Our corporate standard is to set up our Web Servers with SSL using our approved "Wildcard" certificate.
How do we get the OneClick Web Server configured with SSL using a "Wildcard" certificate?
IMPORTANT: Make a copy of your $SPECROOT/custom/keystore/cacerts before attempting to import the "wildcard" certificates into the cacerts file.
Converting Wildcard SSL Certificate files to the Java Keystore format:
Make sure your working folder contains all the certificate files you received from the Certificate Authority and the original private key file used to generate your "wildcard" CSR (certificate signing request).
If you received your certificate from Comodo in "other" format you will have several separate files, which need to be assembled in the correct order:
cat [Wildcard_PrivateKey.crt] [Wildcard_SignedCert.crt] [Intermediate_Cert.crt] [CA_Root_Cert.crt] > ca_bundle.pem
They are now all bundled in a single file (ca_bundle.pem).
openssl pkcs12 -export -name <alias.domain.com> -in <ca_bundle.pem> -inkey <domain.com.key> -out <keystore.p12>
Where:
-name <alias.domain.com> is the host name you are going to be using the key on. This will also be the alias name in Step 4.
Do not use the *.domain.com address as the name.
Use something like alias.domain.com, somename.domain.com, hostname.domain.com, etc.
-in <ca_bundle.pem> is the bundled Certificate Authority file containing your signed certificate.
-inkey <domain.com.key> is the wildcard private key file from the server that generated your "wildcard" CSR (certificate signing request).
-out <keystore.p12> is just the output file that you pick. This can be anything you choose. I used keystore.p12 as an example.
You will be asked to set an export password. To keep things simple, use the cacerts keystore password.
keytool -importkeystore -destkeystore <path/cacerts> -srckeystore <keystore.p12> -srcstoretype pkcs12 -alias <alias.domain.com>
Where:
-destkeystore <path/cacerts> is the name of the destination keystore file you want the files imported to.
-srckeystore <keystore.p12> is the PKCS12 keystore file you created in Step 3.
-alias <alias.domain.com> is the name specified in Step 3.
IMPORTANT – the alias must match the name given in Step 3.
You will be asked to enter the password again. Use your cacerts password.
Verify that the entry was imported with its full certificate chain:
keytool -list -v -alias <alias.domain.com> -keystore <path/cacerts>
If you have already generated a "self-signed" certificate for your OneClick Web Server, you will need to remove the "self-signed" certificate from the cacerts keystore file, otherwise the "self-signed" certificate will take precedence over your "wildcard" certificate.
The command to remove a certificate from the cacerts file is:
keytool -delete -alias <alias.domain.com> -keystore <path/cacerts>
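The whole procedure above, wrapped in one script as an added example (not from the original article or the Spectrum product). It adds the checks a practitioner wants before touching cacerts: the alias is refused if it is the bare *.domain.com wildcard, the private key is confirmed to belong to the signed certificate, cacerts is backed up, and the final keytool listing must show a chain of more than one certificate. The key is passed only via -inkey rather than also being concatenated into the bundle; SPECROOT, WORK, STOREPASS and the file names are assumed, not taken from the article.

```shell
#!/bin/sh
# Added example: wildcard certificate import into the OneClick cacerts keystore.
# Assumed (not from the article): SPECROOT, WORK, STOREPASS and the file names.
set -eu

SPECROOT="${SPECROOT:-/opt/spectrum}"          # assumed default install path
CACERTS="$SPECROOT/custom/keystore/cacerts"
WORK="${WORK:-$PWD}"
STOREPASS="${STOREPASS:-}"                     # cacerts keystore password

# The alias must be a concrete host name (alias.domain.com), never *.domain.com.
validate_alias() {
    case "$1" in
        ''|\**|*' '*|*/*) return 1 ;;          # empty, leading '*', spaces, slashes
        *.*) return 0 ;;                        # at least one dot: host.domain.tld
        *) return 1 ;;
    esac
}

# Confirm the private key belongs to the signed certificate before bundling.
# A mismatch yields a PKCS#12 that keytool happily imports but that no TLS
# client can use. Compares public keys, so it also works for ECDSA keys.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# import_wildcard ALIAS KEY LEAF_CERT INTERMEDIATE_CERT ROOT_CERT
import_wildcard() {
    alias_name=$1; key=$2; leaf=$3; inter=$4; root=$5
    [ -n "$STOREPASS" ] || { echo "STOREPASS not set" >&2; return 1; }
    validate_alias "$alias_name" || { echo "bad alias: $alias_name" >&2; return 1; }
    key_matches_cert "$key" "$leaf" || { echo "key does not match cert" >&2; return 1; }
    cp -p "$CACERTS" "$CACERTS.bak.$(date +%Y%m%d%H%M%S)"   # backup first
    cat "$leaf" "$inter" "$root" > "$WORK/ca_bundle.pem"      # leaf first, root last
    openssl pkcs12 -export -name "$alias_name" -in "$WORK/ca_bundle.pem" \
        -inkey "$key" -passout env:STOREPASS -out "$WORK/keystore.p12"
    # Drop a stale self-signed entry under the same alias, otherwise it wins.
    keytool -delete -alias "$alias_name" -keystore "$CACERTS" \
        -storepass "$STOREPASS" 2>/dev/null || true
    keytool -importkeystore -destkeystore "$CACERTS" -deststorepass "$STOREPASS" \
        -srckeystore "$WORK/keystore.p12" -srcstoretype pkcs12 \
        -srcstorepass "$STOREPASS" -alias "$alias_name" -noprompt
    # The entry must carry the full chain, not just the leaf certificate.
    keytool -list -v -alias "$alias_name" -keystore "$CACERTS" \
        -storepass "$STOREPASS" | grep -q 'Certificate chain length: [2-9]'
}
```

Run it as `STOREPASS=... sh import.sh` after defining the call, e.g. `import_wildcard oneclick.domain.com domain.com.key Wildcard_SignedCert.crt Intermediate_Cert.crt CA_Root_Cert.crt`.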
For more information on how to set up the OneClick Server for SSL, see the "OneClick Server Communications and Network Configuration" Guide, section "Configure OneClick for Secure Sockets Layer".