This article provides steps on how to import a private key into the keystore for AutoSys Webserver using 2048-bit certs.

Release : 12.0

Component : CA Workload Automation AE (AutoSys)

1. Do Not add Bouncey Castle to Java security file!!
   If it is there, comment it out and renumber the list of providers. The list must start with 1 and continue consecutively (1,2,3,4.....etc)
   #
   # List of providers and their preference orders (see above):
   #
   security.provider.1=sun.security.provider.Sun
   security.provider.2=sun.security.rsa.SunRsaSign
   security.provider.3=sun.security.ec.SunEC
   security.provider.4=com.sun.net.ssl.internal.ssl.Provider
   security.provider.5=com.sun.crypto.provider.SunJCE
   security.provider.6=sun.security.jgss.SunProvider
   security.provider.7=com.sun.security.sasl.Provider
   security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
   security.provider.9=sun.security.smartcardio.SunPCSC
   
   
2. Logon to the AutoSys Web Server machine.
   
   
3. cd to $AUTOUSER/webserver/conf
   
   
4. Backup the existing .keystore file and then remove it.
   mv .keystore .keystore.bak
   rm .keystore
   
   
5. Create a temporary JKS keystore containing your private key and self-signed certificate...
   keytool -genkey -alias tomcat -keyalg RSA -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit -keypass changeit -keysize 2048 -dname "cn=xxxxxxxxx" -validity 720
   Note: xxxxxxxxx is your server HOSTNAME. This can be either short name or fully qualified name.
   
   
6. Generate the CSR
   keytool -certreq -alias tomcat -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit -file certreq.csr
   
   
7. Download .csr to desktop
   
   
8. Import the Root cert:
   keytool -importcert -alias RootCA  -file $AUTOUSER/webserver/conf/<name_of_your_Root_cert_file> -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit
   Example name of cert file: RootCA.crt, RootCA.cer
   
   
9. Import the sub CA cert:
   keytool -importcert -alias SubCA1 -file $AUTOUSER/webserver/conf/<name_of_your_CA1_cert_file> -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit
   Example name of cert file: CA1.crt, CA1.cer
   
   
10. Import the sub CA2 cert:
    keytool -importcert -alias SubCA2 -file $AUTOUSER/webserver/conf/<name_of_your_CA2_cert_file> -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit
    Example name of cert file: CA2.crt, CA2.cer
    
    
11. Trusted/Private cert:
    keytool -importcert -trustcacerts -file /webserver/conf/<hostname>.crt -alias tomcat -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit
    
    
12. Test the keystore.
    $JAVA_HOME/bin/keytool -storepass changeit -list -v -keystore .keystore2
    
    
13. Convert the temporary JKS keystore to a BCFKS keystore with the correct file name that the Web Server will expect.
    keytool -importkeystore -srckeystore $AUTOUSER/webserver/conf/.keystore2 -destkeystore $AUTOUSER/webserver/conf/.keystore -deststoretype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath $AUTOSYS/lib/bc-fips.jar
    
    
14. $JAVA_HOME/bin/keytool -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath $AUTOSYS/lib/bc-fips.jar -storepass changeit  -storetype BCFKS -list -v -keystore .keystore
    
    
15. Update owner and permissions on the keystore file.
    
    
16. Restart webservices and soapserver

Product Documentation: Customize SSL for Web Services

KB Article: Error importing signed certificate into AutoSys Web Server keystore - keytool error: java.lang.Exception: Public keys in reply and keystore don't match