How to install CA cert to liberty?
I am using RTC 601 which is on Liberty. Currently the admin has provided me DigiCertCA.crt, mydomainxx.crt and mydomainxx.key.
<div>
I see Liberty has a self-signed cert in server.xml, as the following line shows. How do I import my cert?
</div>
<div>
<p><code>&lt;keyStore id="defaultKeyStore" location="ibm-team-ssl.keystore" type="JCEKS" password="{xor}Nj0ycis6PjI="/&gt;</code></p>
<p>I tried <code>keytool -import -trustcacerts -alias root -file /var/tmp/DigiCertCA.crt -keystore ibm-team-ssl.keystore</code> with password ibm-team.</p>
<p>I also want to import mydomainxx.crt with password ibm-team, but it fails with the message "<code>Public keys in reply and keystore don't match</code>":</p>
<p><code>keytool -import -trustcacerts -alias default -file mydomainxx.crt -keystore ibm-team-ssl.keystore</code></p>
<p>I think I should use mydomainxx.key, but how do I use it? Or do I need to create a new keystore? But how do I set the storetype?</p>
<p>Or should I use openssl? If openssl, can anyone provide me the detailed steps? Thanks!</p>
</div>
2 answers
The CLM documentation page here http://www.ibm.com/support/knowledgecenter/en/SSYMRC_6.0.1/com.ibm.jazz.install.doc/topics/t_install_server_certificates.html describes the process.
You need to understand what you have in order to import the keys and certificates successfully. The file DigiCertCA.crt is the certificate of the intermediate CA, mydomainxx.crt is the personal certificate for the domain, and mydomainxx.key is the private key associated with the personal certificate; the root CA certificate (TrustedRoot.crt) appears to be missing according to the document below. Ask the admin for this missing file.
https://www.digicert.com/ssl-support/pem-ssl-creation.htm
I suggest you use iKeyMan to import these files, as keytool seems unable to import keys. You can find this tool in the IBM JRE bundled with CLM. Use the document below as a reference.
http://www-01.ibm.com/software/webservers/httpservers/doc/v1312/ibm/9atikeyu.htm
1. Follow the "Store the root certificate of a CA" instructions to import the root/intermediate CA certificates (TrustedRoot.crt and DigiCertCA.crt).
2. Follow the "Import a key from another database or PKCS12 file" instructions to import the private key from mydomainxx.key - you may need a password for the import, and ask the admin for it if required.
3. Follow the "Receive a CA-signed certificate into a key database" instructions to import the personal certificate for the domain.
4. Validate the newly imported personal certificate to make sure that the certificate chain is complete.
P.S. All the files should be in PKCS12 format (looks like plain text). If in doubt, ask the admin to confirm.
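The four steps above, carried out with openssl and keytool instead of iKeyMan, as an added example that is not part of the original answer, the question, or IBM's Liberty/CLM documentation. It assumes the three files the admin handed over are PEM text (Base64 between BEGIN/END lines; the PKCS12 it builds from them is binary), that the Liberty keystore is ibm-team-ssl.keystore of type JCEKS with password ibm-team, and that the shipped self-signed key entry sits under the alias default (the alias the question's second keytool command tried to overwrite). Function names and the throwaway CA, leaf and unrelated key it generates for a dry run are constructed here and are not real material.

```shell
#!/bin/sh
# Added example: openssl + keytool replacement for the iKeyMan steps above.
# Assumptions (hypothetical, mirroring the question): DigiCertCA.crt,
# mydomainxx.crt and mydomainxx.key are PEM text; the Liberty keystore is
# ibm-team-ssl.keystore, type JCEKS, password ibm-team, and its shipped
# self-signed key entry is stored under the alias "default".
set -eu

# Print the SHA-256 of a DER-encoded public key read (as PEM) from stdin.
pubkey_fingerprint() {
  openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only when the private key's public half equals the certificate's.
# A mismatch here is what keytool reports as
# "Public keys in reply and keystore don't match": the CA signed a key other
# than the one already stored under the alias being imported into.
key_matches_cert() {
  key_fp=$(openssl pkey -in "$1" -pubout | pubkey_fingerprint)
  cert_fp=$(openssl x509 -in "$2" -noout -pubkey | pubkey_fingerprint)
  [ -n "$key_fp" ] && [ "$key_fp" = "$cert_fp" ]
}

# Bundle key + personal cert + CA chain into one PKCS12 under alias "default".
# keytool cannot read a bare .key file, but it can copy a complete key entry
# (key and chain) out of a PKCS12 with -importkeystore.
make_pkcs12() {
  key="$1"; cert="$2"; chain="$3"; out="$4"; pass="$5"
  openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
    -name default -out "$out" -passout "pass:$pass"
}

# Number of certificates carried in the PKCS12 (leaf plus chain).
pkcs12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" | grep -c 'BEGIN CERTIFICATE'
}

# Replace Liberty's self-signed "default" entry with the PKCS12 key entry,
# add the CA certificate as a trusted entry, then list the result.
# Returns 2 when keytool is not on PATH (e.g. in a bare test container).
import_into_liberty() {
  p12="$1"; p12pass="$2"; ks="$3"; kspass="$4"; ca="$5"
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 2; }
  cp "$ks" "$ks.bak"   # keep a copy; the old self-signed entry is about to go
  keytool -delete -alias default -keystore "$ks" -storetype JCEKS \
    -storepass "$kspass" 2>/dev/null || true
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$p12pass" \
    -srcalias default -destalias default -destkeypass "$kspass" \
    -destkeystore "$ks" -deststoretype JCEKS -deststorepass "$kspass"
  keytool -importcert -noprompt -trustcacerts -alias digicertca -file "$ca" \
    -keystore "$ks" -storetype JCEKS -storepass "$kspass"
  keytool -list -keystore "$ks" -storetype JCEKS -storepass "$kspass"
}

# Constructed test material (not real files): a throwaway issuing CA, a leaf
# key + cert signed by it, and an unrelated key that should NOT match.
make_test_material() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Issuing CA" \
    -keyout "$d/ca.key" -out "$d/DigiCertCA.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mydomainxx.example" \
    -keyout "$d/mydomainxx.key" -out "$d/mydomainxx.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/mydomainxx.csr" -CA "$d/DigiCertCA.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/mydomainxx.crt" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/unrelated.key" 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
  work=$(mktemp -d)
  make_test_material "$work"
  key_matches_cert "$work/mydomainxx.key" "$work/mydomainxx.crt" && echo "key matches cert"
  make_pkcs12 "$work/mydomainxx.key" "$work/mydomainxx.crt" "$work/DigiCertCA.crt" \
    "$work/mydomainxx.p12" changeit
  echo "certs in PKCS12: $(pkcs12_cert_count "$work/mydomainxx.p12" changeit)"
  # Real use, in the Liberty server directory:
  # import_into_liberty mydomainxx.p12 changeit ibm-team-ssl.keystore ibm-team DigiCertCA.crt
fi
```

Run key_matches_cert first on the real files; if it fails, the admin's mydomainxx.key is not the key the CA signed, and no amount of keystore surgery will help. After import_into_liberty, restart the server and confirm with openssl s_client -connect host:port -showcerts that the chain presented is the DigiCert one. Two caveats: an older Java 8 keytool may refuse a PKCS12 written by OpenSSL 3 (its default AES/PBKDF2 encoding), in which case re-export with openssl pkcs12 -export -legacy; and the {xor} value in server.xml is reversible obfuscation (XOR with 0x5F, then Base64), not encryption, so anyone who can read server.xml can recover the keystore password that the question types in the clear.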
Comments
Jia Jia Li
Jul 08 '16, 12:48 a.m. Anyone can help?
Lily Wang
Jul 07 '16, 3:02 a.m. This is not a CLM issue but a security certificate issue. You did not provide details of how you generated your certificate. But you can find many discussions if you google this error on other public forums.