How To Convert Formats (Pem, Jks) For Tls/ssl Clients And Services

Install a CA-signed SSL/TLS certificate with KeyStore Explorer

1. Last updated

2. Relieve as PDF

Overview

Every Code42 server includes a cocky-signed certificate to support secure HTTPS connections. That certificate enables encryption of customer-server communications, but it cannot adequately place your server and protect your clients from counterfeiters. This article describes how to configure a more secure option: using KeyStore Explorer to create an SSL/TLS certificate signed past a trusted certificate authority (CA).

Other articles describe other tools for creating a CA-signed document:

• Linux administrators typically utilise OpenSSL.
• Windows administrators typically use the Coffee keytool.

Server security requires a CA-signed certificate and the TLS protocol
Reliable security of whatever production web server requires an SSL certificate signed by a trusted certificate dominance (CA) and enforced use of the TLS protocol (that is, HTTPS, not HTTP).

Your on-premises Code42 authority server is no exception. A Code42 server that is configured to utilise a signed certificate, strict TLS validation, and strict security headers protects server communications with browsers, your Code42 apps, and other servers.

• By default, your authority server uses a self-signed certificate and TLS. That provides for encrypting customer-server traffic.
• Calculation a CA-signed certificate provides further security by confirming your server's identity to clients. It prevents attackers from acquiring customer data through apocryphal servers and encryption keys.
• Never reconfigure a production server to use HTTP, rather than TLS and HTTPS.
• Configuring Code42 servers and apps to use strict TLS validation further ensures the security of client-server connections.
• Configuring Code42 servers to use an HTTPS Strict Transport Security (HSTS) response header further prevents unencrypted browser admission to Code42 consoles.

Certificates and Java keystore files

The Code42 server accepts certificates bundled together in a Java KeyStore file. The keystore contains:

• The certificate and the public and individual key for the Code42 server
• A certificate from the CA who signed the Code42 server certificate
• Intermediate certificates that establish a chain of trust between the CA and the Code42 server certificate

Create the keystore using a utility such as KeyStore Explorer earlier applying it to the Code42 server from the Code42 console.

Build your keystore on any machine
You can generate keys and build keystores on any secure machine and then import the result, a *.jks file, to your authorization server via the Code42 console. Y'all do not need any farther access to the authority server's host automobile.

Considerations

• For multi-server Code42 environments, we recommend applying this process to all Code42 servers.
• You lot must take the Server Administrator or SYSADMIN role to install an SSL document on your Code42 server.
• This article assumes y'all are familiar with the post-obit:
  • The basic principles of Transport Layer Security (TLS)
  • Configuring SSL certificates

• The command-line utility OpenSSL is required if you are running Linux and want to reuse existing key materials.

Help with creating your keystore
Help with the handling of a certificate signing request (CSR) or creating your keystore is across the scope of Customer Champions. For aid, please contact your Customer Success Manager (CSM) to engage the Professional Services team.

Keystore terminology

• Certificate: An electronic certificate used to show the ownership of a public key.
  • CA-Signed Document: A certificate authority (CA) electronically signs a document to affirm that a public central belongs to the owner named in the document. Someone receiving a signed certificate can verify that the signature does belong to the CA, and determine whether anyone tampered with the document later on the CA signed it.
  • Certificate Chain: One signed certificate affirms that the attached public primal belongs to its owner. A 2d signed certificate affirms the trustworthiness of the get-go signer, a tertiary affirms the second, then on. The pinnacle of the chain is a self-signed but widely trusted root certificate.
  • Root Document: A certificate trusted to finish a certificate chain. Operating systems and web browsers typically have a built-in set of trusted root certificates. When your server sends a chain of certificates and i of them matches 1 of a browser's trusted root certificates, then the browser trusts your server. When the browser encrypts information with your public key, the browser is assured that only your server can read information technology.
  • Cocky-Signed Certificate: A file that contains a public key and identifies who owns that key and its corresponding private central.
• Key: A unique string of characters that provides essential input to a mathematical process for encrypting information.
• Primal Pair: A public encryption fundamental and a private encryption key, in a matched set.
• Keystore: A file that holds a combination of keys and certificates. File formats:
• Java Keystore: A binary file format for use by Coffee applications (like the Code42 server). Typical file names are .keystore and *.jks
• PKCS: A binary file format typically associated with Windows systems. Typical file names are *.pkcs, *.p12, *.p7b, *.pfx
• PEM: An ASCII text file that holds keys, certificates, or both. PEM files are common on Linux systems and Apache. Typical file extensions are *.pem, *.key, *.csr, and *.cert. To identify a PEM file, open information technology with a console or text editor. If you lot run into ASCII text, it'south a PEM file.
• Public Key: Allows a sender (client or server) to encrypt a message for a specific recipient (server or client). When your server sends a browser its public key, the browser tin encrypt messages that just your server tin read, because but your server has the matching private fundamental.

