How to Import a "Wildcard" Certificate in the OneClick cacerts Keystore File

Document ID : KB000015100
Last Modified Date : 14/02/2018
Question:

Our corporate standard is to setup our Web Servers with SSL using our approved "Wildcard" certificate.

How do we get the OneClick Web Server configured with SSL using a "Wildcard" certificate?

Answer:

IMPORTANT: Make a copy of your $SPECROOT/custom/keystore/cacerts before attempting to import the “wildcard” certificates into the cacerts file.

Converting Wildcard SSL Certificate files to the Java Keystore format:

  1. Copy everything you need to a folder of your choice. To simplify things, I recommend making this a subdirectory of $SPECROOT/Java or $SPECROOT/Java/bin. For example, Wildcard_mydomain_com.

Make sure this folder contains all the certificate files you received from the Certificate Authority and the original Private key file used to generate your “wildcard” CSR (certificate signing request).

If you received your certificate from Comodo in "other" format you will have a bunch of files, which will need to be assembled in the correct order.

  2. Open a terminal window (command line, or a “bash -login” shell on Windows) and go to your directory. Concatenate these files:

cat [Wildcard_PrivateKey.crt] [Wildcard_SignedCert.crt] [Intermediate_Cert.crt] [CA_Root_Cert.crt] > ca_bundle.pem

They are all now nicely bundled in a single file (ca_bundle.pem).

  3. Run the following to convert your SSL bundle into PKCS12 format:

openssl pkcs12 -export -name <alias.domain.com> -in <ca_bundle.pem> -inkey <domain.com.key> -out <keystore.p12>

Where:

-name <alias.domain.com> is the domain you are going to be using the key on. This will also be the alias name in Step 4.

Do not use a *.domain.com address as the name.

Use something like alias.domain.com, somename.domain.com, hostname.domain.com, etc.

-in <ca_bundle.pem> is the bundled Certificate Authority file containing your signed certificate.

-inkey <domain.com.key> is the Wildcard Private key file from the server that generated your “wildcard” CSR (certificate signing request).

-out <keystore.p12> is just the output file that you pick. This can be anything you choose. I used keystore.p12 as an example.

You will be asked to set an export password. To keep things simple, use the cacerts keystore password.

  4. Now run the following command to import the PKCS12 entry into your JKS (the cacerts keystore):

keytool -importkeystore -destkeystore <path/cacerts> -srckeystore <keystore.p12> -srcstoretype pkcs12 -alias <alias.domain.com>

Where:

-destkeystore <path/cacerts> is the name of the destination keystore file you want the files imported to.

-srckeystore <keystore.p12> is the PKCS12 keystore file you created in Step 3.

-alias <alias.domain.com> is the name specified in Step 3.

IMPORTANT – the alias must match the name given in Step 3.

You will be asked to enter the password again. Use your cacerts password.

  5. Verify the cacerts keystore file has been updated and now contains your "wildcard" certificates.

keytool -list -v -alias <alias.domain.com> -keystore <path/cacerts>

If you have already generated a "self-signed" certificate for your OneClick Web Server, you will need to remove the "self-signed" certificate from the cacerts keystore file, otherwise the "self-signed" certificate will take precedence over your "wildcard" certificate.

The command to remove a certificate from the cacerts file is:

keytool -delete -alias <alias.domain.com> -keystore <path/cacerts>
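The whole procedure above (Steps 1 to 5 plus the self-signed clean-up), as an added example script that is not part of this KB article or of the CA Spectrum product: each step is a small POSIX sh function, and two checks the article does not spell out are added before anything is written into cacerts, namely that every input file is PEM and that the private key really belongs to the signed certificate. It assumes openssl and keytool are on the PATH; the file names, the alias oneclick.example.com and the demo password changeit are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the KB article: the article's steps 1-5 as shell
# functions, plus the pre-flight checks a practitioner wants before writing into
# cacerts. File names, the alias oneclick.example.com and the demo password are
# constructed placeholders; a real run uses the CA-issued files.

# Steps 1-2: concatenate PEM files in the article's order (private key, signed
# cert, intermediate(s), root) into one bundle.   bundle_certs OUTPUT FILE...
bundle_certs() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        # a DER or PKCS7 file would silently corrupt the bundle; insist on PEM
        grep -q -- '-----BEGIN' "$f" 2>/dev/null || { echo "not a PEM file: $f" >&2; return 1; }
        cat "$f" >> "$out"
    done
}

# Pre-flight: the public key in the signed cert must be the one belonging to the
# private key. A mismatched pair imports without complaint, but no TLS handshake
# will ever succeed with it.   key_matches_cert PRIVATE_KEY CERT
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Step 3: bundle -> PKCS12. The alias must be a host name, never *.domain.com.
# to_pkcs12 ALIAS BUNDLE PRIVATE_KEY OUT_P12 PASSWORD
to_pkcs12() {
    case "$1" in '*'*) echo "alias must not be a wildcard name: $1" >&2; return 1;; esac
    openssl pkcs12 -export -name "$1" -in "$2" -inkey "$3" -out "$4" -passout "pass:$5"
}

# Step 4: import into cacerts, taking the backup the article insists on first.
# -srcalias/-destalias name the same entry the article's -alias does.
# import_to_cacerts P12 CACERTS ALIAS PASSWORD
import_to_cacerts() {
    if [ -f "$2" ]; then cp -p "$2" "$2.bak.$(date +%Y%m%d%H%M%S)" || return 1; fi
    keytool -importkeystore -destkeystore "$2" -srckeystore "$1" -srcstoretype pkcs12 \
        -srcalias "$3" -destalias "$3" -srcstorepass "$4" -deststorepass "$4" -noprompt
}

# Step 5: the alias must be present as a PrivateKeyEntry (key plus chain), not
# as a bare trusted certificate.   verify_alias ALIAS CACERTS PASSWORD
verify_alias() {
    keytool -list -keystore "$2" -storepass "$3" -alias "$1" 2>/dev/null | grep -q PrivateKeyEntry
}

# The article's clean-up step: drop an old self-signed entry so it cannot shadow
# the wildcard one.   remove_alias ALIAS CACERTS PASSWORD
remove_alias() {
    keytool -delete -alias "$1" -keystore "$2" -storepass "$3"
}

# Whole procedure on real files. The password is taken from CACERTS_PASS so it
# never appears as a command-line argument in the shell history.
# run_import ALIAS PRIVATE_KEY CACERTS SIGNED_CERT [INTERMEDIATE...] [ROOT]
run_import() {
    name=$1; key=$2; cacerts=$3; shift 3
    [ -n "${CACERTS_PASS:-}" ] || { echo "set CACERTS_PASS to the cacerts keystore password" >&2; return 1; }
    bundle_certs ca_bundle.pem "$key" "$@" || return 1
    key_matches_cert "$key" "$1" || { echo "private key does not belong to $1" >&2; return 1; }
    to_pkcs12 "$name" ca_bundle.pem "$key" keystore.p12 "$CACERTS_PASS" || return 1
    import_to_cacerts keystore.p12 "$cacerts" "$name" "$CACERTS_PASS" || return 1
    verify_alias "$name" "$cacerts" "$CACERTS_PASS"
}

# Stand-alone demo: a constructed self-signed *.example.com certificate stands in
# for the CA-issued files and a fresh keystore for $SPECROOT/custom/keystore/cacerts.
demo() {
    d=$(mktemp -d) && cd "$d" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout wildcard.key -out wildcard.crt \
        -subj '/CN=*.example.com' -days 1 >/dev/null 2>&1 || return 1
    CACERTS_PASS=changeit
    run_import oneclick.example.com wildcard.key cacerts wildcard.crt || return 1
    echo "imported and verified: $d/cacerts"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run `sh import_wildcard.sh --demo` to exercise the whole chain on a throwaway certificate, or source the file and call `CACERTS_PASS=... run_import oneclick.mydomain.com wildcard.key $SPECROOT/custom/keystore/cacerts signed.crt intermediate.crt root.crt` with the real files in the article's order. The key-to-certificate check is the one worth keeping even if you type the article's commands by hand: keytool happily imports a PKCS12 whose certificate was issued for a different key, and the mistake only surfaces as failed handshakes on the OneClick web server. One caveat from OpenSSL 3: its default PKCS12 encryption is not readable by older Java releases, so if keytool rejects keystore.p12 with an algorithm error, re-export with the `-legacy` option or update the JRE that OneClick runs on.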

Additional Information:

For more information on how to setup the OneClick Server for SSL see the "OneClick Server Communications and Network Configuration" Guide - "Configure OneClick for Secure Sockets Layer"

(https://docops.ca.com/ca-spectrum/10-2-1/en/administrating/oneclick-administration/oneclick-server-communications-and-network-configuration/configure-oneclick-for-secure-sockets-layer)