
With both tools you access the diagserver keystore stored in the diagserverdata directory: 

Before you modify the keystore, always create two backups of the original keystore file: one in the same directory and one outside of the keystore directory.

To modify it, the custo diagnostic service (Apache Tomcat service) must be stopped. The keystore exists in parallel to the Windows certificate store, and the diagserver uses only the keystore for the web server SSL service.

...

Create a key for the signing request:

In the data directory of the custo diagnostic server:

C:\diagserverdata>"c:\Program Files\custo diagnostic server\jre"\bin\keytool -certreq -alias main -file test.customed.de.csr -keystore keystore.jks -ext san=dns:test.customed.de -dname CN=test.customed.de

The program then asks for a password. The password is: custo1234

...

Clicking "OK" twice then gives you the CSR at the location you specified above. Send it to the CA for signing.

Import a PKCS#7 file

With the keytool program:

...

With the keystore explorer:

Before you consider using the keystore explorer program for operations that write to the keystore file, be aware that the file format written by the keystore explorer might not be readable by the Apache Tomcat version in use. So always create a backup of the original keystore file beforehand, to be able to go one step back.

Open the PKCS#7 answer file via the "import CA response" menu and install it:

Import PEM (in Windows CER or CRT) files

You need to install all certificate files one by one. Here is an example:

...

Restart the custo diagnostic service and check with a web browser (use the URL in the custocfg.ini and use https instead of http) if everything works as expected.

Renewal of the certificate

Every certificate expires one day, so carefully monitor the expiration date of the SSL certificate: custo diagnostic will not complain even a second before the certificate expires; it simply stops working from the second after expiration.

It is good practice to renew the certificate well before it expires. To do so, stop the custo diagnostic service and create a copy of the keystore file - better safe than sorry! Then follow the signing steps above once more: create a new CSR (signing request), send it to the CA and import the reply. Afterwards start the custo diagnostic service again.
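Since the server gives no warning before the certificate expires, a small external check is useful. The following is an added example, not part of the original page: it parses the text output of keytool -list -v (the same tool used throughout) and reports how many days the "main" entry has left. KEYTOOL and KEYSTORE are the paths from the page, run_keytool is a hypothetical helper, and the sample listing is constructed so the check runs offline.

```python
import re
import subprocess
from datetime import datetime

# Paths as given on the page; adjust KEYTOOL/KEYSTORE to the installation.
KEYTOOL = r"c:\Program Files\custo diagnostic server\jre\bin\keytool.exe"
KEYSTORE = r"C:\diagserverdata\keystore.jks"
ALIAS_RE = re.compile(r"^Alias name: (.+)$", re.M)
TYPE_RE = re.compile(r"^Entry type: (\w+)$", re.M)
# keytool prints "until: Fri Jan 10 12:00:00 CET 2025"; weekday and zone are
# dropped since a few hours of error do not matter for a days-left alert.
UNTIL_RE = re.compile(r"until: \w{3} (\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})")

# Constructed excerpt of "keytool -list -v" output, so the check runs offline.
SAMPLE_LISTING = """\
Alias name: main
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=test.customed.de
Valid from: Wed Jan 10 12:00:00 CET 2024 until: Fri Jan 10 12:00:00 CET 2025
Certificate[2]:
Owner: CN=Example Issuing CA
Valid from: Mon Jan 01 00:00:00 CET 2018 until: Sat Jan 01 00:00:00 CET 2028
"""

def parse_listing(listing):
    """Map alias -> (entry type, not-after of the entry's own certificate)."""
    entries = {}
    parts = ALIAS_RE.split(listing)[1:]           # [alias, body, alias, body, ...]
    for alias, body in zip(parts[0::2], parts[1::2]):
        kind, until = TYPE_RE.search(body), UNTIL_RE.search(body)
        if kind and until:                        # first "until:" is Certificate[1]
            not_after = datetime.strptime(" ".join(until.groups()), "%b %d %H:%M:%S %Y")
            entries[alias.strip()] = (kind.group(1), not_after)
    return entries

def check_expiry(listing, alias="main", now=None, warn_days=30):
    """Return (days_left, status) for the alias Tomcat serves (keyAlias="main")."""
    entry = parse_listing(listing).get(alias)
    if entry is None or entry[0] != "PrivateKeyEntry":
        return None, "missing"
    days_left = (entry[1] - (now or datetime.now())).days
    if days_left < 0:
        return days_left, "expired"
    return days_left, "warning" if days_left <= warn_days else "ok"

def run_keytool(storepass):
    """Run the real keytool with -list -v (hypothetical helper, not page code)."""
    cmd = [KEYTOOL, "-list", "-v", "-keystore", KEYSTORE, "-storepass", storepass]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
```

On the server, call check_expiry(run_keytool("custo1234")) from a scheduled task and alert on anything other than "ok".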

Appendix: Import a PFX (in Windows called PKCS#12) file:

With the keytool program:

In some cases you will receive a complete key pair from the CA. Although this approach is not recommended, it is described here:

...

C:\diagserverdata>"c:\Program Files\custo diagnostic server\jre"\bin\keytool -importkeystore -srckeystore custo.pfx -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks -trustcacerts
Entry for alias le-5861b822-6732-46c7-aac1-9b35e2079d26 successfully imported.

The name of the imported alias has to be changed later (see the delete and rename steps below).

Some customers may be resistant to consulting and insist on installing a full key pair. However, in most cases the private key in it is marked as not exportable and is secured by a password. In that case you need to use the PFX itself as the keystore for the Tomcat server.

To do so, stop the custo diagnostic service, create a backup of server.xml and then modify it: comment out this section:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="250" SSLEnabled="true" scheme="https" secure="true" bindOnInit="false"
               clientAuth="false" sslProtocol="TLS" keystoreFile="C:/diagserverdata/keystore.jks" keystorePass="custo1234"
               keyAlias="main"
               truststoreFile="C:/diagserverdata/keystore.jks" truststorePassword="custo1234" />

... by adding <!-- before that section and --> in the line below it.

Then copy the key pair file to the diagserverdata directory and add a section like this:


    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="443"
               maxThreads="200"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               keystoreFile="d:/diagserverdata/somefile.pfx"
               keystorePass="password_from_your_pfx"
               keystoreType="PKCS12"
               clientAuth="false"
               sslProtocol="TLS"/>

"d:/diagserverdata/somefile.pfx" is the absolute path and actual file name of the PKCS#12 file.
"password_from_your_pfx" is the actual password of the PKCS#12 file.

Afterwards restart the custo diagnostic server.

Please note that these changes might be lost after a custo diagnostic server upgrade, so always save your server.xml before an upgrade!

Now delete the old main key:

C:\diagserverdata>"c:\Program Files\custo diagnostic server\jre"\bin\keytool -delete -alias main -keystore keystore.jks

Rename the new key pair to the old main key pair:

C:\diagserverdata>"c:\Program Files\custo diagnostic server\jre"\bin\keytool -changealias -destalias main -alias le-5861b822-6732-46c7-aac1-9b35e2079d26 -keystore keystore.jks

With this command you can check the keystore content and verify the correct thumbprint:

...

Finally restart the custo diagnostic service and check with a web browser (use the URL in the custocfg.ini and use https instead of http) if everything works as expected.

With the keystore explorer:

Delete the main key pair via its context menu (right click). The keystore should then be empty. Now import the new key: go to → Import Keypair

Choose the type of key pair. For .pem files it is OpenSSL, which has also been selected in this example.

On the following page select the key file for the installation. "Encrypted private key" can be turned off.

After clicking import you get prompted for the alias. Important: specify "main" here!

Then you will get prompted for the password. Enter "custo1234" twice:

Now the new key pair is in the keystore. Save it (CTRL + S), restart the custo diagnostic service and check with a web browser (use the URL in the custocfg.ini and use https instead of http) if everything works as expected.

The new key pair is then stored in the keystore and the diag server can be started with it.

Appendix: Satellite system sync with HTTPS

If you set up a satellite system, the Apache Tomcat server on the SAT system will not act as a server but as a client.

In this case Apache Tomcat can use the server keystore (keystore.jks) in the diagserverdata directory, but if it does not contain the CA certificates, using the local client keystore cacerts (by default stored in C:\Program Files\custo diagnostic server\jre\lib\security) might be an alternative. You can use the same tools as above to open that certificate store; its password is empty by default. Import the root certificate of the SSL certificate installed on the master server.

Now you need to configure Apache Tomcat to use its own keystore and not the one of the Windows operating system. For this open the "Configure custo diagnostic server" app on the SAT server and go to the Java tab. Remove the line "-Djavax.net.ssl.trustStoreType=WINDOWS-ROOT" and restart the custo diagnostic SAT server.

Please note that the configuration of the local certificate store might be lost after a custo diagnostic server upgrade, so it is better to use a well configured Windows certificate store from the beginning.

Further information:

...

See also Tomcat HTTP / SSL Howto: https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

...

https://www.namecheap.com/support/knowledgebase/article.aspx/9441/33/installing-an-ssl-certificate-on-tomcat/

https://www.sslshopper.com/ssl-converter.html