Gather Security Certificates and Information

Before you can start setting up CA Spectrum CAC Authentication, verify that you have the appropriate security certificates and security information readily available to you. Start by gathering the required certificate and security information.
Follow these steps:
  1. Gather root and intermediate certificates for the CACs.
  2. Determine the method that you plan to use for CAC verification. Record the information that is indicated for your selection as appropriate:
    • OCSP AIA
      Retrieves the parameters of the OCSP server from the AIA (Authority Information Access) extension of the certificate on the Common Access Card. The OCSP responder certificate is required.
    • OCSP Server
      Uses a URL to access the OCSP server and a certificate for the specified server. The OCSP responder certificate and the OCSP responder URL are required.
    • CRL Directory
      Uses a path to the directory which contains CRL files. The full path to the directory containing CRLs is required.
    • CRL URL
      Specifies a list, separated by spaces, of full URLs to the CRL files that are provided by the web server. The full URL to each CRL is required.
    • CRL Distribution Point
      Specifies that CA Spectrum retrieves the information about the web location of the CRL files from the certificate itself.
    For more information about these options, see How CACs Work.
  3. (Optional) If you are using Lightweight Directory Access Protocol (LDAP), collect the following information:
    • Hostname
    • Port
    • Base distinguished name
    • User distinguished name
    • User password
    • EDIPI attribute name
    • LDAP server certificate (if you plan to enable SSL)
    • Field name to map ID to
    • Field from which to extract the CA Spectrum
    • For mapping from the certificate to LDAP:
      • Decide whether ID information on the card certificate (EDIPI or another type of ID) will come from the subject, alternative name, or rfc822 name.
      • Create a parsing rule to extract ID information from the card.

Generate a Self-Signed Certificate

If you do not already have a certificate, generate a self-signed certificate on the OneClick server.
Follow these steps:
  1. Open a command prompt/shell and change the directory to: <
  2. Run the "keytool" program with the following arguments:
    -genkey -alias tomcatssl -keyalg RSA -keystore <SPECROOT>/custom/keystore/cacerts
  3. Enter
    for the -keystore password.
    The word 'changeit' is the default password for the keystore.
  4. Complete the fields. The following fields are not self-explanatory:
    • First+Last name
      Specifies the fully qualified domain name of your OneClick server. For example, "myhostname.mydomain".
    • Organizational Unit
      Specifies your company division. For example, Spectrum Engineering.
    • Organization
      Specifies the company name. For example, CA Inc.
  5. Verify that your information is correct, and type 'yes' to accept.
  6. Press Enter to use the same password as the keystore.

Import an Existing Self-Signed Certificate for the OneClick Server

If you already have a certificate, you must import it for CA Spectrum CAC Authentication.
To import the existing certificate for CA Spectrum CAC Authentication:
  1. Change the directory to: <SPECROOT>/Java/bin.
  2. Run the following command:
    ./keytool -importcert -alias tomcatssl -file cert_file -keystore <SPECROOT>/custom/keystore/cacerts
    • cert_file
      Specifies the existing OneClick certificate file.
  3. Type
    for the keystore password.
  4. Press Enter to use the same password as the keystore.

Import an Existing Private Key and Certificate for the OneClick Server

This procedure destroys your existing cacerts keystore and creates a new one with your private key and certificate. At present, you cannot force a private key into an existing keystore. This procedure is the only way to create a new keystore with a preexisting private key.
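Because the procedure replaces the existing keystore, it helps to confirm that the private key and certificate belong together, that the certificate is not about to expire, and that a copy of the current keystore exists before you run it. The script below is an added example, not part of the CA Spectrum documentation; the function names, the 30-day threshold, and the demo files it generates are assumptions.

```sh
#!/bin/sh
# Added example: pre-flight checks before the keystore is replaced.
# Function names and demo file names are assumptions, not CA Spectrum tooling.

# True only if the certificate's public key is the private key's public half.
key_matches_cert() {   # <private_key_file> <server_cert_file>
  kmc_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  kmc_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$kmc_key" ] && [ "$kmc_key" = "$kmc_crt" ]
}

# True if the certificate is still valid <days> days from now.
cert_valid_for_days() {   # <server_cert_file> <days>
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Copies the keystore aside and prints the backup path; no-op if it is absent.
backup_keystore() {   # <keystore_file>
  [ -f "$1" ] || return 0
  bk_path="$1.bak.$(date +%Y%m%d%H%M%S)"
  cp -p "$1" "$bk_path" && printf '%s\n' "$bk_path"
}

preflight() {   # <private_key_file> <server_cert_file> <keystore_file>
  key_matches_cert "$1" "$2" || { echo "FAIL: key and certificate do not match" >&2; return 1; }
  cert_valid_for_days "$2" 30 || { echo "FAIL: certificate expires within 30 days" >&2; return 1; }
  backup_keystore "$3" >/dev/null || { echo "FAIL: keystore backup failed" >&2; return 1; }
  echo "OK: safe to run the pkcs12 export and keytool import"
}

# Constructed demo input: a throwaway key, a matching certificate, an unrelated key.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=oneclick.example.test" \
  -keyout "$DEMO_DIR/server.key" -out "$DEMO_DIR/server.crt" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$DEMO_DIR/other.key" 2>/dev/null
printf 'placeholder' > "$DEMO_DIR/cacerts"   # stands in for <SPECROOT>/custom/keystore/cacerts

preflight "$DEMO_DIR/server.key" "$DEMO_DIR/server.crt" "$DEMO_DIR/cacerts"
preflight "$DEMO_DIR/other.key" "$DEMO_DIR/server.crt" "$DEMO_DIR/cacerts" || true
```

In real use, call `preflight` with your own private key, server certificate, and the path to the cacerts keystore instead of the generated demo files.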
Follow these steps:
  1. Gather the private key and the certificate files.
  2. Change the directory to a temporary directory.
  3. Execute the following command:
    openssl pkcs12 -export -inkey <private_key_file> -in <server_cert_file> -out mycert.pfx -name "default"
  4. Change to the following directory:
  5. Execute the following command:
    keytool -importkeystore -srckeystore <path_to_mycert.pfx> -srcstoretype pkcs12 -destkeystore <SPECROOT>/custom/keystore/cacerts -srcalias default -destalias tomcatssl -destkeypass changeit
    Your private key and server certificate are now stored in the keystore, which is located in the following directory: