...

By default the installation of the custo diagnostic server on Windows already creates a key pair with a self-signed certificate. This already permits an encrypted HTTPS connection on the IP port defined in the installation program. You can test it with your browser:


However, the common name stored in this certificate probably does not match the name used by the client, and the certificate is not trusted. The custo diagnostic client expects both. Beyond that, the current date must lie within the validity period specified in the certificate, and by default this is only a one-year period.

...

With both tools you access the diagserver keystore stored in the diagserverdata directory: 


To modify it, the custo diagnostic service (the Apache Tomcat service) must be stopped. The keystore exists in parallel to the Windows certificate store, and the diagserver uses only the keystore for the web server SSL service.

...

Create the certificate signing request (CSR) for the key:

C:\diagserverdata>"c:\Program Files\custo diagnostic server\jre"\bin\keytool -certreq -alias main -file test.customed.de.csr -keystore keystore.jks -ext san=dns:test.customed.de

The program then asks for a password. The password is: custo1234

...

Open the keystore called keystore.jks in the diagserverdata directory:


The keystore password here is also "custo1234".

There should be only one entry called "main":

Right-click on "main" and create a CSR (certificate signing request):

...

With the keytool program:

In our example use:

C:\diagserverdata>"c:\Program Files\custo diagnostic server\jre"\bin\keytool -importcert -alias main -file test.customed.de.pkcs -keystore keystore.jks -trustcacerts

The password of the keystore should still be custo1234.

...

You need to install all certificate files one by one (the CA chain first, then the server certificate). Here is an example:

C:\diagserverdata>"c:\Program Files\custo diagnostic server\jre"\bin\keytool -importcert -alias root -file <root.cert.pem> -keystore keystore.jks -trustcacerts
C:\diagserverdata>"c:\Program Files\custo diagnostic server\jre"\bin\keytool -importcert -alias intermediate -file <intermediate.cert.pem> -keystore keystore.jks -trustcacerts
C:\diagserverdata>"c:\Program Files\custo diagnostic server\jre"\bin\keytool -importcert -alias intermediat2 -file <intermediat2.cert.pem> -keystore keystore.jks -trustcacerts
C:\diagserverdata>"c:\Program Files\custo diagnostic server\jre"\bin\keytool -importcert -alias main -file test.customed.de.pem -keystore keystore.jks -trustcacerts

Finally:

Restart the custo diagnostic service and check with a web browser (use the URL in the custocfg.ini and use https instead of http) if everything works as expected.

...

In some cases you will get a whole key pair from the CA. Though this approach is not recommended, it is described here:

C:\diagserverdata>"c:\Program Files\custo diagnostic server\jre"\bin\keytool -importkeystore -srckeystore custo.pfx -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks -trustcacerts
Entry for alias le-5861b822-6732-46c7-aac1-9b35e2079d26 successfully imported. <<--- The alias name of the imported key pair; you have to change it later (see below)

Now delete the old main key:

C:\diagserverdata>"c:\Program Files\custo diagnostic server\jre"\bin\keytool -delete -alias main -keystore keystore.jks

Rename the new key pair to the old main key pair:

C:\diagserverdata>"c:\Program Files\custo diagnostic server\jre"\bin\keytool -changealias -destalias main -alias le-5861b822-6732-46c7-aac1-9b35e2079d26 -keystore keystore.jks

With this command you can check the keystore content and verify the correct thumbprint:

C:\diagserverdata>"c:\Program Files\custo diagnostic server\jre"\bin\keytool -list -keystore keystore.jks -v

Finally restart the custo diagnostic service and check with a web browser (use the URL in the custocfg.ini and use https instead of http) if everything works as expected.
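The final check above (and the same check after the chain import earlier) can be scripted instead of done by hand in a browser. The following example is added here and is not custo code; it uses only the Python standard library and tests the three conditions the client requires (trusted chain, matching name, validity period). The host name, port and sample certificate dictionary are constructed for illustration; take the real values from the URL in custocfg.ini.

```python
"""Check that the diagserver HTTPS endpoint presents a certificate the custo
diagnostic client will accept: trusted chain, matching name, valid dates."""
import socket
import ssl
import time


def name_matches(cert, hostname):
    """True if hostname appears in the SAN list (or in the subject CN when
    no SAN is present). Only exact names and a leading '*.' wildcard match."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # no SAN extension: fall back to the subject commonName
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = hostname.lower()
    for name in names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]) and host.count(".") == name.count("."):
            return True
    return False


def cert_problems(cert, hostname, now=None):
    """Apply the name and validity checks to a certificate dictionary in the
    format returned by SSLSocket.getpeercert(); return a list of problems."""
    now = time.time() if now is None else now
    problems = []
    if not name_matches(cert, hostname):
        problems.append("certificate name does not match " + hostname)
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate has expired")
    return problems


def check_server(hostname, port):
    """Connect like a strict client: the default context requires a trusted
    chain and verifies the host name itself; report why it refuses, if so."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return cert_problems(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        return ["chain not trusted or name mismatch: " + str(exc.verify_message)]


if __name__ == "__main__":
    # Constructed values: replace with the host and port from custocfg.ini.
    print(check_server("test.customed.de", 8443) or ["certificate OK"])
```

An empty list means the endpoint passes all three checks; the default self-signed certificate will typically be reported as untrusted.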

...