Working with Portecle to update / create a Java Keystore

Back up your stoneware.keystore file before starting.

Download Portecle from http://sourceforge.net/projects/portecle/

Unzip the files and double-click on portecle.jar, or type: java -jar portecle.jar

To update an existing working keystore with a new SSL Certificate

Choose File, Open Keystore, choose your stoneware.keystore file and enter your password (same as RelayUser).
There should only be one key pair, represented by the double key icon. There may be other supporting certificates depending on your type of certificate.

Right-click on your keypair (in this example it is called server) and choose Generate Certificate Request. Enter your keystore password and save the file to your computer. This is the file that you send to your Certificate Authority company (GoDaddy, Verisign, Comodo, RapidSSL, etc.).

Importing the certificate sent back to you from the CA company

If your CA sent you one or more intermediate or root certificates, then those will need to be imported. Click on Tools, and then Import Trusted Certificate. Select the intermediate / root certificates that you were sent or told to download.

If you get any errors, it may be easier to import the SSL certificates into Internet Explorer, export them from Internet Explorer, and then import them into the keystore.

Note: If you are obtaining a certificate from DigiCert, you will need to make sure you have their proper Intermediate Certificate in IE. The easiest method for this is to use their Certificate Management Tool: https://www.digicert.com/util/ With this tool, you can easily import the correct intermediate certificate, which is necessary to build the proper certificate chain.

Take the certificate you were sent, open Internet Explorer and go to: Tools > Internet Options > Content > Certificates > Import. Select the certificate you were sent from your CA. Once imported, find the certificate, usually located under the Other People tab. Right-click on it and choose Export, then select the Cryptographic Message Syntax Standard PKCS #7 option.
Select Include all certificates in the certification path if possible. Save this file so you can import it into the keystore.

Back in the Portecle tool, right-click on your keypair and choose Import CA Reply. Select the P7B file that you just exported from Internet Explorer.

You may get a message that says:

Click OK, verify the information about the SSL Certificate and click OK. Click Yes when it asks if you want to accept the CA Reply. You should see a message saying CA Reply Import Successful.

Click File, Save to save your changes. You are now done; you can take the newly updated keystore and copy it to all of your stoneware servers.

To create a brand new Keystore

Load Portecle.

Choose File, New Keystore.

Choose JKS.

Click Tools, Generate Keypair.

Choose SHA256withRSA for the Key Algorithm (or whatever your CA vendor requests it to be).

See the picture below for examples of what to fill in for the certificate. This information is based on your specific company information.
Click OK and it will ask for an Alias; it will use the Common Name by default. This name is fine. Click OK.

Enter a Password for the Keypair. This password MUST be the same as the RelayUser account for the portal.
Once done, you will see your new Keypair listed. Choose File, Save Keystore and re-enter the password. Again, this must match the RelayUser and the password used for the Keypair.

The keystore now has a working self-signed certificate. This certificate will work, but browsers will not trust it and each user will be prompted each time they come to the portal. Self-signed certificates are usually used during initial setup and for testing. Once you are ready to go into production, this should be upgraded to a real trusted certificate. The process for doing this is located at the top of this document.
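
A way to confirm, outside Portecle, that the keystore has moved from the self-signed certificate to a CA-signed chain after Import CA Reply. This is an added example, not part of the original document: it parses the output of the JDK's keytool -list -v, assumes English keytool output, and the sample listing (names, alias example-intermediate) is constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `keytool -list -v` output (English locale assumed) on stdin.
check_keystore_listing() {
  awk '
    /^Entry type: PrivateKeyEntry/        { keys++; inkey = 1; next }
    /^Entry type:/                        { inkey = 0 }
    inkey && /^Certificate chain length:/ { chain = $NF }
    inkey && /^Certificate\[1\]:/         { leaf = 1; next }
    inkey && /^Certificate\[[0-9]+\]:/    { leaf = 0 }
    inkey && leaf && /^Owner: /           { owner = substr($0, 8) }
    inkey && leaf && /^Issuer: /          { issuer = substr($0, 9); leaf = 0 }
    END {
      # The document expects exactly one key pair in the keystore.
      if (keys != 1) { printf "FAIL: expected 1 key pair, found %d\n", keys; exit 1 }
      # Owner equal to Issuer on the leaf means the CA reply was never imported.
      if (owner == issuer) { print "FAIL: still self-signed: " owner; exit 1 }
      # A CA-signed leaf alone means the intermediate / root was not chained.
      if (chain + 0 < 2) { printf "FAIL: chain length %d, intermediate missing\n", chain; exit 1 }
      print "OK: CA-signed, chain length " chain
    }'
}

# Constructed sample of `keytool -list -v` output (abridged to the parsed fields).
sample_listing() {
  cat <<'EOF'
Keystore type: JKS

Your keystore contains 2 entries

Alias name: example-intermediate
Entry type: trustedCertEntry

Owner: CN=Example Intermediate CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US

Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=portal.example.com, O=Example Corp, C=US
Issuer: CN=Example Intermediate CA, O=Example CA, C=US
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
EOF
}

# Real use: keytool -list -v -keystore stoneware.keystore | check_keystore_listing
sample_listing | check_keystore_listing
```

Run the check on the saved keystore before copying it to the other servers; a FAIL result means users would still see the browser trust prompt described above.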