Requesting and assigning certificates

Certificates are required in several places when configuring Verba. An SSL certificate is required when trusted HTTPS access to the web application has to be configured. Certificates are also used when file encryption, integrity protection (signing) or the recording announcement feature is a requirement, and between the Verba services to establish secure connections.

Certificates can be requested from a 3rd party provider, or from the local CA.

Request a new certificate from the local CA using Microsoft Management Console

Step 1 - Open the Start menu (right click it on newer Windows versions; on Windows Server 2008 R2 open it directly) and click on Run. Type mmc.exe and press Enter.

Step 2 - Go to the File / Add/Remove Snap-in... menu.

Step 3 - From the list on the left side select Certificates and click on the Add button.

Step 4 - Select Computer account then click Next. On the next page select Local computer then click Finish. In the Add or Remove Snap-ins window click OK.

Step 5 - Expand the Certificates node and right click on the Personal node. Select the All Tasks / Request New Certificate... menu.

Step 6 - On the first page click Next. Select a Certificate Enrollment Policy then click Next.

Step 7 - Select a certificate template. On the right side expand Details, then click on Properties.

Step 8 - Set the properties of the certificate based on the purpose:

Certificate for SSL connection for trusted HTTPS access
  • Subject tab:
    • Under the Subject name section set the Type to Full DN and add the server FQDN as Value in the following format: CN=servername.yourdomain.com
    • Under the Alternative name section set the Type to DNS and add the following Values:
      • The hostname of the server where the web application is hosted.
      • The FQDN of the server where the web application is hosted.
      • (Optional) The load balancer hostname and/or FQDN.
      • (Optional) The external hostname under which the web application is published (the DNS name only, without https:// or a path).
    • If users also open the web application by IP address, add the IP address of the server as a separate Alternative name entry with the Type set to IP address (v4) (or IP address (v6)), not DNS. Browsers match an IP address in the URL only against an IP address entry of the certificate, so an IP address placed under the DNS type does not remove the certificate warning.
Certificate for Encryption
  • Private Key tab:
    • Under the Key options section turn on the 'Make private key exportable' setting.
Certificate for Signing
  • Private Key tab:
    • Under the Key options section turn on the 'Make private key exportable' setting.
Certificate for the Announcement service
  • Private Key tab:
    • Under the Key options section turn on the 'Make private key exportable' setting.
  • Subject tab:
    • Under the Subject name section set the Type to Full DN and add the trusted application server pool FQDN as Value in the following format: CN=poolfqdn.yourdomain.com
    • Under the Alternative name section set the Type to DNS and add the following Values:
      • The FQDNs of the Announcement servers.
      • The FQDN of the trusted application pool.
  • General tab:
    • Provide a friendly name. This name has to be configured in the Announcement Service configuration.

An exportable private key can be copied out of the machine store by anyone with local administrator rights on the server. Turn the setting on only for the certificate types listed above, and keep any exported PFX/P12 file password protected and off shared folders and backups.

Step 9 - In the Certificate Properties window click OK, then click Enroll.
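The same request can be made without the MMC. The following script is an added example, not part of the Verba documentation: it builds the HTTPS certificate request from Step 8 with certreq.exe, including DNS alternative names and a real IP address entry, submits it to the local CA and binds the issued certificate to the key in the Local Computer store. The CA config string, the template name WebServer (it has to allow the subject to be supplied in the request), the hostnames and the IP address are assumptions; the script has to run in an elevated PowerShell on a domain-joined server.

```powershell
# Added example (not part of the Verba documentation): request the HTTPS
# certificate from the local AD CS CA with certreq.exe instead of the MMC.
# Assumptions (adjust to your environment): CA config string
# "ca.contoso.com\ContosoCA", a template named "WebServer" that allows the
# subject to be supplied in the request, and the hostnames/IP address below.
$serverFqdn = "verbaserver.yourdomain.com"
$serverHost = "verbaserver"
$serverIp   = "10.0.0.5"
$lbFqdn     = "recording.yourdomain.com"
$caConfig   = "ca.contoso.com\ContosoCA"
$template   = "WebServer"
$friendly   = "Verba web application HTTPS"

# certreq reads its settings from an INF file. The SAN extension (OID 2.5.29.17)
# carries dns= entries for the names and a separate ipaddress= entry for the IP,
# which is the entry browsers match when the URL contains an IP address.
# Exportable = FALSE: the HTTPS key never has to leave this server.
$inf = @"
[NewRequest]
Subject = "CN=$serverFqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
FriendlyName = "$friendly"

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$serverFqdn&"
_continue_ = "dns=$serverHost&"
_continue_ = "dns=$lbFqdn&"
_continue_ = "ipaddress=$serverIp&"

[RequestAttributes]
CertificateTemplate = $template
"@

$work = Join-Path $env:TEMP "verba-https"
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Content -Path "$work\request.inf" -Value $inf -Encoding ASCII

# 1. Build the request; the private key is generated in the machine store.
certreq.exe -new -q "$work\request.inf" "$work\request.csr"
# 2. Submit it to the CA. With auto-issuance the signed certificate is written
#    to cert.cer; with manager approval certreq prints a RequestId instead and
#    the file is fetched later with: certreq -retrieve -config $caConfig <RequestId> cert.cer
certreq.exe -submit -q -config $caConfig "$work\request.csr" "$work\cert.cer"
# 3. Bind the issued certificate to the pending private key.
certreq.exe -accept -q "$work\cert.cer"

# Show what landed in the store: the entry must have a private key and the SAN
# extension must list the DNS names and the IP address.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendly } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }).Format($false)
"Thumbprint : $($cert.Thumbprint)"
"PrivateKey : $($cert.HasPrivateKey)"
"SAN        : $san"
```

The INF form is also the way to get an IP address alternative name from the command line: the Get-Certificate cmdlet only accepts DNS names. Whether the CA keeps the alternative names from the request depends on the template; if the issued certificate shows only the CN, the template does not allow the subject to be supplied in the request.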

Request a new certificate from the local CA for Announcement service using PowerShell

The certificate can be requested with the following command in the Lync Server / Skype for Business Management Shell (Request-CsCertificate is a Lync / Skype for Business cmdlet):

Request-CsCertificate -New -Type default -FriendlyName "Announcement service" -CA ca.contoso.com\ContosoCA -ComputerFQDN servername.yourdomain.com

If there is more than one node in the Trusted Application pool, the FQDNs of the other nodes have to be passed with an additional parameter so that they are added to the certificate as alternative names:

Request-CsCertificate -New -Type default -FriendlyName "Announcement service" -CA ca.contoso.com\ContosoCA -ComputerFQDN servername.yourdomain.com -DomainName "server2.yourdomain.com,server3.yourdomain.com"

Description of the parameters:

  • -FriendlyName: The friendly name of the certificate. It has to match the name configured in the Announcement Service configuration. Sample value: "Announcement service"
  • -CA: The local Certificate Authority in the form <CA server FQDN>\<CA name>. Sample value: ca.contoso.com\ContosoCA
  • -ComputerFQDN: The FQDN of the Trusted Application pool; it becomes the Subject CN of the certificate. Sample value: servername.yourdomain.com
  • -DomainName: The FQDNs of the other Announcement Server nodes, comma separated; they are added as Subject Alternative Names. Sample value: "server2.yourdomain.com,server3.yourdomain.com"
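Before the certificate is assigned, it is worth checking that the issued certificate actually carries every name the Announcement service will be reached under, has its private key in the store and chains to a trusted CA. The following script is an added example, not part of the Verba documentation or the Lync cmdlets; the friendly name, the pool FQDN and the node FQDNs are assumptions taken from the commands above.

```powershell
# Added example (not part of the Verba documentation): check the certificate
# issued by Request-CsCertificate before assigning it. Assumed values: the
# friendly name used in the request and the pool/node FQDNs below.
$friendlyName = "Announcement service"
$poolFqdn     = "poolfqdn.yourdomain.com"
$nodeFqdns    = @("servername.yourdomain.com", "server2.yourdomain.com", "server3.yourdomain.com")

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$friendlyName' in LocalMachine\My" }

# Collect the names the certificate is valid for: the Subject CN plus the DNS
# entries of the Subject Alternative Name extension (DnsNameList is the
# PowerShell view of that extension).
$names = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)
if ($cert.Subject -match "CN=([^,]+)") { [void]$names.Add($Matches[1].Trim()) }
foreach ($d in $cert.DnsNameList) { [void]$names.Add($d.Unicode) }

$problems = @()
foreach ($required in (@($poolFqdn) + $nodeFqdns)) {
    if (-not $names.Contains($required)) { $problems += "missing name: $required" }
}
if (-not $cert.HasPrivateKey) { $problems += "no private key in the store" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires on $($cert.NotAfter)" }
# Verify() builds the chain against the machine's trusted roots and checks revocation.
if (-not $cert.Verify()) { $problems += "chain does not validate (CA not trusted, or certificate revoked)" }

"Certificate : $($cert.Subject) ($($cert.Thumbprint))"
"Valid for   : $($names -join ', ')"
if ($problems) {
    $problems | ForEach-Object { "FAIL: $_" }
    exit 1
}
"OK: certificate is usable for the Announcement service"
```

A missing node name is the usual cause of TLS failures that appear only when the pool fails over to another node, so run the check with the complete node list rather than the node the request was made on.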

Generating a key pair and Certificate Signing Request with Java Keytool, then signing it with the CA and exporting the certificate

When requesting a certificate from the CA directly is not possible, a custom request has to be created with keytool and signed by the CA. The CA-signed certificate is then imported back into the keystore next to the private key.

Step 1 - Generating a key pair.

Run the following command for generating a new key pair (public and private):

"%JAVA_HOME%\bin\keytool" -genkeypair -keysize 2048 -keyalg RSA -validity 36500 -keystore verba.jks -alias tomcat -dname "CN=verbaserver-fqdn, OU=IT, O=IT, L=Little Rock, ST=Arkansas, C=US"

Parameters:
  • -keysize: The size of the RSA key in bits. Use at least 2048: 1024-bit RSA keys are no longer considered secure and are rejected by current browsers, Java versions and most CAs. Sample values: 2048, 4096
  • -keyalg: The algorithm used for the key. Sample value: RSA
  • -keypass: The password used for protecting the private key. If it is omitted keytool prompts for it. The sample is a placeholder; use a strong password. Sample value: P@ssw0rd123
  • -validity: The validity in days of the self-signed placeholder certificate created with the key pair. The CA-signed certificate imported in Step 4 gets its validity from the CA, so this value does not affect the final certificate. Sample values: 365, 3650
  • -keystore: The store where the keys will be stored. It can be a new keystore (it will be created) or an existing one. Sample values: verba.jks, C:\verba.keystore
  • -storepass: The password used to protect the keystore. It must be specified when an existing, password-protected keystore is used; otherwise keytool prompts for it. Sample value: P@ssw0rd123
  • -alias: An alias for the generated key pair. Sample value: tomcat
  • -dname: The subject of the certificate. The CN has to be the FQDN under which users reach the web application. Sample values: "CN=verbaserver-fqdn", "CN=verbaserver-fqdn, OU=IT, O=IT, L=Little Rock, ST=Arkansas, C=US"

Step 2 - Generating a Certificate Signing Request (CSR).

Run the following command:

"%JAVA_HOME%\bin\keytool" -certreq -alias tomcat -keyalg RSA -file request.csr -keystore verba.jks -ext "SAN=dns:verbaserver-fqdn"

Parameters:
  • -alias: The alias of the generated key pair. It has to match the one provided in the previous step. Sample value: tomcat
  • -keyalg: The algorithm used for the key. It has to match the one provided in the previous step. Sample value: RSA
  • -file: The name of the generated CSR file. Sample values: request.csr, C:\temp\request.csr
  • -keystore: The store where the keys are stored. It has to match the one provided in the previous step. Sample values: verba.jks, C:\verba.keystore
  • -ext: Requests a Subject Alternative Name extension. Current browsers ignore the CN and only accept names listed in the SAN, so list every DNS name (and, with ip:, every IP address) the web application is reached under, comma separated, for example "SAN=dns:verbaserver-fqdn,dns:verbaserver,ip:10.0.0.5". Whether the CA keeps the requested names depends on its template settings.

Step 3 - Sign the CSR file with the CA.
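One way to do this step with a Microsoft CA, and to obtain the root.cer and intermediate.cer files that Step 4 imports, is shown below. The script is an added example, not part of the Verba documentation or of keytool: it submits the CSR with certreq.exe, then walks the certificate chain of the issued certificate and writes the CA certificates out as DER files. The CA config string, the template name WebServer (it has to allow the subject to be supplied in the request) and the file paths are assumptions.

```powershell
# Added example (not part of the Verba documentation): submit the keytool CSR
# from Step 2 to the local AD CS CA and export the CA certificates that Step 4
# imports. Assumptions: CA config string "ca.contoso.com\ContosoCA", a template
# named "WebServer" that allows the subject to be supplied in the request, and
# the file paths below. Run it on a domain-joined machine with enrollment rights.
$caConfig = "ca.contoso.com\ContosoCA"
$template = "WebServer"
$work     = "C:\temp"
$csr      = Join-Path $work "request.csr"
$signed   = Join-Path $work "signed-certificate.cer"

# Submit the CSR. With auto-issuance the signed certificate is written to $signed.
# If the template requires CA manager approval, certreq prints a RequestId and
# the file is fetched later with: certreq -retrieve -config $caConfig <RequestId> $signed
certreq.exe -submit -q -config $caConfig -attrib "CertificateTemplate:$template" $csr $signed
if (-not (Test-Path $signed)) { throw "No certificate returned; check the request status on the CA" }

# Build the chain of the issued certificate to find the CA certificates above it.
$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($signed)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($leaf)   # returns $false if the root is not trusted; the elements are still filled in
$cas = @($chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate })
if ($cas.Count -eq 0) { throw "Chain could not be built; is the CA certificate in the Trusted Root store?" }

# Element order is leaf -> intermediates -> root. Write DER files with the names
# Step 4 uses: root.cer for the last element, intermediate.cer for the one below
# it (on a two-tier PKI). Deeper hierarchies need one import per intermediate.
$der = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
[IO.File]::WriteAllBytes((Join-Path $work "root.cer"), $cas[-1].Export($der))
if ($cas.Count -ge 2) {
    [IO.File]::WriteAllBytes((Join-Path $work "intermediate.cer"), $cas[-2].Export($der))
}
"Issued to   : $($leaf.Subject)"
"Issued by   : $($leaf.Issuer)"
"Chain depth : $($cas.Count) CA certificate(s) written to $work"
```

Check the Subject and the alternative names of signed-certificate.cer before importing it: if the CA replaced the requested names with values from the template, the certificate will not match the URL users open.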

Step 4 - Add the CA certificates and the signed certificate to the keystore.

The CA certificates have to be imported before the signed certificate, otherwise keytool cannot build the chain and rejects the certificate reply. Run the following command for adding the root CA certificate to the keystore:

"%JAVA_HOME%\bin\keytool" -import -alias root -keystore verba.jks -trustcacerts -file root.cer

(Optional, only on a multi-tier PKI) Run the following command for adding the intermediate (issuing) CA certificate to the keystore:

"%JAVA_HOME%\bin\keytool" -import -alias inter -keystore verba.jks -trustcacerts -file intermediate.cer

Parameters:
  • -alias: An alias for the CA certificate entry. It has to be different from the alias of the key pair (tomcat), and a separate alias is used for each CA certificate. Sample values: root, inter
  • -keystore: The store where the keys are stored. It has to match the one provided in the previous steps. Sample values: verba.jks, C:\verba.keystore
  • -trustcacerts: Also consider the CA certificates of the JRE's cacerts file when building the chain.
  • -file: The CA certificate file (DER or PEM encoded). Sample values: ca-certificate.cer, C:\temp\ca-certificate.cer

Run the following command for adding the signed certificate to the keystore:

"%JAVA_HOME%\bin\keytool" -import -alias tomcat -keystore verba.jks -file signed-certificate.cer

Parameters:
  • -alias: The alias of the key pair generated in Step 1. It has to be the same (tomcat): keytool then treats the file as the certificate reply for that private key and replaces the self-signed placeholder certificate. Importing it under a different alias only adds a trusted certificate without the private key, and the web server would keep using the self-signed one. Sample value: tomcat
  • -keystore: The store where the keys are stored. It has to match the one provided in the previous steps. Sample values: verba.jks, C:\verba.keystore
  • -file: The signed certificate file returned by the CA. Sample values: signed-certificate.cer, C:\temp\signed-certificate.cer

On success keytool reports that the certificate reply was installed in the keystore; listing the tomcat entry with keytool's -list -v option then shows a certificate chain of two or three certificates instead of a single self-signed one.

Step 5 - Export the signed certificate with the private key.

Run the following command:

"%JAVA_HOME%\bin\keytool" -importkeystore -srckeystore verba.jks -srcalias tomcat -destkeystore verba.p12 -deststoretype PKCS12

Parameters:
  • -srckeystore: The store where the keys are stored. It has to match the one provided in the previous steps. Sample values: verba.jks, C:\verba.keystore
  • -srcalias: The alias of the key pair. It has to match the one provided in the previous steps. Sample value: tomcat
  • -destkeystore: The name of the PKCS12 file to create. Sample value: verba.p12
  • -deststoretype: The type of the exported file. PKCS12 is the format the Windows Certificate Store imports. Sample value: PKCS12

The .p12 file contains the private key together with the certificate chain. Protect it with a strong password when keytool asks for the destination keystore password, copy it only to the servers that need it, and delete the copies once the certificate has been imported.

Step 6 (Optional) - Import the certificate to the Windows Certificate Store.

Double click on the exported .p12 file to start the Certificate Import Wizard. Select Local Machine then click Next. Confirm the file name and click Next, enter the password of the .p12 file and leave 'Mark this key as exportable' unchecked unless the key has to be exported again from this server, then click Next, Next and Finish.
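The same import can be scripted, which is useful when the certificate has to be installed on several Verba servers. The following is an added example, not part of the Verba documentation: it imports the .p12 file into the Local Computer store with the PKI module's Import-PfxCertificate cmdlet (Windows Server 2012 or later), keeps the private key non-exportable, and removes the file once the key is confirmed to be in the store. The file path and the friendly name are assumptions.

```powershell
# Added example (not part of the Verba documentation): import the exported
# verba.p12 into the Local Computer store from PowerShell. The file path and
# the friendly name are assumptions.
$pfxPath  = "C:\temp\verba.p12"
$password = Read-Host -Prompt "Password of $pfxPath" -AsSecureString

# Without -Exportable the private key is stored non-exportable, so it cannot be
# copied out of this server again through the certificate store.
$imported = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $password

# The friendly name is what the MMC and the web server bindings show.
$imported.FriendlyName = "Verba web application HTTPS"

"Imported   : $($imported.Subject)"
"Thumbprint : $($imported.Thumbprint)"
"PrivateKey : $($imported.HasPrivateKey)"
"Expires    : $($imported.NotAfter)"

# The .p12 still contains the private key; remove it once the import is verified.
if ($imported.HasPrivateKey) {
    Remove-Item -Path $pfxPath -Force
    "Removed    : $pfxPath"
} else {
    throw "Private key missing after import; check the .p12 and the password"
}
```

Run the script in an elevated PowerShell: writing to Cert:\LocalMachine\My requires local administrator rights.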
