Basic information

By default, the Windows installation of the custo diagnostic server already creates a key pair with a self-signed certificate. This already permits an encrypted HTTPS connection on the IP port defined in the installation program. You can test it with your browser:

...

On the other hand: a key pair is already installed, so no new one needs to be created. This is good from an IT security point of view, because you should avoid creating a key pair on another system: even a certification authority (CA) should never come into contact with the private key. The only task of the CA should be to properly sign the public key of your system. Therefore the CA should be trusted by all customer clients, and the certificate should have a reasonable validity period that is monitored administratively.


Signature

The procedure consists of creating a certificate signing request (CSR), having it signed by the CA, and importing the signed public key, i.e. the certificate. Both the CSR creation and the certificate import can be done either with the command-line program keytool (part of the Java Runtime Engine installed with the custo diagnostic server) or with a graphical tool such as the Keystore Explorer (see https://keystore-explorer.org/index.html).

...

Then click "OK" twice to get the CSR at the location you specified above. Send it to the CA for signature.

Import a PKCS file

With the keytool program:

...

Open the PKCS answer file via the "import CA response" menu and install it:

Import PEM files

You need to install all certificate files one by one. Here is an example:

C:\diagserverdata>"c:\Program Files\custo diagnostic server\jre"\bin\keytool -importcert -alias root -file <root.cert.pem> -keystore keystore.jks -trustcacerts
C:\diagserverdata>"c:\Program Files\custo diagnostic server\jre"\bin\keytool -importcert -alias intermediate -file <intermediate.cert.pem> -keystore keystore.jks -trustcacerts
C:\diagserverdata>"c:\Program Files\custo diagnostic server\jre"\bin\keytool -importcert -alias intermediat2 -file <intermediat2.cert.pem> -keystore keystore.jks -trustcacerts
C:\diagserverdata>"c:\Program Files\custo diagnostic server\jre"\bin\keytool -importcert -alias main -file test.customed.de.pem -keystore keystore.jks -trustcacerts
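
A check to run after the imports above, as an added example that is not part of the original page: keytool attaches the signed certificate to the existing key pair only when the import alias is the key pair's own alias; under any other alias it is stored as a separate trusted certificate and the server keeps presenting its self-signed one. The function names, the alias serverkey and the sample listing are constructed for illustration.

```powershell
# Added example: summarise `keytool -list -v` output per alias.
function Get-KeystoreEntrySummary {
    param([string[]]$KeytoolOutput)
    $entries = @()
    $current = $null
    foreach ($line in $KeytoolOutput) {
        if ($line -match '^Alias name:\s*(.+)$') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{
                Alias = $Matches[1].Trim(); EntryType = ''; ChainLength = 0 }
        } elseif ($current -and $line -match '^Entry type:\s*(\S+)') {
            $current.EntryType = $Matches[1]
        } elseif ($current -and $line -match '^Certificate chain length:\s*(\d+)') {
            $current.ChainLength = [int]$Matches[1]
        }
    }
    if ($current) { $entries += $current }
    return $entries
}

# True when a private key entry carries more than its own self-signed certificate.
function Test-CaReplyInstalled {
    param([object[]]$Entries)
    $keys = @($Entries | Where-Object { $_.EntryType -eq 'PrivateKeyEntry' })
    return [bool]($keys | Where-Object { $_.ChainLength -ge 2 })
}

# Constructed sample: the signed certificate was imported under an alias
# ("main") that is not the key pair's alias ("serverkey", hypothetical).
$sample = @'
Alias name: serverkey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Alias name: main
Entry type: trustedCertEntry
Alias name: root
Entry type: trustedCertEntry
'@ -split '\r?\n'

# Real use, run in C:\diagserverdata (-J-Duser.language=en keeps the labels English):
# $sample = & 'c:\Program Files\custo diagnostic server\jre\bin\keytool' -J-Duser.language=en -list -v -keystore keystore.jks

$summary = @(Get-KeystoreEntrySummary -KeytoolOutput $sample)
$summary | Format-Table Alias, EntryType, ChainLength
if (-not (Test-CaReplyInstalled -Entries $summary)) {
    Write-Warning 'No private key entry has a CA-signed chain; the server would still present the self-signed certificate.'
}
```

With the three CA certificates from the example above, a correctly installed reply shows a chain length of 4 on the private key entry.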

Finally:

Restart the custo diagnostic service and check with a web browser (use the URL in the custocfg.ini and use https instead of http) if everything works as expected.


Appendix: Import a PFX file:

With the keytool program:

...

After that, the new key pair is stored in the keystore and the diag server can be started with it.

Further information: