How To Install Pem Certificate Windows 7

Install a CA-signed SSL certificate with the Java keytool

Overview

Every Code42 server includes a self-signed certificate to support secure HTTPS connections. That certificate enables encryption of client-server communications, but it cannot reliably identify your server and protect your clients from impostor servers. This article describes how to configure a more secure option: using the Java keytool to create an SSL/TLS certificate signed by a trusted certificate authority (CA).

Other articles describe other tools for creating a CA-signed certificate:

  • The KeyStore Explorer provides a graphical user interface for managing certificates and keystores.
  • Linux administrators typically use OpenSSL.

Server security requires a CA-signed certificate and the TLS protocol
Reliable security of any production web server requires an SSL certificate signed by a trusted certificate authority (CA) and enforced use of the TLS protocol (that is, HTTPS, not HTTP).

Your on-premises Code42 authority server is no exception. A Code42 server that is configured to use a signed certificate, strict TLS validation, and strict security headers protects server communications with browsers, your Code42 apps, and other servers.

  • By default, your authority server uses a self-signed certificate and TLS. That provides for encrypting client-server traffic.
  • Adding a CA-signed certificate provides further security by confirming your server's identity to clients. It prevents attackers from acquiring client data through counterfeit servers and encryption keys.
  • Never reconfigure a production server to use HTTP rather than TLS and HTTPS.
  • Configuring Code42 servers and apps to use strict TLS validation further ensures the security of client-server connections.
  • Configuring Code42 servers to use an HTTP Strict Transport Security (HSTS) response header further prevents unencrypted browser access to Code42 consoles.

Before you begin

  • Consult your security or web administrators to learn about your organization's existing keys, certificates, and keystores. Decide whether you will:
    • Generate a new key and get a new CA-signed certificate for it.
      In this case, find the address of the CA your organization uses. Once you request a signed certificate from a CA, the CA's reply may take as long as a week.
    • Import existing keys and certificates, or an existing keystore, that will work in your Code42 server's domain.
      Signed certificates secure specific domain names or ranges of subdomains. Your organization may have certificates for *.example.com. A wildcard certificate works for multiple subdomains, including authority-server.example.com.

      Existing materials must include Subject Alternative Name (SAN)
      Certificates and keystores built to an older standard may lack the Subject Alternative Name (SAN) extension. Most browsers now distrust such certificates. If your existing certificates and keystores don't have the SAN extension, start over with a new certificate signing request.

  • Once you have a Java keystore for your Code42 server's domain, sign in to your Code42 console, and import the keystore for your Code42 server's use. Importing requires the Server Administrator or SYSADMIN role.

    Build your keystore on any machine
    You can generate keys and build keystores on any secure machine and then import the result, a *.jks file, to your authority server via the Code42 console. You do not need any further access to the authority server's host machine.

  • Importing a keystore requires briefly stopping and restarting your Code42 server. Consider stopping and restarting your Code42 server during low-traffic hours.
  • If you import a certificate and key with uncommonly strong encryption, first configure your Code42 server to accept longer keys.

Need help?
Assistance creating a keystore or handling a certificate signing request (CSR) is beyond the scope of Customer Champions. For assistance, contact your Customer Success Manager (CSM) to engage our Professional Services team.

Terminology

These instructions use the following terms:

  • Key: A unique string of characters that seeds a mathematical algorithm for encryption and decryption. Keys come in pairs. A public key encrypts data to be decrypted with the corresponding private key.
  • Certificate: A file that contains a public key and identifies who owns that key and its corresponding private key. In a signed certificate, a trusted certificate authority (CA) affirms that a public key does indeed belong to the owner named in the certificate. A certificate chain links a public key to a widely trusted root certificate.
  • Keystore: A file that holds a combination of keys and certificates.
  • PKCS, PFX: A binary format for key, certificate, and keystore files. Typical file names are *.pkcs, *.p12, *.p7b, *.pfx
  • Java keystore: The binary format for keystores used by Code42 servers. Typical file names are .keystore and *.jks
  • PEM: An ASCII text format for keys and certificates. Typical file extensions are *.pem, *.key, *.csr, *.cert. The binary counterpart is the DER-format file. An X.509 certificate may or may not be in PEM format.

To identify a PEM file, read it with a console or text editor. If you see ASCII text, it's a PEM file.

PEM file example

Configure the keytool command

The Java keytool installs as part of a system's Java Runtime Environment (JRE) and runs at the Windows or Linux command line. To use keytool, install it on your system and configure its use as described below.

Windows

  1. Download and install a recent version of the JRE from Oracle.
  2. Locate the keytool with two commands.
    The second command returns the location of keytool.exe.
    cd \
    dir /b/s keytool.exe
  3. Add the directory where keytool.exe resides to the PATH variable.
    PATH=%PATH%;<directoryWhereKeytool.exeResides>
    For example:
    PATH=%PATH%;C:\Program Files\Java\jre1.8.0_111\bin
  4. Return to a directory that belongs to your user name:
    cd \Users\<yourusername>
  5. Repeat steps 2 and 3 for any terminal window in which you want to use the keytool command.

Keytool

Linux

Install a recent version of the JRE with commands like the following:
sudo apt-get update
sudo apt-get install default-jre

Create a keystore

Create a keystore using one of the following options:

  • Option 1: Create a new key and Java keystore; import a CA's signature.
  • Option 2: Package existing PEM-format keys and certificates in a new Java keystore.
  • Option 3: Convert an existing PKCS or PFX keystore to a Java keystore.

Option 1: Create a new key and Java keystore; import a CA's signature

Step 1: Create a keystore and a signing request

Create a Java keystore and a request for a CA to sign your public key.

Help writing commands
For assistance writing these commands, see DigiCert's Java Keytool CSR Wizard.

  1. Create the keystore with the command below, after substituting your value for one variable:
    • <your.domain.com>: the complete domain name of your Code42 server.

    Enter the same password twice
    The command will prompt you for two passwords. Supply the same value for both of them:
    Enter keystore password:
    Enter key password:

    keytool -genkeypair -alias <your.domain.com> -storetype jks -keystore <your.domain.com>.jks -validity 366 -keyalg RSA -keysize 4096
  2. The command prompts you for identifying data.
    At "What is your first and last name?" you must supply the domain name of the Code42 server you want to secure.
    Most CAs require values for the other fields as well.
    What is your first and last name? <your.domain.com>
    What is the name of your organizational unit? yourunit
    What is the name of your organization? yourorg
    What is the name of your City or Locality? yourcity
    What is the name of your State or Province? yourstate
    What is the two-letter country code for this unit? US
  3. Create the certificate signing request (CSR) with the command below, after substituting your value for all four occurrences of one variable:
    • <your.domain.com>: the complete domain name of your Code42 server.
    keytool -certreq -alias <your.domain.com> -file <your.domain.com>.csr -keystore <your.domain.com>.jks -ext san=dns:<your.domain.com>

Step 2: Request a CA-signed certificate

  1. In the directory where you ran Step 1 above, find the file <your.domain.com>.csr
  2. Submit the file <your.domain.com>.csr to your CA.
    • Details vary from one CA to another. Typically, you submit your request via a website, then the CA contacts you to verify your identity.
    • CAs can send signed reply files in a variety of formats, and CAs use a variety of names for those formats. You want the CA's reply in PEM or PKCS#7 format.
  3. Wait (usually days or a week) for the CA's reply.

Step 3: Import the CA's reply

The CA's reply will provide one PKCS file or multiple PEM files. Import them into your keystore as follows:

  1. Copy the CA's files into the directory where you created the keystore in Step 1 above.
  2. Windows only: Configure the keytool command as described above.
  3. Use keytool to import the CA reply files to your keystore
    (The commands will prompt you for your keystore password):
    • If the CA sent a PKCS file, use the command below, after substituting your values for two variables:
      • <your.domain.com> : The complete domain name of your Code42 server.
      • <CAreply.pkcs> : The name of the PKCS file provided by the CA.
      keytool -importcert -alias <your.domain.com> -file <CAreply.pkcs> -keystore <your.domain.com>.jks -trustcacerts
    • If the CA sent PEM files, there may be one file, but most often there are two or three. Import the files to your keystore with commands in the order shown below, after substituting your values for four variables:
      • <root.cert.pem> : The name of the root certificate file
      • <intermediate.cert.pem> : The name of the intermediate certificate file
        The root and intermediate files link the CA's signature to a widely trusted root certificate that is known to web browsers. Most, but not all, CA replies include roots and intermediates.
      • <your.domain.com> : The complete domain name of your Code42 server
      • <server.cert.pem> : The name of the server certificate file
        The file links your domain name with your public key and the CA's signature.
      keytool -importcert -alias root -file <root.cert.pem> -keystore <your.domain.com>.jks -trustcacerts
      keytool -importcert -alias intermediate -file <intermediate.cert.pem> -keystore <your.domain.com>.jks -trustcacerts
      keytool -importcert -alias intermediate2 -file <intermediate2.cert.pem> -keystore <your.domain.com>.jks -trustcacerts
      keytool -importcert -alias <your.domain.com> -file <server.cert.pem> -keystore <your.domain.com>.jks -trustcacerts

Troubleshoot
If you import certificates in the wrong order, the above commands return an error message. To resolve the error, you can:

  • Consult your CA.
  • Re-arrange the order of certificates and try again.
  • Read each certificate with the following command:
    keytool -printcert -file <filename.cert.pem>
    In the output, note the Owner and Issuer (signer) of each certificate. Order your import commands so that the Issuer of each certificate matches the Owner in the previous command.
  4. Proceed to configuring your Code42 server below.
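The Owner/Issuer ordering rule from the Troubleshoot box, carried out in code as an added example (not Code42's or keytool's own code): it reads the Owner and Issuer lines from constructed keytool -printcert output for each reply file, finds the top of the chain, and emits the -importcert commands in chain order with the aliases used above. The file names, distinguished names and alias scheme are assumptions made for the example.

```python
"""Order a CA reply for keytool import from the Owner/Issuer lines of keytool -printcert output.

Added example, not Code42's own code. Each certificate's Issuer must match the Owner of the
certificate imported before it, so the top of the chain goes first and the server certificate last.
"""
import re

# Constructed keytool -printcert output for a three-file CA reply, listed in the order it arrived.
PRINTCERT_OUTPUT = {
    "server.cert.pem": ("Owner: CN=authority-server.example.com, O=YourOrg, C=US\n"
                        "Issuer: CN=Example Issuing CA, O=ExampleCA, C=US\n"),
    "intermediate.cert.pem": ("Owner: CN=Example Issuing CA, O=ExampleCA, C=US\n"
                              "Issuer: CN=Example Root CA, O=ExampleCA, C=US\n"),
    "root.cert.pem": ("Owner: CN=Example Root CA, O=ExampleCA, C=US\n"
                      "Issuer: CN=Example Root CA, O=ExampleCA, C=US\n"),
}


def parse_printcert(text: str) -> tuple:
    """Return (owner, issuer) from one certificate's keytool -printcert output."""
    owner = re.search(r"^Owner:\s*(.+)$", text, re.MULTILINE)
    issuer = re.search(r"^Issuer:\s*(.+)$", text, re.MULTILINE)
    if not owner or not issuer:
        raise ValueError("no Owner/Issuer lines found")
    return owner.group(1).strip(), issuer.group(1).strip()


def import_order(outputs: dict) -> list:
    """Return the file names in import order: top of the chain first, server certificate last."""
    names = {fname: parse_printcert(text) for fname, text in outputs.items()}
    owners = {owner for owner, _ in names.values()}
    # The chain head is either self-signed (a root) or signed by a CA that is not in this reply.
    heads = [f for f, (owner, issuer) in names.items() if issuer == owner or issuer not in owners]
    if len(heads) != 1:
        raise ValueError(f"expected exactly one chain head, found {len(heads)}")
    issued_by = {}                               # issuer DN -> files it signed (excluding itself)
    for fname, (owner, issuer) in names.items():
        if owner != issuer:
            issued_by.setdefault(issuer, []).append(fname)
    order = heads
    while children := issued_by.get(names[order[-1]][0], []):
        if len(children) > 1:
            raise ValueError(f"{names[order[-1]][0]} signed several certificates in this set")
        order.append(children[0])
    if len(order) != len(names):
        raise ValueError(f"not linked into the chain: {sorted(set(names) - set(order))}")
    return order


def import_commands(outputs: dict, domain: str) -> list:
    """Emit the keytool -importcert commands in chain order, with the aliases the article uses."""
    order = import_order(outputs)
    owner, issuer = parse_printcert(outputs[order[0]])
    aliases = ["root"] if owner == issuer else []  # a reply without a root starts at an intermediate
    n_inter = len(order) - len(aliases) - 1
    aliases += ["intermediate" if i == 0 else f"intermediate{i + 1}" for i in range(n_inter)]
    aliases.append(domain)                         # the server certificate reuses the key's alias
    return [f"keytool -importcert -alias {a} -file {f} -keystore {domain}.jks -trustcacerts"
            for a, f in zip(aliases, order)]
```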

Option 2: Package existing PEM-format key and certificates in a new Java keystore

If you have an existing private key and certificates for your Code42 server's domain, in PEM format, importing them into a Java keystore requires the OpenSSL tool. OpenSSL can package the PEM files in a PKCS keystore. Java keytool can then convert the PKCS keystore to a Java keystore.

  1. Install OpenSSL:
    • Windows: Download and install OpenSSL.
    • Linux: Verify that OpenSSL is installed by issuing the command openssl version
      If that returns an error, install OpenSSL with a command like sudo apt-get install openssl
  2. Gather your private key, server certificate, and intermediate certificate into one directory.
  3. Package the key and certificates into a PKCS keystore with the command below, after substituting your values for four variables
    (The command will prompt you for your keystore password):
    • <server.cert.pem>: The name of the server certificate file
      The file links your domain name with your public key and CA's signature.
    • <private.key.pem>: The private counterpart to the public key in <server.cert.pem>
    • <intermediate.cert.pem>: The name of the intermediate certificate file
      The file links the CA's signature to a widely trusted root certificate that is known to web browsers.
    • <your.domain.com> : The complete domain name of your Code42 server
    openssl pkcs12 -export -in <server.cert.pem> -inkey <private.key.pem> -certfile <intermediate.cert.pem> -name "<your.domain.com>" -out <your.domain.com>.p12
  4. Convert the resulting PKCS keystore file, <your.domain.com>.p12, into a Java keystore. See Option 3, below.

Option 3: Convert an existing PKCS or PFX keystore to a Java keystore

If you have an existing PKCS or PFX keystore for your Code42 server's domain, convert it to a Java keystore.

  1. Windows only: Configure the keytool command as described above.
  2. Issue the command below, after substituting your values for two variables
    (The command will prompt you for keystore passwords):
    • <your.domain.com.p12> : The existing keystore file.
    • <your.domain.com> : The complete domain name of your Code42 server
    keytool -importkeystore -srckeystore <your.domain.com.p12> -srcstoretype PKCS12 -destkeystore <your.domain.com>.jks -deststoretype jks
  3. Proceed to configuring your Code42 server below.

Configure your Code42 server to use your keystore

Step 1: Back up your Code42 server's database

As a best practice, back up your Code42 server's database:

  1. Open the Code42 console.
  2. Navigate to Settings > Server.
  3. From the action menu, select Dump Database.

Step 2: Import your keystore to your Code42 server

  1. In the Code42 console, select Settings > Security > Keys.
  2. At SSL, check Require SSL to access console.
  3. Click Import Keystore.
  4. Select your Java keystore file, <your.domain.com>.jks, and provide <yourpassword>.
  5. Return to the system command line and stop and restart the Code42 server:

    Windows:
    net stop CrashPlanPROServer
    net start CrashPlanPROServer

    Linux:
    sudo /opt/proserver/bin/proserver stop
    sudo /opt/proserver/bin/proserver start

  6. Give the server several minutes to start up, then return the browser to the Code42 console sign-in page:
    https://<your.domain.com>:4285
  7. If the keystore import succeeds, your browser will show a secure connection icon (a green padlock indicates a secure browser connection) rather than an exception warning.
    Indicators vary by browser.

Web Browser Secure Connection

Troubleshooting

  • If your test Code42 server fails to start after installing the new keystore, uninstall and reinstall the server.
  • If your production Code42 server fails to start after installing the new keystore, see Recover your Code42 server to a previous state.
  • Most problems with SSL certificates are related to key creation, signing, and conversion. We recommend that you:
    • Carefully repeat the process described above.
    • Check that your certificate and keystore files include the Subject Alternative Name (SAN) extension.
      Convert your keystore or certificate to text, as described below. Look for
      X509v3 Subject Alternative Name
    • Consult with your CA to make certain you have the right intermediate certificates.
    • Consult documentation for the tool you're using:
      • OpenSSL
      • Java keytool
      • KeyStore Explorer
  • For additional help, contact your Customer Success Manager (CSM).

Automatically generated self-signed certificates

Keys are kept in a keystore. Your authority servers or storage servers use the keys in the keystore to securely process transactions.

If a Code42 server cannot find keys, it searches for keystores with the following precedence:

  1. The keystore in the database, uploaded in the Code42 console or by API. (To upload the keys in the Code42 console, navigate to Administration > Settings > Security > Keys.)
  2. The keystore location on the server as configured by the c42.https.keystore.default system property. To verify the location, enter the following prop.show command in the Code42 console command-line interface (CLI): prop.show c42.https.keystore.default

If for some reason your Code42 servers cannot locate the keys in these locations, they generate a self-signed certificate to ensure uninterrupted operation of your Code42 environment. The automatically generated self-signed certificate should only be used temporarily while you troubleshoot keystore issues. Code42 strongly recommends using a CA-signed certificate for production environments.

Convert certificates and keystores to text files

Certificate and keystore files are in binary or base64 formats. You can make them easier to read by converting files to PEM format and then converting PEM files to text, as follows:

  • Java keystore to PKCS
    keytool -importkeystore -srckeystore <filename>.jks -destkeystore <filename>.p12 -srcstoretype jks -deststoretype pkcs12
  • PKCS to PEM (the -nokeys option keeps the private key out of the readable output)
    openssl pkcs12 -in <filename>.p12 -nokeys -out <filename>.crt
  • PEM certificate to text
    openssl x509 -text -in <filename>.crt > <filename>.crt.txt
  • PEM CSR to text (certificate signing request)
    openssl req -text -noout -in <filename>.csr > <filename>.csr.txt

A certificate in readable text (explanatory notes are in parentheses)

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = MN, O = CAsOrg, OU = CAsUnit, CN = CAsName
            (The issuer is the CA who signed the certificate.)
        Validity
            Not Before: Aug 15 13:50:25 2018 GMT
            Not After : Aug 15 13:50:25 2019 GMT
            (This certificate's expiration date.)
        Subject: C = US, ST = MN, L = YourTown, O = YourOrg, OU = YourUnit, CN = yourdomain.tld,
            emailAddress = you@yourcompany.tld
            (Subject: You and the website this certificate validates.)
        Subject Public Key Info:
            (Your public key. Clients use it to encrypt messages.)
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:aa:a4:de:e3:e3:d4:b9:f3:3d:1c:1e:b7:1b:69:
                    4f:5b:22:08:4b:75:81:54:91:8f:63:57:a8:0e:bd:
                    ...
                    ab:a3:21:3f:c4:28:1c:9a:4e:e4:f0:81:a2:ab:73:
                    b3:83
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                (Most browsers require the SAN extension.)
                DNS:yourdomain.tld
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                12:E8:E1:E5:65:57:BB:2A:1C:CC:E3:61:E8:5C:79:34:CF:DD:E3:B1
            X509v3 Authority Key Identifier:
                keyid:F3:16:90:68:9A:B2:85:40:A8:1D:F3:2D:78:B2:6D:4E:82:0C:B0:32
                DirName:/CN=Vera/OU=Vera/O=VeraCA/L=Roseville/ST=MN/C=US
                serial:10:00
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
         29:52:6f:5a:de:26:44:50:ad:e3:33:7b:8d:ba:2e:b5:cb:d9:
         35:21:75:0c:6b:ea:e0:f4:d0:e3:72:8e:5d:9e:3b:02:bf:8f:
         ...
         81:45:8f:1f:71:45:13:0a:ec:f1:0c:70:30:f2:6f:73:cd:5c:
         55:41:b6:b6:0a:fc:fb:c9
-----BEGIN CERTIFICATE-----
MIIFpTCCA42gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwWzELMAkGA1UEBhMCVVMx
CzAJBgNVBAgMAk1OMRUwEwYDVQQKDAxQaGlsTm9yY3Jvc3MxDTALBgNVBAsMBFZl
...
BeWBceJRAcqt2XtY/6HteHUxpxCbSPVcEZWw6dkrM4FFjx9xRRMK7PEMcDDyb3PN
XFVBtrYK/PvJ
-----END CERTIFICATE-----
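An added example (not Code42's or OpenSSL's code) that checks a text dump like the one above for the two things the Troubleshooting section says to look for: a Subject Alternative Name that covers the server's host name, including the one-label wildcard rule mentioned under Before you begin, and a validity window that includes the date of the check. The sample dump is constructed and trimmed to the fields the checker reads; the host names in it are assumptions.

```python
"""Check an openssl x509 -text dump for SAN coverage and validity (added example, not Code42's code)."""
import re
from datetime import datetime, timezone

# Constructed sample dump, trimmed to the fields the checker reads; layout matches openssl's output.
SAMPLE_CERT_TEXT = """Certificate:
    Data:
        Issuer: C = US, ST = MN, O = CAsOrg, OU = CAsUnit, CN = CAsName
        Validity
            Not Before: Aug 15 13:50:25 2018 GMT
            Not After : Aug 15 13:50:25 2019 GMT
        Subject: C = US, ST = MN, L = YourTown, O = YourOrg, OU = YourUnit, CN = *.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.example.com, DNS:example.com
"""
# The same dump with the SAN extension removed, to show the failure the article warns about.
NO_SAN_CERT_TEXT = SAMPLE_CERT_TEXT.replace(
    "            X509v3 Subject Alternative Name:\n"
    "                DNS:*.example.com, DNS:example.com\n", "")

DATE_FMT = "%b %d %H:%M:%S %Y %Z"   # "Aug 15 13:50:25 2019 GMT"


def parse_cert_text(text: str) -> dict:
    """Pull the subject CN, the SAN DNS names and the validity window out of the text dump."""
    cn = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", text, re.MULTILINE)
    san = re.search(r"X509v3 Subject Alternative Name:\s+(.+)", text)
    dns_names = [] if not san else [e.split(":", 1)[1].strip()
                                     for e in san.group(1).split(",") if e.strip().startswith("DNS:")]

    def date(label: str) -> datetime:
        m = re.search(rf"{label}\s*:\s*(.+)", text)
        return datetime.strptime(m.group(1).strip(), DATE_FMT).replace(tzinfo=timezone.utc)

    return {"cn": cn.group(1).strip() if cn else None, "san": dns_names,
            "not_before": date("Not Before"), "not_after": date("Not After")}


def name_matches(pattern: str, host: str) -> bool:
    """A leading '*.' covers exactly one DNS label; any other name must match exactly."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.com"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return pattern == host


def check_certificate(text: str, host: str, now: datetime) -> list:
    """Return the problems found; an empty list means the certificate covers host at time now."""
    info = parse_cert_text(text)
    problems = []
    if not info["san"]:
        problems.append("no X509v3 Subject Alternative Name extension; most browsers distrust this")
    elif not any(name_matches(n, host) for n in info["san"]):
        problems.append(f"SAN {info['san']} does not cover {host}")
    if now < info["not_before"]:
        problems.append(f"not yet valid until {info['not_before']:%Y-%m-%d}")
    if now > info["not_after"]:
        problems.append(f"expired on {info['not_after']:%Y-%m-%d}")
    return problems
```

To check a real certificate, feed it the output of the openssl x509 -text command listed above and the host name your clients connect to.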

Source: https://support.code42.com/CP/Admin/On-premises/6/Configuring/Install_a_CA-signed_SSL_certificate_for_HTTPS_console_access

Posted by: kingoppre1988.blogspot.com
