Menu
I'm trying to enable SSL for Boomi webservices. I've followed the instructions on their documentation to generate the CSR and sent it to CA for signing. I've received the signed certificate in .pem format. I've looked at the contents of the file and it doesn't contain any information about any private key.
These are the steps on Boomi's documentation.
1) Replace the keystore path, KEYSTORENAME and –dname parameters in this command with your information (this –dname “….” option can be omitted if the trusted root authority requests this information when submitting the CSR) and run the following command to generate the key:
keytool -genkey -dname "CN=HOSTNAME, OU=ORGUNIT, O=ORG, L=LOCATION, S=STATE, C=COUNTRY" -alias Boomi -keyalg RSA -keystore c:\Certificates\Boomi\KEYSTORENAME -keysize 2048
2) Replace the KEYSTORENAME in this command and run the following command to generate the CSR:
keytool -certreq -keyalg RSA -alias Boomi -file c:\Certificates\Boomi\KEYSTORENAME.csr -keystore c:\Certificates\Boomi\KEYSTORENAME
3) Submit the CSR to the Trusted Root Authority (for example, Verisign), and request/download the returned certificate in PKCS7 format. This will have a public, G3 intermediate, and G5 intermediate certificate all in one certificate. Java must be 1.6 or newer.
4) Replace the certificate file path\name and keystore path\name in this command and run the following command to import the PKCS7 certificate:
keytool -import -alias Boomi -trustcacerts -file c:\Certificates\Boomi\NEWCERTNAME.p7b -keystore c:\Certificates\Boomi\KEYSTORENAME
5) Replace the new and destination keystore paths/names and passwords (if different from changeit) in this command and run the following command to convert to .p12 format for import into Boomi:
keytool -importkeystore -srckeystore c:\Certificates\Boomi\KEYSTORE -destkeystore c:\Certificates\Boomi\KEYSTORENAME.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit -srcalias Boomi -destalias Boomi -srckeypass changeit -destkeypass changeit -noprompt
I'm stuck at step 4 because I don't have the signed certificate in .p7b format. I've searched around for any information about how to convert .pem file to .p7b file, and all of them mention that the .pem file will contain key information along with the certificate information. But since the .pem file that I have doesn't have the key info, how should I go about converting .pem to .p7b and eventually arrive at .p12 cert.
Also, if possible, can you please explain what do these formats mean?
498
First, check out this ServerFault answer for information on keys and keyformats.
Second, to address your issue, the .pem file may or may not contain private key information. In the case of a signed certificate (signed after submitting CSR to the CA), it typically will not inlcude the private key. In your instructions, the private key exists in the keystore, already. I believe the command in instruction number 4 will import the trustchain (.p7b) into the keystore, so you'll have the public key, private key, and trust chain all in the same [protected] file.
If you don't have the file in the .p7b format, you could request the CA send it to you in .p7b format.
Barring that, the first thing I would try is changing the command to include the .pem file instead of the .p7b file. keytool is pretty smart, and I would think it would figure out what it needed to do to import the .pem instead of the .p7b.
If that doesn't work for some reason, there's more you can do, but things start to get more complicated. I would start with this link. Good luck!
191
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
