Difference between revisions of "Managing SSL Certificates"

From AgileApps Support Wiki
imported>Aeric
 
(16 intermediate revisions by one other user not shown)
Line 1: Line 1:
===Managing SSL Certificates===
<includeonly>===Managing SSL Certificates===</includeonly>
 
====Obtaining an SSL Certificate====
====Obtaining an SSL Certificate====
The platform provides a default self-signed certificate which is used by the Application Server.
The platform provides a default self-signed certificate which is used by the Application Server.
Line 9: Line 8:


'''To create a Certificate Signing Request (CSR)'''
'''To create a Certificate Signing Request (CSR)'''
#Create a keystore and a private key:
:1. Create a keystore and a private key:
#:<tt>cd {install_dir}/tomcat/conf/RN</tt>
::{|
#:<pre>keytool -genkey -alias tomcat -keyalg RSA -keystore {keystore_filename}</pre>
<pre>cd {install-dir}/profiles/IS_default/configuration/tomcat/conf/RN
#Create a CSR from the keystore
 
#:<pre>keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore {keystore_filename}</pre>
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore {keystore_filename}</pre>
#The result is a file: <tt>certreq.csr</tt>, which can be submitted to the CA
|}
 
:2. Create a CSR from the keystore
::{|
<pre>keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr  
        -keystore {keystore_filename}
</pre>
|}
 
:3. Submit the resulting file, <tt>certreq.csr</tt>, to the CA to obtain a certificate.<br>(When the certificate arrives, you are ready for the next step of steps.)
 
'''To Install the Certificate Obtained from the CA'''
 
Once you have obtained a certificate, you need to import it into the keystore.


Once you have obtained a certificate from the CA, in addition to your certificate, the CA might provide an Chain/Root Certificate, which must be installed/imported into the keystore created in the previous section.
But first, in addition to your certificate, the CA might provide a Chain/Root Certificate, which must also be imported. If you have received a chain certificate from the CA, then:
:1. Copy the contents of the chain certificate into a file called <tt>chain</tt>


'''To Install the Certificate'''
:2. Import the chain certificate into your keystore:
::{|
<pre>keytool -import -alias root -keystore {keystore_filename}
        -trustcacerts -file chain
</pre>
|}


*If you have received the chain certificate from the (CA), complete #1 - #3:
When the chain certificate (if any) has been imported, you are ready for the final step:
*If you have NOT received the chain certificate from the (CA), complete #3 only:


#Install/import the chain certificate: Copy the contents of the chain certificate into a file called <tt>chain</tt>
:3. Import the certificate received from the CA:
#Import the chain certificate into your keystore:
::{|
#:<pre>keytool -import -alias root -keystore {keystore_filename} -trustcacerts -file chain</pre>
<pre>keytool -import -alias tomcat -keystore {keystore_filename}  
#Import the certificate received from the CA:
        -trustcacerts -file {certificate_filename}
#:<pre>keytool -import -alias tomcat -keystore {keystore_filename} -trustcacerts -file <certificate filename ></pre>
</pre>
|}


====Replacing the Default SSL Certificate====
{{Note| If you have SSL certificate and private key, follow the below steps:


To replace the certificate:
:1. Convert the private key and certificate to PKCS#12 format using OpenSSL. Assuming you have the private key file in .key format (private.key) and the certificate file in .crt format (VMNX-AALIND22.crt), use the following command:
<pre>openssl pkcs12 -export -inkey <private.key> -in <certificate.crt> -out <keystore.p12> -name <alias>
</pre>
''The default alias is set to 1.''
:2. Replace <alias> with the desired alias for the key entry.
:3. Import the PKCS#12 file into the Java keystore using the keytool command:
<pre>keytool -importkeystore -srckeystore <keystore.p12> -srcstoretype PKCS12 -destkeystore <keystore.jks> -destalias <alias>
</pre>
:4. Replace <alias> with the alias used in the previous step.
5. Enter the appropriate passwords when prompted, including the source keystore password for the PKCS#12 file and the destination keystore password for the Java keystore.
:6. Once you have successfully completed these steps, the certificate and private key should be imported into the Java keystore with the specified alias.
}}


#Add the new certificate to this directory:
====To update a Customer SSL Certificate in AgileApps====
#:<tt>{install_dir}/tomcat/conf/RN</tt>
:1. Stop the Application server.
#Edit <tt>{install_dir}/tomcat/conf/server.xml</tt> file
:2. Update '''keystoreFile''' and '''keystorePass''' values in “com.softwareag.catalina.connector.https.pid-agileappsHttps-8284.properties” file available under
#Replace the following line:
::'''{install-dir}/profiles/IS_default/configuration/com.softwareag.platform.config.propsloader''' folder.
#:<tt>keystoreFile="conf/RN/thirdParty" keystorePass="algrsa"</tt>
{{Note|The '''keystorePass''' value provided by you in plain text is encrypted automatically when you restart the AgileApps application server.}}
#::with:
:3. After updating the properties, place the certificate in the '''{install-dir}/profiles/IS_default/configuration/tomcat/conf''' folder.                               
#::<tt>keystoreFile="conf/RN/your_certficate_file_name"</tt>
:4. Restart the memcached server and start the AgileApps application server.
#::<tt>keystorePass="your_password_for_certificate_store"</tt>
#Save the file
#Restart the application server


The Application Server will now use your certificate file for communication over https.


====Learn More====
====Learn More====
* Certificate Signing Request (CSR) Generation Instructions-Tomcat, at
* Certificate Signing Request (CSR) Generation Instructions-Tomcat, at<br>https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR227
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR227
{{#if: {{ShowIsvInfo}} |
<noinclude>
<noinclude>


[[Category:Installation]]
[[Category:Installation]]
</noinclude>
</noinclude>
}}
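Review bot: In the Note added under "Replacing the Default SSL Certificate", the `keytool -importkeystore` command passes `-destalias <alias>` without `-srcalias`, and keytool only accepts a destination alias when a source alias is named. Add `-srcalias <alias>`, using the name given to `openssl pkcs12 -export -name`. In the same hunk, step 5 of that Note lacks the leading `:` that steps 1 to 4 and 6 carry. Step 3 of the update procedure says to place "the certificate" in `.../tomcat/conf`, while the keystore was created under `.../tomcat/conf/RN` and the property being set is keystoreFile. State which file and which folder are meant.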

Latest revision as of 10:08, 30 May 2023

Obtaining an SSL Certificate

The platform provides a default self-signed certificate which is used by the Application Server.

To obtain and install your own SSL Certificate, make a request to a Certificate Authority (CA). An SSL certificate authenticates a website to a web browser, as part of a security protocol that manages secure data exchange.

The CA will accept your Certificate Signing Request and generate a certificate which identifies your website as a secured website.

To create a Certificate Signing Request (CSR)

1. Create a keystore and a private key:
cd {install-dir}/profiles/IS_default/configuration/tomcat/conf/RN

keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore {keystore_filename}
2. Create a CSR from the keystore
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr \
        -keystore {keystore_filename}
3. Submit the resulting file, certreq.csr, to the CA to obtain a certificate.
(When the certificate arrives, you are ready for the next set of steps.)

To Install the Certificate Obtained from the CA

Once you have obtained a certificate, you need to import it into the keystore.

But first, in addition to your certificate, the CA might provide a Chain/Root Certificate, which must also be imported. If you have received a chain certificate from the CA, then:

1. Copy the contents of the chain certificate into a file called chain
2. Import the chain certificate into your keystore:
keytool -import -alias root -keystore {keystore_filename} \
        -trustcacerts -file chain

When the chain certificate (if any) has been imported, you are ready for the final step:

3. Import the certificate received from the CA:
keytool -import -alias tomcat -keystore {keystore_filename} \
        -trustcacerts -file {certificate_filename}


Note: If you already have an SSL certificate and private key, follow the steps below:

1. Convert the private key and certificate to PKCS#12 format using OpenSSL. Assuming you have the private key file in .key format (private.key) and the certificate file in .crt format (VMNX-AALIND22.crt), use the following command:
openssl pkcs12 -export -inkey <private.key> -in <certificate.crt> -out <keystore.p12> -name <alias>

The default alias is set to 1.

2. Replace <alias> with the desired alias for the key entry.
3. Import the PKCS#12 file into the Java keystore using the keytool command:
keytool -importkeystore -srckeystore <keystore.p12> -srcstoretype PKCS12 -destkeystore <keystore.jks> -srcalias <alias> -destalias <alias>
4. Replace <alias> with the alias used in the previous step.

5. Enter the appropriate passwords when prompted, including the source keystore password for the PKCS#12 file and the destination keystore password for the Java keystore.

6. Once you have successfully completed these steps, the certificate and private key should be imported into the Java keystore with the specified alias.
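
A pre-flight check for the conversion steps above, as an added example that is not part of the original page: it confirms that the private key belongs to the certificate and that the certificate has not expired before building the PKCS#12 bundle, then reads back the alias that keytool will see. The function names, the P12_PASS variable and the throwaway demo key material are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks before "openssl pkcs12 -export".
# Function names and the P12_PASS variable are hypothetical, not from the page.

# Return 0 only when the private key ($1) and certificate ($2) share one public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Build the PKCS#12 bundle: build_p12 KEY CERT OUT ALIAS
# The export password is read from $P12_PASS so it never appears in argv.
build_p12() {
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 2; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 3; }
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -name "$4" \
        -passout env:P12_PASS
}

# Print the alias (friendlyName) that keytool will see for the entry in bundle $1.
p12_alias() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
        sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Demo on constructed, throwaway material (self-signed, not a CA-issued certificate).
tmp=$(mktemp -d)
P12_PASS=changeit; export P12_PASS   # constructed sample password
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=agileapps.example.test" \
    -keyout "$tmp/private.key" -out "$tmp/certificate.crt" 2>/dev/null
openssl genrsa -out "$tmp/other.key" 2048 2>/dev/null   # unrelated key

build_p12 "$tmp/private.key" "$tmp/certificate.crt" "$tmp/keystore.p12" tomcat &&
    echo "bundle alias: $(p12_alias "$tmp/keystore.p12")"
build_p12 "$tmp/other.key" "$tmp/certificate.crt" "$tmp/bad.p12" tomcat ||
    echo "mismatched key rejected, no bundle written"
```

The alias printed by p12_alias is the value to use for <alias> in the keytool -importkeystore step.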

To update a Customer SSL Certificate in AgileApps

1. Stop the Application server.
2. Update the keystoreFile and keystorePass values in the “com.softwareag.catalina.connector.https.pid-agileappsHttps-8284.properties” file, which is located in the {install-dir}/profiles/IS_default/configuration/com.softwareag.platform.config.propsloader folder.


Note: The keystorePass value that you provide in plain text is encrypted automatically when you restart the AgileApps application server.

3. After updating the properties, place the certificate in the {install-dir}/profiles/IS_default/configuration/tomcat/conf folder.
4. Restart the memcached server and start the AgileApps application server.


Learn More