SSL: HOW TO APPLY SIGNED CERTFICATE TO TGP

Transcription

1 SSL: HOW TO APPLY SIGNED CERTFICATE TO TGP Microsoft Windows [Version (C) Copyright Microsoft Corp. C:\Documents and Settings\trevor>cd\ C:\>cd "Program Files" C:\Program Files>cd "Time Guardian Pro"\jre\bi The system cannot find the path specified. C:\Program Files>cd "Time Guardian Pro\jre\bin" Basically: 1. You ll create a new keystore(.jks) 2. Convert it to a CSR(.cer) 3. it to the CA i. CA will provide 2 or 3 signed certs(root,inter,domain) 4. Make sure the new keystore you made is in TGP\apache\conf 5. Import the 3 signed certs to the keystore 6. Edit ENDPOINT(s) 7. Restart apache service C:\Program Files\Time Guardian Pro\jre\bin>keytool -list -v -keystore "C:\Progra m Files\Time Guardian Pro\apache-tomcat \conf\amanoKeys.jks" Enter keystore password: Keystore type: JKS Keystore provider: SUN Your keystore contains 3 entries This entire command checks the current status of tomcat s SSL entries Alias name: inter Entry type: trustedcertentry Owner: CN=UTN-USERFirst-Hardware, OU= O=The USERTRUST N etwork, L=Salt Lake City, ST=UT, C=US Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTru st AB, C=SE Serial number: a4f37fe a9667ff5d27 Valid from: Tue Jun 07 02:09:10 MDT 2005 until: Sat May 30 04:48:38 MDT 2020 Certificate fingerprints: MD5: 1C:BC:22:07:4D:3A:3A:BB:9D:A4:71:D5:F6:6D:AD:45 SHA1: 86:75:39:A2:6C:81:FA:2D:78:27:7C:3A:DF:DB:30:43:12:53:5E:57 #1: ObjectId: Criticality=true #2: ObjectId: Criticality=true Subject 0000: A1 72 5F 26 1B D D D.r_&.(.C : 4B D2 C3 45 K..E #4: ObjectId: Criticality=false CRLDistributionPoints [ [DistributionPoint: DistributionPoint: #5: ObjectId: Criticality=false CertificatePolicies [ [CertificatePolicyId: [

2 [ #6: ObjectId: Criticality=false Authority 0000: AD BD 98 7A 34 B4 26 F7 FA C EF 03 BD E0...z4.&...&T... Alias name: root Entry type: trustedcertentry Owner: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrus t AB, C=SE Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTru st AB, C=SE Serial number: 1 Valid from: Tue May 30 04:48:38 MDT 2000 until: Sat May 30 04:48:38 MDT 2020 Certificate fingerprints: MD5: 1D:35:54:04:85:78:B0:3F:42:42:4D:BF:20:73:0A:3F SHA1: 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68 #1: ObjectId: Criticality=true #2: ObjectId: Criticality=false Subject 0000: AD BD 98 7A 34 B4 26 F7 FA C EF 03 BD E0...z4.&...&T... #4: ObjectId: Criticality=false Authority 0000: AD BD 98 7A 34 B4 26 F7 FA C EF 03 BD E0...z4.&...&T... [CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE SerialNumber: [ 01

3 Alias name: tomcat Entry type: trustedcertentry Owner: CN= OU=Comodo InstantSSL, O=Petland, L=Calgary, ST=Alberta, C=CA Issuer: CN=UTN-USERFirst-Hardware, OU= O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US Serial number: e5e4a34bc7f1ae41a0512e7a6c7fadc9 Valid from: Thu Feb 05 17:00:00 MST 2009 until: Thu Feb 06 16:59:59 MST 2014 Certificate fingerprints: MD5: C3:4F:4C:3E:A3:B4:94:58:5D:C0:71:0A:5F:F5:60:7C SHA1: 0F:E7:0E:25:84:B9:CF:D6:2C:EB:E3:8B:AB:F9:32:6A:62:2A:6E:EA #1: ObjectId: Criticality=true DigitalSignature Key_Encipherment #2: ObjectId: Criticality=true CA:false PathLen: undefined Subject 0000: 3A D1 68 8C B0 FD C A 14 2E 9F :.h...$e.q : EE C3 6E BC..n. #4: ObjectId: Criticality=false AuthorityInfoAccess [ [accessmethod: accesslocation: URIName: acc essmethod: accesslocation: URIName: #5: ObjectId: Criticality=false CRLDistributionPoints [ [DistributionPoint: DistributionPoint: #6: ObjectId: Criticality=false CertificatePolicies [ [CertificatePolicyId: [ [PolicyQualifierInfo: [ qualifierid: qualifier: 0000: 16 1D A 2F 2F secure 0010: 2E 63 6F 6D 6F 64 6F 2E 6E F comodo.net/CPS This is wrong

