© 2013 GoPrint Systems, Inc. All rights reserved. | Wildcard SSL Certificates 1
Wildcard Certificates
Overview:
When importing into the Java Keystore a wildcard certificate that was generated on another server, the private key must also be included. The process consists of exporting the certificate and its trusted certificates, along with the private key, in PKCS#12 format.
Personal Information Exchange (PKCS #12)
The Personal Information Exchange format (PFX, also called PKCS #12) supports secure storage of certificates, private keys, and all certificates in a certification path.
The PKCS #12 file format is the only file format that can be used to export a certificate and its private key.
Note:
In public key encryption, two different keys are used to encrypt and decrypt information. The private key is a key that is known only to its owner, while the public key can be made known and available to other entities on the network.
How it works!
If the certificate reply was created in the Windows certificate store, then the certificate chain and private key may be exported.
Important:
A password is required to protect the key. If requesting the file from a staff member it’s important to obtain the password. To import seamlessly with GoPrint, it’s recommended to request a password of “trustno1”.
Step 1 – obtain the private key and trusted chain in a PKCS#12 file format along with the password.
1. Save the file under the GS4\certs subdirectory.
Step 2 – create a new Keystore using the exported PKCS#12 file
1. Create a new Keystore called gtx.keystore
2. Generate a Keystore password of: trustno1
3. Save the new Keystore under the GS4\certs subdirectory
Important:
the new Keystore password MUST match the password of the PKCS#12 file
Java Keytool
GoPrint incorporates Oracle Java version 1.6.0_35 and higher, which unlike earlier versions supports importing a PKCS#12 file. This allows the keytool command to treat the file just like another type of keystore. The trick is to set the source store type option ("-srcstoretype") to "PKCS12", as follows:
Issue the command:
1. Open a Windows command prompt
2. Navigate to the GS4\JRE\Bin directory (this is where the Java Keytool utility lives)
3. Issue the following command:
keytool -importkeystore -destkeystore c:\gs4\certs\gtx.keystore -deststorepass trustno1 -srckeystore c:\gs4\certs\wildcard.pfx -srcstoretype PKCS12 -srcstorepass trustno1
The PKCS#12 was successfully imported and the new gtx.keystore created!!!
Entry for alias le-72d11884-bbab-4d4d-a79f-b5f3072a715e successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Step 3 - change the default Alias to goprintservercert
The GoPrint system requires a Keystore alias name of ‘goprintservercert’, and by default the importkeystore command generates a generic alias, as highlighted below:
Entry for alias le-72d11884-bbab-4d4d-a79f-b5f3072a715e successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Issue the command (the alias is the one reported by the import above):
keytool -changealias -alias le-72d11884-bbab-4d4d-a79f-b5f3072a715e -destalias goprintservercert -keystore c:\gs4\certs\gtx.keystore
Step 4 - view the contents of the Keystore to confirm the alias change
Issue command:
C:\GS4\jre\bin>keytool -v -list -keystore c:\gs4\certs\gtx.keystore
Enter keystore password:
Step 5 - backup the current gtx.keystore
The current gtx.keystore is found under the GS4\ root directory:
1. Rename the current gtx.keystore to gtx.keystore_old
Step 6 – replace with the new Keystore
Step 7 – restart the GoPrint GS-4 Services
Step 8 – ensure web client profiles reflect the DNS name specified in the CA Reply
If the Web Client popup was installed using the hostname of the GTX server, then in order to apply the SSL certificate the Web Client preference setting must be updated.
Step 9 – make a backup of your new gtx.keystore file and certificate files and save them in a secure place away from the server!
Control Center SSL Certificate Tool
In addition to importing the wildcard certificate using the Java Keytool, GoPrint provides the built-in SSL certificate tool to generate certificate requests and import CA Replies.
Video tutorial available at: http://www.screencast.com/t/dfaW39qffKv
Note: The SSL certificate tool does not support importing the entire certificate chain using a PKCS#12 file; the bundle must be broken up into two files, PKCS#7 (the certificate chain) and PKCS#8 (the private key).
The easiest way to perform this task is to use the KeyStore Explorer tool, which can be downloaded from: http://keystore-explorer.sourceforge.net/
Step 1 - Open the PKCS#12 file in KeyStore Explorer
1. Select Open an existing KeyStore
2. When prompted, enter the password
Hint: this is the password that was generated when the certificate was exported from the store.
Step 2 - Export the Private Key
1. Right-click the certificate to view the drop-down menu
2. Select Export – Export Private Key
3. Select PKCS #8
4. Export file to: GS4\certs
Step 3 – Export the Certificate Chain
1. From the drop-down menu select Export Certificate Chain
2. Export Length: Entire Chain
3. Export Format: PKCS #7
4. Save under GS4\certs
Step 4 – Navigate to System – SSL Certificates
1. Scroll down to Wildcard SSL Certificates
2. Click the link Wildcard SSL Certificates
3. Certificate File: browse to the PKCS #7 file representing the certificate chain
4. Private Key File: browse to the PKCS #8 file representing the private key.
Your imported wildcard certificate now appears!
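The same split the KeyStore Explorer steps above perform, done from the command line with openssl, as an added example that is not part of GoPrint's documentation: it writes the unencrypted PKCS#8 private key and the PKCS#7 "entire chain" file the Control Center tool asks for, then confirms the exported key actually belongs to the leaf certificate before you upload anything. It assumes openssl is installed; the output names privatekey.p8 and chain.p7b and the PFX_PASS variable are my own choices.

```shell
#!/bin/sh
# Added example, not GoPrint's tooling: produce the two files the Control
# Center tool expects (PKCS#8 private key, PKCS#7 chain) from a PKCS#12
# bundle with openssl, then confirm the key belongs to the leaf certificate.
# Assumes openssl is on PATH. Output names privatekey.p8 / chain.p7b are my own.
set -eu

# split_pkcs12 <bundle.pfx> <password> <outdir>
split_pkcs12() {
    bundle=$1; pass=$2; out=$3
    mkdir -p "$out"
    # Key only: -nocerts drops the certs, -nodes leaves the key unencrypted
    # (the tool needs an unencrypted PKCS#8); pkcs8 -topk8 normalises the
    # PEM to "BEGIN PRIVATE KEY" whatever form the bundle held it in.
    openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nocerts -nodes \
        | openssl pkcs8 -topk8 -nocrypt -out "$out/privatekey.p8"
    chmod 600 "$out/privatekey.p8"   # the key is now on disk in the clear
    # Certificates only (leaf plus the CA certs in the bundle), rewrapped as
    # one PKCS#7 bag without a CRL: the "entire chain" export.
    openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nokeys -out "$out/chain.pem"
    openssl crl2pkcs7 -nocrl -certfile "$out/chain.pem" -out "$out/chain.p7b"
}

# key_matches_leaf <privatekey.p8> <chain.p7b>
# Returns 0 when the public key derived from the private key equals the
# public key of the first certificate in the chain (assumed to be the leaf).
key_matches_leaf() {
    from_key=$(openssl pkey -in "$1" -pubout | openssl dgst -sha256)
    from_cert=$(openssl pkcs7 -in "$2" -print_certs \
        | openssl x509 -pubkey -noout | openssl dgst -sha256)
    [ "$from_key" = "$from_cert" ]
}

# Usage: PFX_PASS=<bundle password> sh split_pkcs12.sh wildcard.pfx GS4/certs
if [ $# -eq 2 ]; then
    split_pkcs12 "$1" "${PFX_PASS:?export PFX_PASS with the bundle password}" "$2"
    if key_matches_leaf "$2/privatekey.p8" "$2/chain.p7b"; then
        echo "private key matches leaf certificate; files written to $2"
    else
        echo "private key does NOT match the leaf certificate" >&2; exit 1
    fi
fi
```

The password is taken from the environment rather than the command line so it does not land in shell history; the chain.pem intermediate is left in place only so you can inspect the certificate order if the match check fails.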
Troubleshooting
Issue: The keystore password is different from the private key password.
Navigate to the GS4\logs subdirectory and open the current RUN.log in Notepad. Look for the following lines:
INFO [Node launcher.GTXLauncher ] Starting GoPrint GTX version 4.1.13
INFO [Node rickslaptop:db.SQLDriverManager Registered JDBC driver: org.postgresql.Driver
WARN [NC rickslaptop:component.AbstractLifeCycle ] FAILED org.eclipse.jetty.http.ssl.SslContextFactory@d6d835f#FAILED: java.security.UnrecoverableKeyException: Cannot recover key
java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
Issue: An attempt was made to import the PKCS #12 file which is currently not supported