Build the keystore

Building a Java KeyStore is the beginning step in configuring your Code42 server to employ your ain CA-signed SSL certificate. If yous take an existing individual primal and corresponding Ten.509 document (referred to collectively as cardinal materials), you can reuse them. You tin can also start from scratch, creating new fundamental materials equally needed. The steps are dissimilar, depending on what existing cardinal materials you have:

• No existing cardinal materials
• Existing primal materials

Existing materials must include Discipline Alternative Name (SAN)
Certificates and keystores built to an older standard may lack the Subject Alternative Proper noun (SAN) extension. Most browsers now distrust such certificates. If your existing certificates and keystores don't have the SAN extension, offset over with a new certificate signing request.

Option 1: Build a keystore without existing cardinal materials

Keypass and storepass parameters
You lot must use the same countersign for the keystore and the individual fundamental. You lot can use any cord you want for these parameters, but they must both be gear up to the same value.

Follow the steps below if you lot take no individual keys or certificates from a CA and need to create them from scratch.

Stride one: Create a keystore and key pair

1. Kickoff KeyStore Explorer.
2. Choose Create a new KeyStore.
3. From New KeyStore Type, cull JKS.
4. Click OK.
   
5. Generate a key pair:
   1. Select Tools > Generate Key Pair.
   2. In Generate Cardinal Pair, choose the post-obit algorithm pick options:
      • RSA
      • Key Size: 4096
        
   3. Click OK.
      Generating Primal Pair dialog appears, then disappears afterwards a key is generated.
   4. From Generate Key Pair Certificate, click the Edit proper noun icon .
   5. Complete the Na me fields:
      • For the Common Name (CN) use the Fully Qualified Domain Proper noun (FQDN) of your server.
        
   6. Click OK.
   7. Specify the domain name of your server equally an alternative proper name. ClickAdd together Extensions, click the + icon, and select Subject Culling Name.
   8. In the Subject Culling Name Extension dialog, click the + icon, select DNSName, and in General Name Valuetype the domain proper noun of your server.
   9. Click OK until you render to the Generate Key Pair Certificate dialog.
   10. In Generate Central Pair Certificate, click OK.
   11. In New Key Pair Entry Alias, enter an alias for the key pair.
       The allonym is pre-set to the CN set in the Proper noun dialog.
   12. Click OK.
   13. In New Central Pair Entry Countersign, enter a password, and click OK.
       The Generate Primal Pair dialog displays "Primal Pair Generation Successful".

Fundamental pair entry password
Save this password, and use it every bit the password for the unabridged keystore in pace 7 below.

6. Click OK.
   The new key pair is displayed in the KeyStore Explorer window.
   
7. Salvage the keystore:
   1. From the KeyStore Explorer menu, select File > Save.
      The Set KeyStore Password dialog appears.
   2. Enter a password for the keystore. This password must be the same equally the countersign for the key pair generated in step 5 above.
   3. Click OK.
      The Save KeyStore Every bit dialog appears.
   4. Enter the name of the keystore.
      This format is suggested for easy identification of your keystores: fqdn_domain_com.jks
   5. Click Salvage.
      Your keystore file is saved to your computer.

Pace two: Generate and send certificate signature request

1. Right-click the key pair entry.
2. Choose Generate CSR.
   The Generate CSR dialog appears.
   
3. (Optional) Enter additional values.
4. Click OK.
   The CSR Generation Successful dialog appears.
5. Click OK.
6. Send the generated CSR file to your document authority.

Stride 3: Import signed certificates to your keystore

1. When the document dominance returns your signed certificate and key, place them in a directory attainable by Keystore Explorer.
2. In Keystore Explorer, right-click the same key pair entry used to generate the CSR and choose Import CA Reply > From File.
3. Select the signed certificate from your certificate authority, and click Import.
   The signed document is added to the key pair entry equally the server-level certificate.
4. To verify the document chain, correct-click the fundamental pair entry, and choose View Details > Certificate Chain Details.
5. If you demand to import intermediate and root-level certificates, right-click the central pair entry, and choose Edit Certificate Concatenation > Append Certificate to append the intermediate and root-level certificates. See Append certificates to an existing keystore, below.
6. From the menu bar, selectFile > Save to salvage the imported certificate to your keystore.

Your keystore file is complete and prepare to be imported into your Code42 server.

