Requesting and assigning certificates
- Kiss, Mate
- Gabor Moczar (Unlicensed)
Certificates are required in several cases when configuring Verba. An SSL certificate is required when a trusted HTTPS access have to be configured to the web application. Certificates are used as well when file encryption and integrity protection or the recording announcement is a requirement. Anyway, all certificates can be replaced used between the Verba services to establish a secure connection.
Certificates can be requested from a 3rd party provider, or from the local CA.
Request a new certificate from the local CA using Microsoft Management Console
Step 1 - Right click (or open it in Windows Server 2008 R2) on the Start menu and click on Run. Type mmc.exe and press enter.
Step 2 - Go to the File / Add/Remove Snap-in... menu.
Step 3 - From the list on the left side select Certificates and click on the Add button.
Step 4 - Select Computer Account then click Next. On the next page, select Local Computer then click Finish. In the MMC windows press OK.
Step 5 - Expand the Certificates and right click on the Personal node. Select the All Tasks / Request New Certificate menu.
Step 6 - On the first page click Next. Select a Certificate Enrollment Policy then click Next.
Step 7 - Select a certificate type. On the right side expand the Details then click on the Properties.
Step 8 - Set the properties of the certificate based on the purpose:
| Type of Certificate | Properties |
|---|---|
| Certificate for SSL connection for trusted HTTPS access | Subject tab:
|
| Certificate for Encryption | Private Key tab:
|
| Certificate for Signing | Private Key tab:
|
| Certificate for the Announcement service |
|
Step 9 - In the Certificate Properties window click OK, then click Enroll.
Request a new certificate from the local CA for Announcement service using PowerShell
Certificate can be requested by the following command in PowerShell:
Request-CsCertificate -New -Type default -FriendlyName "Announcement service" -CA ca.contoso.com\ContosoCA -ComputerFQDN servername.yourdomain.com
If there is more than one nodes in the Trusted Application pool then an additional parameter required for the other nodes:
Request-CsCertificate -New -Type default -FriendlyName "Announcement service" -CA ca.contoso.com\ContosoCA -ComputerFQDN servername.yourdomain.com -DomainName "server2.yourdomain.com,server3.yourdomain.com"
Description of the parameters:
| Parameter | Description | Sample value |
|---|---|---|
| -FriendlyName | The friendly name of the certificate | "Announcement Service" |
-CA | The address of the local Certificate Authority | ca.contoso.com\ContosoCA |
-ComputerFQDN | The FQDN of the Trusted Application pool | servername.yourdomain.com |
-DomainName | The FQDNs of the other Announcement Server nodes | "server2.yourdomain.com,server3.yourdomain.com" |
Generating a key pair and Certificate Signing Request with Java Keytool, then signing it with the CA and exporting the certificate
When requiesting a certificate from the CA dicetly is not possible, then a custom request have to be created and sign it with the CA. Then it will be possible to create certificate signed with the CA.
Step 1 - Generating a key pair.
Run the following command for generating a new key pair (public and private):
"%JAVA_HOME%\bin\keytool" -genkey -keysize 1024 -keyalg RSA -validity 36500 -keystore verba.jks -alias tomcat -dname "CN=verbaserver-fqdn, OU=IT, O=IT, L=Little Rock, ST=Arkansas, C=US"
| Parameter name | Description | Sample values |
|---|---|---|
| -keysize | The size of the key. The bigger the size, the strongest the encryption. | 1024 2048 |
| -keyalg | The algorithm used for the key. | RSA |
| -keypass | The password used for protecting the private key. | P@ssw0rd123 |
| -validity | The validity of the keys in days. | 365 3650 |
| -keystore | The store where the keys will be stored. It can be a new keystore (it will be created) or an existing one. | verba.jsk C:\verba.keystore |
| -storepass | The password used to protect the keystore. This must be specified if we using an existing keytore which is proteted. | P@ssw0rd123 |
| -alias | An alias for the generated key pair. | tomcat |
| -dname | The subject of the certificate. | "CN=verbaserver-fqdn" "CN=verbaserver-fqdn, OU=IT, O=IT, L=Little Rock, ST=Arkansas, C=US" |
Step 2 - Generating a Certificate Signing Request (CSR).
Run the following command:
"%JAVA_HOME%\bin\keytool" -certreq -alias tomcat -keyalg RSA -file request.csr -keystore verba.jks
| Parameter name | Description | Sample values |
|---|---|---|
| -alias | The alias for the generated key pair. It has to match to the one provided at the previous step. | tomcat |
| -keyalg | The algorithm used for the key. It has to match to the one provided at the previous step. | RSA |
| -file | The name of the generated CSR file. | request.csr C:\temp\request.csr |
| -keystore | The store where the keys are stored. It has to match to the one provided at the previous step. | verba.jsk C:\verba.keystore |
Step 3 - Sign the CSR file with the CA.
Step 4 - Add the signed certificate to the keystore.
Run the following command for adding the root CA certificate to the keystore:
"%JAVA_HOME%\bin\keytool" -import -alias root -keystore verba.jks -trustcacerts -file root.cer
(Optional) Run the following command for adding the intermediate CA certificate to the keystore:
"%JAVA_HOME%\bin\keytool" -import -alias inter -keystore verba.jks -trustcacerts -file intermediate.cer
| Parameter name | Description | Sample values |
|---|---|---|
| -alias | The alias for the generated key pair. It has to match to the one provided at the previous step. | tomcat |
| -keystore | The store where the keys will be stored. It has to match to the one provided at the previous step. | verba.jsk C:\verba.keystore |
| -file | The CA certificate file. | ca-certificate.cer C:\temp\ca-certificate.cer |
Run the following command for adding the signed certificate to the keystore:
"%JAVA_HOME%\bin\keytool" -import -alias tomcat -keystore verba.jks -file signed-certificate.cer
| Parameter name | Description | Sample values |
|---|---|---|
| -alias | The alias for the generated key pair. It has to match to the one provided at the previous step. | tomcat |
| -keystore | The store where the keys will be stored. It has to match to the one provided at the previous step. | verba.jsk C:\verba.keystore |
| -file | The signed certificate file. | signed-certificate.cer C:\temp\signed-certificate.cer |
Step 5 - Export the signed certificate with the private key.
Run the following command:
"%JAVA_HOME%\bin\keytool" -importkeystore -srckeystore verba.jks -alias tomcat -destkeystore verba.p12 -deststoretype PKCS12
| Parameter name | Description | Sample values |
|---|---|---|
| -srckeystore | The store where the keys are stored. It has to match to the one provided at the previous step. | verba.jsk C:\verba.keystore |
| -alias | The alias for the generated key pair. It has to match to the one provided at the previous step. | tomcat |
-destkeystore | The name of the certificate file. | verba.p12 |
-deststoretype | The type of the exported certificate file. | PKCS12 |
Step 6 (Optional) - Import the certificate to the Windows Certificate Store.
Double click on the exported .p12 file, then click on the Install Certificate... button. Select Local Computer then click Next. On the next page click Next, then Finish.
Private Key tab:
- Under the Key options section turn on the 'Make private key exportable' setting.
- Subject tab:
- Under the Subject name section set the Type to Full DN and Add the trusted application server pool FQDN as Value in the following format: CN=poolfqdn.yourdomain.com
- Under the Alternative name section set the Type to DNS and add the following Values:
- The FQDNs of the Announcement servers.
- The FQDN of the trusted application pool.
- General tab:
- Provide a friendly name. This name has to be configured in the Announcement Service configuration.