Example of creating a working directory in Qshell and changing to it: /home/agavecerts2016 (all keytool commands below are run from this directory).
Step 1: Create the client certificate keystore agave.keystore (the keystore password is: inform)

keytool -genkey -alias agave -keyalg RSA -keystore agave.keystore -keysize 2048

Prompts and answers:

Enter keystore password: inform
Re-enter new password: inform
What is your first and last name?
  [Unknown]: inFORM Decisions
What is the name of your organizational unit?
  [Unknown]: inFORM Decisions
What is the name of your organization?
  [Unknown]: inFORM Decisions
What is the name of your City or Locality?
  [Unknown]: Rancho Santa Margarita
What is the name of your State or Province?
  [Unknown]: California
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=inFORM Decisions, OU=inFORM Decisions, O=inFORM Decisions, L=Rancho Santa Margarita, ST=California, C=US correct?
  [no]: yes

Step 2: Create a certificate signing request and send the file agave.csr in /home/agavecerts2016 to ADP, asking them to sign it. ADP will return a .der file; rename it to agave.der.

keytool -certreq -alias agave -file agave.csr -keystore agave.keystore

Step 3: Import the certificates into the keystore file. Put agave.der (the client certificate) and all ADP server CA certificates into the folder /home/agavecerts2016. In Qshell, change to this directory so that it is the current directory.

Import the ADP CA certificates into agave.keystore in the proper order: Root CA, then Intermediate CA, then User CA.

Import a server CA certificate:
keytool -import -v -trustcacerts -alias serverCA -file serverCA.der -keystore agave.keystore

Import the client certificate:
keytool -import -v -trustcacerts -alias agave -file agave.der -keystore agave.keystore
(If the certificate is already in the keystore, do not overwrite it; leave it as it is.)

Step 4: Import the newly signed client certificate (.der file) and the server CA certificates into the JRE cacerts truststore (the cacerts password is changeit):

keytool -import -v -trustcacerts -alias serverCA -file serverCA.der -keystore <$JAVA_HOME>/lib/security/cacerts -storepass changeit
keytool -import -v -trustcacerts -alias agave -file agave.der -keystore <$JAVA_HOME>/lib/security/cacerts -storepass changeit

Note: the client and server certificates must be imported into both the .keystore file and the cacerts file, using the same commands.

Use the command ESNDFILURL with these parameters:
KEYSTORE('/home/agavercerts/agave.keystore') KSPASS('inform') TRUSTSTORE('<$JAVA_HOME>/lib/security/cacerts') TSPASS('changeit') KSALIAS('agave')

Use the command ERCVFILURL with these parameters:
KEYSTORE('/home/agavercerts/agave.keystore') KSPASS('inform') TRUSTSTORE('<$JAVA_HOME>/lib/security/cacerts') TSPASS('changeit')

Some properties used in the programs:
com.ifd.sendreceive.ssl.version=TLS -> if not specified, TLS is the default value
javax.net.ssl.trustStore -> points to the cacerts file; if specified, it overrides the TRUSTSTORE parameter

Useful commands:
+ View the alias names in the keystore and make sure that the alias agave is in the list:
keytool -list -v -keystore agave.keystore
OR
keytool -list -v -keystore agave.keystore -alias agave
+ List the trusted CA certificates; the ADP server certificates must be present in this file:
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
+ Import a new CA into the trusted certificates:
keytool -import -trustcacerts -file /path/to/ca/ca.der -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts
Note: Back up your agave.keystore and <$JAVA_HOME>/lib/security/cacerts files. The next time you upgrade the system, you only need to restore these files.
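The following script is an added example and is not part of the original page or of the inFORM Decisions commands; it wraps Steps 3 and 4 and the "Useful commands" checks in reusable Qshell/POSIX sh functions. It assumes keytool is on PATH, that the CA files are passed in chain order (Root CA, Intermediate CA, User CA), and it uses hypothetical file names (rootCA.der, intermediateCA.der, userCA.der), a hypothetical alias prefix (adpca) and a backup suffix that are not on the page. Because the imports run with -noprompt, the interactive "Trust this certificate?" check for a root CA is skipped; compare the root's fingerprint with the one ADP gave you (keytool -printcert -file rootCA.der) before running it.

```shell
#!/bin/sh
# Added example, not the page's own code. Helpers for the keystore/truststore
# steps on the page, written for Qshell/POSIX sh. Assumes keytool on PATH.

# alias_exists KEYSTORE STOREPASS ALIAS -> exit 0 if ALIAS is in KEYSTORE
alias_exists() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# import_if_absent KEYSTORE STOREPASS ALIAS CERTFILE
# Imports CERTFILE under ALIAS unless ALIAS already exists, which is the
# page's rule ("if the certificate was there, do not override it").
import_if_absent() {
    ks=$1; pass=$2; al=$3; cert=$4
    if alias_exists "$ks" "$pass" "$al"; then
        echo "skip: alias '$al' already in $ks"
        return 0
    fi
    keytool -import -v -trustcacerts -noprompt -alias "$al" -file "$cert" \
        -keystore "$ks" -storepass "$pass" >/dev/null 2>&1 || return 1
    echo "imported: $cert as '$al' into $ks"
}

# import_chain KEYSTORE STOREPASS ALIASPREFIX FILE...
# Imports CA files in the order given (root first) so that each certificate
# can be checked against the one imported before it. Aliases become
# PREFIX1, PREFIX2, ... (hypothetical naming, not from the page).
import_chain() {
    ks=$1; pass=$2; prefix=$3; shift 3
    n=0
    for f in "$@"; do
        n=$((n + 1))
        import_if_absent "$ks" "$pass" "$prefix$n" "$f" || return 1
    done
}

# backup_store FILE -> copies FILE to FILE.bak-YYYYMMDD (the page's note says
# to keep a backup of agave.keystore and cacerts for the next upgrade)
backup_store() {
    [ -f "$1" ] || return 1
    cp "$1" "$1.bak-$(date +%Y%m%d)"
}

# verify_setup KEYSTORE KSPASS TRUSTSTORE TSPASS CLIENTALIAS CAALIAS
# The checks the page's "Useful commands" do by hand: the client alias is in
# the keystore, and the CA alias is in both the keystore and the truststore.
verify_setup() {
    alias_exists "$1" "$2" "$5" || { echo "missing $5 in $1"; return 1; }
    alias_exists "$1" "$2" "$6" || { echo "missing $6 in $1"; return 1; }
    alias_exists "$3" "$4" "$6" || { echo "missing $6 in $3"; return 1; }
    echo "ok"
}

# Usage from Qshell in /home/agavecerts2016 (file names are hypothetical):
#   . ./certs.sh
#   backup_store agave.keystore
#   backup_store "$JAVA_HOME/lib/security/cacerts"
#   import_chain agave.keystore inform adpca rootCA.der intermediateCA.der userCA.der
#   import_if_absent agave.keystore inform agave agave.der
#   import_chain "$JAVA_HOME/lib/security/cacerts" changeit adpca rootCA.der intermediateCA.der userCA.der
#   import_if_absent "$JAVA_HOME/lib/security/cacerts" changeit agave agave.der
#   verify_setup agave.keystore inform "$JAVA_HOME/lib/security/cacerts" changeit agave adpca1
```

Passing -storepass on the command line keeps the functions non-interactive, but the password is then visible in the shell history and process list of the job; on a shared system, run the script from a file with restricted authority rather than typing the passwords into Qshell.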