cer -storepass iMCV500R001 -keypass iMCV500R001 -validity 3650Īlternatively if you have a certificate chain, instead of the above, import the chain into the keystore: Keytool -import -alias imc -keystore newks -file. Import the certificate into the keystore: Optionally if you have a PKI hierarchy you will want to download the entire certificate chain instead (in which case, you don't need to download the certificate separately, as it's in the chain).ĩ. This will generate the signed certificate, which you can download as Base 64 encoded. and then paste the contents you copied in step 7 with Certificate Template type Web Server. Upload your certificate request (CSR) on the /certsrv interface (CA Web Enrollment page) via Request a certificate -> Advanced certificate request -> Submit a certificate request by using a base-64. In this example, I'll provide the steps for Microsoft's CA. Get the signed certificate generated by your CA. ![]() ![]() Open the CSR file that was generated with a text editor and copy it to clipboard.Ĩ. Replace with the name of the CSR file that will be created, while and are the same values as in step 5. csr -keystore newks -storepass iMCV500R001 -keypass iMCV500R001 -validity 3650 -ext san=dns:,ip: Keytool -certreq -keyalg RSA -alias imc -file. Once done you should have a new keystore called newks in the iMC\client\security folder (move it there if needed).Ħ. Set the "What is your first and last name" to the hostname or IP of your IMC server. The -storepass and -keypass passwords may be changed, but must always be identical.įill out the data when prompted to do so. Replace and with the appropriate values and add additional dns: or ip: values as needed. Keytool -genkeypair -v -alias imc -keyalg RSA -keystore newks -storepass iMCV500R001 -keypass iMCV500R001 -validity 3650 -ext san=dns:,ip: Generate the keypair with a new keystore called 'newks' (you should be in iMC\client\security context): Make a backup copy of the newks keystore in the iMC\client\security folder and delete the original.ĥ. For example with latest IMC version - adjust the actual path according to where the keytool.exe file is located: Set PATH="C:\Program Files\iMC\common\jre\bin"Ĥ. Open Windows CMD and navigate to iMC\client\security folder.ģ. If you're on an older version, either update IMC first, or install the latest JRE on your IMC server separately, as the keytool included in earlier IMC versions was an old one that did not support the X.509 extensions (ie. If you're running IMC 7.3 E0705 or later, then the built-in keytool included in IMC under IMC\common\jre folder will work. The second with Linux and OpenSSL creating a new keystore that will be imported with IMC.ġ. The first using Windows and Keytool, using IMC's keystore newks under iMC\client\security. ![]() Then just restart iMC when the upload is complete, and make sure to clear your browser cache too - and you should see it using your new certificate.Īs it can be a fairly challenging process, I'll provide two examples. Once that's done, just open the Web GUI and go to System Configuration > HTTPS Access Settings, select your keystore file for upload (Server-side Authentication) and enter the password you used for it. iMC expects the same password for both, and not using matching passwords will cause the HTTPS access to fail when you apply it. Make sure the private key password you set matches the keystore password when you export the certificate. The rest of the details in there are not really important. Purpose should include Server Authentication. your system's hostname, and any number of SANs for other IPs and DNS aliases of the system (like the FQDN). The format can be PKCS12 or JKS, or possibly other formats would work too, though I've only tested with those two.Īs for the certificate itself, it should include a CN, ie. You want to get a keystore file for import into IMC, which includes both its cert / cert chain and private key - or at least it is the easiest way to do it.
0 Comments
Leave a Reply. |