This section will explain how to download and renew a client certificate via BackOffice.
Enterprise – Manage Certificates
Purpose: To create / download a new certificate.
Make sure Java variables are properly configured in Environment Variables -> System variables.
- Add new variable 'JAVA_HOME' and point it to your JRE directory. e.g. JAVA_HOME = C:\Program Files\Java\jre1.6.0_18
- Edit variable 'Path' and append '%JAVA_HOME%\bin'.
Procedure: Mouse over Enterprise and click on Manage Certificates.
On the opened page, click on New Certificate.
Click on the New Certificate button, input all the relevant data and click on the bottom panel once completed.
Download the certificates and save them into your local environment.
Perform the following in Keytool:
Open a new command line window and navigate to the folder where the certificate has been saved.
Run the following command to import the issued certificate into the keystore:
keytool -import -trustcacerts -noprompt -alias keyalias -file xxxx-xxx-xxx-xxx.p7b -keystore keystore.jks -storepass passwd
Note: replace the 'xxxx-xxx-xxx-xxx.p7b' with the actual issued certificate file name.
Now download the root and intermediate certificates from BackOffice (download links are located at the bottom of “Retrieve Certificate” page).
- Root certificate: londonium.brittania.dev_iVeri DEV Root CA(11).crt
- Intermediate certificate: elastic.dev64.brittania.dev_iVeri Dev64 CA 1(7).crt
Then run the following commands to add these two certificates into the JRE keystore “cacerts”:
keytool -import -trustcacerts -noprompt -alias rootca -file "londonium.brittania.dev_iVeri DEV Root CA(11).crt" -keystore "C:\Program Files\Java\jre1.6.0\lib\security\cacerts" -storepass changeit
keytool -import -trustcacerts -noprompt -alias intermediateca -file "elastic.dev64.brittania.dev_iVeri Dev64 CA 1(7).crt" -keystore "C:\Program Files\Java\jre1.6.0\lib\security\cacerts" -storepass changeit
Note: Since the 'cacerts' file is in a different directory, you need to specify the full path to that file. The default keystore password for cacerts is “changeit” upon installing Java. File names and paths that contain spaces must be enclosed in double quotes. Each certificate needs its own alias within a keystore, otherwise the second import is rejected; 'rootca' and 'intermediateca' are example alias names.
You can always view certificates in the keystore by running the following command:
keytool -list -v -alias keyalias -keystore keystore.jks -storepass passwd
If you do not specify the alias, the entire keystore will be listed. -v is used for detailed information.
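An added example, not part of the BackOffice documentation: a Python script that reads the output of the keytool -list -v command above and reports certificates that have expired or will expire soon, so that renewal can be started in time. The sample listing is constructed, the 30-day warning window is an assumption, and the parser assumes keytool's English-locale "Valid from: ... until: ..." line.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `keytool -list -v` output (English locale), trimmed to the parsed fields.
SAMPLE = """\
Alias name: keyalias
Certificate[1]:
Owner: CN=client.example.test
Issuer: CN=Example Issuing CA
Valid from: Tue Jan 05 10:00:00 UTC 2010 until: Wed Jan 05 10:00:00 UTC 2011
Certificate[2]:
Owner: CN=Example Issuing CA
Issuer: CN=Example Root CA
Valid from: Mon Jan 01 00:00:00 UTC 2007 until: Sun Jan 01 00:00:00 UTC 2017

Alias name: newalias
Certificate[1]:
Owner: CN=client.example.test
Issuer: CN=Example Issuing CA
Valid from: Wed Dec 01 10:00:00 UTC 2010 until: Thu Dec 01 10:00:00 UTC 2011
"""

ALIAS_RE = re.compile(r"^Alias name: (.+)$")
OWNER_RE = re.compile(r"^Owner: (.+)$")
UNTIL_RE = re.compile(r"until: (\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})")

def parse_expiries(listing):
    """Return (alias, owner, not_after) for every certificate in the listing."""
    rows, alias, owner = [], None, None
    for line in map(str.strip, listing.splitlines()):
        if m := ALIAS_RE.match(line):
            alias = m.group(1)
        elif m := OWNER_RE.match(line):
            owner = m.group(1)
        elif m := UNTIL_RE.search(line):
            # The zone abbreviation is skipped: dates are compared as printed.
            stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y")
            rows.append((alias, owner, stamp))
    return rows

def needs_renewal(listing, now, warn_days=30):
    """List certificates already expired or expiring within warn_days of now."""
    limit = now + timedelta(days=warn_days)
    return [(a, o, t, "EXPIRED" if t <= now else "EXPIRING")
            for a, o, t in parse_expiries(listing) if t <= limit]

if __name__ == "__main__":
    for alias, owner, until, state in needs_renewal(SAMPLE, datetime(2010, 12, 20)):
        print(f"{state:8} {alias} {owner} until {until:%Y-%m-%d}")
```

To check a real keystore, pass the text produced by the keytool -list -v command to needs_renewal together with the current date.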
Renewing a Certificate
Purpose: To renew a certificate once it has expired.
Procedure: Mouse over Enterprise and click on Manage Certificates.
In the Certificate (Manage Certificates) page, locate the certificate that has been issued. The certificates displayed in the grid can be sorted by selecting the column headings.
When the issued certificate has been located, click on the Renew button for that certificate. The Certificate (Renew Certificate) page will load.
Follow the same process as per Manage Certificates above.
Then do the following in Keytool:
Copy (clone) the original key entry using the following command:
keytool -keyclone -alias keyalias -dest newalias -keypass passwd -new new_passwd -keystore keystore.jks -storepass passwd
Generate a Certificate Signing Request (-certreq) for the cloned entry (use newalias), and import the reply certificate or certificate chain (-import).
Delete the original (now obsolete) entry from JRE keystore 'cacerts' with the following command:
keytool -delete -alias keyalias -keystore keystore.jks -storepass passwd