Versions Compared

Old Version 6

changes.mady.by.user Trip Gilman

Saved on

compared with

New Version Current

changes.mady.by.user Trip Gilman

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Page Properties

arget Target release

Epic

Document status

Status
titleDRAFT

Document owner

Trip Gilman

Designer

Tech lead

Technical writers

QA

...

Queue Adapter is an outlier in that it follows the same process as the core web applications when deployed in AWS but has its own process when deployed on premise. When deployed on premise, Queue Adapter requires the installer to download an unsecured copy of the certificate and apply it to the Windows certificate manager. The installer must then assign the certificate to a specific port using Windows command line. Anyone with administrative access to the server can export the certificate and use it however they want.

Success metrics

Goal

Metric

Assumptions

Requirements

Requirement

User Story

Importance

Jira Issue

Notes

1

Status
colourRed
titleHIGH

2

 

 

 

 

 

User interaction and design

Open Questions

Question

Answer

Date Answered

SSL Run-Book

Convert DER to PEM Format

This step only needs to be performed if the source certificates are in DER format initially. This process must be performed on a machine with OpenSSL installed. File extension might be .cer, .crt, or .der for the source file.

  1. For each certificate file in DER format run the command openssl x509 -in original.cer -inform der -outform pem -out new_name.cer

Convert Individual Certificates into .p7b

This process must be performed on a machine with OpenSSL installed

  1. Ensure certificate files are in PEM format by opening in a text editor. If the file appears to have special characters or does not start with “-----BEGIN CERTIFICATE-----” it is in the DER format and needs converted. See Convert DER to PEM Format before proceeding.

  2. Run the following command including a -certfile mycertfile.cer pair for every certificate file. There should be at least 2-3 certificate files but the number can be more than that.

  3. openssl crl2pkcs7 -nocrl -certfile certificate.cer -certfile intermediate.cer -out certificate.p7b

Convert .p7b and Private Key to .pfx (PKCS12)

This process must be performed on a machine with OpenSSL installed

  1. Convert the .p7b file to a single chained certificate openssl pkcs7 -print_certs -in certificate.p7b -out temp.cer

  2. Create combined .pfx from the certificate chain and the private key openssl pkcs12 -export -in certificate.cer -inkey cert.key -out final.pfx. It will ask for a password for the pfx. If this .pfx file is intended to be imported into a java keystore, such as omis.jks, you want to use the same password for the .pfx file as the target java keystore.

Import .pfx (PKCS12) into Java Keystore

This process must be performed on a machine with the full Java SDK installed. The Java Runtime does NOT have the required utilities. It is highly recommended to create a backup of the keystore prior starting this process

  1. If the certificate being imported is intended to replace an existing certificate, for example in the case the original certificate has expired, the existing certificate must be removed. You can see if the certificate is already present using keytool -list -keystore keystore.jks. The existing certificate can be removed using keytool -delete -alias alias_name -keystore keystore.jks.

  2. Import the .pfx file into the Java keystore using keytool -importkeystore -srckeystore final.pfx -destkeystore keystore.jks. This will import the key chain under the alias ‘1'. Although this will technically work, it makes it difficult to identify which certificate is which.

  3. Change the alias to match the CN of the certificate using keytool -changealias -alias 1 -destalias cn_name_of_cetificate -keystore keystore.jks

  4. Ensure everything is correct using keytool -v -list -keystore keystore.jks

Change Private Key Password

  1. keytool -keypasswd -alias [Alias name for private key] -keystore

Overview and Requirements

...