Scenario - How to Obtain and Import a Trusted Certificate into the Enterprise Management Server

Document ID : KB000048332
Last Modified Date : 14/02/2018

1.0 Introduction

2.0 How to Obtain and Import a Trusted Certificate into the Enterprise Management Server

2.1 Generate a Key Pair and a Self-Signed Certificate

2.1.1 Generate and Submit a Certificate Signing Request to a Certificate Authority

2.1.2 Import the CA Signed Certificate into the Enterprise Management Server Keystore

2.1.2.1 Import the Signed Certificate in DER Format

2.1.2.2 Import the Signed Certificate in PKCS #12 Format

2.1.2.2.1 Server Startup Fails

2.1.3 Verify the Trusted Certificate

3.0 Copyright

1.0 Introduction

Product: CA ControlMinder

Release: 12.8

OS: All supported operating systems

This scenario helps the CA ControlMinder security administrator to replace Enterprise Management server self-signed certificate with a certificate signed by a trusted Certificate Authority (CA). A trusted certificate ensures a secure connection to the Enterprise Management server.

2.0 How to Obtain and Import a Trusted Certificate into the Enterprise Management Server

As a security administrator, you ensure secured connections to the Enterprise Management server. When you install Enterprise Management server, a self-signed certificate is generated and stored on the server. To strengthen the security, you obtain and replace the self-signed certificate with a certificate signed by a trusted Certificate Authority (CA).

By installing a trusted certificate, you can:

  • Avoid browser security warnings
  • Protect the reputation and trust of an organization

Use this scenario to guide you through the process:

How to Obtain and Import a Trusted Certificate into the Enterprise Management Server

  1. Generate a Key Pair and a Self-Signed Certificate.
  2. Generate and Submit a Certificate Signing Request to a Certificate Authority.
  3. Import the CA Signed Certificate into the Enterprise Management Server Keystore.
  4. Verify the Trusted Certificate.

2.1 Generate a Key Pair and a Self-Signed Certificate

You generate a key pair (public and private keys) and a self-signed certificate and store them in the Enterprise Management server keystore using the keytool command. You then use this keystore to generate a Certificate Signing Request (CSR).

Follow these steps:

  1. Open a command prompt window in the Enterprise Management server and navigate to the following directory:

    ACServerInstallDir/jdk1.7.0/bin

  2. Type the keytool command in the following format:

    keytool -genkeypair {-v} {-alias alias} {-keyalg keyalg} {-keysize keysize} {-keystore keystore.jks} {-validity valDays}

    • -genkeypair

      Generates a key pair.

    • -alias

      Specifies a character string that uniquely identifies a key pair within a keystore.

    • -keyalg

      Specifies the algorithm for generating a key pair.

      Default: RSA

    • -keysize

      Specifies the size of a key pair.

      Default: 2048 bits

    • -keystore

      Specifies the path and the file name of a keystore to which the keytool command adds a key pair and a self-signed certificate. The default keystore file is ssl.keystore.

    • -validity

      Specifies the number of days before the self-signed certificate expires.

    The keytool utility starts.

  3. Type the keystore password.

    Note: Type the same password that you provided while creating the keystore. The default password for ssl.keystore is secret.

  4. Provide information for the following questions:
    • What is your first and last name?

      Note: Type the DNS name of the Enterprise Management server.

    • What is the name of your organization unit?
    • What is the name of your organization?
    • What is the name of your city or locality?
    • What is the name of your state or province?
    • What is the two-letter country code for this unit?
  5. Type the key password for the alias.

    Note: The keystore password and the key alias password must be the same.

A key pair and a self-signed certificate are generated and stored in the keystore.

An Example to Generate a Key Pair and a Self-Signed Certificate:

The following keytool command generates a key pair using the RSA key generation algorithm. Each key is 2048 bits and is stored in the ssl.keystore with the alias name keys. A self-signed certificate, valid for 180 days, is also created and stored in the ssl.keystore.

keytool -genkeypair -alias keys -keyalg RSA -keysize 2048 -keystore ssl.keystore.jks -validity 180

    2.1.1 Generate and Submit a Certificate Signing Request to a Certificate Authority

    Generate a Certificate Signing Request (CSR) file using the keytool command and submit to a trusted CA. The CA uses the CSR to generate a signed certificate identifying your server as secure.

    Follow these steps:

    1. Open a command prompt window in the Enterprise Management server and navigate to the following directory:

      ACServerInstallDir/jdk1.7.0/bin

    2. Type the keytool command in the following format:

      keytool -v -certreq {-alias alias} {-keystore keystore.jks} {-file filename.csr}

      • -certreq

        Generates a CSR file using the PKCS #10 format.

      • -alias

        Specifies a character string that uniquely identifies a key pair within a keystore.

        Note: Use the same alias name that you provided while generating a key pair.

      • -keystore

        Specifies the keystore containing the key pair and the self-signed certificate.

      • -file

        Specifies the file name where the CSR file is stored.

      A CSR file is generated.

    3. Submit the CSR file to a trusted CA.

    Example to Generate a CSR:

    The following keytool command generates a new CSR for the key pair in the ssl.keystore and stores the CSR in the newcert_request.csr file.

    keytool -v -certreq -alias keys -keystore ssl.keystore.jks -file newcert_request.csr

    2.1.2 Import the CA Signed Certificate into the Enterprise Management Server Keystore

    After you receive the signed certificate from a CA, import the certificate into the Enterprise Management server keystore.

    Note: Import the signed certificate into the Enterprise Management server keystore even though you used a different keystore for generating the CSR.

    The procedure to import the signed certificate varies depending on the format of the certificate received from the CA.

    When you generate the CSR with the server keystore, use either the DER format procedure (2.1.2.1) or the PKCS #12 format procedure (2.1.2.2) to import the signed certificate.

    When you generate the CSR with a keystore other than the server keystore, use only the PKCS #12 format procedure (2.1.2.2), because the private key must be imported into the server keystore together with the certificate.

    2.1.2.1 Import the Signed Certificate in DER Format

    Import the CA signed certificate that you received in the Distinguished Encoding Rules (DER) format into the server keystore. Before you import, ensure that the files you received from the CA include the following certificates:

    • Root Certificate
    • [Optional] Intermediate Certificate
    • Signed Server Certificate

    Follow these steps:

    1. Open a command prompt window in the Enterprise Management server and navigate to the following directory:

      ACServerInstallDir/jdk1.7.0/bin

    2. Import the root certificate as a trusted certificate using the keytool command in the following format:

      keytool -importcert {-v} {-alias alias} -trustcacerts {-file filename.cer} {-keystore keystore}

      • -importcert

        Imports the root certificate into a keystore.

      • -alias

        Specifies a character string that uniquely identifies a root certificate in the keystore.

      • -trustcacerts

        Specifies that the root certificate must be imported as a trusted certificate into a keystore.

      • -file

        Specifies the file name of the root certificate.

      • -keystore

        Specifies the keystore where you import the root certificate.

    3. [Optional] Import an intermediate certificate as a trusted certificate using the keytool command in the following format:

      keytool -importcert {-v} {-alias alias} -trustcacerts {-file filename.cer} {-keystore keystore}

      • -importcert

        Imports the intermediate certificate into a keystore.

      • -alias

        Specifies a character string that uniquely identifies an intermediate certificate in the keystore.

      • -trustcacerts

        Specifies that the intermediate certificate must be imported as a trusted certificate into a keystore.

      • -file

        Specifies the file name of the intermediate certificate.

      • -keystore

        Specifies the keystore where you import the intermediate certificate.

    4. Import CA signed server certificate as a trusted certificate using the keytool command in the following format:

      keytool -import {-v} {-alias alias} -trustcacerts {-file filename.cer} {-keystore keystore}

      • -import

        Imports the server certificate into a keystore.

      • -alias

        Specifies a character string that uniquely identifies a key pair in the keystore.

        Note: Use the same alias name that you provided while generating a key pair.

      • -trustcacerts

        Specifies that the server certificate must be imported as a trusted certificate into a keystore.

      • -file

        Specifies the file name of the server certificate.

      • -keystore

        Specifies the keystore where you import the server certificate.

    The trusted certificates in DER format are imported into a keystore.

    Example to Import a Root Certificate:

    The following command imports the CARootCer.cer certificate with the alias root as a trusted certificate into the ssl.keystore.

    keytool -importcert -alias root -trustcacerts -file CARootCer.cer -keystore ssl.keystore

    Example to Import a Server Certificate:

    The following command imports the CASerCer.cer certificate with the alias keys (the key-pair alias) as a trusted certificate into the ssl.keystore.

    keytool -import -alias keys -trustcacerts -file CASerCer.cer -keystore ssl.keystore
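
The DER import steps above as a POSIX shell script, added here as an example (not CA's own tooling); it assumes keytool is on PATH (for example from ACServerInstallDir/jdk1.7.0/bin) and the article's keystore name. The check after the server-certificate import catches the mistake of importing the reply under an alias other than the key pair's, which leaves the self-signed certificate in use.

```shell
#!/bin/sh
# Added example (not CA ControlMinder's own script). Assumes keytool is on PATH
# and the article's keystore name; keytool shows each CA certificate's
# fingerprint and asks for confirmation before trusting it.
set -eu
KEYSTORE="${KEYSTORE:-ssl.keystore}"

# Read `keytool -list` output on stdin and print the entry type stored under
# an alias: PrivateKeyEntry (key pair with its certificate chain) or
# trustedCertEntry (a certificate only). Exit status 1 if the alias is absent.
entry_type() {  # $1=alias
    awk -v a="$1" 'index($0, a ", ") == 1 && match($0, /[A-Za-z]+Entry/) {
        print substr($0, RSTART, RLENGTH); found = 1 } END { exit !found }'
}

# Steps 2 and 3: root, then (optionally) intermediate, as trusted entries.
import_ca_cert() {  # $1=alias (root|intermediate) $2=DER file $3=store password
    keytool -importcert -v -trustcacerts -alias "$1" -file "$2" \
        -keystore "$KEYSTORE" -storepass "$3"
}

# Step 4: the server certificate goes in under the key-pair alias, so keytool
# treats it as the reply to the CSR and attaches it to the PrivateKeyEntry.
# Under any other alias it becomes a separate trustedCertEntry that the
# server never presents; the check below turns that mistake into an error.
import_server_cert() {  # $1=key-pair alias $2=DER file $3=store password
    keytool -importcert -v -trustcacerts -alias "$1" -file "$2" \
        -keystore "$KEYSTORE" -storepass "$3"
    keytool -list -keystore "$KEYSTORE" -storepass "$3" \
        | entry_type "$1" | grep -qx PrivateKeyEntry
}

# Constructed sample of `keytool -list` output, for exercising entry_type
# offline (fingerprints omitted).
SAMPLE_LIST='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Feb 14, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): (omitted)
keys, Feb 14, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): (omitted)'
```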

    2.1.2.2 Import the Signed Certificate in PKCS #12 Format

    Import the CA signed certificate that you received in the Public Key Cryptography Standards (PKCS #12) format into the server keystore. Before you import, ensure that the signed certificate keystore (PKCS #12) file contains the following certificates and a key:

    • Root Certificate
    • [Optional] Intermediate Certificate
    • Signed Server Certificate
    • Private Key

    Follow these steps:

    1. Open a command prompt window in the Enterprise Management server and navigate to the following directory:

      ACServerInstallDir/jdk1.7.0/bin

    2. Import the PKCS #12 file into the keystore using the keytool command in the following format:

      keytool -importkeystore {-srckeystore file.p12} {-destkeystore keystore.jks} {-srcstoretype pkcs12} {-deststoretype jks} {-alias original_alias} {-destalias new_alias} {-deststorepass password} {-destkeypass same_password}

      • -importkeystore

        Imports the PKCS #12 file into a keystore.

      • -srckeystore

        Specifies the name of the source keystore (PKCS #12) file that contains the CA signed certificates and a key.

      • -destkeystore

        Specifies the name of the destination keystore (JKS) file where you import the source keystore file.

      • -srcstoretype

        Specifies the file type of the source keystore.

      • -deststoretype

        Specifies the file type of the destination keystore.

      • -alias

        Specifies a character string that uniquely identifies the signed server certificate in the source keystore.

      • -destalias

        Specifies a character string that uniquely identifies a key pair within a destination keystore.

      • -deststorepass

        Specifies the password that protects the destination keystore.

      • -destkeypass

        Specifies the password that protects the key pair in the destination keystore.

      Note: The deststorepass and the destkeypass must be the same; otherwise, the server fails to start (see Server Startup Fails).

      The keytool utility starts.

    3. Type the source keystore password.

    A source (PKCS #12) file is imported into a destination keystore.

    Example to Import a Signed Server Certificate:

    The following command imports pkcs.p12 with alias servercert into the ssl.keystore.

    keytool -importkeystore -srckeystore pkcs.p12 -destkeystore ssl.keystore.jks -srcstoretype pkcs12 -deststoretype jks -alias servercert -destalias keys -deststorepass secret -destkeypass secret

    2.1.2.2.1 Server Startup Fails

    Symptoms:

    When you start the Enterprise Management server after importing the trusted certificate in PKCS #12 format, the following error message appears:

    Cannot recover key at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394).

    Solution:

    Ensure that the destination key password (destkeypass) and the destination keystore password (deststorepass) are the same.
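
The key-pair, CSR and PKCS #12 import steps (2.1, 2.1.1 and 2.1.2.2) as one non-interactive POSIX shell script, added here as an example rather than CA's own tooling; it assumes keytool is on PATH and uses the article's alias keys and keystore ssl.keystore, passing -dname, -storepass and -keypass so keytool asks no questions. The passwords_match guard refuses a PKCS #12 import whose store and key passwords differ, which is the cause of the startup failure described above.

```shell
#!/bin/sh
# Added example (not CA ControlMinder's own script). Assumes keytool is on PATH
# and uses the article's names: keystore ssl.keystore, key-pair alias "keys".
set -eu

KEYSTORE="${KEYSTORE:-ssl.keystore}"
ALIAS="${ALIAS:-keys}"

# Build the -dname value from the answers keytool would otherwise prompt for
# (2.1 step 4). CN must be the DNS name of the Enterprise Management server.
build_dname() {  # $1=DNS name $2=org unit $3=org $4=city $5=state $6=country
    printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Keystore password and key password must be identical (2.1 step 5 note);
# a mismatch after the PKCS #12 import is what produces "Cannot recover key".
passwords_match() {  # $1=store password $2=key password
    [ "$1" = "$2" ]
}

# 2.1: RSA 2048 key pair plus a 180-day self-signed certificate, no prompts.
gen_keypair() {  # $1=password (used for both store and key) $2=dname
    keytool -genkeypair -v -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -keystore "$KEYSTORE" -validity 180 -dname "$2" \
        -storepass "$1" -keypass "$1"
}

# 2.1.1: PKCS #10 request for the same alias, then print it for review
# before it is submitted to the CA.
gen_csr() {  # $1=password $2=output file, e.g. newcert_request.csr
    keytool -certreq -v -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$1" -file "$2"
    keytool -printcertreq -file "$2"
}

# 2.1.2.2: import the CA-issued PKCS #12 under the key-pair alias. keytool
# prompts for the source keystore password (step 3 of the article).
import_p12() {  # $1=.p12 file $2=alias in .p12 $3=dest store pass $4=dest key pass
    if ! passwords_match "$3" "$4"; then
        echo "refusing import: deststorepass and destkeypass differ" >&2
        return 1
    fi
    keytool -importkeystore -srckeystore "$1" -srcstoretype pkcs12 \
        -alias "$2" -destkeystore "$KEYSTORE" -deststoretype jks \
        -destalias "$ALIAS" -deststorepass "$3" -destkeypass "$4"
}
```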

    2.1.3 Verify the Trusted Certificate

    After you import the trusted certificate into the server keystore, access Enterprise Management through a browser. If the import succeeded, the browser reports no certificate error.
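
An automated version of this check, added as an example that is not part of the CA article: it reads the chain the Enterprise Management server actually presents and fails on the error codes an incomplete import produces. It assumes OpenSSL 1.1 or later on PATH; the host name, HTTPS port and CA bundle (root plus intermediate in PEM form) are parameters, because the article does not fix them.

```shell
#!/bin/sh
# Added example (not CA ControlMinder's own script): checks what the server
# presents after the import, instead of relying on the absence of a browser
# warning. Assumes OpenSSL 1.1 or later on PATH; host and port are parameters.
set -eu

# Extract the numeric verify code from `openssl s_client` output; 0 means the
# presented chain validated against the CA bundle given to s_client.
verify_code() {
    sed -n 's/^Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Succeeds only for code 0. Typical failures after an incomplete import:
# 18 (self signed certificate) means the old certificate is still served,
# 21 (unable to verify the first certificate) means the intermediate is missing.
chain_ok() {
    [ "$(verify_code)" = 0 ]
}

# Live check: chain against the CA bundle, host name in the certificate against
# the DNS name entered as CN in 2.1, and at least 30 days of validity left.
verify_server() {  # $1=Enterprise Management host name $2=HTTPS port $3=CA bundle (PEM)
    out=$(openssl s_client -connect "$1:$2" -servername "$1" -verify_hostname "$1" \
            -CAfile "$3" </dev/null 2>/dev/null) || true
    if ! printf '%s\n' "$out" | chain_ok; then
        printf '%s\n' "$out" | grep '^Verify return code' >&2 || echo "no TLS response" >&2
        return 1
    fi
    if ! printf '%s\n' "$out" | openssl x509 -noout -checkend 2592000 >/dev/null; then
        echo "certificate expires within 30 days; renew before it lapses" >&2
        return 2
    fi
    echo "chain, host name and validity OK for $1:$2"
}

# Constructed s_client fragments for exercising the parser offline.
SAMPLE_OK='subject=CN = em.example.com
Verify return code: 0 (ok)'
SAMPLE_SELF_SIGNED='subject=CN = em.example.com
Verify return code: 18 (self signed certificate)'
```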

    3.0 Copyright

    This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the "Documentation") is for your informational purposes only and is subject to change or withdrawal by CA at any time.

    This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be disclosed by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and CA governing your use of the CA software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and CA.

    Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

    The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

    TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

    The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.

    The manufacturer of this Documentation is CA.

    Provided with "Restricted Rights." Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

    Copyright © 2014 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.