Choice 2: Build a keystore with existing fundamental materials

If you lot want to use existing primal materials to build a keystore, yous can choose to:

• Suspend document to an existing keystore
• Reuse existing key materials (Linux)
• Reuse existing fundamental materials (Windows)

Suspend certificates to an existing keystore

If you already have a keystore that contains certificates, you lot tin can suspend new certificates.
If you don't have existing key materials, you tin can import certificates to the keystore.

1. Start KeyStore Explorer.
2. Choose Open an existing KeyStore.
3. Select the keystore JKS file, click Open, provide the password, and click OK.
4. In the primary KeyStore Explorer window, right-click the fundamental pair entry.
5. Select Edit Certificate Chain > Append Document.
   

Reuse existing central materials from another awarding (Linux)

Follow these steps to reuse an existing private fundamental/certificate combination from some other application if you are running on Linux. These instructions assume that both your individual key and certificate are PEM-formatted.

The following steps require the use of the command-line utility OpenSSL.

1. Convert the PEM-formatted private central into a PKCS8-formatted central with the following command:

   openssl pkcs8 -topk8 -nocrypt -outform DER -in mykey.pem -out mykey.pkcs8                      

2. Start the KeyStore Explorer awarding.
3. Choose Create a new KeyStore from the quick start menu.
4. From New KeyStore Type, choose JKS.
5. Click OK.
   
6. From the carte bar, select Tools > Import Cardinal Pair.
   
7. From Import Cardinal Pair Type, select PKCS #8.
   
8. From Import PKCS #8 Key Pair, import the key pair equally follows:
   
   1. If the private key file is encrypted, enter the decryption password in Decryption Password.
   2. In PKCS #8 Private Key File, enter the path to the individual key file in PKCS # 8 format, or click Scan to navigate to the file.
   3. In Certificate(south) File, enter the path to the 10.509 certificate file in PEM or DER format, or click Browse to navigate to the file.
   4. Click Import.
   5. In New Cardinal Pair Entry Alias, enter an alias for the key pair.
   6. Click OK.
   7. In New Key Pair Entry, enter a password for the key pair.
      The Key Pair Import Successful dialog appears.
   8. Click OK.
   9. Select File > Save from the menu bar.
   10. In Set KeyStore Password, enter a keystore countersign, and click OK.
   11. In Save KeyStore Every bit, enter the name of your new keystore file. Give the file the . jks file extension.
   12. Click Save.

Your keystore file is complete and ready to exist imported into your Code42 server.

Reuse existing key materials from some other application (Windows)

Follow these steps to reuse an existing individual fundamental/certificate combination from another application if you are running on Windows. Key materials on Windows platforms are typically stored in a PKCS12 keystore file. The KeyStore Explorer can convert a PKCS12 keystore file to a JKS file using the steps below.

1. Offset the KeyStore Explorer application.
2. Select File > Open from the menu bar.
3. Navigate to and select the PKCS12 file that you want to catechumen.
4. Click Open up.
5. In Unlock KeyStore, enter the password for the keystore file and click OK.
   
6. Select File > Save As from the menu bar.
7. Enter a proper name with the .jks file extension for the new keystore.
8. Click Relieve.
9. Select Tools > Change Type > JKS from the menu bar.
   
10. From Change KeyStore Type, click OK.
    The Modify KeyStore Type dialog displays "Modify KeyStore blazon Successful".
11. Click OK.
12. Select File > Save.
    The keystore file is saved in JKS format.

Your keystore file is complete and ready to exist imported into your Code42 server.

Configure the Code42 server to use the keystore

Troubleshooting

• If your test Code42 server fails to start subsequently installing the new keystore, uninstall and reinstall the server.
• If your production Code42 server fails to get-go later on installing the new keystore, run into Recover your Code42 server to a previous land.
• Most problems with SSL certificates are related to central creation, signing, and conversion. We recommend that you:
  • Advisedly repeat the procedure described above.
  • Check that your document and keystore files include the Subject Alternative Name (SAN) extension.
    Catechumen your keystore or document to text, as described below. Look for
    X509v3 Bailiwick Alternative Name
  • Consult with your CA to make sure you have the right intermediate certificates.
  • Consult documentation for the tool you're using:
    • OpenSSL
    • Java keytool
    • KeyStore Explorer
• For additional help, contact your Customer Success Manager (CSM).

Automatically-generated self-signed certificates

Keys are kept in a keystore. Your authority servers or storage servers utilise the keys in the keystore to securely process transactions.

