Generate Certificates and Keystore

A new CA SOI system requires a server certificate and keystore for UI Server and SA Manager. The server certificate is based on a root certificate. The root certificate can be loaded into the various keystores and marked as trusted.
These procedures are applicable if your organization has not provided any certificates.
The CA SOI server systems within an organization must share the same root certificate.
To generate certificates and keystore, follow these steps:
Download OpenSSL for Windows.
Before you generate a certificate and keystore, download OpenSSL for Windows.
Follow these steps:
  1. Download OpenSSL from https://sourceforge.net/projects/openssl/files/latest/download. The openssl folder is downloaded to your system.
  2. Unzip the OpenSSL folder.
  3. Create a CERTS folder on the C drive, for example, C:\CERTS.
  4. Navigate to <opensslfolder>\bin and copy openssl.exe and openssl.cnf to the CERTS folder.
Generate Root Certificate, Server Certificate, and Keystore
After you copy openssl.exe and openssl.cnf to your local system, generate the root certificate, the server certificate, and the keystore.
Generate the root certificate only once. The openssl utility creates a demoCA folder (for example, C:\CERTS\demoCA). Retain this folder: when you add a CA SOI system to an enterprise domain connector, all the server certificates must be signed by the same root certificate.
Follow these steps:
  1. From the command prompt, navigate to the CERTS folder by using the following command:
    cd C:\CERTS
  2. Generate the root certificate:
    1. Set the following options:
      set OPENSSL_FIPS=1
      set OPENSSL_CONF=C:\CERTS\openssl.cnf
    2. Create a private key (CASOIRoot.key) and a self-signed root certificate, saved as CASOIRoot.pem, by using the following command. The example creates a certificate that is valid for ten years (days = 365x10).
      openssl.exe req -x509 -new -nodes -newkey rsa:2048 -keyout CASOIRoot.key -days 3650 -out CASOIRoot.pem
      You are prompted to enter the following information, which is added to your certificate. The Common Name must be CA SOI Root. For example:
      Country Name (2 letter code) [AU]:US
      State or Province Name (full name) [Some-State]:MA
      Locality Name (eg, city) []:Boston
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:CA Inc
      Organizational Unit Name (eg, section) []:
      Common Name (e.g. server FQDN or YOUR name) []:CA SOI Root
      Email Address []:
      The root certificate is generated.
  3. Generate the server certificate and keystore:
    • Generate a server certificate and keystore for each CA SOI server. Each CA SOI system must have its own server certificate.
    • We assume that your CA SOI Server name is soi1.ca.com.
    1. Use the openssl genrsa command to create the private key file of the server:
      openssl.exe genrsa -rand openssl.exe -out soi1.key 2048
    2. To generate a signing request for the server certificate, use the following openssl req command:
      openssl.exe req -new -key soi1.key -out soi1.csr
      You are prompted to enter the following information:
      Country Name (2 letter code) [AU]:US
      State or Province Name (full name) [Some-State]:MA
      Locality Name (eg, city) []:Boston
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:CA Inc
      Organizational Unit Name (eg, section) []:
      Common Name (e.g. server FQDN or YOUR name) []:soi1.ca.com
      Email Address []:
      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:
      An optional company name []:
      • The Common Name must be the FQDN of the CA SOI server.
      • Leave the challenge password blank.
    3. To sign the server certificate with the root key, use the following openssl ca command. The example creates a certificate that is valid for ten years (days = 365x10):
      openssl.exe ca -keyfile CASOIRoot.key -cert CASOIRoot.pem -notext -in soi1.csr -out soi1.crt -days 3650
    4. To generate a temporary keystore (KEYSTORE.p12) that holds the CA SOI server certificate, use the following openssl pkcs12 command:
      openssl.exe pkcs12 -export -in soi1.crt -inkey soi1.key -out KEYSTORE.p12 -name tomcatssl -CAfile CASOIRoot.pem -caname CASOIRoot
      When prompted for the export password, enter catalyst.
    5. To delete any existing ssa.jks file, use the following command:
      del ssa.jks
    6. To generate the keystore (ssa.jks) that holds the CA SOI server certificate, use the following keytool -importkeystore command:
      keytool.exe -importkeystore -srckeystore KEYSTORE.p12 -srcstoretype PKCS12 -srcstorepass catalyst -destkeystore ssa.jks -deststorepass catalyst
    7. To import the CA SOI root certificate into the ssa.jks keystore, use the following keytool -importcert command:
      keytool.exe -importcert -alias casoiroot -file CASOIRoot.pem -trustcacerts -keystore ssa.jks -storepass catalyst
    The keystore (ssa.jks) is created.
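Before you hand ssa.jks to the UI Server, it is worth confirming that the procedure produced what the connector expects. The following PowerShell script is an added check, not part of the CA SOI documentation: it verifies that soi1.crt chains to CASOIRoot.pem, that its Common Name is the server FQDN and its issuer is CA SOI Root, that the certificate is not expired, and that ssa.jks holds both the tomcatssl private-key entry and the casoiroot trusted certificate. It assumes it runs in C:\CERTS with openssl.exe in that folder and keytool.exe on the PATH; the parameter names are my own.

```powershell
# Added post-generation check for the CA SOI certificate procedure (not CA's own script).
# Assumptions: run from C:\CERTS, openssl.exe is in that folder, keytool.exe is on the PATH.
param(
    [string]$CertsDir   = 'C:\CERTS',
    [string]$ServerFqdn = 'soi1.ca.com',   # the page's example server name
    [string]$StorePass  = 'catalyst'       # the password the page uses for ssa.jks
)
Set-Location $CertsDir
$failures = @()

# 1. The server certificate must chain to the shared root; openssl verify exits 0 on success.
& .\openssl.exe verify -CAfile CASOIRoot.pem soi1.crt | Out-Null
if ($LASTEXITCODE -ne 0) { $failures += 'soi1.crt does not verify against CASOIRoot.pem' }

# 2. Subject CN must be the server FQDN; issuer CN must be the root created earlier.
#    The regex accepts both "CN = x" (OpenSSL 1.1+) and "/CN=x" (OpenSSL 1.0) formats.
$subject = (& .\openssl.exe x509 -in soi1.crt -noout -subject) -join ''
$issuer  = (& .\openssl.exe x509 -in soi1.crt -noout -issuer)  -join ''
if ($subject -notmatch "CN\s*=\s*$([regex]::Escape($ServerFqdn))") {
    $failures += "subject CN is not ${ServerFqdn}: $subject"
}
if ($issuer -notmatch 'CN\s*=\s*CA SOI Root') { $failures += "issuer is not CA SOI Root: $issuer" }

# 3. -checkend 0 exits non-zero if the certificate has already expired.
& .\openssl.exe x509 -in soi1.crt -noout -checkend 0 | Out-Null
if ($LASTEXITCODE -ne 0) { $failures += 'soi1.crt is expired' }

# 4. ssa.jks must contain the key entry imported from KEYSTORE.p12 and the trusted root.
$listing = (& keytool.exe -list -keystore ssa.jks -storepass $StorePass) -join "`n"
if ($listing -notmatch 'tomcatssl,.*PrivateKeyEntry')  { $failures += 'ssa.jks has no PrivateKeyEntry named tomcatssl' }
if ($listing -notmatch 'casoiroot,.*trustedCertEntry') { $failures += 'ssa.jks has no trustedCertEntry named casoiroot' }

if ($failures.Count -eq 0) {
    Write-Output "OK: $ServerFqdn certificate and ssa.jks are consistent"
    exit 0
}
$failures | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

Run it once per CA SOI server; a FAIL on the issuer check is the usual sign that a server was signed with a different root than the rest of the enterprise.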
Use the ssa.jks keystore in the next step: Configure UI Server to Enable CAC Authentication.