Creating an authorized SSL certificate
The On-premises Enterprise MeetingSphere Server requires an authorized SSL certificate. This document provides a step-by-step guide for creating such a certificate with “Java Keytool”.
For your MeetingSphere a simple non-wildcard SSL certificate will do.
Any type of SSL certificate will expire after a specific period and need to be reissued.
A. Create a private key-store
Execute the following steps on a computer with Sun (Oracle) Java Development Kit 1.5 or higher. This could be your MeetingSphere Server, which requires Sun (Oracle) JDK 1.8 in any case.
1. Call “Keytool”
Execute the following command from the command-line prompt:
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore domainname.kdb
For “domainname.kdb” substitute your domain name. In the example this is “example.com.kdb”. If Java is installed correctly (Linux path variable: $JAVA_HOME/bin, Windows path variable: %JAVA_HOME%\bin) you do not have to specify a path. If required, change directory to the Java directory which contains the program “keytool”.
3. (Sub) domain name
When asked “What is your first and last name?” specify the (sub)domain name by which your MeetingSphere is registered in the DNS.
For a simple non-wildcard certificate you have to specify the full domain name (here “example.com”). If, however, the hostname registered in the DNS results in a URL like
https://meetingsphere.example.com,
specify “meetingsphere.example.com” (everything after “https://”). In this case, use “meetingsphere.example.com” also as the file name of your keystore!
Be aware that every combination of characters to the left of the domain name and separated by a “dot” constitutes a sub domain: “www.example.com” is a sub domain of “example.com” and is not covered by a simple certificate for “example.com”.
Any discrepancy between (sub) domain name in the keystore and the actual address of your MeetingSphere will cause security alerts in the users’ browsers!
4. Organizational unit / Organization
Specify the name of your department and the complete legal name of your organization. In the example this is “Meeting Management” and “Example Inc”. You may specify your organization name also for “Organizational unit”.
Note that the characters allowed for this and the following information are restricted. The characters [! @ # $ % ^ ( ) ~ ? > < & / \ , . " '] are illegal.
5. City, state and country
In the example given above these are “Hamburg” (city), “Hamburg” (state) and “DE” for Germany. The country is specified with its 2-letter country code according to ISO 3166-1 alpha-2, which is also used by e.g. NATO. Examples: DE, GB, FR, ES, US, JP.
6. Verify your specification
keytool will display your specification for confirmation. If correct, confirm with “yes”.
7. Password for <tomcat>
keytool prompts you again for a password. Press “enter” to confirm the password given above.
8. Creation and backup of the keystore file
On confirmation of the password for <tomcat>, the specified keystore file (in the example “example.com.kdb”) will be created and stored in the directory from which “keytool” was called. Create a backup of the keystore file.
B. Certificate signing request (CSR)
9. Call Keytool
From the command prompt, call “keytool”:
keytool -certreq -alias tomcat -keystore domainname.kdb -file domainname.csr
Substitute the file name you have specified in step 1 above (e.g. “example.com.kdb”) for “domainname.kdb”. Use that name also for the signing-request file. In our example “domainname.csr” should read “example.com.csr”.
When prompted, give the password of the keystore (here: “changeit”).
Keytool: Creating a signing request
Create another backup of the keystore, as step 9 may lead to different results if repeated.
10. Getting the domain and the SSL root certificate
With your web browser go to the homepage of your SSL provider (certificate authority). Follow the instructions for creating an SSL certificate. Typically, you will be asked to upload the CSR file (in our example “example.com.csr” from the directory from which you have called “keytool”). Alternatively, you may be asked to open the CSR file in an editor and paste its content into an input box.
At the end of this procedure you will receive (by download or email) a certificate for your domain and an SSL root certificate of the certificate authority.
C. Finalize the keystore
To finalize the keystore, you must copy the received certificates to the directory from which you have called “keytool” and where the keystore (in our example “example.com.kdb”) and the signing request (in our example “example.com.csr”) reside.
11. Import the root certificate into the Keystore
Call “keytool” to import the root certificate, where
- “domainname.kdb” is your kdb file (in our example “example.com.kdb”)
- “root.cer” is the certificate of your certificate authority
Keytool: Import of the root certificate in the keystore
When prompted, give the password as specified in step 1 (example: “changeit”).
Possibly you will be informed that the root certificate is already included in the system-wide keystore.
In any case, confirm with “yes”!
Note: Simple confirmation with “Enter” would count as “no”!
You want to add the root certificate to your specific SSL keystore!
12. Import the SSL domain certificate into the Keystore
Call “keytool” again:
keytool -import -trustcacerts -keystore domainname.kdb -alias tomcat -file domainname.cer
where
- “domainname.kdb” is your keystore file (in our example “example.com.kdb”)
- “domainname.cer” is the domain certificate received from your SSL provider (example: “example.com.cer”).
Your keystore domainname.kdb (in the example: “example.com.kdb”) is now complete and ready for use. Create a backup of this file and store it in a safe place!
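The following helper script is an added example, not part of the MeetingSphere guide or its tooling. It checks the inputs from steps 3 to 5 (the illegal-character rule and the rule that a simple certificate covers only the exact name in the CN) and prints the keytool calls for steps 1, 9 and 12 in non-interactive form using keytool's -dname, -storepass and -keypass options. The function names, and the sample values in the comments, are assumptions for this example.

```shell
#!/bin/sh
# Added helper, not MeetingSphere's own tooling. Function names are assumed.

# Reject the characters the guide lists as illegal for OU, O, L, ST and C.
dn_field_ok() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | LC_ALL=C grep -q '[@#$%^()~?><&/\\,."!'"'"']' && return 1
    return 0
}

# Host part of a URL, lower-cased: scheme, port and path are dropped.
url_host() {
    h=${1#*://}; h=${h%%/*}; h=${h%%:*}
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# A simple (non-wildcard) certificate covers only the exact name in CN:
# a CN of example.com does not cover https://www.example.com.
cn_covers_host() {
    [ "$(printf '%s\n' "$1" | tr 'A-Z' 'a-z')" = "$(url_host "$2")" ]
}

# build_dname CN OU O L ST C -> prints an X.500 DN, or fails on a bad field.
build_dname() {
    cn=$1; shift
    for f in "$@"; do dn_field_ok "$f" || return 1; done
    printf 'CN=%s,OU=%s,O=%s,L=%s,ST=%s,C=%s\n' "$cn" "$1" "$2" "$3" "$4" "$5"
}

# genkey_cmd CN OU O L ST C PASSWORD -> step 1 without interactive prompts;
# the keystore file is named after the CN, as the guide requires.
genkey_cmd() {
    dn=$(build_dname "$1" "$2" "$3" "$4" "$5" "$6") || return 1
    printf 'keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore %s.kdb' "$1"
    printf ' -dname "%s" -storepass %s -keypass %s\n' "$dn" "$7" "$7"
}

# certreq_cmd CN PASSWORD -> step 9; import_cmd CN PASSWORD -> step 12.
# CSR and certificate files carry the same base name as the keystore.
certreq_cmd() {
    printf 'keytool -certreq -alias tomcat -keystore %s.kdb -file %s.csr -storepass %s\n' \
        "$1" "$1" "$2"
}
import_cmd() {
    printf 'keytool -import -trustcacerts -keystore %s.kdb -alias tomcat -file %s.cer -storepass %s\n' \
        "$1" "$1" "$2"
}
```

Run the printed commands in order (step 1, step 9, then the CA's step 11 import and step 12) from the directory that will hold the keystore.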
D. Install the keystore on the MeetingSphere Server
13. Upload the keystore in the server console
Open the application server console > Server administration > SSL keystore control.
- Specify “uploaded keystore”.
- Upload the keystore and specify the password.
MeetingSphere Inc
440 Monticello Ave, Suite 1875 Norfolk, VA 23510
United States of America
www.meetingsphere.com T: 1 (703) 348 0725