How to install CA cert to liberty?


Jia Jia Li (8057137190) | asked Jul 06 '16, 5:59 a.m.
I am using RTC 601, which is on Liberty. The admin has provided me with DigiCertCA.crt, mydomainxx.crt and mydomainxx.key.

I see Liberty has a self-signed cert in server.xml, as the following line shows. How can I import my cert?

    <keyStore id="defaultKeyStore" location="ibm-team-ssl.keystore" type="JCEKS" password="{xor}Nj0ycis6PjI="/>

I tried

    keytool -import -trustcacerts -alias root -file /var/tmp/DigiCertCA.crt -keystore ibm-team-ssl.keystore

with password ibm-team.

I also want to import mydomainxx.crt with password ibm-team, but it fails with the message "Public keys in reply and keystore don't match":

    keytool -import -trustcacerts -alias default -file mydomainxx.crt -keystore ibm-team-ssl.keystore

I think I should use mydomainxx.key, but how do I use it? Or do I need to create a new keystore? But how do I set the storetype?

Or should I use openssl? If openssl, can anyone provide me the detailed steps? Thanks!


Comments
Jia Jia Li commented Jul 06 '16, 11:06 p.m. | edited Jul 08 '16, 12:48 a.m.

Can anyone help?


Lily Wang commented Jul 07 '16, 3:02 a.m.

This is not a CLM issue but a security certificate issue. You did not provide details on how you generated your certificate. But you can find many discussions if you google this error on other public forums.

2 answers



Alan Sampson (93729) | answered Jul 06 '16, 11:37 p.m.
JAZZ DEVELOPER

Comments
Jia Jia Li commented Jul 07 '16, 2:05 a.m. | edited Jul 08 '16, 12:48 a.m.

Thanks Alan, I read this link yesterday. But there are no detailed instructions on how to run keytool to add the CA cert. I tried to use keytool to add the mydomain cert, but it failed. Could you help more with that?


Geoffrey Clemm commented Jul 08 '16, 12:49 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Jia Jia Li:  Please remember to post your comments as "comments" rather than "answers".


Donald Nong (14.4k314) | answered Jul 13 '16, 12:58 a.m.
You need to understand what you have got in order to import the keys and certificates successfully. The file DigiCertCA.crt is the certificate for the intermediate CA, mydomainxx.crt is the personal certificate for the domain, and mydomainxx.key is the private key associated with the personal certificate - the root CA certificate (TrustedRoot.crt) appears to be missing according to the document below. Ask the admin for this missing file.
https://www.digicert.com/ssl-support/pem-ssl-creation.htm

I suggest you use iKeyMan to import these files, as keytool does not seem to be able to import keys. You can find this tool in the IBM JRE bundled with CLM. You would use the document below as a reference.
http://www-01.ibm.com/software/webservers/httpservers/doc/v1312/ibm/9atikeyu.htm

1. Follow the "Store the root certificate of a CA" instructions to import the root/intermediate CA certificates (TrustedRoot.crt and DigiCertCA.crt).
2. Follow the "Import a key from another database or PKCS12 file" instructions to import the private key from mydomainxx.key - you may need a password for the import, and ask the admin for it if required.
3. Follow the "Receive a CA-signed certificate into a key database" instructions to import the personal certificate for the domain.
4. Validate the newly imported personal certificate to make sure that the certificate chain is complete.

P.S. All the files should be in PKCS12 format (looks like plain text). If in doubt, ask the admin to confirm.
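
For the openssl route the question asks about, an added example (not code from any poster in this thread): it checks that mydomainxx.key belongs to mydomainxx.crt, bundles the key, certificate and CA certificates into a PKCS12 file, and copies that entry into the JCEKS keystore with keytool -importkeystore. The function names, the P12_PASS variable, chain.pem and the alias are assumptions; make_demo_pair only creates constructed throwaway material for trying the functions offline.

```shell
#!/bin/sh
# Added example. File names follow the question; function names, P12_PASS,
# chain.pem and the alias are assumptions made for this example.

# Succeeds only if the private key and the certificate hold the same public key.
# keytool reports "Public keys in reply and keystore don't match" when this
# comparison fails against the key pair already stored under the target alias.
key_matches_cert() {  # usage: key_matches_cert KEY CERT  (PEM, unencrypted key)
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Bundle key + server certificate + CA certificates into one PKCS12 file.
# The export password is read from $P12_PASS so it never appears in `ps` output.
build_p12() {  # usage: build_p12 KEY CERT CHAIN OUT.p12 ALIAS
  key_matches_cert "$1" "$2" || { echo "key/cert mismatch" >&2; return 1; }
  (umask 077 && openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
      -name "$5" -out "$4" -passout env:P12_PASS)
}

# Number of certificates stored in the bundle (server cert plus CA certs).
p12_cert_count() {  # usage: p12_cert_count FILE.p12
  openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# Copy the key entry into the JCEKS keystore named in server.xml.
# keytool (from the JRE) prompts for both store passwords.
import_into_jceks() {  # usage: import_into_jceks FILE.p12 KEYSTORE ALIAS
  keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
    -srcalias "$3" -destkeystore "$2" -deststoretype JCEKS -destalias "$3"
}

# Constructed throwaway self-signed pair for offline trials (not real material).
make_demo_pair() {  # usage: make_demo_pair DIR NAME
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2.example" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Typical run (back up ibm-team-ssl.keystore first):
#   cat DigiCertCA.crt TrustedRoot.crt > chain.pem
#   export P12_PASS    # set it beforehand, e.g. from a silent prompt
#   build_p12 mydomainxx.key mydomainxx.crt chain.pem mydomainxx.p12 mydomainxx
#   import_into_jceks mydomainxx.p12 ibm-team-ssl.keystore mydomainxx
```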
