Veritas Access Software-Defined Storage (SDS) Management Platform Solutions Guide

Last Published:
Product(s): Access (7.4)
Platform: Linux
  1. Introduction
     1. About Veritas Access
     2. About the SDS Management Platform
  2. Deploying the SDS Management Platform with Veritas Access
     1. Deploying the SDS Management Platform
  3. Using the SDS Management Platform interface
     1. Using the SDS Management Platform launchpad
     2. Using the Infrastructure application
     3. Using the Long Term Retention Storage (LTR) application
     4. Operation icons on the SDS Management Platform interface
  4. Setting up SSL in the SDS Management Platform
     1. About setting up SSL in the SDS Management Platform
     2. Generating and installing a new certificate
     3. Creating and upgrading a trust store
  5. Performing authentication
     1. Authentication modules
     2. Certificate-based client authentication
  6. System backup and restore
     1. About system backup and restore
     2. Automatic backups
     3. Manual backups
  7. Troubleshooting
     1. Log locations
     2. Diagnostic reports
     3. Java Virtual Machine (JVM) parameters
     4. SDS Management Platform known issues
        1. If multiple bucket creation requests with different inputs for attributes such as size and layout are in progress in parallel, then a bucket can get created with incorrect attributes
        2. When editing a storage resource or backup server, an Advanced button is available that shows options that you should not change
        3. If you add a Veritas Access cluster where the host includes the protocol (such as, https://10.20.30.40), the provider gets added and collects data but running the LTR workflow fails
        4. When you create a bucket, the status of the task appears as DONE, even though the creation is still in progress
        5. Clicking on a non-mapped Veritas Access cluster directs you to an empty wiki page which shows a table and some data
        6. If you restart the operating system, the SDS Management Platform does not start automatically
        7. When you add a storage resource or backup server, the added resource is not automatically visible
        8. After the SDS log is rotated, the log messages from either Veritas Access or the SDS plugin go to the rotated file instead of the new file
        9. Some of the storage resources may appear as faulted and a warning sign appears next to the cluster IP address in the Infrastructure > Storage Resources page
        10. Creation of STU fails if the S3 user is changed
     5. Software limitations

Generating and installing a new certificate

You can generate certificates in many different ways. Veritas recommends using KeyStore Explorer, a graphical tool for managing Java keystores that covers the same operations as the Java Keytool. You can also use the Java Keytool directly from the command line.

Using KeyStore Explorer to generate a new certificate

You can generate and install a new certificate in the SDS Management Platform using the KeyStore Explorer.

To generate and install a new certificate with the KeyStore Explorer

  1. Open the KeyStore Explorer.
  2. You are prompted to select the type of the new KeyStore. Select JKS. Click OK.
  3. Generate a new key pair. Right-click > Generate Key Pair.

    It is recommended to use RSA with a size of at least 2048 bits.

  4. Configure the certificate settings.
    • It is recommended to use SHA256 with RSA (or stronger) as the signature algorithm. Modern browsers reject certificates signed with MD5 or SHA-1.

    • Choose a suitable validity period.

    • A serial number is generated automatically.

    • Give a suitable name. Click on the address book icon to add name entities.

  5. Add Subject Alternative Names (SANs).

    As described in RFC 2818, matching the host name against the certificate's Common Name (CN) is deprecated and the Subject Alternative Name (SAN) extension should be used instead; current browsers ignore the CN entirely. To add it, click Add Extensions in the certificate settings dialog, add an extension with the plus icon and choose Subject Alternative Name as the extension type. In the dialog, add at least one DNS entry that matches the host name used to access the SDS Management Platform. If users also connect by IP address, add an IP entry for it as well, because an address is not matched against DNS entries.

  6. Enter the alias.

    Veritas recommends using jetty as the alias though this is not strictly required. You can externally configure the actual alias that is used by the web server.

  7. Enter the key pair password.

    Note:

    The password of the keystore and the key need to be the same. config.prop carries a single password (httpKeyStorePassword), which is used to open both the keystore and the key inside it.

  8. Check the certificate details. Double-click on the key pair in the list to see its properties. Also check that the Subject Alternative Names are visible in the extensions.
  9. Generate CSR. Right-click on the certificate -> Generate CSR.
  10. Send the CSR to a certificate authority and let it be signed.
  11. Import the CSR response. Right-click on the certificate-> Import CA Reply > From File.

    Note:

    If your CA is not globally trusted (for example, if you see an error message such as, Could not establish trust while importing the CA reply), you need to import the CA certificate as a trusted certificate. Right-click > Import trusted certificate.

  12. Save the keystore (for example, mykeystore) and use the same password that you used for the key.

    Once the keystore is created, it can be activated as follows:

    • Place the keystore into the etc folder of the installation (example, etc/mykeystore).

    • Adjust the config.prop settings (fluidops is only the sample value; use the password you chose when saving the keystore):

      httpKeyStore=etc/mykeystore
      httpKeyStorePassword=fluidops

    The password is stored in clear text in config.prop, so restrict read access to that file, and to the keystore itself, to the account the SDS Management Platform runs as.

The key for the RMI communication can be generated and installed accordingly. The key (or the CA that signed it) has to be part of the corresponding trust store to establish the SSL trust.

Using the Java Keytool to generate a new certificate

The Java Keytool is a command-line tool for certificate management that is bundled with the JDK. The SDS Management Platform bundles a JRE in the installation folder.

  • Generate keys.

    This creates a new key pair in a new or existing Java keystore, which can then be used to create a CSR and obtain an SSL certificate from a Certificate Authority (CA). The following command generates a 2048-bit RSA key pair under the specified alias (domain) in the specified keystore file (keystore); the key size is given explicitly because older keytool versions default to 1024 bits:

    keytool -genkeypair -alias <domain> -keyalg RSA -keysize 2048 -keystore keystore

    If the specified keystore does not already exist, it is created after the requested information is supplied. You are prompted for the keystore password (new or existing), followed by a Distinguished Name prompt (for the private key), then the desired private key password. For the SDS Management Platform, the key password must be the same as the keystore password.

    If you want the certificate to cover more than the common name, such as additional host names or IP addresses, use the keytool's SAN (Subject Alternative Names) extension. Clients match the host name against the SAN entries rather than the common name, so include at least the name under which the platform is reached:

    keytool -genkeypair -alias <domain> -keyalg RSA -keysize 2048 -keystore keystore \
      -ext SAN=dns:example.com,dns:localhost,ip:127.0.0.1
  • Generate CSR for existing private key.

    Use this method to generate a CSR that you can send to a CA to request a CA-signed SSL certificate. It requires that the keystore and alias already exist; the previous command creates them. The following command creates a CSR (domain.csr) signed by the private key identified by the alias (domain) in the keystore (keystore):

    keytool -certreq -alias <domain> -file <domain.csr> -keystore keystore

    The CSR does not inherit the SAN extension from the self-signed certificate in the keystore. Pass the same -ext SAN=... option to -certreq, or ask the CA to add the names, and in either case verify that the issued certificate contains them before you install it.

    After you enter the keystore's password, the CSR is generated.

  • Import signed or root certificate.

    Use this method to import a signed certificate, for example the CA reply for your CSR, into the keystore. The signed certificate must match the private key stored under the specified alias, so import it under the same alias (domain) that you used for -genkeypair and -certreq. The same command imports root or intermediate certificates that your CA requires to complete the chain of trust; give each of those its own unique alias, such as root or intermediate, rather than the key alias. The following command imports the certificate (domain.crt) into the keystore (keystore) under the alias (domain):

    keytool -importcert -trustcacerts -file <domain.crt> -alias <domain> \
      -keystore keystore

    You are prompted for the keystore password, and for a confirmation of the import action.

    Importing the CA reply under the key alias replaces the self-signed certificate that was created together with the key pair; the private key stays in place. Do not delete the key entry to get rid of the self-signed certificate, because that deletes the private key with it and the CA reply can no longer be imported. keytool accepts the reply only if it can build a chain to a trusted certificate: either the CA's root and intermediate certificates are already in the keystore as trusted entries, or they are in the Java truststore that -trustcacerts consults. That truststore is typically $JAVA_HOME/jre/lib/security/cacerts for Java 8 and $JAVA_HOME/lib/security/cacerts for Java 9 and later, where $JAVA_HOME is the JRE or JDK installation; the SDS Management Platform bundles its own JRE, so check which one the server actually uses. If the CA delivers the signed certificate and the intermediate certificates as separate files, either import the intermediates as trusted entries first (one alias each) or concatenate the PEM files into a single file and import that file as the reply.

  • Generate a self-signed certificate in a new or existing keystore.

    Use this command if you want a self-signed certificate, for example on a test system where no CA is involved. It is the same command that creates a new key pair, with the validity lifetime given in days (keytool's default is 90 days). The following command generates a 2048-bit RSA key pair with a self-signed certificate that is valid for 365 days, under the specified alias (domain), in the specified keystore file (keystore):

    keytool -genkeypair -alias <domain> -keyalg RSA -keysize 2048 -validity 365 \
      -keystore keystore

    -genkey is an older spelling of -genkeypair and is still accepted. Browsers and other clients do not trust a self-signed certificate until it has been added to their trust store.

    If the specified keystore does not already exist, it is created after the requested information is supplied. You are prompted for the keystore password (new or existing), followed by a Distinguished Name prompt (for the private key), then the desired private key password.

  • Import a certificate and private key from a PKCS#12 (pfx) file into the keystore.

    A PKCS#12 file, as exported from Windows or OpenSSL, already contains the private key and certificate chain, so there is no need to convert it to PEM first. keytool copies the entries straight into a JKS keystore (ECMTEST_BAP.pfx and clientcert.jks are example names):

    keytool -importkeystore -srckeystore ECMTEST_BAP.pfx -srcstoretype pkcs12 \
      -destkeystore clientcert.jks -deststoretype JKS

    You are prompted for the destination and source passwords. The entry keeps the alias it had in the PKCS#12 file; use -srcalias and -destalias to rename it, for example to jetty.
  • List the contents of a keystore.

    To list the keystore contents, use the following command:

    keytool -list -keystore keystore
    Enter keystore password:
    
    Keystore type: JKS
    Keystore provider: SUN
    
    Your keystore contains 1 entry
    
    jetty, Feb 4, 2009, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 5B:4D.....
  • You can import another certificate using either of the following commands. The first imports a CA reply or a trusted certificate under the alias jetty; the second copies the private key and certificate chain from a PKCS#12 file:

    keytool -keystore keystore -import -alias jetty -file YOURCERTIFICATE \
      -trustcacerts

    keytool -importkeystore -srckeystore YOURKEYSTORE -srcstoretype PKCS12 \
      -destkeystore keystore
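The KeyStore Explorer procedure and the keytool commands above, run end to end as one script. This is an added example and not part of the Veritas guide; it uses only keytool, stands up a throwaway CA so the CSR, CA reply and trust-store steps can be exercised offline, and ends with the checks a practitioner runs before pointing httpKeyStore at the file. The host name sds.example.com, the address 10.20.30.40 and the Example Corp names are assumed values; the alias jetty and the password fluidops are the guide's own sample values, and the password must be replaced before real use.

```shell
#!/bin/sh
# Added example, not from the Veritas guide: key pair -> CSR -> CA reply -> trust store,
# with keytool alone. Hypothetical values: sds.example.com, 10.20.30.40, Example Corp.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="sds.example.com"
IP="10.20.30.40"
STOREPASS="fluidops"               # keystore and key password must be identical (config.prop has one field)
KS="$WORK/mykeystore"               # destined for etc/mykeystore (httpKeyStore)
CA_KS="$WORK/ca.jks"                # stand-in for the corporate CA's signing key
TS="$WORK/truststore.jks"           # trust store for the RMI side / clients
SAN="SAN=dns:$HOST,ip:$IP"          # clients match SAN entries, not the CN (RFC 2818)

build_demo_keystore() {
  # 1. Server key pair: 2048-bit RSA, SHA-256 signature, SAN with DNS and IP entries.
  keytool -genkeypair -alias jetty -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 365 -dname "CN=$HOST,O=Example Corp" -ext "$SAN" \
    -keystore "$KS" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"

  # 2. CSR. The SAN is requested again: -certreq does not copy it from the self-signed certificate.
  keytool -certreq -alias jetty -file "$WORK/$HOST.csr" -ext "$SAN" \
    -keystore "$KS" -storepass "$STOREPASS"

  # 3. Throwaway CA (bc:c = critical BasicConstraints, ca:true). In production the CSR
  #    goes to the real CA and this step is theirs.
  keytool -genkeypair -alias sdsca -keyalg RSA -keysize 3072 -sigalg SHA256withRSA \
    -validity 3650 -dname "CN=Example Internal CA,O=Example Corp" -ext bc:c \
    -keystore "$CA_KS" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
  keytool -exportcert -alias sdsca -rfc -file "$WORK/ca.crt" \
    -keystore "$CA_KS" -storepass "$STOREPASS"
  # Sign the CSR. The SAN is set on the issued certificate explicitly, because a CA
  # is free to ignore extensions requested in a CSR.
  keytool -gencert -alias sdsca -infile "$WORK/$HOST.csr" -outfile "$WORK/$HOST.crt" \
    -validity 365 -rfc -ext "$SAN" \
    -keystore "$CA_KS" -storepass "$STOREPASS"

  # 4. Trust the CA first (own alias), then import the reply under the key alias.
  #    keytool replaces the self-signed certificate with the chain; the private key stays.
  keytool -importcert -noprompt -alias sdsca -file "$WORK/ca.crt" \
    -keystore "$KS" -storepass "$STOREPASS"
  keytool -importcert -noprompt -alias jetty -file "$WORK/$HOST.crt" \
    -keystore "$KS" -storepass "$STOREPASS"

  # 5. Trust store for the RMI side: the CA certificate only, never a private key.
  keytool -importcert -noprompt -alias sdsca -file "$WORK/ca.crt" \
    -keystore "$TS" -storetype JKS -storepass "$STOREPASS"
}

# Checks to run before activating the keystore in config.prop.
chain_length() {      # prints the chain length behind jetty; 2 = leaf + CA
  keytool -list -v -alias jetty -keystore "$KS" -storepass "$STOREPASS" \
    | sed -n 's/^Certificate chain length: *//p'
}
has_san() {           # succeeds if the leaf certificate names the host in its SAN
  keytool -list -v -alias jetty -keystore "$KS" -storepass "$STOREPASS" \
    | grep -q "DNSName: $HOST"
}
has_private_key() {   # succeeds if jetty is still a PrivateKeyEntry after the reply import
  keytool -list -keystore "$KS" -storepass "$STOREPASS" \
    | grep -q '^jetty,.*PrivateKeyEntry'
}
truststore_entries() {  # prints how many trusted certificates the RMI trust store holds
  keytool -list -keystore "$TS" -storepass "$STOREPASS" | grep -c 'trustedCertEntry'
}

if command -v keytool >/dev/null 2>&1; then
  build_demo_keystore
  echo "chain length: $(chain_length)"
  has_san && has_private_key && echo "$KS is ready to copy to etc/ and reference from config.prop"
else
  echo "keytool not found; use the JRE bundled with the SDS Management Platform" >&2
fi
```

The script leaves three files in $WORK: the keystore to copy to etc/mykeystore, the CA keystore (which a real deployment never has on the server) and the trust store for the RMI side. If the reply import in step 4 fails with "Failed to establish chain from reply", the CA certificate was not imported as a trusted entry first; if has_private_key fails, the key entry was deleted and the whole procedure must be repeated from step 1.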