PrinterOn KB Powered By ePRINTit USA

How to use Keystore Explorer to generate a keystore and import chain certificates into it - c06706647

Some of our components only support a Java keystore to enable SSL/TLS. This applies to PDS, PDG and PDH.

If a customer is requesting that you assist with the keystore creation process, you can use the KeyStore Explorer tool. The basic steps to create the keystore, CSR and then how to import your signed certificates into the keystore are:

Build the keystore

Building a Java KeyStore is the first step in configuring your Code42 server to use your own CA-signed SSL certificate. If you have an existing private key and corresponding X.509 certificate (referred to collectively as key materials), you can reuse them. You can also start from scratch, creating new key materials as needed. The steps are different, depending on what existing key materials you have:

You must use the same password for the keystore and the private key.

You can use any string you want for these parameters, but they must both be set to the same value. Follow the steps below if you have no private keys or certificates from a CA and need to create them from scratch.

This is the most straightforward option.

Step 1: Create a keystore, key pair, and certificate

  1. Start KeyStore Explorer.
  2. Choose Create a new KeyStore .
  3. From New KeyStore Type , choose JKS .
  4. Click OK .
  5. KeyStore Explorer New KeyStore Type dialog
  6. Generate a key pair:
    1. Select Tools > Generate Key Pair .
    2. In Generate Key Pair , choose the following algorithm selection options:
      • RSA
      • Key Size: 4096
    3. Click OK . [Generating Key Pair dialog appears, then disappears after key is generated.]
    4. From Generate Key Pair Certificate , click the Edit name icon
    5. Complete the Name fields:
      For the Common Name (CN) use the Fully Qualified Domain Name (FQDN) of your server.
    6. Click OK .
    7. Specify the domain name of your server as an alternative name. Click Add Extensions , click the + icon, and select Subject Alternative Name .
    8. In the Subject Alternative Name Extension dialog, click the + icon, select DNS Name , and in General Name Value type the domain name of your server.
    9. Click OK until you return to the Generate Key Pair Certificate dialog.
    10. In Generate Key Pair Certificate , click OK .
    11. In New Key Pair Entry Alias , enter an alias for the key pair. [The alias is pre-set to the CN set in the Name dialog.]
    12. Click OK .
    13. In New Key Pair Entry Password, enter a password, and click OK. [The Generate Key Pair dialog displays "Key Pair Generation Successful".]
  7. Key pair entry password - Save this password, and use it as the password for the entire keystore in step 9 below.
  8. Click OK . [The new key pair is displayed in the KeyStore Explorer window.]
  9. Save the keystore:
    1. From the KeyStore Explorer menu, select File > Save .
    2. The Set KeyStore Password dialog appears.
    3. Enter a password for the keystore. This password must be the same as the password for the key pair generated in step 6 above.
    4. Click OK . [The Save KeyStore As dialog appears.]
    5. Enter the name of the keystore. [This format is suggested for easy identification of your keystores: fqdn_domain_com.jks]
    6. Click Save . [Your keystore file is saved to your computer.]

Step 2: Generate and send certificate signature request

  1. Right-click the key pair entry.
  2. Choose Generate CSR . [The Generate CSR dialog appears.]
  3. (Optional) Enter additional values.
  4. Click OK . [The CSR Generation Successful dialog appears.]
  5. Click OK .
  6. Submit the generated CSR file to your certificate authority to obtain your signed certificates and root chain.

Step 3: Import signed certificates to your keystore

  1. Select Tools > Import Trusted Certificate. [The Import Trusted Certificate dialog appears.]
  2. Import your certificates starting with the root then followed by the intermediate(s).
    1. Select a certificate.
    2. Click Import . [The Import Trusted Certificate dialog appears.]
    3. Click OK . [The Certificate Details for File 'root.crt' dialog appears.]
    4. Confirm the details of your certificate, then click OK . [The Import Trusted Certificate dialog appears.]
    5. When prompted "Do you want to accept the certificate as trusted?", click Yes .
    6. In Trusted Certificate Entry Alias , enter an alias for the certificate, then click OK . [The Trusted Certificate Import Successful message appears.]
    7. Click OK .
    8. Repeat these steps for the remaining intermediate certificates.
  3. Right-click the key pair in your keystore, and choose Import CA Reply .
  4. From Import CA Reply , select the signed server certificate in X.509 format, and click Import. [The X.509 certificates often have the file extension crt, cer, or der.]
  5. From the menu bar, select File > Save to save the imported certificates to your keystore.

This content above is originally from this link and applies to the current version of KeyStore Explorer (5.3.2): https://support.code42.com/Administrator/5/Configuring/Create_a_signed_keystore_with_the_KeyStore_Explorer#Step_1:_Create_a_keystore.2C_key_pair.2C_and_certificate