If a Code42 server cannot find keys, information technology searches for keystores with the following precedence:

1. The keystore in the database, uploaded in the Code42 console or by API. (To upload the keys in the Code42 panel, navigate toAssistants > Settings > Security > Keys.)
2. The keystore location on the server as configured past thec42.https.keystore.default system property. To verify the location, enter the following prop.show command in the Code42 console control-line interface (CLI): prop.bear witness c42.https.keystore.default

If for some reason your Code42 servers cannot locate the keys in these locations, they generate a self-signed certificate to ensure uninterrupted operation of your Code42 environment. The automatically-generated self-signed certificate should but be used temporarily while you troubleshoot keystore problems. Code42 strongly recommends using a CA-signed certificate for product environments.

Convert certificates and keystores to text files

Document and keystore files are in binary or base64 formats. Yous can brand them easier to read by converting files to PEM format and so converting PEM files to text, equally follows:

• Java keystore to PKCS

  keytool -importkeystore -srckeystore <filename>.jks -destkeystore <filename>.p12 -srcstoretype jks -deststoretype pkcs12

• PKCS to PEM

  openssl pkcs12 -in <filename>.p12 -out <filename>.crt

• PEM certificate to text

  openssl x509 -text -in <filename>.crt > <filename>.crt.txt

• PEM CSR to text (certificate signing request)

  openssl req -text -noout -in <filename>.csr > <filename>.csr.txt                      

A document in readable text

Certificate:     Information:         Version: 3 (0x2)         Serial Number: 4096 (0x1000)     Signature Algorithm: sha256WithRSAEncryption         Issuer: C = United states, ST = MN, O = CAsOrg, OU = CAsUnit, CN = CAsName                      The issuer is the CA who signed the certificate.                      Validity             Not Earlier: Aug 15 13:l:25 2018 GMT             Not After : Aug fifteen 13:50:25 2019 GMT                      This certificate's expiration date.                      Subject field: C = US, ST = MN, L = YourTown, O = YourOrg, OU = YourUnit, CN = yourdomain.tld,             emailAddress = you lot@yourcompany.tld                      Subject: You and the website this document validates.                      Subject Public Key Info:                      Your public central. Clients use it to encrypt messages.                      Public Key Algorithm: rsaEncryption                  Public-Key: (2048 bit)                 Modulus:                     00:aa:a4:de:e3:e3:d4:b9:f3:3d:1c:1e:b7:1b:69:                     4f:5b:22:08:4b:75:81:54:91:8f:63:57:a8:0e:bd:                     ...                     ab:a3:21:3f:c4:28:1c:9a:4e:e4:f0:81:a2:ab:73:                     b3:83                 Exponent: 65537 (0x10001)         X509v3 extensions:             X509v3 Subject Culling Proper noun:                      About browsers require the SAN extension.                      DNS:yourdomain.tld             X509v3 Basic Constraints:                 CA:Simulated             Netscape Cert Type:                 SSL Server             Netscape Comment:                 OpenSSL Generated Server Certificate             X509v3 Subject Central Identifier:                 12:E8:E1:E5:65:57:BB:2A:1C:CC:E3:61:E8:5C:79:34:CF:DD:E3:B1             X509v3 Authority Key Identifier:                 keyid:F3:16:90:68:9A:B2:85:xl:A8:1D:F3:second:78:B2:6D:4E:82:0C:B0:32                 DirName:/CN=Vera/OU=Vera/O=VeraCA/L=Roseville/ST=MN/C=US                 series:ten:00             X509v3 Primal Usage: critical                 Digital Signature, Central Encipherment             X509v3 Extended Key Usage:                 TLS Web Server Authentication     Signature Algorithm: sha256WithRSAEncryption          29:52:6f:5a:de:26:44:fifty:ad:e3:33:7b:8d:ba:2e:b5:cb:d9:          35:21:75:0c:6b:ea:e0:f4:d0:e3:72:8e:5d:9e:3b:02:bf:8f:          ...          81:45:8f:1f:71:45:xiii:0a:ec:f1:0c:70:30:f2:6f:73:cd:5c:          55:41:b6:b6:0a:fc:fb:c9 -----BEGIN Document----- MIIFpTCCA42gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwWzELMAkGA1UEBhMCVVMx CzAJBgNVBAgMAk1OMRUwEwYDVQQKDAxQaGlsTm9yY3Jvc3MxDTALBgNVBAsMBFZl ... BeWBceJRAcqt2XtY/6HteHUxpxCbSPVcEZWw6dkrM4FFjx9xRRMK7PEMcDDyb3PN XFVBtrYK/PvJ -----Cease Document-----                    

How To Convert Formats (Pem, Jks) For Tls/ssl Clients And Services,

Source: https://support.code42.com/CP/Admin/On-premises/6/Configuring/Install_a_CA_signed_SSL_TLS_certificate_with_KeyStore_Explorer

Posted by: prescottcapproper.blogspot.com

Share this post