...
- On the Controller instance's server create the keystore using the `keytool` from your Java JRE or JDK or a third party utility.
  - For use with a third party utility create a keystore, e.g. `https-keystore.p12`, in PKCS12 format and import:
    - Controller private key and certificate for Server Authentication
    - Root CA certificate
    - Intermediate CA certificate(s)
  - For use with `keytool` create the keystore with the private key and certificate for Server Authentication from the command line. The examples below show one possible approach for certificate management; however, there are other ways of achieving similar results.

Example for creating a private key and CA-signed certificate with PKCS12 keystore:
```bash
# Example how to create and add a private key and CA-signed certificate to a PKCS12 keystore

# If the Controller's private key and certificate are to be provided with a .jks keystore (keypair.jks)
# then temporarily convert the keystore to pkcs12 (keystore.p12) for later use with openssl,
# assuming the alias name of the Controller's private key to be "controller.example.com"
# keytool -importkeystore -srckeystore keypair.jks -srcstoretype JKS -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias controller.example.com

# assuming the Controller's private key from a pkcs12 keystore (keystore.p12),
# store the Controller's private key in a .key file in PEM format (controller-https.key)
openssl pkcs12 -in keystore.p12 -nocerts -out controller-https.key

# concatenate CA Root certificate and CA Intermediate certificate(s) to a single CA Bundle certificate file (ca-bundle.crt)
cat RootCACertificate.crt > ca-bundle.crt
cat CACertificate.crt >> ca-bundle.crt

# Export the Controller's private key (controller-https.key), Controller's certificate (controller-https.crt)
# and CA Bundle (ca-bundle.crt) in PEM format to a new keystore (https-keystore.p12)
# assuming the fully qualified domain name (FQDN) of the Controller server is "controller.example.com"
openssl pkcs12 -export -in controller-https.crt -inkey controller-https.key \
    -chain -CAfile ca-bundle.crt -name controller.example.com \
    -out JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.p12

# If you require use of a .jks keystore type then convert the pkcs12 keystore,
# assuming the alias name of the Controller private key being "controller.example.com"
# keytool -importkeystore -srckeystore JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.p12 -srcstoretype PKCS12 -destkeystore JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.jks -deststoretype JKS -srcalias controller.example.com
```
Example for creating private key and self-signed certificate with PKCS12 keystore:
```bash
# Example how to generate a private key and self-signed certificate for import into a PKCS12 keystore

# generate the Controller's private key with alias name "controller.example.com" in a keystore (https-keystore.p12)
# use the fully qualified domain name (FQDN) assumed to be "controller.example.com" and name of your organization for the distinguished name
# consider that PKCS12 keystores require the use of the same key password and store password
keytool -genkey -alias "controller.example.com" \
    -dname "CN=controller.example.com,O=organization" \
    -validity 1461 -keyalg RSA -keysize 2048 -keypass jobscheduler \
    -keystore "JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.p12" \
    -storepass jobscheduler -storetype PKCS12
```
Example for creating a private key and self-signed certificate with JKS keystore:
```bash
# Example how to generate a private key and self-signed certificate for import into a JKS keystore

# generate the Controller's private key with the alias name "controller.example.com" in a keystore (https-keystore.jks)
# use the fully qualified domain name (FQDN) assumed to be "controller.example.com" and name of your organization for the distinguished name
keytool -genkey -alias "controller.example.com" \
    -dname "CN=controller.example.com,O=organization" \
    -validity 1461 -keyalg RSA -keysize 2048 -keypass jobscheduler \
    -keystore "JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.jks" \
    -storepass jobscheduler -storetype JKS
```
Explanation:
- The `-dname` option specifies the certificate issuer, therefore use your own set of CN, O, OU, DC that specify the issuer's Distinguished Name. The O setting is required for the issuer.
- The `-keypass` option accepts the password that you will need later on to manage your private key.
- The `-keystore` option specifies the location of the keystore file. The keystore file should be within reach of the Controller; it is recommended to use the `private` sub-folder in the `JS7_CONTROLLER_CONFIG_DIR` directory.
- The `-storepass` option specifies the password for access to the keystore file.
- The `-storetype` option is used to specify the PKCS12 or JKS keystore format.
- With the keystore set up, specify the relevant properties with the `JS7_CONTROLLER_CONFIG_DIR/private/private.conf` configuration file:

Example:
```text
# Example for private.conf file specifying the Controller keystore
js7 {
    web {
        # keystore location for https connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password="jobscheduler"
                store-password="jobscheduler"
            }
        }
    }
}
```
Explanation:
- `js7.web.https.keystore.file` is used for the path to the keystore.
- `js7.web.https.keystore.key-password` is used for access to the private key.
- `js7.web.https.keystore.store-password` is used for access to the keystore.
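
A pre-flight check for a PKCS12 keystore built with the steps above, run before the Controller is pointed at it. This is an added example, not part of the JS7 documentation; it assumes `openssl` is on the PATH, and the function names, the `KS_PASS` environment variable and the 30-day expiry threshold are assumptions of this example. The sample keystore is constructed.

```shell
#!/usr/bin/env bash
# Added example (not JS7 code). KS_PASS, check_keystore and make_sample_keystore
# are assumed names; the password comes from the environment, not from argv.

check_keystore() {  # usage: KS_PASS=... check_keystore <keystore.p12> <fqdn>
  local ks="$1" fqdn="$2" rc=0 leaf cert_pub key_pub mode
  # 1. The store password opens the keystore and it holds a leaf certificate.
  leaf="$(openssl pkcs12 -in "$ks" -passin env:KS_PASS -nokeys -clcerts 2>/dev/null \
          | openssl x509 2>/dev/null)" || true
  [ -n "$leaf" ] || { echo "FAIL: keystore unreadable or no certificate"; return 1; }
  # 2. The private key in the keystore belongs to that certificate.
  #    The decrypted key only travels through a pipe, it is never written to disk.
  cert_pub="$(printf '%s\n' "$leaf" | openssl x509 -noout -pubkey)"
  key_pub="$(openssl pkcs12 -in "$ks" -passin env:KS_PASS -nocerts -nodes 2>/dev/null \
             | openssl pkey -pubout 2>/dev/null)" || true
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: private key missing or not matching the certificate"; rc=1; }
  # 3. The certificate is valid for the Controller's FQDN.
  printf '%s\n' "$leaf" | openssl x509 -noout -checkhost "$fqdn" \
    | grep -q 'does match' || { echo "FAIL: certificate not valid for $fqdn"; rc=1; }
  # 4. The certificate does not expire within the next 30 days.
  printf '%s\n' "$leaf" | openssl x509 -noout -checkend 2592000 >/dev/null \
    || { echo "FAIL: certificate expires within 30 days"; rc=1; }
  # 5. Only the file owner has any permission on the keystore.
  mode="$(ls -ld "$ks" | cut -c5-10)"
  [ "$mode" = "------" ] || { echo "FAIL: keystore accessible to group/other"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $ks"
  return "$rc"
}

# Constructed sample: a throwaway self-signed keystore in directory $1,
# protected with the password in KS_PASS, to try the checks on.
make_sample_keystore() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=controller.example.com/O=organization" \
    -keyout "$1/k.pem" -out "$1/c.pem" >/dev/null 2>&1 &&
  openssl pkcs12 -export -in "$1/c.pem" -inkey "$1/k.pem" \
    -name controller.example.com -passout env:KS_PASS \
    -out "$1/https-keystore.p12" &&
  chmod 600 "$1/https-keystore.p12"
}
```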
...