CKB:SSL certificates: Difference between revisions

From Cryptshare Documentation
Latest revision as of 12:51, 30 December 2022


Applies to

All versions of Cryptshare Server

Purpose

In this article, you will find an overview on how to set up a new SSL certificate, install your wildcard certificate, generate a CSR or resolve certificate related error messages.

Solution

Generating CSR from existing keystore

If you already have a KeyStore on your Cryptshare Server and would like to generate a CSR (Certificate Signing Request) for a certificate authority, follow these steps:

1. Copy the current KeyStore from your Cryptshare Server to your computer using WinSCP.

2. Open the KeyStore with KeyStore Explorer.

3. Enter the password 'CA0AZhuFM4NogQh'.

4. Generate the CSR.

5. Enter the password 'CA0AZhuFM4NogQh' again.

6. Save the CSR file.

7. Proceed with the paragraph Public SSL Certificate.


Installation of an existing SSL certificate (e.g. wildcard SSL certificate)

This section describes how to install an already existing SSL certificate (e.g. a wildcard SSL certificate) on your Cryptshare Server.

1. Create a new Java KeyStore with KeyStore Explorer.

2. Select JKS as the type of the new KeyStore.

3. Import the available SSL certificate.

4. Select the certificate format, e.g. pkcs12 (.pfx) or OpenSSL (.crt, .cer, .pem).

5. Use the default password 'CA0AZhuFM4NogQh' to import the key pair.

6. Import and check the certificate chain.

7. Save the KeyStore.

8. Use the default password 'CA0AZhuFM4NogQh' to save the KeyStore.

9. Install the created KeyStore on the Cryptshare Server as described in Setting up an SSL Certificate.

SSL certificate related errors:

Start failed after SSL KeyStore installation

A new KeyStore has been created, or a new SSL certificate has been installed in the existing KeyStore, but the Cryptshare Server fails to start after the KeyStore is installed.

The most common reason is a wrong KeyStore format or a wrong password. Please check whether the following settings are correct:

1. The format of the KeyStore is 'JKS'.

2. The password for the certificate in the KeyStore is the default password 'CA0AZhuFM4NogQh'.

3. The password for the KeyStore is the default password 'CA0AZhuFM4NogQh'.
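
The format check and the KeyStore password check above can also be made without a GUI. The following Python sketch is an added example, not part of the Cryptshare documentation: it identifies the container type from the file header, verifies a store password against the JKS integrity digest and lists each entry with the length of its certificate chain. The function names and the sample keystore are constructed for illustration, and the password of the key entry itself (check 2) is not tested.

```python
import hashlib
import struct

MAGIC = {b"\xfe\xed\xfe\xed": "JKS", b"\xce\xce\xce\xce": "JCEKS"}
SALT = b"Mighty Aphrodite"  # fixed string mixed into the JKS integrity digest

def keystore_format(data):
    """Identify the container; PKCS#12 is DER and starts with SEQUENCE (0x30)."""
    return MAGIC.get(data[:4], "PKCS12" if data[:1] == b"\x30" else "unknown")

def store_password_ok(data, password):
    """Recompute the SHA-1 integrity digest kept in the last 20 bytes."""
    keyed = password.encode("utf-16-be") + SALT + data[:-20]
    return hashlib.sha1(keyed).digest() == data[-20:]

def _utf(data, pos):  # 2-byte length + string
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def _skip_blob(data, pos):  # 4-byte length + bytes
    return pos + 4 + struct.unpack_from(">I", data, pos)[0]

def _skip_cert(data, pos, version):
    if version == 2:  # version 2 stores the certificate type first
        pos = _utf(data, pos)[1]
    return _skip_blob(data, pos)

def jks_entries(data):
    """Return (alias, kind, number of certificates) for each entry."""
    version, count = struct.unpack_from(">II", data, 4)
    pos, out = 12, []
    for _ in range(count):
        tag = struct.unpack_from(">I", data, pos)[0]
        alias, pos = _utf(data, pos + 4)
        pos, certs = pos + 8, 1  # skip the creation timestamp
        if tag == 1:  # private key entry: key blob, then its chain
            pos = _skip_blob(data, pos)
            certs, pos = struct.unpack_from(">I", data, pos)[0], pos + 4
        for _ in range(certs):
            pos = _skip_cert(data, pos, version)
        out.append((alias, "private key" if tag == 1 else "trusted certificate", certs))
    return out

def build_sample(password, chain=2):
    """Constructed sample keystore with placeholder key and certificate bytes."""
    lp = lambda fmt, b: struct.pack(fmt, len(b)) + b  # length-prefixed field
    entry = (struct.pack(">I", 1) + lp(">H", b"sample-alias") + bytes(8) + lp(">I", b"KEY")
             + struct.pack(">I", chain) + (lp(">H", b"X.509") + lp(">I", b"CERT")) * chain)
    body = b"\xfe\xed\xfe\xed" + struct.pack(">II", 2, 1) + entry
    return body + hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()
```

To check a real file, pass the result of `open(path, "rb").read()` to these functions; a result of "PKCS12" from `keystore_format` means the file was saved in a format other than the JKS format required above.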


The requested public SSL certificate cannot be imported

The requested SSL certificate cannot be imported into the Keystore with the following error:

  • English: Could not establish trust for the CA Reply.
  • German: Vertrauenskette für die CA Antwort konnte nicht erstellt werden.

Export the private key from the keystore used to create the CSR file and import it together with the requested SSL certificate into a new keystore.

1. Open the existing keystore that was used to generate the CSR file.

2. Right-click the entry in the keystore.

3. Open the menu entry 'Export --> Export Private Key'.

4. Save the private key in OpenSSL format to your local machine.

5. Create a new Java keystore of type JKS.

6. Import the available SSL certificate.

7. Select the certificate format, e.g. pkcs12 (.pfx) or OpenSSL (.crt, .cer, .pem).

8. Import and check the certificate chain.

9. Save the keystore.

10. Use the default password 'CA0AZhuFM4NogQh' to save the keystore.

11. Install the created keystore on the Cryptshare Server as described in Setting up an SSL Certificate.


The connection to LDAP cannot be established using SecureLDAP

If the connection to LDAP cannot be established using SecureLDAP, the cause is usually that a self-signed SSL certificate is installed on the LDAP server, which Java does not trust.

Follow the steps below to import the LDAP SSL certificate into the Java keystore of the Cryptshare installation:

Linux Server

  • Copy the SSL certificate in X.509 format (.cer, .crt, .pem) to the folder /root.
  • Log in as root on the appliance.
  • Change into the Java folder and change the permissions for keytool:
`cd /opt/cryptshare-3/jre/bin/`

`chmod +x keytool`

  • Import the SSL certificate:
`./keytool -import -trustcacerts -keystore ../lib/security/cacerts -alias <sitename> -file <SSL Certificate>`

where <sitename> (the alias) is the name of the LDAP server and <SSL Certificate> is the certificate file including its path, e.g. /root/LDAP-SSL-certificate.crt. The default password for the Java certificate store is changeit.

  • Restart the Cryptshare service:
`rccryptshare restart`

Windows Server

  • Copy the SSL certificate in X.509 format (.cer, .crt, .pem) to the server.
  • Open a command line.
  • Change into the Cryptshare Java folder:
`cd <Cryptshare installation folder>\jre\bin`
  • Import the SSL certificate:
`keytool.exe -import -trustcacerts -keystore ..\lib\security\cacerts -alias <sitename> -file <SSL Certificate>`

where <sitename> (the alias) is the name of the LDAP server and <SSL Certificate> is the certificate file including its path, e.g. <User Desktop>\LDAP-SSL-certificate.crt. The default password for the Java certificate store is changeit.

  • Restart the Cryptshare service.

The SecureLDAP connection should now work.