- \n
- You will need access to a trusted Certificate Authority (CA).\n
- \n
- If you do not have access to a trusted CA, you will need OpenSSL.<\/li>\n<\/ul>\n<\/li>\n
- You will need Perl.<\/li>\n<\/ul>\n
<\/a>Create Self-Signed Certificates Using OpenSSL<\/h2>\n
Note<\/strong>: If you have access to a trusted Certificate Authority (CA) and already have the cacert.pem<\/strong>, servercert.pem<\/strong> and serverkey.pem<\/strong> files, skip to Generate Keystores<\/a>.<\/p>\n
To create a self-signed certificate using OpenSSL, perform the following steps:<\/p>\n
- \n
- Locate OpenSSL CA.pl<\/strong> file as this file is required to create a dummy CA certificate file. This will be inside the bin<\/strong> directory within the OpenSSL directory.<\/li>\n
- Create a temporary directory to store the certificates and navigate to it in the command line<\/li>\n
- Execute the following command based on your operating system (you may need to edit the path accordingly)<\/li>\n<\/ol>\n
Linux<\/strong><\/p>\n
\/usr\/lib\/ssl\/misc\/CA.pl -newca<\/pre>\n
Windows<\/strong><\/p>\n
C:\\OpenSSL-Win32\\bin\\CA.pl -newca<\/pre>\n
![\"\"](\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2017\/12\/word-image-9.png\")
Figure 1. Create Certificate and Private Key<\/em><\/figcaption><\/figure>\n This creates demoCA\/cacert.pem<\/strong> (CA Certificate) and demoCA\/private\/cakey.pem<\/strong> (private key)<\/p>\n
- \n
- Make a server certificate signing request (CSR) using the following command:<\/li>\n<\/ol>\n
openssl req -newkey rsa:2048 -nodes -keyout newreq.pem -out newreq.pem<\/pre>\n
![\"\"](\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2017\/12\/word-image-10.png\")
Figure 2. Create CSR<\/em><\/figcaption><\/figure>\n Note: <\/strong>The Common Name <\/strong>is the fully qualified domain name (FQDN) of your server. This must match the servername\/hostname.<\/p>\n
- \n
- Execute the following command based on your operating system. You may need to edit the path accordingly.<\/li>\n<\/ol>\n
Linux<\/strong><\/p>\n
\/usr\/lib\/ssl\/misc\/CA.pl -sign<\/pre>\n
Windows<\/strong><\/p>\n
C:\\OpenSSL-Win32\\bin\\CA.pl -sign<\/pre>\n
![\"\"](\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2017\/12\/word-image-11.png\")
Figure 3. Certificate Created<\/em><\/figcaption><\/figure>\n You should have the following three files:<\/p>\n
- \n
- cacert.pem<\/strong><\/li>\n
- newreq.pem<\/strong><\/li>\n
- newcert.pem<\/strong><\/li>\n<\/ul>\n
- \n
- Rename newreq.pem<\/strong> to serverkey.pem<\/strong>.<\/li>\n
- Rename newcert.pem<\/strong> to servercert.pem<\/strong>.<\/li>\n<\/ol>\n
<\/a>Generate Keystores<\/h2>\n
You should have the following three files:<\/p>\n
- \n
- cacert.pem<\/strong><\/li>\n
- serverkey.pem<\/strong><\/li>\n
- servercert.pem<\/strong><\/li>\n<\/ul>\n
- \n
- Convert the servercert.pem<\/strong> file to PKC12 format (*.p12) using the following command:<\/li>\n<\/ol>\n
openssl pkcs12 -export -in servercert.pem -inkey serverkey.pem -out servercert.p12 -name servercertificate<\/pre>\n
Note<\/strong>: The converted file (servercert.p12) acts as a server certificate and is used to generate keystore. When prompted for Export Password, enter a password and keep the password safe.<\/p>\n
- \n
- Create a java keystore file by converting the servercert.p12<\/strong> file to Java Keytool format by using the following command:<\/li>\n<\/ol>\n
keytool -importkeystore -destkeystore servercert.jks -srckeystore servercert.p12 -srcstoretype PKCS12 -alias servercertificate<\/pre>\n
Note<\/strong>: When prompted for the destination keystore password<\/strong>, enter a password and keep it safe. It will be used as the keystore password<\/strong> in the server.xml<\/strong> file. Also, when prompted for the source keystore password, enter the export password for input servercert.p12<\/strong> file created in the previous step (Step 8).<\/p>\n
- \n
- Navigate to the demoCA directory (cd demoCA) and create a java truststore file by converting the cacert.pem<\/strong> file to Java Keytool format by using the following command:<\/li>\n<\/ol>\n
keytool -import -keystore cacerts.jks -alias cacert -file cacert.pem<\/pre>\n
