the hostname clients use to reach the server (if clients also check the subject alternative name, it must cover the same name).
• It must contain the private key as well as the public certificate.
• It must contain the whole chain of trust, i.e. the certificate of the ROOT authority and of any INTERMEDIATE authority that signed the certificate. If your CA delivers these as separate files, they have to be imported into the JKS keystore in the right sequence (root first, then the intermediates, then the server certificate).
The exact commands and steps depend on the certificate format your CA provides.
To verify the content of the p12 file you can use openssl or a tool like KeyStore Explorer:
openssl pkcs12 -info -in filename.p12
If the certificate and private key are in a different format, you have to convert them to p12 (PKCS#12) format first (see the openssl command at the end of this page).
Basically, you replace steps 1 and 2 of the Secure UI Communication procedure with the following:
Create the JKS file from the p12 certificate file with the keytool command:
keytool -importkeystore -srckeystore testkeystore.p12 -srcstoretype pkcs12 -destkeystore conf/custom-keystore.jks -deststoretype JKS
List the keystore to see the alias of the imported entry (by default it is 1 or the certificate CN):
keytool -list -v -keystore conf/custom-keystore.jks
Change the password of the private key entry in the keystore. The key password needs to be the same as the store password; after the import it is still the password of the PKCS12 file:
keytool -keypasswd -alias [Alias name for private key] -keystore [path to key store]
keytool -keypasswd -alias 1 -keystore conf/custom-keystore.jks
Change the alias of the private key entry (to ra-ms):
keytool -changealias -keystore [path to key store] -alias [current alias] -destalias ra-ms
keytool -changealias -keystore conf/custom-keystore.jks -alias 1 -destalias ra-ms
Export the server certificate from the keystore and import it into the custom truststore:
keytool -exportcert -alias ra-ms -file ms.crt -keystore conf/custom-keystore.jks -v
keytool -importcert -alias ra-ms -file ms.crt -keystore conf/custom-truststore.jks -v -rfc
Make sure you also import the root certificate and any intermediate certificates into custom-truststore.jks if they are not already part of the default Java truststore (cacerts):
keytool -importcert -alias root -file root.crt -keystore conf/custom-truststore.jks -v -rfc
keytool -importcert -alias intermediate -file intermediate.crt -keystore conf/custom-truststore.jks -v -rfc
Verify content of the custom-truststore.jks.
keytool -list -v -keystore conf/custom-truststore.jks
The remaining steps, from step 3 onward, are the same as in the manual.
If you have a separate code-signing certificate, you need to create another JKS file containing that certificate; this keystore is then used in step 5 to sign the JAR file.
If you have the certificate in CER format you can create the p12 file with:
openssl pkcs12 -export -out testkeystore.p12 -inkey privateKey.key -in Nolio.cer -certfile Nolio.cer
The -certfile option is where the chain goes: point it at a file holding the root and intermediate CA certificates. Passing the server certificate file itself, as above, only includes the chain if that file already contains it.
A tool like KeyStore Explorer is handy to check the content of the keystore and correct the chain of trust if needed.
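The whole procedure above as one non-interactive script: p12 to custom-keystore.jks, key password and alias change, truststore build, the openssl p12 creation, and the checks worth running on the result (private key entry present, chain longer than the leaf, CN equal to the RA server name, key password equal to the store password). This is an added example, not code from the original page or from the product; the function names, argument order and passwords are assumptions, the mini-CA it builds with openssl is constructed test input and not a real CA, and it needs keytool and openssl on PATH.

```bash
#!/usr/bin/env bash
# Added example (not from the page or the product): the CA-certificate steps as
# non-interactive keytool/openssl calls plus checks on the result. Assumed, not
# from the page: function names, argument order, passwords, the demo mini-CA.
set -eu

# p12 from the CA -> conf/custom-keystore.jks, key entry renamed to ra-ms,
# key password set equal to the store password (the product requires that).
# usage: p12_to_jks <p12 file> <p12 password> <store password> <conf dir>
p12_to_jks() {
  local p12="$1" p12pass="$2" storepass="$3" conf="$4" ks="$4/custom-keystore.jks" cur
  mkdir -p "$conf"; rm -f "$ks"
  keytool -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$p12pass" \
    -destkeystore "$ks" -deststoretype JKS -deststorepass "$storepass" -noprompt
  # The alias is whatever the CA or openssl wrote into the p12 ("1" or the CN):
  # read the PrivateKeyEntry from the listing instead of guessing it.
  cur=$(keytool -list -keystore "$ks" -storepass "$storepass" 2>/dev/null |
        awk -F', ' '/PrivateKeyEntry/ {print $1; exit}')
  [ -n "$cur" ] || { echo "no private key entry in $p12" >&2; return 1; }
  # After the import the key normally still has the p12 password; change it only then.
  if keytool -certreq -alias "$cur" -keystore "$ks" -storepass "$storepass" -keypass "$p12pass" >/dev/null 2>&1; then
    keytool -keypasswd -keystore "$ks" -storepass "$storepass" -alias "$cur" -keypass "$p12pass" -new "$storepass"
  fi
  [ "$cur" = ra-ms ] || keytool -changealias -keystore "$ks" -storepass "$storepass" \
    -keypass "$storepass" -alias "$cur" -destalias ra-ms
}

# Export the server cert and build conf/custom-truststore.jks from the CA root,
# the intermediates (in signing order) and the server cert.
# usage: build_truststore <conf dir> <store password> <root.crt> [intermediate.crt ...]
build_truststore() {
  local conf="$1" storepass="$2" ts="$1/custom-truststore.jks" n=0 crt
  shift 2; rm -f "$ts"
  keytool -exportcert -alias ra-ms -keystore "$conf/custom-keystore.jks" \
    -storepass "$storepass" -rfc -file "$conf/ms.crt"
  keytool -importcert -alias root -file "$1" -keystore "$ts" -storetype JKS \
    -storepass "$storepass" -noprompt
  shift
  for crt; do   # remaining arguments: intermediate CA certs, root side first
    n=$((n + 1))
    keytool -importcert -alias "intermediate$n" -file "$crt" -keystore "$ts" \
      -storetype JKS -storepass "$storepass" -noprompt
  done
  keytool -importcert -alias ra-ms -file "$conf/ms.crt" -keystore "$ts" -storetype JKS \
    -storepass "$storepass" -noprompt
}

# The checks the page's requirements imply: ra-ms is a private key entry, its
# chain is more than the leaf, its CN is the RA server name, key pass == store pass.
# usage: verify_keystore <conf dir> <store password> <RA server name>
verify_keystore() {
  local ks="$1/custom-keystore.jks" storepass="$2" host="$3" listing len cn
  listing=$(keytool -list -v -keystore "$ks" -storepass "$storepass" -alias ra-ms 2>/dev/null)
  printf '%s\n' "$listing" | grep -q 'Entry type: PrivateKeyEntry' ||
    { echo "ra-ms is not a PrivateKeyEntry" >&2; return 1; }
  len=$(printf '%s\n' "$listing" | sed -n 's/^Certificate chain length: //p')
  [ "${len:-0}" -ge 2 ] || { echo "chain incomplete (length ${len:-0})" >&2; return 1; }
  cn=$(printf '%s\n' "$listing" | grep -m1 '^Owner:' | sed 's/.*CN=\([^,]*\).*/\1/')
  [ "$cn" = "$host" ] || { echo "CN '$cn' != RA server name '$host'" >&2; return 1; }
  # -certreq needs the private key, so it only succeeds if -keypass is right
  keytool -certreq -alias ra-ms -keystore "$ks" -storepass "$storepass" -keypass "$storepass" \
    >/dev/null 2>&1 || { echo "key password differs from store password" >&2; return 1; }
  echo "custom-keystore.jks OK: ra-ms, chain length $len, CN=$cn"
}

# Constructed test input, not a real CA: root -> intermediate -> server cert,
# packed into server.p12 with openssl as at the end of the page (-certfile = chain).
# usage: make_demo_chain <dir> <RA server name> <p12 password>
make_demo_chain() {
  local d="$1" host="$2" p12pass="$3"
  mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$d/intermediate.csr" -CA "$d/root.crt" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,codeSigning\n' \
    "$host" >"$d/server.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$d/server.csr" -CA "$d/intermediate.crt" \
    -CAkey "$d/intermediate.key" -CAcreateserial -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null
  cat "$d/intermediate.crt" "$d/root.crt" >"$d/chain.pem"
  # 3DES/SHA-1 PBE: readable by every keytool whether OpenSSL 1.1 or 3.x wrote it
  openssl pkcs12 -export -name 1 -inkey "$d/server.key" -in "$d/server.crt" -certfile "$d/chain.pem" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 -passout "pass:$p12pass" -out "$d/server.p12"
}

# Stand-alone demo: ./ca-cert-keystore.sh demo [RA server name]
if [ "${1:-}" = demo ]; then
  host="${2:-ra.example.com}"
  make_demo_chain demo-ca "$host" p12secret
  p12_to_jks demo-ca/server.p12 p12secret storesecret conf
  build_truststore conf storesecret demo-ca/root.crt demo-ca/intermediate.crt
  verify_keystore conf storesecret "$host"
fi
```

With a real CA delivery you skip make_demo_chain and call p12_to_jks with the CA's p12 and password, build_truststore with the CA's root and intermediate files, and verify_keystore with the RA server's hostname; a failing check names the requirement from the list above that the certificate does not meet. The -keypasswd call is guarded by a -certreq probe so the script also behaves when a keytool version already stored the key under the store password.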