UMP - How to generate and import a self-signed certificate of 2048-bit strength
UIM & UMP 8.51 & Later
First you must download OpenSSL for Windows from the following location and install it on the UMP server:
http://gnuwin32.sourceforge.net/packages/openssl.htm
For example:
http://downloads.sourceforge.net/gnuwin32/openssl-0.9.8h-1-setup.exe
Once it is installed on the UMP server, follow these steps:
- deactivate wasp probe
- delete the file /Nimsoft/probes/service/wasp/conf/wasp.keystore
- restart wasp which will regenerate the above file
- use the probe utility to access the wasp probe, and run the callback ssl_reinitialize_keystore, providing a password. Make a note of this password, as we will use it in later steps.
Now open a command prompt on the UMP server and navigate to the following location:
C:\Program Files (x86)\Nimsoft\probes\service\wasp\conf
Issue the following command to delete the current 1024-bit certificate:
"C:\Program Files (x86)\Nimsoft\jre\jre8u102\bin\keytool.exe" -delete -alias wasp -keystore wasp.keystore
Issue the following command to generate the public and private key pair, which is valid for one year (you can set the validity to any length you desire; many customers use 3650, which is ten years):
"C:\Program Files (x86)\Nimsoft\jre\jre8u102\bin\keytool.exe" -genkeypair -alias wasp -keyalg RSA -keysize 2048 -keystore wasp.keystore -validity 365
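Next we will generate a certificate signing request for a 1-year certificate. A CSR carries no validity period, so keytool's -certreq takes no -validity option; the one-year lifetime is set with -days 365 when the certificate is created:
"C:\Program Files (x86)\Nimsoft\jre\jre8u102\bin\keytool.exe" -certreq -alias wasp -keystore wasp.keystore -file wasp.csr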
Next we have to export the private key from the keystore so we can use it to generate a self-signed certificate. Start with this command, entering the keystore password you made note of above in the appropriate fields:
"C:\Program Files (x86)\Nimsoft\jre\jre8u102\bin\keytool.exe" -importkeystore -srckeystore wasp.keystore -srcstorepass (keystore password) -srckeypass (keystore password) -destkeystore wasp.keystore.p12 -deststoretype PKCS12 -srcalias wasp -deststorepass (keystore password) -destkeypass (keystore password)
This will create a file called wasp.keystore.p12 in the wasp/conf folder.
Next use this command to export the private key from this .p12 file:
"C:\Program Files (x86)\GnuWin32\bin\openssl" pkcs12 -in wasp.keystore.p12 -passin pass:(keystore password) -nocerts -out wasp.key -passout pass:(keystore password)
This will create a wasp.key file in the wasp/conf folder.
Now we will use this key to generate our actual self-signed certificate:
"C:\Program Files (x86)\GnuWin32\bin\openssl" req -x509 -sha256 -days 365 -key wasp.key -in wasp.csr -out wasp.cer
This will create a wasp.cer file in the wasp/conf folder, which is our certificate.
Now the final step is to import this certificate:
"C:\Program Files (x86)\Nimsoft\jre\jre8u102\bin\keytool.exe" -import -trustcacerts -alias wasp -file wasp.cer -keystore wasp.keystore
Now deactivate the wasp probe and activate it again; the 2048-bit self-signed certificate is then enabled.
Please execute this procedure.
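A check to run after the final import, as an added example that is not part of the original article or of the Nimsoft tooling: it loads wasp.cer with .NET's X509Certificate2 class and reports key size, signature algorithm and expiry, and lists the exported private-key files (wasp.key, wasp.keystore.p12) still present in the conf folder. The function name Test-WaspCertificate is hypothetical; the folder and file names are the ones used in the steps above.

```powershell
# Added example (not CA/Nimsoft code): sanity-check the result of the procedure.
# Folder and file names are the ones used in the article.
$ConfDir = 'C:\Program Files (x86)\Nimsoft\probes\service\wasp\conf'

function Test-WaspCertificate {
    param(
        [string]$ConfDir,
        [int]$MinKeyBits = 2048   # the strength this article targets
    )
    $cerPath = Join-Path $ConfDir 'wasp.cer'
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath

    # Files that hold the exported private key (created by the export steps).
    $leftover = @('wasp.key', 'wasp.keystore.p12' |
        Where-Object { Test-Path (Join-Path $ConfDir $_) })

    $keyBits = $cert.PublicKey.Key.KeySize
    # 1.2.840.113549.1.1.11 is the OID of sha256WithRSAEncryption.
    $sha256 = $cert.SignatureAlgorithm.Value -eq '1.2.840.113549.1.1.11'

    [pscustomobject]@{
        Subject          = $cert.Subject
        KeyBits          = $keyBits
        KeySizeOk        = $keyBits -ge $MinKeyBits
        Sha256Signed     = $sha256
        # Name comparison only; this does not verify the signature itself.
        SubjectIsIssuer  = $cert.Subject -eq $cert.Issuer
        NotAfter         = $cert.NotAfter
        NotExpired       = $cert.NotAfter -gt (Get-Date)
        # SHA-1 thumbprint in keytool's colon-separated style, for comparison.
        Sha1Fingerprint  = $cert.Thumbprint -replace '(..)(?!$)', '$1:'
        # Any name listed here is a copy of the private key outside the keystore.
        ExportedKeyFiles = $leftover
    }
}

Test-WaspCertificate -ConfDir $ConfDir | Format-List
```

Compare Sha1Fingerprint with the SHA1 fingerprint that keytool -list -alias wasp -keystore wasp.keystore prints on the Java 8 JRE used here, to confirm the keystore holds this certificate. Any file named under ExportedKeyFiles should be deleted or restricted to administrators once the import has succeeded.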