Wildcard Certificates

Overview: When importing a wildcard certificate into the Java Keystore that was generated on another server, the private key must also be included. The process includes exporting the certificate and its trusted certificates, along with the private key, in PKCS#12 format.

Personal Information Exchange (PKCS #12)
The Personal Information Exchange format (PFX, also called PKCS #12) supports secure storage of certificates, private keys, and all certificates in a certification path. The PKCS #12 file format is the only file format that can be used to export a certificate and its private key.

Note: In public key encryption, two different keys are used to encrypt and decrypt information. The private key is a key that is known only to its owner, while the public key can be made known and available to other entities on the network.

HOW IT WORKS! If the certificate reply was created in the Windows certificate store, then the certificate chain and private key may be exported.

2013 GoPrint Systems, Inc. All rights reserved. Wildcard SSL Certificates 1
Important: a password is required to protect the key. If requesting the file from a staff member, it's important to obtain the password. To import seamlessly with GoPrint, it's recommended to request a password of trustno1.
Step 1 - obtain the private key and trusted chain in a PKCS#12 file format, along with the password
1. Save the file under the GS4\certs subdirectory.

Step 2 - create a new Keystore using the exported PKCS#12 file
1. Create a new Keystore called gtx.keystore
2. Generate a Keystore password of: trustno1
3. Save the new Keystore under the GS4\certs subdirectory
Important: the new Keystore password MUST match the password of the PKCS#12 file.

Java Keytool
GoPrint incorporates Oracle Java version 1.6.0_35 and higher, which, unlike earlier versions, supports importing a PKCS#12 file. This change allows the keytool command to treat the file just like another type of keystore. The trick is to set the "storetype" option to "pkcs12", as follows:

Issue the command:
1. Open a Windows command prompt
2. Navigate to the GS4\JRE\Bin directory (this is where the Java Keytool utility lives)
3. Issue the following command:

keytool -importkeystore -destkeystore c:\gs4\certs\gtx.keystore -deststorepass trustno1 -srckeystore c:\gs4\certs\wildcard.pfx -srcstoretype PKCS12 -srcstorepass trustno1

The PKCS#12 was successfully imported and the new gtx.keystore created!!!

Entry for alias le-72d11884-bbab-4d4d-a79f-b5f3072a715e successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Step 3 - change the default Alias to goprintservercert
The GoPrint system requires a Keystore alias name of goprintservercert, and by default the importkeystore command generates a generic alias, as highlighted below:

Entry for alias le-72d11884-bbab-4d4d-a79f-b5f3072a715e successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

Issue the command:

keytool -changealias -alias le-72d11884-bbab-4d4d-a79f-b5f3072a715e -destalias goprintservercert -keystore c:\gs4\certs\gtx.keystore

Step 4 - view the contents of the Keystore to confirm the alias change
Issue command:

C:\GS4\jre\bin>keytool -v -list -keystore c:\gs4\certs\gtx.keystore
Enter keystore password:
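The three keytool invocations in Steps 2 to 4 can be driven from a script so that the generated alias is read out of the importkeystore output rather than copied by hand, and so that the "keystore password must match the PKCS#12 password" rule is enforced before anything runs. The following is an added example and not GoPrint code; it assumes keytool at the GS4\jre\bin location the guide gives (the path constant is an assumption), uses the guide's password only as a placeholder, and the sample outputs it parses are constructed from the lines shown above plus a minimal "keytool -v -list" listing.

```python
# Added example (not GoPrint code): drives the keytool steps of this guide from Python.
# Assumptions: keytool lives at the GS4\jre\bin path the guide names; passwords are
# placeholders; SAMPLE_* strings are constructed from the output the guide shows.
import re
import subprocess
from typing import List

KEYTOOL = r"C:\GS4\jre\bin\keytool.exe"   # assumed path, per the guide's GS4\JRE\Bin location
REQUIRED_ALIAS = "goprintservercert"      # alias name the GoPrint system requires

ALIAS_RE = re.compile(r"Entry for alias (\S+) successfully imported\.")
SUMMARY_RE = re.compile(
    r"Import command completed: (\d+) entries successfully imported, (\d+) entries failed or cancelled")
LISTING_ALIAS_RE = re.compile(r"^Alias name: (\S+)", re.M)


def import_pkcs12_cmd(pfx_path: str, keystore_path: str, storepass: str, pfx_pass: str) -> List[str]:
    """Step 2: build the -importkeystore command line as an argv list."""
    # The guide requires the new keystore password to match the PKCS#12 password;
    # refuse to build a command that would violate that rule.
    if storepass != pfx_pass:
        raise ValueError("keystore password must match the PKCS#12 password")
    return [KEYTOOL, "-importkeystore",
            "-destkeystore", keystore_path, "-deststorepass", storepass,
            "-srckeystore", pfx_path, "-srcstoretype", "PKCS12", "-srcstorepass", pfx_pass]


def imported_alias(import_output: str) -> str:
    """Step 3 input: pull the generated alias out of the -importkeystore output.

    Fails unless the summary line reports exactly one entry imported and none failed.
    """
    summary = SUMMARY_RE.search(import_output)
    if summary is None:
        raise RuntimeError("no 'Import command completed' summary in keytool output")
    imported, failed = int(summary.group(1)), int(summary.group(2))
    if imported != 1 or failed != 0:
        raise RuntimeError(f"expected 1 entry imported, 0 failed; got {imported}/{failed}")
    aliases = ALIAS_RE.findall(import_output)
    if len(aliases) != 1:
        raise RuntimeError(f"expected one alias line, found {len(aliases)}")
    return aliases[0]


def change_alias_cmd(old_alias: str, keystore_path: str, storepass: str) -> List[str]:
    """Step 3: rename the imported entry to the alias GoPrint expects."""
    return [KEYTOOL, "-changealias", "-alias", old_alias, "-destalias", REQUIRED_ALIAS,
            "-keystore", keystore_path, "-storepass", storepass]


def list_cmd(keystore_path: str, storepass: str) -> List[str]:
    """Step 4: verbose listing used to confirm the alias change."""
    return [KEYTOOL, "-v", "-list", "-keystore", keystore_path, "-storepass", storepass]


def has_required_alias(listing_output: str) -> bool:
    """Step 4 check: True when 'Alias name: goprintservercert' appears in the listing."""
    return REQUIRED_ALIAS in LISTING_ALIAS_RE.findall(listing_output)


def run(cmd: List[str]) -> str:
    """Run one keytool command and return stdout+stderr; raises on a non-zero exit."""
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return proc.stdout + proc.stderr


def rekey_gtx_keystore(pfx_path: str, keystore_path: str, password: str) -> bool:
    """Steps 2-4 end to end: import, rename alias, confirm. True when the alias is present."""
    out = run(import_pkcs12_cmd(pfx_path, keystore_path, password, password))
    run(change_alias_cmd(imported_alias(out), keystore_path, password))
    return has_required_alias(run(list_cmd(keystore_path, password)))


# Constructed sample of the output the guide shows after Step 2.
SAMPLE_IMPORT_OUTPUT = """\
Entry for alias le-72d11884-bbab-4d4d-a79f-b5f3072a715e successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
"""

# Constructed sample of a 'keytool -v -list' listing after the rename (abridged fields).
SAMPLE_LISTING_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: goprintservercert
Creation date: Jan 1, 2013
Entry type: PrivateKeyEntry
"""

if __name__ == "__main__":
    # Dry demonstration on the constructed sample; rekey_gtx_keystore() is the live path.
    alias = imported_alias(SAMPLE_IMPORT_OUTPUT)
    print(" ".join(change_alias_cmd(alias, r"c:\gs4\certs\gtx.keystore", "trustno1")))
```

Because the commands are built as argument lists and passed to subprocess without a shell, the alias and paths are never re-parsed by cmd.exe, and the password-equality check reproduces the rule the guide states rather than discovering the mismatch later in RUN.log.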
Step 5 - backup the current gtx.keystore
The current gtx.keystore is found under the GS4\ root directory:
1. Rename the current gtx.keystore to gtx.keystore_old

Step 6 - replace with the new Keystore
1. Copy and paste the new gtx.keystore to the GS4 directory
Step 7 - restart the GoPrint GS-4 Services

Step 8 - ensure web client profiles reflect the DNS name specified in the CA Reply
If the Web Client popup was installed using the hostname of the GTX server, then in order to apply the SSL certificate the Web Client preference setting must be updated.

Step 9 - make a backup of your new gtx.keystore file and certificate files and save them in a secure place away from the server!
Control Center SSL Certificate Tool
In addition to importing the wildcard certificate using the Java Keytool, GoPrint provides the built-in SSL certificate tool to generate certificate requests and import CA Replies.

Video tutorial available at: http://www.screencast.com/t/dfaw39qffkv

Note: The SSL certificate tool does not support importing the entire certificate chain using a PKCS#12 file; it must be broken up into two files, PKCS#7 and PKCS#8. The easiest way to perform this task is to use the KeyStore Explorer tool, which can be downloaded from: http://keystore-explorer.sourceforge.net/

Step 1 - Open the PKCS#12 file in KeyStore Explorer
1. Select Open an existing KeyStore
2. When prompted, enter the password
Hint: this is the password that was generated when the certificate was exported from the store.
Step 2 - Export the Private Key
1. Right-click the certificate to view the drop-down menu
2. Select Export > Export Private Key
3. Select PKCS #8
4. Export file to: GS4\certs
Important: do not select Encrypt!
Step 3 - Export the Certificate Chain
1. From the drop-down menu, select Export Certificate Chain
2. Export Length: Entire Chain
3. Export Format: PKCS #7
4. Save under GS4\certs
Step 4 - Navigate to System > SSL Certificates
1. Scroll down to Wildcard SSL Certificates
2. Click the link Wildcard SSL Certificates
3. Certificate File: browse to the PKCS #7 file representing the certificate chain
4. Private Key File: browse to the PKCS #8 file representing the private key
Your imported wildcard certificate now appears!!!

Step 5 - Restart the GoPrint GS-4 Services
Troubleshooting

Issue: The keystore password is different than the private key password.
Navigate to the GS4\logs subdirectory and open the current RUN.log in Notepad. Look for the following lines:

INFO [Node launcher.gtxlauncher ] Starting GoPrint GTX version 4.1.13
INFO [Node rickslaptop:db.sqldrivermanager Registered JDBC driver: org.postgresql.driver
WARN [NC rickslaptop:component.abstractlifecycle ] FAILED org.eclipse.jetty.http.ssl.sslcontextfactory@d6d835f#failed: java.security.unrecoverablekeyexception: Cannot recover keyjava.security.unrecoverablekeyexception: Cannot recover key a sun.security.provider.keyprotector.recover(keyprotector.java:311)

Issue: An attempt was made to import the PKCS #12 file, which is currently not supported.

Issue: PEM file format was checked during export.
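The three issues above, and the "do not select Encrypt" and PKCS #7 / PKCS #8 export steps of the Control Center procedure, can all be checked before a restart fails. The following is an added example and not GoPrint or KeyStore Explorer code: diagnose_run_log() scans RUN.log text for the UnrecoverableKeyException signature shown above, and classify_export() / preflight() read the PEM header or the first DER elements of the two exported files to tell PKCS #7, unencrypted PKCS #8, encrypted PKCS #8, PKCS #12 and a bare X.509 certificate apart. The DER byte strings and the log excerpt are constructed samples; the problem codes returned by preflight() are names chosen here.

```python
# Added example (not GoPrint code): troubleshooting checks for the issues this guide lists.
# The DER samples, the PEM sample and the RUN.log excerpt are constructed for the demo.
import re
from typing import List, Tuple

# Signature of Jetty failing to open the key entry: keystore password != private key password.
UNRECOVERABLE_RE = re.compile(r"java\.security\.unrecoverablekeyexception: Cannot recover key", re.I)

def diagnose_run_log(log_text: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for the known failure signature in RUN.log."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if UNRECOVERABLE_RE.search(line):
            findings.append((n, "unrecoverable-key"))
    return findings

PEM_HEADER_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
OID_PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
PEM_LABELS = {"PKCS7": "pkcs7", "PRIVATE KEY": "pkcs8",
              "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted", "CERTIFICATE": "x509"}

def _tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Decode one DER tag/length header at pos; return (tag, value start, value end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length

def classify_export(data: bytes) -> Tuple[str, str]:
    """Return (encoding, kind): encoding is 'pem', 'der' or 'unknown'; kind is one of
    'pkcs7', 'pkcs8', 'pkcs8-encrypted', 'pkcs12', 'x509', 'unknown'."""
    m = PEM_HEADER_RE.search(data)
    if m:
        return "pem", PEM_LABELS.get(m.group(1).decode(), "unknown")
    try:
        tag, start, _ = _tlv(data, 0)
        if tag != 0x30:                       # every container here is an outer SEQUENCE
            return "unknown", "unknown"
        itag, istart, iend = _tlv(data, start)
        inner = data[istart:iend]
        if itag == 0x06 and inner == OID_PKCS7_SIGNED_DATA:
            return "der", "pkcs7"             # ContentInfo { signedData, ... }
        if itag == 0x02 and inner in (b"\x00", b"\x01"):
            return "der", "pkcs8"             # PrivateKeyInfo version v1/v2
        if itag == 0x02 and inner == b"\x03":
            return "der", "pkcs12"            # PFX version v3
        if itag == 0x30:                      # AlgorithmIdentifier or TBSCertificate
            if data[istart] == 0x06:
                return "der", "pkcs8-encrypted"   # EncryptedPrivateKeyInfo starts with an OID
            if data[istart] in (0xA0, 0x02):
                return "der", "x509"              # TBSCertificate starts with [0] version / serial
    except IndexError:
        pass
    enc = "der" if data[:1] == b"\x30" else "unknown"
    return enc, "unknown"

def preflight(chain_file: bytes, key_file: bytes) -> List[str]:
    """Apply the guide's rules to the chain and key files; an empty list means ready to import."""
    (chain_enc, chain_kind), (key_enc, key_kind) = classify_export(chain_file), classify_export(key_file)
    problems = []
    if "pem" in (chain_enc, key_enc):
        problems.append("pem-export")            # PEM format was checked during export
    if "pkcs12" in (chain_kind, key_kind):
        problems.append("pkcs12-unsupported")    # the tool cannot take the PKCS#12 directly
    if key_kind == "pkcs8-encrypted":
        problems.append("key-encrypted")         # Encrypt was selected when exporting the key
    if chain_kind != "pkcs7":
        problems.append("chain-not-pkcs7")
    if key_kind != "pkcs8":
        problems.append("key-not-pkcs8")
    return problems

# Constructed minimal DER prefixes (structure only; not real keys or certificates).
DER_PKCS7 = bytes.fromhex("300d06092a864886f70d010702a000")
DER_PKCS8 = bytes.fromhex("3008020100300306012a")
DER_PKCS8_ENC = bytes.fromhex("3009300306012a0402abcd")
DER_PKCS12 = bytes.fromhex("30050201033000")
DER_X509 = bytes.fromhex("30073005a003020102")
PEM_PKCS7 = b"-----BEGIN PKCS7-----\nMIAGCSqGSIb3DQEHAqCA\n-----END PKCS7-----\n"

# Constructed RUN.log excerpt, abridged from the lines the guide tells you to look for.
SAMPLE_RUN_LOG = """\
INFO [Node launcher.gtxlauncher ] Starting GoPrint GTX version 4.1.13
INFO [Node rickslaptop:db.sqldrivermanager Registered JDBC driver: org.postgresql.driver
WARN [NC rickslaptop:component.abstractlifecycle ] FAILED org.eclipse.jetty.http.ssl.sslcontextfactory@d6d835f#failed: java.security.unrecoverablekeyexception: Cannot recover key
"""

if __name__ == "__main__":
    print(diagnose_run_log(SAMPLE_RUN_LOG))
    print(preflight(DER_PKCS7, DER_PKCS8_ENC))
```

Run preflight() on the two files before browsing to them in the SSL certificate tool: a "key-encrypted" result means the Encrypt box was ticked in KeyStore Explorer, "pem-export" means PEM was selected instead of DER, and "pkcs12-unsupported" means the .pfx itself was chosen rather than the split PKCS #7 and PKCS #8 files. The DER check reads only the outer SEQUENCE and its first element, which is enough to distinguish these formats without a full ASN.1 parser.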