Sample generation and registration of a signed cert to Catalog JKS

Document ID : KB000096537
Last Modified Date : 06/03/2019
Introduction:
This shows one example of generating an SSL signed certificate to enable HTTPS and then registering it to Service Catalog's JKS. This would also work for USS, SDM, or other sites using java keytool.
Environment:

Instructions:
  • Please remember that keytool is a Java utility and is supported by Oracle.
  • You can check Catalog's ServiceCatalog.log file for any Java errors raised when Catalog binds to port 8443 (or 443, if you use that port) and loads the JKS. Any errors will be Java errors you can google or look up on Oracle's website. Searching the log file for the port number is the quickest way to confirm that the keystore loaded properly.
  • All of these commands should be run from the JRE\bin folder of the JRE that Service Catalog (or whichever application you are doing this for) is using. I used JRE 1.8.

NOTE: ALL PASSWORDS SHOULD MATCH, OR YOU WILL GET AN UNRECOVERABLE KEY ERROR
  • I used PKCS12 (a .pfx file), but the storetype below could be JKS if you like. I suggest using JKS if you are not starting from an existing JKS file.
  • Modern Java matches the website's host name against the SAN entries, as shown below, and not against the CN. Make sure every website name is in the SAN list.
  • The alias must be the alias name you specified in viewservice.conf and server.xml.

1) Generate a self-signed cert/private key on the Catalog server. Once again, I used PKCS12 in the example below since I will import it into our existing JKS file. If you want to use JKS, or do not already have an existing JKS file in your Service Catalog folder, feel free to use JKS.

keytool -genkeypair -v -alias machine_name.ca.com -dname "CN=machine_name.ca.com, OU=support, O=CA, L=Islandia, ST=NY, C=US" -keystore c:\certs\machine_name-fqdn.pfx -keyalg RSA -keysize 2048 -validity 385 -storetype PKCS12 -ext SAN=dns:machine_name.ca.com,dns:name.com,dns:secondName,ip:1.1.1.1

2) Generate CSR that you will submit to your certificate authority:

keytool -certreq -v -alias machine_name.ca.com -keystore c:\certs\machine_name-fqdn.PFX -storetype pkcs12 -ext SAN=dns:name.com,dns:secondName,ip:1.1.1.1 -file c:\certs\machine_name-fqdn.csr

3) Open the *.p7b file that you got back from your Certificate Authority (double-click it to open it on Windows).
4) Right-click each individual certificate, choose Copy to File, and export it as a Base-64 encoded certificate file.
5) Import the signed certs as shown below:

Important Note: You will likely get back a .p7b file from your certificate authority that contains the full certificate chain. In other words, it will contain the website certificate, the intermediate certificates, and the root CA certificate. Some utilities let you import this .p7b directly. However, Java's keytool does not seem to like this, which is why we exported the individual .cer files above. So now import the individual certificates, root first, then the intermediate, then the website certificate under the same alias as the private key:

keytool -importcert -v -alias rootCA -keystore c:\certs\machine_name-fqdn.PFX -storetype pkcs12 -file c:\certs\root.cer
keytool -importcert -v -alias intermediate -keystore c:\certs\machine_name-fqdn.PFX -storetype pkcs12 -file c:\certs\intermediate.cer
keytool -importcert -v -alias machine_name.ca.com -keystore c:\certs\machine_name-fqdn.PFX -storetype pkcs12 -file c:\certs\machine_name-fqdn.cer

6) Copy c:\certs\machine_name-fqdn.pfx to %USM_HOME%\Service Catalog
7) Convert the .pfx to .jks. If you do not have an existing JKS, or are not trying to preserve anything in one, you can instead just point viewservice.conf and server.xml at your new keystore. To import it into an existing JKS, run the following from the %USM_HOME%\Service Catalog folder:

keytool -importkeystore -deststorepass changeit -destkeystore machine_name-fqdn.jks -srckeystore machine_name-fqdn.pfx -srcstoretype PKCS12 -srcstorepass changeit

8) Import your root cert into Java's trusted keystore (cacerts). This is required if you use your own CA, or a certificate authority that Java does not recognize out of the box. If you skip this step you may see a trust anchor error or a certificate chain error:

keytool -import -trustcacerts -alias root -file c:\certs\rootCert.cer -keystore <JRE-PATH>\lib\security\cacerts
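Before pointing viewservice.conf and server.xml at the keystore, it is worth checking the entry Catalog will actually load. The PowerShell script below is an added example, not part of this article; run it from the JRE\bin folder after step 7 (and after step 8, if you pass the cacerts path). The keystore name, alias, password and SAN names are assumptions copied from the sample commands above; adjust them to your own values.

```powershell
# Added example, not from the KB article: verify the entry Catalog will load from the JKS.
# Assumed values (taken from the sample commands above): keystore file, alias, password, SAN names.
param(
    [string]$KeyStore       = 'machine_name-fqdn.jks',    # keystore produced in step 7
    [string]$Alias          = 'machine_name.ca.com',      # alias named in viewservice.conf / server.xml
    [string]$StorePass      = 'changeit',                 # must also be the key password (see NOTE above)
    [string[]]$ExpectedSans = @('machine_name.ca.com'),   # every host name clients will connect with
    [string]$CaCerts        = ''                          # optional: <JRE-PATH>\lib\security\cacerts (step 8)
)
$fail = @()

# 1. Dump the entry. keytool -list -v prints the entry type, chain length and the SAN extension.
$listing = (& keytool -list -v -keystore $KeyStore -storepass $StorePass -alias $Alias 2>&1) -join "`n"
if ($LASTEXITCODE -ne 0) { Write-Host "FAIL: cannot open ${KeyStore}:`n$listing"; exit 1 }

# 2. Tomcat needs a PrivateKeyEntry (private key + chain), not a trustedCertEntry.
if ($listing -notmatch 'Entry type:\s*PrivateKeyEntry') {
    $fail += "alias '$Alias' is not a PrivateKeyEntry (no private key behind it)"
}

# 3. After step 5 the alias should carry the whole chain: website cert, intermediate(s), root.
$chainLen = 0
if ($listing -match 'Certificate chain length:\s*(\d+)') { $chainLen = [int]$Matches[1] }
if ($chainLen -lt 2) {
    $fail += "chain length is $chainLen; the signed cert and CA certs were not imported under alias '$Alias'"
}

# 4. Modern Java checks the host name against the SAN list, not the CN.
$sans = [regex]::Matches($listing, '(?:DNSName|IPAddress):\s*(\S+)') | ForEach-Object { $_.Groups[1].Value }
foreach ($name in $ExpectedSans) {
    if ($sans -notcontains $name) { $fail += "'$name' is missing from the SAN list [$($sans -join ', ')]" }
}

# 5. Probe the key password: -certreq must unlock the private key, so a key password that differs
#    from the store password fails here instead of as an unrecoverable key error when Catalog
#    binds to 8443. The CSR written to stdout is discarded.
$null = & keytool -certreq -keystore $KeyStore -storepass $StorePass -keypass $StorePass -alias $Alias 2>&1
if ($LASTEXITCODE -ne 0) { $fail += 'key password differs from store password (unrecoverable key at startup)' }

# 6. Optional: confirm the root CA from step 8 is in Java's cacerts (assumes the default password, changeit).
if ($CaCerts) {
    $null = & keytool -list -keystore $CaCerts -storepass 'changeit' -alias root 2>&1
    if ($LASTEXITCODE -ne 0) { $fail += "alias 'root' not found in $CaCerts (expect a trust anchor error)" }
}

if ($fail) { $fail | ForEach-Object { Write-Host "FAIL: $_" }; exit 1 }
Write-Host "OK: '$Alias' in $KeyStore has a private key, a $chainLen-certificate chain and the expected SANs"
```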

For USS (if needed):

1) Set environment variables:

JAVA_HOME="C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre"
PATH=%JAVA_HOME%\bin;%PATH%

2) Update \OSOP\tomcat-7.0.40\bin\wrapper.conf:

wrapper.java.additional.27=-Djavax.net.ssl.trustStore="C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\lib\security\cacerts"
wrapper.java.additional.28=-Djavax.net.ssl.trustStorePassword="changeit"

3) Import the Catalog root certificate:

C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\lib\security>keytool -import -trustcacerts -alias root -file rootCert.cer -keystore cacerts -storepass changeit

4) Use the FQDN in the data source from the GUI (or whatever name the Catalog cert was issued to; it must be in the SAN list).