*******************************************
Importing a P12 (i.e.: PKCS12) Certificate Chain into a BridgeGate Java KeyStore (JKS)
*******************************************
Keytool path: C:\bridgegate\java\bin\keytool.exe
Openssl path: C:\bridgegate\utils\openssl\openssl.exe
P12 Certificate Chain: C:\data\cert\Bridgegate_HUBCertificates.p12
BG Staging JSK KeyStore: C:\data\cert\bridgegate.jks
*** Note: The Alias used in the JKS does not need to match the Common Name (CN) of the Client System Key. The more important thing is that the BridgeGate Java KeyStore (JKS) does not contain duplicate aliases. ***
1) List and verify P12 Certificate Chain contents:
c:\bridgegate\java\bin>keytool -v -list -storetype pkcs12 -keystore C:\data\cert\Bridgegate_HUBCertificates.p12
Enter keystore password:
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: Bridgegate_HUB
Creation date: Jul 11, 2014
Entry type: SecretKeyEntry
2) IF the P12 Certificate Chain file is not password locked, you will need to recreate is with a password:
*** Export you current certificate to a password less pem type. Note: Leave the ‘Import Password’ field empty in this step.
c:\bridgegate\utils\openssl>openssl pkcs12 -in C:\data\cert\Bridgegate_HUBCertificates.p12 -out C:\data\cert\export.tmp.pem -nodes
Enter Import Password:
MAC verified OK
*** Convert the password less pem to a new pfx file with password:
C:\bridgegate\utils\openssl>openssl pkcs12 -export -in C:\data\cert\export.tmp.pem -out C:\data\cert\Bridgegate_HUBCertificates.locked.p12 -name “Bridgegate_HUB”
Loading ‘screen’ into random state – done
Enter Export Password:
Verifying – Enter Export Password:
3) Confirm Alias name is new password locked P12 Certificate Chain. Step 2 creates alias based on -name argument, if this is left out, the alias name can be “1”.
*** Confirm Chain length of 3 and the Owner/Issuer of each Certificate are in the proper order. ****
c:\bridgegate\java\bin>keytool -v -list -storetype pkcs12 -keystore C:\data\cert\Bridgegate_HUBCertificates.locked.p12
Enter keystore password: ******
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: bridgegate_hub
Creation date: Jul 14, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=Bridgegate_HUB ClientSystem, OU=IT, O=ICA, L=Nashville, ST=TN, C=US
Issuer: CN=uat CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US
.
Certificate[2]:
Owner: CN=uat CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US
Issuer: CN=ICA Root CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US
.
Certificate[3]:
Owner: CN=ICA Root CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US
Issuer: CN=ICA Root CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US
4) Import the P12 Certificate Chain into your BridgeGate Java KeyStore (JKS).
**** Note: You can alter the Alias name with the -alias and -destalias arguments. ****
c:\bridgegate\java\bin>keytool -importkeystore -destkeystore C:\data\cert\bridgegate.jks -srckeystore C:\data\cert\Bridgegate_HUBCertificates.locked.p12-srcstoretype PKCS12
Enter destination keystore password:
Enter source keystore password:
Entry for alias Bridgegate_HUB successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
5) Verify the JKS contains the new Certificate under the correct Alias.
*** WARNING: This password field is displayed on screen as clear text! ***
c:\bridgegate\java\bin>keytool -v -list -storetype jks -keystore C:\data\cert\bridgegate.jks > c:\data\cert\out.txt
Enter keystore password: *********