How to add a Trusted Signed Certificate to the keystore file of an Edge Encryption Proxy 

Problem
The Trusted Signed Certificate in the keystore file is not picked by the Edge Encryption Proxy

Symptoms
Navigating to the Edge Encryption Proxy URL shows a certificate error because the certificate is not trusted (self-signed).
Cause
The Trusted Signed Certificate is not properly generated/added to the Edge Encryption Proxy keystore file.

Solution
  1. Back up the current keystore file [KEYSTORE_FILE.jks].

  2. Export the private key from it to a PKCS12 file with keytool, so that OpenSSL can convert it to PEM format in the next step.

    In the following command, substitute your information for these variables:

    • [ALIAS_SRC]: yoursite_company
    • [ALIAS_DEST]: NEW_ALIAS_NAME
    • [PATH_TO_FILE]: the folder where the files are located

    keytool -importkeystore -srckeystore [PATH_TO_FILE\KEYSTORE_FILE.jceks] -destkeystore [PATH_TO_FILE\MY_FILE.p12] -srcstoretype JCEKS -deststoretype PKCS12 -deststorepass [PASSWORD_PKCS12] -srcalias [ALIAS_SRC] -destalias [ALIAS_DEST]

  3. Use OpenSSL to extract the actual private key.

    openssl pkcs12 -in [PATH_TO_FILE\MY_FILE.p12] -nocerts -out [PATH_TO_FILE\MY_PRIVATE_KEY.pem]

  4. With OpenSSL, combine the private key and its signed certificate.

    openssl pkcs12 -export -out [PATH_TO_FILE\PKEY_AND_SIGNEDCERT.pfx] -inkey [PATH_TO_FILE\MY_PRIVATE_KEY.pem] -in [PATH_TO_FILE\BPN_SIGNED_CERT.cer]

  5. If the original keystore contains both the certificate and its corresponding private key (necessary because this is the certificate the proxy presents to clients) and it is in a format other than JKS (for example, PKCS12), convert it to JKS to make it easier to import into the keystore.jceks file.

    For more information, see Create a JKS (Java, Tomcat, ...) from a PKCS12 or a PFX (Windows).

  6. Import into the original keystore (KEYSTORE_FILE.jks) the combined private key and signed certificate (PKEY_AND_SIGNEDCERT.pfx).

    keytool -importkeystore -srckeystore [PATH_TO_FILE\PKEY_AND_SIGNEDCERT.pfx] -srcstoretype pkcs12 -destkeystore [PATH_TO_FILE\KEYSTORE_FILE.jceks] -deststoretype JCEKS

  7. Modify the edgeencryption.properties entry edgeencryption.proxy.https.cert.alias to point to [ALIAS_DEST].

  8. Restart the Edge Proxy service.

Note: Do not confuse keystore.jceks with the Java Keystore, which is where the certificates that the proxy trusts are stored. This file, named cacerts with no extension, is usually located in the jre\lib\security folder.
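The following script is added here as an example and is not part of the original article. It checks the result of the steps above: it reads edgeencryption.proxy.https.cert.alias from edgeencryption.properties and a saved keytool -list -v listing of the keystore, and confirms that the alias exists, is a PrivateKeyEntry, and carries a certificate that is no longer self-signed. It assumes a POSIX shell with sed and awk (a Linux proxy host, or Git Bash on Windows); the file names and the sample listing are constructed for the demonstration.

```shell
#!/bin/sh
# Post-check for the procedure above (added example, not from the original article).
# Real use, file names assumed:
#   keytool -list -v -keystore keystore.jceks -storetype JCEKS > listing.txt
#   check_proxy_cert edgeencryption.properties listing.txt
# Returns 0 when the alias named by edgeencryption.proxy.https.cert.alias is a
# PrivateKeyEntry whose leaf certificate is CA-signed (Owner differs from Issuer).
check_proxy_cert() {
    props="$1"; listing="$2"
    # keytool stores aliases lower-cased, so compare case-insensitively
    want=$(sed -n 's/^edgeencryption\.proxy\.https\.cert\.alias *= *//p' "$props" | tail -n 1 | tr 'A-Z' 'a-z')
    [ -n "$want" ] || { echo "FAIL: edgeencryption.proxy.https.cert.alias is not set"; return 1; }
    awk -v want="$want" '
        /^Alias name:/ { hit = (tolower(substr($0, 13)) == want) }
        hit && /^Entry type:/ { type = $3 }
        hit && /^Owner:/  && owner  == "" { owner  = substr($0, 8) }  # first cert in chain = leaf
        hit && /^Issuer:/ && issuer == "" { issuer = substr($0, 9) }
        END {
            if (type == "")                { print "FAIL: alias " want " not found in keystore"; exit 1 }
            if (type != "PrivateKeyEntry") { print "FAIL: " want " is " type ", not PrivateKeyEntry"; exit 1 }
            if (owner == issuer)           { print "FAIL: " want " is still self-signed (" owner ")"; exit 1 }
            print "OK: " want " is a PrivateKeyEntry signed by " issuer
        }' "$listing"
}

# Constructed sample inputs (not real proxy output) so the check can be tried offline.
make_samples() {
    dir=$(mktemp -d)
    printf 'edgeencryption.proxy.https.cert.alias=NEW_ALIAS_NAME\n' > "$dir/edgeencryption.properties"
    cat > "$dir/signed.txt" <<'EOF'
Alias name: new_alias_name
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=proxy.example.test, O=Example
Issuer: CN=Example Issuing CA, O=Example
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example
Issuer: CN=Example Root CA, O=Example
EOF
    cat > "$dir/selfsigned.txt" <<'EOF'
Alias name: new_alias_name
Entry type: PrivateKeyEntry
Owner: CN=proxy.example.test, O=Example
Issuer: CN=proxy.example.test, O=Example
EOF
    echo "$dir"
}

d=$(make_samples); check_proxy_cert "$d/edgeencryption.properties" "$d/signed.txt"
```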

Article Information

Last Updated: 2018-01-02 07:06:06
Published: 2018-01-02