...
By default, installing the custo diagnostic server on Windows already creates a key pair with a self-signed certificate. This already permits an encrypted HTTPS connection on the IP port defined in the installation program. You may test it with your browser:
However, the common name stored in the certificate probably does not match the client name, and the certificate is not trusted. The custo diagnostic client expects both. Beyond that, the current date must lie within the validity period specified in the certificate, which by default is only one year.
...
With both tools you access the diagserver keystore stored in the diagserverdata directory:
To modify it, the custo diagnostic service (Apache Tomcat service) must be stopped. The keystore exists in parallel to the Windows certificate store, and the diagserver uses only the keystore for the web server SSL service.
...
Create a key for the signing request:
|
The program then asks for a password. The password is: custo1234
...
Open the keystore in the diagserverdata directory called keystore.jks:
The keystore password here is also "custo1234".
There should be only one entry, called "main":
Right-click on "main" and create a CSR request.
...
With the keytool program:
In our example use:
|
The password of the keystore should still be custo1234.
...
You need to install all certificate files one by one. Here is an example:
|
Finally:
Restart the custo diagnostic service and check with a web browser (use the URL in the custocfg.ini and use https instead of http) if everything works as expected.
...
In some cases you will get a whole key pair from the CA. Though this approach is not recommended, it is described here:
|
Now delete the old main key:
|
Rename the new key pair to the old main key pair:
|
With this command you can check the keystore content and verify the correct thumbprint:
|
Finally restart the custo diagnostic service and check with a web browser (use the URL in the custocfg.ini and use https instead of http) if everything works as expected.
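The three things the client expects (matching common name, trust, validity period) and the thumbprint comparison can be checked in one pass over a verbose keystore listing of the kind `keytool -list -v` prints. The following Python code is an added example, not part of the original custo documentation; the sample listing is constructed, and `parse_entry`, `check_entry` and `expected_name` are hypothetical names. It assumes English keytool output with an alphabetic time zone abbreviation.

```python
import re
from datetime import datetime

# Constructed sample of `keytool -list -v` output (all values are made up).
SAMPLE = """\
Alias name: main
Owner: CN=diagserver.example.local, OU=IT, O=Example Clinic, C=DE
Issuer: CN=diagserver.example.local, OU=IT, O=Example Clinic, C=DE
Valid from: Mon Jan 08 09:30:00 CET 2024 until: Tue Jan 07 09:30:00 CET 2025
Certificate fingerprints:
\t SHA1: 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
"""

# java.util.Date text: weekday, month, day, time, zone, year.
DATE = r"\w{3} (\w{3} \d{2} \d{2}:\d{2}:\d{2}) \w+ (\d{4})"

def parse_entry(text):
    """Extract the first certificate's fields from keytool -list -v output."""
    def field(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        if m is None:
            raise ValueError("missing field: " + pattern)
        return m
    def when(m, i):
        # The zone token is dropped: times are treated as server-local.
        return datetime.strptime(" ".join(m.group(i, i + 1)), "%b %d %H:%M:%S %Y")
    valid = field("^Valid from: " + DATE + " until: " + DATE + "$")
    return {
        "alias": field(r"^Alias name: (.+)$").group(1),
        "cn": field(r"^Owner: .*?CN=([^,]+)").group(1),
        # Owner equal to issuer is the usual sign of a self-signed certificate.
        "self_signed": field(r"^Owner: (.+)$")[1] == field(r"^Issuer: (.+)$")[1],
        "not_before": when(valid, 1),
        "not_after": when(valid, 3),
        "sha1": field(r"^\s*SHA1: ([0-9A-F:]+)$").group(1),
    }

def check_entry(entry, expected_name, now, expected_sha1=None):
    """List the reasons a validating client would reject this certificate."""
    problems = []
    if entry["cn"].lower() != expected_name.lower():
        problems.append("name mismatch")
    if entry["self_signed"]:
        problems.append("self-signed")
    if not entry["not_before"] <= now <= entry["not_after"]:
        problems.append("outside validity period")
    if expected_sha1 and entry["sha1"] != expected_sha1.upper():
        problems.append("thumbprint mismatch")
    return problems
```

An empty list from `check_entry` means none of the four conditions failed; pass the thumbprint published by the CA as `expected_sha1` to confirm the right certificate ended up under "main".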
...