Importing Server Certificates from Another Machine Accept the default settings on the next page, and Save the file with an extension of. Right-click on in and select Export, then "Export Certificate Chain". Locate the appliance certificate, which should be called "swivel" if you have created it using the CMI. When asked for a password, it is "lockbox". Click on "Open an existing KeyStore", and locate the keystore you have just downloaded. Install it, if you have not already done so, and run it. To extract the certificate, you will need Keystore Explorer, mentioned above. The file you need to retrieve is /home/swivel/.keystore. If you use WinSCP, use the same credentials as you normally do to connect to the Appliance console. For this, you can either use Webmin, or an application such as WinSCP. It is generally simpler to take a copy of the Appliance certificate store to your local machine and work on it there. This may be required where the certificate is site certificate and is to be used elsewhere. DNS name for the Swivel instance, usually the public IP addressĮxporting the Certificate from the Appliance.The one we recommend is Keystore Explorer. Some of the solutions below require a tool to manipulate Java keystores.Importing certificates from another machineįurther information on SSL certificates with appliances can be found in the SSL Certificate PINsafe Appliance How to Guide, and for non appliance installations see Tomcat 6 SSL.This document discusses problems people have when using HTTPS and SSL certificates within Swivel: 6.1 Wildcard certificate import problem checks.4.4.5 Copy the keystore on to the Swivel Appliance.4.4.4 An alternative method of importing PFX files.4.4.3 Convert the keystore into a JKS keystore.4.4.2 Import the PFX into KeyStore Explorer.4.3.3 Install the PFX file as the new certificate.4.3.2 Transfer the PFX file to the appliance.4 Importing Server Certificates from Another Machine.3 Exporting the Certificate from the Appliance.You’d rarely need to do what I’ve shown above, but in case you have to, I hope the hints above were useful. Of course, if you have to do very specific or odd stuff, you’ll have to revert to the command line, but for most operation,s the UI is sufficient (unless you have to automate it, in which case, obviously, use the CLI). It is a great tool that makes working with keys and keystores easy and predictable, as opposed to command-line tools like keytool and OpenSSL, which I’m sure nobody is able to use without googling every single command. You’ve noticed my preference for keytool-explorer. This is straightforward through the keystore-explorer UI, and much less easily through the command line. For example, when it comes to timestamping, the extension file looks like this: extendedKeyUsage=critical,timeStampingĪfter that, “simply” create a new keystore and import the private key and the newly generated certificate. The extfile.cnf is optional and is used if you want to specify extensions. So, you need to use OpenSSL: x509 -req -days 3650 -in req.csr -signkey private.key -sha256 -extfile extfile.cnf -out result.crt And you can’t remove the certificate and generate a new one. If you try to sign the request with your existing keystore keypair, the current certificate is used as the root of the chain (and you don’t want that). The last two steps seem to be not straightforward with keytool or keystore explorer. Import the certificate in the store to replace the old (expired) one.Sign the request with the private key (i.e.Make a certificate signing request ( with keytool or through the keystore-explorer UI).Export the private key ( with keytool & openssl or through the keystore-explorer UI, which is much simpler). In order to reuse the private key to have a new, longer certificate, you need to do the following: Even with my favorite tool, keystore explorer, it’s not immediately possible. This sounds like something that should be easy to do, but it turns it isn’t that easy with keytool. However, you can have a new certificate with the same private key and a longer period. This is useful mostly for testing and internal systems but is still worth mentioning.Įxtending certificates is generally not possible – once they expire, they’re done. And after the certificate in initially generated JKS file expires, you have few options – either generate an entirely new keypair or somehow “extend” the existing certificate. Sometimes, you don’t have a PKI in place but you still need a key and a corresponding certificate to sign stuff (outside of the TLS context).
0 Comments
Leave a Reply. |