Sample generation and registration of a signed cert to Catalog JKS

Document ID : KB000096537
Last Modified Date : 19/06/2018
Introduction:
SSL Cert install question for CA Service Catalog 14.1
Environment:

Instructions:
Please remember that keytool is a Java utility supplied and supported by Oracle.
If Catalog fails to bind to port 8443 or to load the JKS, check Catalog's ServiceCatalog.log file for the Java stack trace.
Any such errors are Java errors, and you can look them up on Oracle's website or elsewhere online.

NOTE: ALL PASSWORDS (keystore password and key password) SHOULD MATCH OR YOU GET AN UNRECOVERABLE KEY ERROR
    The storetype below could be JKS instead of PKCS12 if you prefer.
    Modern Java matches the SAN names against the web site host name, as shown below, and not the CN, so the SAN must contain the FQDN used in the URL.
    The alias must be the alias name you specified in viewservice.conf and server.xml.

1) Generate a self-signed cert/private key pair on the Catalog server (replace machine_name.ca.com and 1.1.1.1 with the server's FQDN and IP; the same keystore file is used in the following steps):

keytool -genkeypair -v -alias machine_name.ca.com -dname "CN=machine_name.ca.com, OU=support, O=CA, L=Islandia, ST=NY, C=US" -keystore c:\certs\machine_name-fqdn.pfx -keyalg RSA -keysize 2048 -validity 385 -storetype PKCS12 -ext SAN=dns:machine_name.ca.com,ip:1.1.1.1

2) Generate CSR:

keytool -certreq -v -alias machine_name.ca.com -keystore c:\certs\machine_name-fqdn.PFX -storetype pkcs12 -ext SAN=dns:name.com,ip:1.1.1.1 -file c:\certs\machine_name-fqdn.csr

3) Open the *.p7b returned by the certificate authority.
4) Use "Copy to File" to export the root certificate as Base64 to a .cer file (the full certificate chain might be needed).
5) Import the signed cert:

NOTE: If your certificate authority gave you a single .cer file containing the full chain, Java will not recognize it.
Open it in Windows and export all 3 of the certificates in the chain to individual .cer files.

keytool -importcert -v -alias machine_name.ca.com -keystore c:\certs\machine_name-fqdn.PFX -storetype pkcs12 -file c:\certs\machine_name-fqdn.p7b

6) Copy c:\certs\machine_name-fqdn.p7b to ..\Service Catalog
7) Convert the .pfx to .jks (source and destination passwords must match; changeit is the example password):

keytool -importkeystore -deststorepass changeit -destkeystore machine_name-fqdn.jks -srckeystore machine_name-fqdn.pfx -srcstoretype PKCS12 -srcstorepass changeit

8) Import the root cert into the JRE's trust store:

keytool -import -trustcacerts -alias root -file c:\certs\rootCert.cer -keystore <JRE-PATH>\lib\security\cacerts
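The whole sequence above (key pair with SAN, CSR, import of the root and the signed reply under the same alias, PKCS12 to JKS conversion) can be rehearsed end to end against a throwaway test CA before touching the real server. The following bash script is an added example and is not part of this KB or of CA's product; it stands in for the real certificate authority with keytool -gencert, and the host name host.example.test, the test CA name and the password changeit are constructed values. It assumes a JDK keytool on PATH and finishes with the checks a practitioner wants before handing the JKS to Catalog: the alias is a PrivateKeyEntry, the chain is complete (server cert plus root), and the DNS SAN equals the host name that will be in the URL.

```shell
#!/usr/bin/env bash
# Added example (not from the KB): keytool round trip against a throwaway test
# CA, then checks the resulting JKS for the properties the KB relies on.
# Assumptions: a JDK keytool on PATH; the host name, CA name and password
# "changeit" below are constructed values.

PASS=changeit
HOST=host.example.test

# Build ca.p12, server.pfx and server.jks in scratch directory $1. Returns 0 on success.
build_keystores() {
  local dir="$1"
  mkdir -p "$dir"
  # Throwaway CA: a self-signed key pair flagged as a CA (BasicConstraints, critical).
  keytool -genkeypair -alias testca -dname "CN=Test CA, O=Example" \
    -keyalg RSA -keysize 2048 -validity 365 -ext bc:c \
    -keystore "$dir/ca.p12" -storetype PKCS12 -storepass "$PASS" >/dev/null 2>&1 || return 1
  keytool -exportcert -rfc -alias testca -keystore "$dir/ca.p12" -storetype PKCS12 \
    -storepass "$PASS" -file "$dir/root.cer" >/dev/null 2>&1 || return 1

  # KB step 1: server key pair whose SAN carries the FQDN (Java matches the SAN, not the CN).
  keytool -genkeypair -alias "$HOST" \
    -dname "CN=$HOST, OU=support, O=Example, L=City, ST=NY, C=US" \
    -keyalg RSA -keysize 2048 -validity 385 -ext "SAN=dns:$HOST" \
    -keystore "$dir/server.pfx" -storetype PKCS12 -storepass "$PASS" >/dev/null 2>&1 || return 1

  # KB step 2: certificate signing request.
  keytool -certreq -alias "$HOST" -keystore "$dir/server.pfx" -storetype PKCS12 \
    -storepass "$PASS" -ext "SAN=dns:$HOST" -file "$dir/server.csr" >/dev/null 2>&1 || return 1

  # Stand-in for the real CA: sign the CSR with the test CA. keytool -gencert does not
  # copy extensions from the request, so the SAN is stated again here.
  keytool -gencert -alias testca -keystore "$dir/ca.p12" -storetype PKCS12 -storepass "$PASS" \
    -infile "$dir/server.csr" -outfile "$dir/server.cer" -rfc -validity 365 \
    -ext "SAN=dns:$HOST" >/dev/null 2>&1 || return 1

  # KB steps 4/5: trust the root first so keytool can build the chain, then import
  # the signed reply under the SAME alias as the private key.
  keytool -importcert -noprompt -alias root -file "$dir/root.cer" \
    -keystore "$dir/server.pfx" -storetype PKCS12 -storepass "$PASS" >/dev/null 2>&1 || return 1
  keytool -importcert -noprompt -alias "$HOST" -file "$dir/server.cer" \
    -keystore "$dir/server.pfx" -storetype PKCS12 -storepass "$PASS" >/dev/null 2>&1 || return 1

  # KB step 7: PKCS12 -> JKS with matching store and key passwords.
  keytool -importkeystore -noprompt \
    -srckeystore "$dir/server.pfx" -srcstoretype PKCS12 -srcstorepass "$PASS" \
    -destkeystore "$dir/server.jks" -deststoretype JKS -deststorepass "$PASS" >/dev/null 2>&1 || return 1
}

# Check that JKS $1 holds a private key entry for alias $2 with a 2-certificate
# chain (server cert + root) and a DNS SAN equal to the alias. Returns 0 if so.
check_jks_entry() {
  local listing
  listing=$(keytool -list -v -keystore "$1" -storepass "$PASS" -alias "$2" 2>/dev/null) || return 1
  printf '%s\n' "$listing" | grep -q "Entry type: PrivateKeyEntry" || return 1
  printf '%s\n' "$listing" | grep -q "Certificate chain length: 2" || return 1
  printf '%s\n' "$listing" | grep -q "DNSName: $2" || return 1
}

# Run the whole flow in a temp dir. Returns 0 on success; also returns 0 (with a
# message) when no keytool is installed, since there is nothing to verify then.
run_demo() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found on PATH; install a JDK to run this example"
    return 0
  fi
  local dir
  dir=$(mktemp -d)
  build_keystores "$dir" || { echo "keystore build failed"; rm -rf "$dir"; return 1; }
  check_jks_entry "$dir/server.jks" "$HOST" || { echo "JKS check failed"; rm -rf "$dir"; return 1; }
  echo "OK: server.jks has PrivateKeyEntry $HOST with a 2-cert chain and DNS SAN $HOST"
  rm -rf "$dir"
}

run_demo
```

The same check_jks_entry function can be pointed at the real machine_name-fqdn.jks and alias from step 7 to confirm the chain and SAN before Catalog is restarted; a chain length of 1 at that point means the root (or an intermediate) was not imported before the signed reply.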


For USS:

1) Set environment variables so that the keytool from the JRE bundled with USS is used:

JAVA_HOME="C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre"
PATH=%JAVA_HOME%\bin;%PATH%

2) Add the trust store settings to \OSOP\tomcat-7.0.40\bin\wrapper.conf (the .27 and .28 indexes must not collide with existing wrapper.java.additional entries in the file):

wrapper.java.additional.27=-Djavax.net.ssl.trustStore="C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\lib\security\cacerts"
wrapper.java.additional.28=-Djavax.net.ssl.trustStorePassword="changeit"

3) Import the Catalog root certificate into the USS JRE's trust store:

C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\lib\security>keytool -import -trustcacerts -alias root -file rootCert.cer -keystore cacerts -storepass changeit

4) Use the FQDN in the USS data source URL (or whatever host name the Catalog cert was issued to), since Java checks the certificate's SAN against the host name in the URL.