Note<\/strong>: When prompted for keystore password<\/strong>, enter a password and keep the password safe. It will be used as the truststore password<\/strong> in the server.xml <\/strong>file.<\/p>\n
![\"\"](\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2017\/12\/word-image-12.png\")
Figure 4. Add Certificate to Keystore<\/em><\/figcaption><\/figure>\n <\/a>Generate a Certificate Signing Request (CSR)<\/h2>\n
- \n
- Create a new key-CSR pairing<\/li>\n<\/ol>\n
keytool -genkey -alias servercertificate -keyalg RSA -keysize 2048 -keystore servercert.jks<\/pre>\n
- \n
- Enter your DN information and confirm it with a “yes” when prompted<\/li>\n
- Create a new Certificate Signing Request (CSR)<\/li>\n<\/ol>\n
keytool -certreq -alias servercertificate -keyalg RSA -file yourdomain.csr -keystore servercert.jks<\/pre>\n
- \n
- Enter your keystore password.<\/li>\n
- Send the CSR to your Certificate Authority (CA).<\/li>\n
- Make a copy of servercert.jks<\/strong> and rename the copy file as cacerts.jks.<\/strong><\/li>\n
- Once you have received the cacert.pem<\/strong> and servercert.pem<\/strong> from your CA, execute the following commands to import the certificates.<\/li>\n<\/ol>\n
keytool -import -keystore cacerts.jks -alias cacert -file cacert.pem\r\nkeytool -import -keystore servercert.jks -alias servercertificate -file servercert.pem<\/pre>\n
<\/a>Configure SSL\/TLS Using Generated Certificates<\/h2>\n
To configure SSL\/TLS in Ephesoft Transact, perform the following steps.<\/p>\n
- \n
- Take a backup of the existing server.xml<\/strong> file located at [Ephesoft_Directory<\/em>]<\/strong>\/JavaAppServer\/conf.<\/li>\n
- Open the server.xml <\/strong>in edit mode and locate the existing HTTP\/HTTPS connector.<\/li>\n<\/ol>\n
![\"\"](\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2017\/12\/word-image-13.png\")
Figure 5. Locate HTTPS Connector<\/em><\/figcaption><\/figure>\n - \n
- Comment the existing connector by surrounding the connector tag in comment tags.<\/li>\n<\/ol>\n
![\"\"](\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2017\/12\/word-image-14.png\")
Figure 6. Comment Out Existing Connector<\/em><\/figcaption><\/figure>\n - \n
- Locate the comment \u201cConnector for enabling PIV\/CAC configuration\u201d. Uncomment the following lines:<\/li>\n<\/ol>\n
![\"\"](\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2017\/12\/word-image-15.png\")
Figure 7. Uncomment New Connector Protocol<\/em><\/figcaption><\/figure>\n This connector includes the following configurable properties:<\/p>\n
- Locate the comment \u201cConnector for enabling PIV\/CAC configuration\u201d. Uncomment the following lines:<\/li>\n<\/ol>\n
- Open the server.xml <\/strong>in edit mode and locate the existing HTTP\/HTTPS connector.<\/li>\n<\/ol>\n
- Once you have received the cacert.pem<\/strong> and servercert.pem<\/strong> from your CA, execute the following commands to import the certificates.<\/li>\n<\/ol>\n
- Create a new key-CSR pairing<\/li>\n<\/ol>\n
- Navigate to the demoCA directory (cd demoCA) and create a java truststore file by converting the cacert.pem<\/strong> file to Java Keytool format by using the following command:<\/li>\n<\/ol>\n
- Create a java keystore file by converting the servercert.p12<\/strong> file to Java Keytool format by using the following command:<\/li>\n<\/ol>\n
- serverkey.pem<\/strong><\/li>\n
- Rename newcert.pem<\/strong> to servercert.pem<\/strong>.<\/li>\n<\/ol>\n
- newreq.pem<\/strong><\/li>\n
- cacert.pem<\/strong><\/li>\n
- Execute the following command based on your operating system. You may need to edit the path accordingly.<\/li>\n<\/ol>\n
- Locate OpenSSL CA.pl<\/strong> file as this file is required to create a dummy CA certificate file. This will be inside the bin<\/strong> directory within the OpenSSL directory.<\/li>\n
![](\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2017\/12\/word-image-16.png\")
<\/strong><\/p>\n![](\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2017\/12\/word-image-17.png\")
<\/strong><\/p>\n![\"\"](\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2017\/12\/word-image-18.png\")
![\"\"](\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2017\/12\/word-image-19.png\")
![\"\"](\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2017\/12\/word-image-20.png\")