4 #7: ObjectId: Criticality=false ExtendedKeyUsages [ serverauth clientauth #8: ObjectId: Criticality=false NetscapeCertType [ SSL client SSL server #9: ObjectId: Criticality=false Authority 0000: A1 72 5F 26 1B D D D.r_&.(.C : 4B D2 C3 45 K..E S T E P 1 #10: ObjectId: Criticality=false SubjectAlternativeName [ DNSName: DNSName: petlandtimeserver.ca Rename the amanokeys.jks (keystore) from the apache\conf dir before you proceed with the below commands Any keytool commands must be executed in a single line, note the keypass/storepass which will be your password later C:\Program Files\Time Guardian Pro\jre\bin>keytool -genkey -keyalg RSA -keystore "e:\amanokeys.jks" -validity alias tomcat -keypass amano123 -storepass amano123 What is your first and last name? [Unknown: What is the name of your organizational unit? [Unknown: Petland What is the Not name of your important organization? [Unknown: What is the name of your City Locality? [Unknown: What is the name of your State or Province? [Unknown: What is the two-letter country code for this unit? [Unknown: CA Is CN= OU=Petland, O=Unknown, L=Unknown, ST=Unknown, C= CA correct? [no: yes S T E P 2 & 3 C:\Program Files\Time Guardian Pro\jre\bin>keytool -certreq -alias tomcat -file e:\amano.cer -keystore "e:\amanokeys.jks" -storepass amano123 the file to the certificate authority (i.e. verisign, comodo, etc.) This is the CSR.

5 S T E P 4 & 5 When you receive the 2 or 3 signed files from the CA, copy them to where keytool.exe (TGP\jre\bin) is. Also move the new jks file that you previously made to the TGP\apache\conf folder. C:\Program Files\Time Guardian Pro\jre\bin>keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore "C:\Program Files\Time Guardian Pro\apache-tomcat \conf\amanoKeys.jks" Enter keystore password: Certificate already exists in system-wide CA keystore enter your under keypass/storepass alias <addtrustexter here nalca> Do you still want to add it to your own keystore? [no: yes Certificate was added to keystore C:\Program Files\Time Guardian Pro\jre\bin>keytool -import -trustcacerts -alias INTER -file "UTNAddTrustServerCA.crt -keystore "C:\Program Files\Time Guardian P ro\apache-tomcat \conf\amanokeys.jks" keytool error: java.lang.runtimeexception: Usage error, Files\Time is not a lega l command C:\Program Files\Time Guardian Pro\jre\bin>keytool -import -trustcacerts -alias INTER -file UTNAddTrustServerCA.crt -keystore "C:\Program Files\Time Guardian Pr o\apache-tomcat \conf\amanokeys.jks" Enter keystore password: Certificate was added to keystore C:\Program Files\Time Guardian Pro\jre\bin>keytool -import -trustcacerts -alias tomcat -file www_petlandtimeserver_ca.crt -keystore "C:\Program Files\Time Guard ian Pro\apache-tomcat \conf\amanoKeys.jks" Enter keystore password: Certificate reply was installed in keystore C:\Program Files\Time Guardian Pro\jre\bin>keytool -list -v -keystore "C:\Progra m Files\Time Guardian Pro\apache-tomcat \conf\amanoKeys.jks" >newlist.txt Enter keystore password: amano123 C:\Program Files\Time Guardian Pro\jre\bin> S T E P 6 C:\Program Files\Time Guardian Pro\apache-tomcat \webapps\tgpro\WEB- INF\classes\TGProResources.properties the above file must be set to non-ssl with localhost on all ENDPOINTs: CALCENGINE_WS_ENDPOINT= CALCENGINE_WS_CONSUMER_ID=tgpro CALCENGINE_WS_CONSUMER_PASSWORD=a,&^^684849ydyh38fjh28rj3849 # IM web service - TODO: Change for IM IM_WS_ENDPOINT= IM_WS_CONSUMER_ID=tgpro IM_WS_CONSUMER_PASSWORD=a,&^^684849ydyh38fjh28rj3849 # report web service consumer REPORT_WS_ENDPOINT= REPORT_WS_CONSUMER_ID=tgpro REPORT_WS_CONSUMER_PASSWORD=a,&^^684849ydyh38fjh28rj3849 # schedule web service consumer SCHEDULE_WS_ENDPOINT= S T E P 7 Restart the apache tomcat service After running, keytool -list -v -keystore "C:\Program Files\Time Guardian Pro\apachetomcat \conf\amanoKeys.jks" again Keystore type: JKS

6 Keystore provider: SUN Your keystore contains 3 entries Alias name: inter Entry type: trustedcertentry Owner: CN=UTN-USERFirst-Hardware, OU= O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE Serial number: a4f37fe a9667ff5d27 Valid from: Tue Jun 07 02:09:10 MDT 2005 until: Sat May 30 04:48:38 MDT 2020 Certificate fingerprints: MD5: 1C:BC:22:07:4D:3A:3A:BB:9D:A4:71:D5:F6:6D:AD:45 SHA1: 86:75:39:A2:6C:81:FA:2D:78:27:7C:3A:DF:DB:30:43:12:53:5E:57 #1: ObjectId: Criticality=true #2: ObjectId: Criticality=true Subject 0000: A1 72 5F 26 1B D D D.r_&.(.C : 4B D2 C3 45 K..E #4: ObjectId: Criticality=false CRLDistributionPoints [ [DistributionPoint: DistributionPoint: #5: ObjectId: Criticality=false CertificatePolicies [ [CertificatePolicyId: [ [ #6: ObjectId: Criticality=false

