Merianstraße 30, 44801 Bochum

Manage SSL/TLS certificates?

We have since published a new white paper on this topic; this article may contain outdated information.

Requirements #

  • a current Genius Server installed on a VM
  • administrative permissions in the environment
    (some tasks may require help from a domain administrator)
  • KeyStore Explorer

Objective #

  • configure Genius Server to use SSL/TLS when it establishes a connection as a client (e.g. LDAPS)
  • configure Genius Server to accept SSL/TLS connections as a server (e.g. HTTPS)

Solution #

  • obtain or export the CA certificate
  • create a trustStore
  • obtain or create a server certificate
  • create a keyStore
  • configure and test keyStore and trustStore in Genius Server

Example #

(If you are not allowed to install KeyStore Explorer, you can perform all steps with the Java keytool shipped with Genius Server, located in C:\Program Files\Genius CDDS Server\jdk\bin\keytool.exe.)

Export a CA certificate #

If the CA certificate is already available (e.g. from the CA administrator), skip this section. The steps below read it from the Trusted Root Certification Authorities store of the server you want to connect to, e.g. the LDAP server.

  • press START and enter mmc
  • File, Add/Remove Snap-in
  • select the Certificates snap-in, press Add and choose Computer account
  • select "Another computer" and enter the LDAP server
  • if your account does not have sufficient permissions, this step fails and you have to contact a system administrator
  • open the folder Trusted Root Certification Authorities
  • select the CA certificate that issued the LDAP server's certificate, right-click and choose All Tasks, Export
  • use the wizard's default settings (DER encoded binary X.509) to export the certificate; do not export a private key
  • note the certificate's thumbprint (Details tab) and compare it with the fingerprint KeyStore Explorer shows after the import, so you are sure you trust the right CA

Create a trustStore #

  • install and start KeyStore Explorer
  • File, New, KeyStore Type: JKS
  • Tools, Import Trusted Certificate
  • import the CA certificate from the previous step
  • save the keyStore file, choose a password and use a file name which indicates that this is a trustStore, e.g. trustStore.jks
  • If the certificate of the server you want to connect to was issued by a so-called intermediate CA, importing only this intermediate certificate is not enough. You need the full chain of certificates (intermediate and root CA), each imported as a trusted certificate.

Create a server certificate #

The goal of this section is to create a server certificate with an exportable private key, issued by your internal CA. If a server certificate is already available as a PKCS #12 (.pfx) file including the private key, skip this section.

  • press START, enter cmd, right-click and run it as a user who is allowed to request certificates (most likely a domain administrator)
  • start mmc from this command prompt
  • add the Certificates snap-in for the Computer account
  • choose Local computer and confirm
  • open Personal\Certificates
  • right-click, All Tasks, Request New Certificate
  • follow the wizard to the Request Certificates screen, select the template for the computer, expand the details view and click Properties
  • on the Subject tab enter the Common Name (the FQDN) and the Alternative Names (DNS entries, e.g. the DNS short name). Enter the FQDN as a DNS alternative name as well: clients validate the host name against the Subject Alternative Name, not only against the Common Name
  • on the Private Key tab, Key options, check "Make private key exportable"
    this step is important because later the key is exported and imported into a Java keyStore so that Genius Server (GeniusMFP) can use it
  • to finish, click Enroll
  • the status should show "Succeeded"; press Finish
  • the new server certificate (a key pair of public and private key) is now displayed in Personal\Certificates
  • right-click the certificate, choose All Tasks, Export
  • follow the wizard and select "Yes, export the private key"; keep the PKCS #12 (.pfx) format and the option to include all certificates in the certification path
  • save the certificate using a password. This password has to be identical to the password used in the next section to secure the keyStore.
    Or in other words: key (certificate) and keyStore have to use the same password, because Genius Server is configured with only one keyStore password
  • complete the wizard with the default options

Create a keyStore #

  • start KeyStore Explorer
  • File, New, KeyStore Type: JKS
  • Tools, Import Key Pair, PKCS #12 (if you exported in a different format, select that format now)
  • select the exported .pfx file and enter its password
  • choose a friendly name (alias) for the key pair, e.g. the hostname; this is the alias Genius Server is configured with later
  • a password prompt appears; this password secures the private key inside the keyStore and has to be identical to the keyStore password
  • save the keyStore using the same password, e.g. as keyStore.jks; the entry should show the server certificate together with its CA chain

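The request, export and keyStore import above can also be scripted. The PowerShell below is an added example and not code from Genius Bytes or the Genius Server product: it uses certreq with a request file instead of the mmc wizard and the bundled keytool instead of KeyStore Explorer. Run it in an elevated PowerShell on the Genius Server; the FQDN and short name, the issuing CA (in "host\CA name" form, see certutil -dump), the template name, the working folder and the passwords are placeholders to replace.

```powershell
# Added example, not Genius Bytes' code. Run in an elevated PowerShell on the Genius Server.
# Assumptions: FQDN/short name, issuing CA ("host\CA name", see certutil -dump), template
# name, working folder and passwords are placeholders to replace.
$ErrorActionPreference = 'Stop'
$Fqdn      = 'gbd-wv-pho2t41.geniusbytesgmbh.local'      # CN, first SAN and keyStore alias
$ShortName = 'gbd-wv-pho2t41'                             # second SAN (assumed)
$CaConfig  = 'ca01.geniusbytesgmbh.local\GeniusBytes-CA'  # issuing enterprise CA (assumed)
$Template  = 'WebServer'                                   # template with Server Authentication EKU (assumed)
$Keytool   = 'C:\Program Files\Genius CDDS Server\jdk\bin\keytool.exe'
$Work      = 'C:\Temp\genius-tls'
$StorePass = 'ChangeMe-KeyStore-2024'   # one password for keyStore AND key entry, as Genius Server expects
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# certreq request file. MachineKeySet = TRUE stores the key in the computer store,
# Exportable = TRUE is what makes the later PFX export possible, KeyUsage 0xA0 is
# Digital Signature + Key Encipherment, and 2.5.29.17 is the Subject Alternative Name.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
FriendlyName = "$Fqdn"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
_continue_ = "dns=$ShortName&"

[RequestAttributes]
CertificateTemplate = $Template
"@
Set-Content -Path "$Work\server.inf" -Value $inf -Encoding ASCII

# Build the CSR, have the CA sign it and install the issued certificate next to its key.
# (If the template requires CA manager approval, -submit returns a pending request id;
#  fetch the certificate later with certreq -retrieve and then run -accept.)
& certreq.exe -new -q "$Work\server.inf" "$Work\server.req"
& certreq.exe -submit -q -config $CaConfig "$Work\server.req" "$Work\server.cer"
& certreq.exe -accept -q "$Work\server.cer"

# Pick the newest key pair for this subject and export it with its chain as PKCS #12
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "no certificate with private key for CN=$Fqdn in LocalMachine\My" }
$pfxPass = ConvertTo-SecureString -String $StorePass -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath "$Work\server.pfx" -Password $pfxPass `
    -ChainOption BuildChain | Out-Null

# Read the alias Windows wrote into the PFX, then import the entry into keyStore.jks under
# the FQDN so the "KeyStore cert Alias" setting in Genius Server is simply the host name.
# -destkeypass equals -deststorepass: key and keyStore must share one password.
$entry = & $Keytool -list -keystore "$Work\server.pfx" -storetype PKCS12 -storepass $StorePass |
    Where-Object { $_ -match 'PrivateKeyEntry' } | Select-Object -First 1
$srcAlias = ($entry -split ',')[0]
& $Keytool -importkeystore -noprompt `
    -srckeystore "$Work\server.pfx" -srcstoretype PKCS12 -srcstorepass $StorePass -srcalias $srcAlias `
    -destkeystore "$Work\keyStore.jks" -deststoretype JKS -deststorepass $StorePass `
    -destalias $Fqdn -destkeypass $StorePass

# Check: a PrivateKeyEntry under the expected alias, with the issuing chain attached
& $Keytool -list -v -keystore "$Work\keyStore.jks" -storepass $StorePass -alias $Fqdn |
    Select-String -Pattern 'Alias name|Entry type|Certificate chain length|Owner:|Issuer:'
```

The last command should report one entry of type PrivateKeyEntry and a chain length greater than 1; a chain length of 1 means the PFX did not contain the CA certificates and the chain will have to be completed in KeyStore Explorer. Replace the plaintext passwords with Read-Host -AsSecureString or a vault in anything beyond a one-off setup.
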
configure Genius Server #

  • copy keyStore.jks and trustStore.jks to the Genius Server configuration folder, e.g. C:\Program Files\Genius CDDS Server\conf\cdds
  • right click Genius CDDS Server Tools and run it as administrator
  • Access configuration and switch to advanced mode
  • Access Certificate section
  • configure keyStore path and password
  • configure trustStore path and password
  • set KeyStore cert Alias to the Entry Name (Alias) of the server certificate, e.g. gbd-wv-pho2t41.geniusbytesgmbh.local
  • run the Read Keystore and Read Truststore tests from the Tests menu
  • if both tests succeed, save the configuration and restart the configuration tool (it reads keyStore and trustStore on start); if a test fails, the usual causes are a wrong alias, a key password that differs from the keyStore password, or a wrong path

  • The Genius Server will require a service restart to read keyStore and trustStore
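One TLS handshake serves two of the steps above: collecting the CA chain for the trustStore when you are not allowed to open the LDAP server's certificate store (the permission problem noted under "Export a CA certificate"), and, after the service restart, confirming that Genius Server really serves the certificate stored under the configured alias. The PowerShell below is an added example and not Genius Bytes' code; the domain controller name, the ports (636 for LDAPS, 8443 for the Genius Server HTTPS port), the paths and the passwords are assumptions.

```powershell
# Added example, not Genius Bytes' code. Assumptions: the LDAP server name and its LDAPS port
# (636), the Genius Server HTTPS port (8443), the paths and the passwords are placeholders.
$ErrorActionPreference = 'Stop'
$Keytool = 'C:\Program Files\Genius CDDS Server\jdk\bin\keytool.exe'
$Conf    = 'C:\Program Files\Genius CDDS Server\conf\cdds'

function Get-TlsCertificateChain {
    # Perform a TLS handshake with $HostName:$Port and return the certificates the peer
    # presents, leaf first. Validation is bypassed on purpose (we want the chain even
    # before it is trusted) and nothing is sent after the handshake.
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode    = 'NoCheck'
        $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
        [void]$chain.Build($leaf)   # the chain engine can use the intermediates sent in the handshake
        return @($chain.ChainElements | ForEach-Object { $_.Certificate })
    } finally { $tcp.Close() }
}

function Get-Sha256Fingerprint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    return ([System.BitConverter]::ToString($sha.ComputeHash($Cert.RawData)) -replace '-', '')
}

function Export-CaChainToTrustStore {
    # Write every CA certificate the server presents (all but the leaf) to DER files and
    # import each into trustStore.jks, so the full chain is trusted, not just the
    # intermediate. Compare the printed fingerprints with what the CA administrator
    # publishes before relying on a trustStore built this way: the handshake itself
    # cannot prove these are the right CAs.
    param([string]$HostName, [int]$Port, [string]$TrustStore, [string]$StorePass)
    $cas = @((Get-TlsCertificateChain -HostName $HostName -Port $Port) | Select-Object -Skip 1)
    if ($cas.Count -eq 0) { throw "$HostName presented no CA certificate; ask the CA admin for the chain" }
    if ($cas[-1].Subject -ne $cas[-1].Issuer) {
        Write-Warning "root CA '$($cas[-1].Issuer)' was not presented; obtain it separately and import it as well"
    }
    foreach ($ca in $cas) {
        $fp   = Get-Sha256Fingerprint $ca
        $file = Join-Path $env:TEMP "ca-$fp.cer"
        [System.IO.File]::WriteAllBytes($file, $ca.Export('Cert'))
        Write-Host "$($ca.Subject)`n  SHA-256 $fp"
        & $Keytool -importcert -noprompt -alias "ca-$($fp.Substring(0, 16).ToLower())" -file $file `
            -keystore $TrustStore -storepass $StorePass
    }
    return $cas.Count
}

function Test-ServedCertificate {
    # After the service restart: check that the Genius Server HTTPS endpoint serves the
    # certificate stored under the configured alias and that the name clients use is
    # covered by its Subject Alternative Name.
    param([string]$HostName, [int]$Port, [string]$KeyStore, [string]$StorePass, [string]$Alias)
    $file = Join-Path $env:TEMP 'expected-leaf.cer'
    & $Keytool -exportcert -alias $Alias -keystore $KeyStore -storepass $StorePass -file $file | Out-Null
    $expected = (Get-FileHash -Path $file -Algorithm SHA256).Hash   # hash of the DER file = fingerprint
    $served   = (Get-TlsCertificateChain -HostName $HostName -Port $Port)[0]
    $actual   = Get-Sha256Fingerprint $served
    if ($actual -ne $expected) {
        throw "served certificate $actual differs from keyStore alias '$Alias' ($expected); was the service restarted?"
    }
    $san = $served.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($HostName)) {
        Write-Warning "$HostName is not in the Subject Alternative Name; clients will reject the certificate"
    }
    return $true
}

# 1) Build the trustStore from the domain controller's LDAPS chain (assumed host name).
Export-CaChainToTrustStore -HostName 'dc01.geniusbytesgmbh.local' -Port 636 `
    -TrustStore "$Conf\trustStore.jks" -StorePass 'ChangeMe-TrustStore-2024'
# 2) After configuring and restarting Genius Server, verify what it actually serves.
Test-ServedCertificate -HostName 'gbd-wv-pho2t41.geniusbytesgmbh.local' -Port 8443 `
    -KeyStore "$Conf\keyStore.jks" -StorePass 'ChangeMe-KeyStore-2024' `
    -Alias 'gbd-wv-pho2t41.geniusbytesgmbh.local'
```

The root CA warning matters: most servers send only the intermediates, so a trustStore built purely from the handshake may still lack the root, which is exactly the "full chain" requirement from the trustStore section. The served-certificate check fails as long as the old (or a default self-signed) certificate is still presented, which is the quickest way to tell whether the service restart and the alias setting have taken effect.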
