How to Import private key into AutoSys Webserver keystore
search cancel

How to Import private key into AutoSys Webserver keystore


Article ID: 232709


Updated On:


CA Workload Automation AE


This article provides steps on how to import a private key into the keystore for AutoSys Webserver using 2048-bit certs.


Release : 12.0

Component : CA Workload Automation AE (AutoSys)


  1. Do Not add Bouncey Castle to Java security file!!
    If it is there, comment it out and renumber the list of providers. The list must start with 1 and continue consecutively (1,2,3,4.....etc)
    # List of providers and their preference orders (see above):

  2. Logon to the AutoSys Web Server machine.

  3. cd to $AUTOUSER/webserver/conf

  4. Backup the existing .keystore file and then remove it.
    mv .keystore .keystore.bak
    rm .keystore

  5. Create a temporary JKS keystore containing your private key and self-signed certificate...
    keytool -genkey -alias tomcat -keyalg RSA -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit -keypass changeit -keysize 2048 -dname "cn=xxxxxxxxx" -validity 720
    Note: xxxxxxxxx is your server HOSTNAME. This can be either short name or fully qualified name.

  6. Generate the CSR
    keytool -certreq -alias tomcat -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit -file certreq.csr

  7. Download .csr to desktop

  8. Import the Root cert:
    keytool -importcert -alias RootCA  -file $AUTOUSER/webserver/conf/<name_of_your_Root_cert_file> -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit
    Example name of cert file: RootCA.crt, RootCA.cer

  9. Import the sub CA cert:
    keytool -importcert -alias SubCA1 -file $AUTOUSER/webserver/conf/<name_of_your_CA1_cert_file> -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit
    Example name of cert file: CA1.crt, CA1.cer

  10. Import the sub CA2 cert:
    keytool -importcert -alias SubCA2 -file $AUTOUSER/webserver/conf/<name_of_your_CA2_cert_file> -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit
    Example name of cert file: CA2.crt, CA2.cer

  11. Trusted/Private cert:
    keytool -importcert -trustcacerts -file /webserver/conf/<hostname>.crt -alias tomcat -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit

  12. Test the keystore.
    $JAVA_HOME/bin/keytool -storepass changeit -list -v -keystore .keystore2

  13. Convert the temporary JKS keystore to a BCFKS keystore with the correct file name that the Web Server will expect.
    keytool -importkeystore -srckeystore $AUTOUSER/webserver/conf/.keystore2 -destkeystore $AUTOUSER/webserver/conf/.keystore -deststoretype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath $AUTOSYS/lib/bc-fips.jar

  14. $JAVA_HOME/bin/keytool -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath $AUTOSYS/lib/bc-fips.jar -storepass changeit  -storetype BCFKS -list -v -keystore .keystore

  15. Update owner and permissions on the keystore file.

  16. Restart webservices and soapserver

Additional Information

Product Documentation: Customize SSL for Web Services

KB Article: Error importing signed certificate into AutoSys Web Server keystore - keytool error: java.lang.Exception: Public keys in reply and keystore don't match