7 Authority 0000: AD BD 98 7A 34 B4 26 F7 FA C EF 03 BD E0...z4.&...&T... Alias name: root Entry type: trustedcertentry Owner: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE Serial number: 1 Valid from: Tue May 30 04:48:38 MDT 2000 until: Sat May 30 04:48:38 MDT 2020 Certificate fingerprints: MD5: 1D:35:54:04:85:78:B0:3F:42:42:4D:BF:20:73:0A:3F SHA1: 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68 #1: ObjectId: Criticality=true #2: ObjectId: Criticality=false Subject 0000: AD BD 98 7A 34 B4 26 F7 FA C EF 03 BD E0...z4.&...&T... #4: ObjectId: Criticality=false Authority 0000: AD BD 98 7A 34 B4 26 F7 FA C EF 03 BD E0...z4.&...&T...

8 [CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE SerialNumber: [ 01 Alias name: tomcat Entry type: PrivateKeyEntry Certificate chain length: 3 This is correct Certificate[1: Owner: CN= OU=Comodo InstantSSL, O=Petland, L=Calgary, ST=Alberta, C=CA Issuer: CN=UTN-USERFirst-Hardware, OU= O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US Serial number: 1d99c44e647d63bb4a90c83b66fbadb5 Valid from: Thu Feb 05 17:00:00 MST 2009 until: Thu Feb 06 16:59:59 MST 2014 Certificate fingerprints: MD5: C4:AA:71:0E:A7:CC:D8:70:A6:33:C1:99:E3:CD:02:2C SHA1: 08:22:4B:1C:6D:22:14:63:99:33:EF:CF:69:66:FC:94:A3:C1:34:61 #1: ObjectId: Criticality=true DigitalSignature Key_Encipherment #2: ObjectId: Criticality=true CA:false PathLen: undefined Subject 0000: 8D B6 76 2E BF 23 EB D2 5B 3D CE F7 B4 AD 58 BD..v..#..[=...X. 0010: 9A F8 1C 40...@ #4: ObjectId: Criticality=false AuthorityInfoAccess [ [accessmethod: accesslocation: URIName: accessmethod: accesslocation: URIName: #5: ObjectId: Criticality=false CRLDistributionPoints [ [DistributionPoint: DistributionPoint: #6: ObjectId: Criticality=false CertificatePolicies [

9 [CertificatePolicyId: [ [PolicyQualifierInfo: [ qualifierid: qualifier: 0000: 16 1D A 2F 2F : 2E 63 6F 6D 6F 64 6F 2E 6E F comodo.net/CPS #7: ObjectId: Criticality=false ExtendedKeyUsages [ serverauth clientauth #8: ObjectId: Criticality=false NetscapeCertType [ SSL client SSL server #9: ObjectId: Criticality=false Authority 0000: A1 72 5F 26 1B D D D.r_&.(.C : 4B D2 C3 45 K..E #10: ObjectId: Criticality=false SubjectAlternativeName [ DNSName: DNSName: petlandtimeserver.ca Certificate[2: Owner: CN=UTN-USERFirst-Hardware, OU= O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE Serial number: a4f37fe a9667ff5d27 Valid from: Tue Jun 07 02:09:10 MDT 2005 until: Sat May 30 04:48:38 MDT 2020 Certificate fingerprints: MD5: 1C:BC:22:07:4D:3A:3A:BB:9D:A4:71:D5:F6:6D:AD:45 SHA1: 86:75:39:A2:6C:81:FA:2D:78:27:7C:3A:DF:DB:30:43:12:53:5E:57 #1: ObjectId: Criticality=true #2: ObjectId: Criticality=true Subject 0000: A1 72 5F 26 1B D D D.r_&.(.C : 4B D2 C3 45 K..E #4: ObjectId: Criticality=false CRLDistributionPoints [

10 [DistributionPoint: DistributionPoint: #5: ObjectId: Criticality=false CertificatePolicies [ [CertificatePolicyId: [ [ #6: ObjectId: Criticality=false Authority 0000: AD BD 98 7A 34 B4 26 F7 FA C EF 03 BD E0...z4.&...&T... Certificate[3: Owner: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE Serial number: 1 Valid from: Tue May 30 04:48:38 MDT 2000 until: Sat May 30 04:48:38 MDT 2020 Certificate fingerprints: MD5: 1D:35:54:04:85:78:B0:3F:42:42:4D:BF:20:73:0A:3F SHA1: 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68 #1: ObjectId: Criticality=true #2: ObjectId: Criticality=false Subject 0000: AD BD 98 7A 34 B4 26 F7 FA C EF 03 BD E0...z4.&...&T... #4: ObjectId: Criticality=false Authority 0000: AD BD 98 7A 34 B4 26 F7 FA C EF 03 BD E0...z4.&...&T... [CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE SerialNumber: [ 01