CA Gateway requires a digital (TLS server) certificate to secure communications between CA Gateway and its authorized clients. The following procedure generates this certificate for a production environment.
The certificate must contain the server's fully qualified domain name (FQDN) as a DNS-type entry of the Subject Alternative Name (subjectAltName) extension; TLS clients match the host name they connect to against this entry, not against the Common Name in the subject DN.
Generating the server key pair
To generate the server key pair, run the following command.
keytool -genkeypair -alias <ALIAS> -dname <DN> -keyalg <KEYALG> -keysize <KEYSIZE> -sigalg sha256WithRSA -ext san=dns:<DNS> -keystore <KEYSTORE> [-keypass <KEYPASS>] [-storepass <STOREPASS>]
See the following table for a description of each option.
Option | Value |
---|---|
-alias | An alias for the key pair. |
-dname | The DN for the key pair (and later, the certificate). Use the DN format expected by the CA that will issue the certificate. |
-keyalg | The algorithm for the key pair (for example, RSA). |
-keysize | The key size in bits. Select a secure key size (for example, 2048). |
-ext | The Subject Alternative Name (subjectAltName) extension, with the server's FQDN as a DNS-type value (san=dns:<FQDN>). |
-keystore | The full path of the keystore file. If the keystore does not exist, the keytool utility creates it (on Java 9 and later as a PKCS #12 keystore, the type that the -certreq command below assumes). |
-keypass | The password of the private key. When you omit this option, the tool prompts for a password. |
-storepass | The password for the keystore. When you omit this option, the tool prompts for a password. |
Obtaining the key pair CSR
Create a Certificate Signing Request (CSR) by entering the following command:
keytool -certreq -alias <ALIAS> -file <FILE> -storetype pkcs12 -keystore <KEYSTORE> [-storepass <STOREPASS>]
For example:
> keytool -genkeypair -alias example_alias -dname "cn=CA Gateway,ou=CA Entry,o=Example,c=US" -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -ext san=dns:domain.example.com -keystore /CAGW/config/keystore.ks
> keytool -certreq -alias example_alias -file /tmp/cagw/cagw_csr.txt -keystore /CAGW/config/keystore.ks
See the following table for a description of each option.
Option | Value |
---|---|
-alias | The alias previously specified when Generating the server's key pair. |
-file | The full path of the CSR file. |
-keystore | The full path of the keystore file. |
-storepass | The password of the keystore. When you omit this option, the tool prompts for a password. |
Obtaining the server certificate
Issue the certificate with either:
- Your Security Manager CA.
- A trusted certificate provider such as the Entrust Certificate Services at store.entrust.com.
Importing the server certificate into the keystore
Import the certificate into the keystore:
keytool -importcert -alias <ALIAS> -file <FILE> -keystore <KEYSTORE>
For example:
keytool -importcert -alias example_alias -file /tmp/cagw/cagw_cert.p7b -keystore /home/myuser/cagw/config/keystore.ks
See the following table for a description of each option.
Option | Value |
---|---|
-alias | The alias previously specified when Generating the server's key pair. |
-file | The full path of the PKCS #7 file containing the certificate and the certificate chain. |
-keystore | The full path of the keystore file that holds the key pair; the alias must already exist there so that keytool treats the file as a certificate reply for that key. |
Importing CA certificates into a truststore
For each managed Certificate Authority, CA Gateway requires the following certificates.
CA type | Required certificates |
---|---|
Root | The self-signed root CA certificate. |
Subordinate | The complete CA certificate chain, from the subordinate CA certificate up to the root CA certificate. |
Import these certificates into either:
- The keystore used when Importing the server certificate into the keystore (the example below does this).
- A separate truststore.
To import a CA certificate into a truststore using the Java keytool utility, run the following command.
keytool -importcert -trustcacerts -alias <ALIAS> -file <FILE> -keystore <KEYSTORE> [-storepass <STOREPASS>]
For example:
keytool -importcert -trustcacerts -alias managed_ca1 -file /tmp/cagw/managed_ca1.cer -keystore /home/myuser/cagw/config/keystore.ks
See the following table for a description of each option.
Option | Value |
---|---|
-alias | The alias under which the CA certificate is stored; use a distinct alias for each CA certificate. |
-file | The full path of the CA certificate file. |
-keystore | The full path of the Java keystore file. If the file does not exist, keytool creates it. |
-storepass | The password of the Java keystore. When you omit this option, the tool prompts for a password. |
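The whole procedure above, run end to end as an added example that is not part of the CA Gateway documentation or of Entrust's tooling: a throw-away root CA created locally with keytool stands in for the Security Manager CA, the server key pair, CSR, issued certificate and trusted root are produced and imported in the order the sections above describe, and a check function then confirms what a production keystore must show. The aliases (demo_root, managed_root, example_alias), the paths, the demo password and the FQDN domain.example.com are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not part of the CA Gateway documentation: runs the keytool
# procedure end to end against a throw-away local CA (keytool -gencert stands
# in for Security Manager) and then checks the result. Every alias, path,
# password and the FQDN below is an assumption made for the demo.
set -eu

FQDN="domain.example.com"
ALIAS="example_alias"
STOREPASS="changeit"   # demo password only; do not hard-code a real one

# kt: keytool with its progress chatter suppressed (errors still reach stderr).
kt() { keytool "$@" >/dev/null; }

# cagw_build_keystore WORKDIR: creates WORKDIR/keystore.ks holding the server
# key pair with its CA-issued certificate plus the root CA as a trusted entry.
cagw_build_keystore() {
  work="$1"; ks="$work/keystore.ks"; ca="$work/ca.ks"

  # Throw-away root CA standing in for "Your Security Manager CA".
  kt -genkeypair -alias demo_root -dname "cn=Demo Root CA,o=Example,c=US" \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 30 \
    -ext bc:c -ext ku:c=keyCertSign,cRLSign \
    -storetype pkcs12 -keystore "$ca" -storepass "$STOREPASS" -keypass "$STOREPASS"
  kt -exportcert -rfc -alias demo_root -file "$work/demo_root.cer" \
    -storetype pkcs12 -keystore "$ca" -storepass "$STOREPASS"

  # Step 1: server key pair, as on the page. The SAN given here lands only in
  # the temporary self-signed certificate.
  kt -genkeypair -alias "$ALIAS" -dname "cn=CA Gateway,ou=CA Entry,o=Example,c=US" \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -ext "san=dns:$FQDN" \
    -storetype pkcs12 -keystore "$ks" -storepass "$STOREPASS" -keypass "$STOREPASS"

  # Step 2: CSR. -certreq does not copy extensions from the self-signed
  # certificate, so the SAN is requested again here.
  kt -certreq -alias "$ALIAS" -file "$work/cagw.csr" -ext "san=dns:$FQDN" \
    -storetype pkcs12 -keystore "$ks" -storepass "$STOREPASS"

  # Step 3: issuance. -gencert ignores requested extensions unless told to
  # honour them, so the CA sets SAN and key usages itself, as a real CA's
  # certificate profile would.
  kt -gencert -alias demo_root -infile "$work/cagw.csr" -outfile "$work/cagw.cer" \
    -rfc -validity 30 -ext "san=dns:$FQDN" \
    -ext ku:c=digitalSignature,keyEncipherment -ext eku=serverAuth \
    -storetype pkcs12 -keystore "$ca" -storepass "$STOREPASS"

  # Step 4a: trust the issuing root first (the page's "Importing CA
  # certificates" step); without it keytool cannot build a chain for the reply.
  kt -importcert -trustcacerts -noprompt -alias managed_root \
    -file "$work/demo_root.cer" -storetype pkcs12 -keystore "$ks" -storepass "$STOREPASS"

  # Step 4b: install the reply on the key-pair alias, replacing the self-signed cert.
  kt -importcert -noprompt -alias "$ALIAS" -file "$work/cagw.cer" \
    -storetype pkcs12 -keystore "$ks" -storepass "$STOREPASS"
}

# cagw_list KEYSTORE ALIAS: verbose listing of one entry.
cagw_list() {
  keytool -list -v -alias "$2" -storetype pkcs12 -keystore "$1" -storepass "$STOREPASS"
}

# cagw_entry_type KEYSTORE ALIAS: prints PrivateKeyEntry or trustedCertEntry.
cagw_entry_type() { cagw_list "$1" "$2" | sed -n 's/^Entry type: *//p'; }

# cagw_chain_length KEYSTORE ALIAS: prints the chain length (empty for trusted certs).
cagw_chain_length() { cagw_list "$1" "$2" | sed -n 's/^Certificate chain length: *//p'; }

# cagw_san_has KEYSTORE ALIAS NAME: succeeds if a certificate of the entry
# carries NAME as a DNS-type subjectAltName.
cagw_san_has() { cagw_list "$1" "$2" | sed 's/^ *//' | grep -Fxq "DNSName: $3"; }

# cagw_check KEYSTORE ALIAS FQDN: acceptance test for the finished keystore: a
# private-key entry, a two-certificate chain (leaf + root) and the FQDN in the SAN.
cagw_check() {
  [ "$(cagw_entry_type "$1" "$2")" = "PrivateKeyEntry" ] || { echo "no private key under $2" >&2; return 1; }
  [ "$(cagw_chain_length "$1" "$2")" = "2" ] || { echo "certificate reply not installed" >&2; return 1; }
  cagw_san_has "$1" "$2" "$3" || { echo "issued certificate lacks DNS SAN $3" >&2; return 1; }
}

if command -v keytool >/dev/null 2>&1; then
  WORK=$(mktemp -d)
  KS="$WORK/keystore.ks"
  cagw_build_keystore "$WORK"
  cagw_check "$KS" "$ALIAS" "$FQDN"
  echo "keystore $KS passes: $(cagw_entry_type "$KS" "$ALIAS"), chain length $(cagw_chain_length "$KS" "$ALIAS"), SAN contains $FQDN"
else
  echo "keytool not on PATH; install a JDK to run this example" >&2
fi
```

Two points the page's commands leave implicit: the subjectAltName passed to -genkeypair goes only into the temporary self-signed certificate, so the issuing CA (here -gencert, in production the Security Manager certificate profile or the commercial CA) must itself put the FQDN into the certificate it issues; and the CA certificates must already be trusted in the keystore when the reply is imported, or keytool cannot establish the chain. After a real issuance, run cagw_check (or keytool -list -v) against the production keystore and confirm a PrivateKeyEntry, the full chain and the FQDN under DNSName; with a subordinate CA the chain is longer than two, so adjust the expected length accordingly.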
Reusing the PKI Hub TLS certificate
As the TLS certificate for CA Gateway, you can reuse the TLS server certificate described in Replacing the default TLS certificate, provided that it carries the server's FQDN as a DNS-type subjectAltName as required above.