Need help with Cloud Proxy configuration for Certificate Authority Certificates (PKCS8)

Article ID: 235310


Updated On:

Products

DX SaaS

Issue/Introduction

I'm trying to configure the DX SaaS Cloud proxy to use my existing EM certificates & JKS. Need help on proper setup or conversion from EM Java KeyStore to this setup:

– apm.server.keyCertChainFile
Input a path to an X.509 certificate file in PEM format.
– apm.server.keyFile
Input a path to a PKCS#8 private key file in PEM format

My current certificate files are based on PKCS#7, so not sure if this is an issue. I have access to these files:

.crt – the default certificate format returned when using the Sectigo email retrieval link for “x509 Certificate Only; Base 64 encoded” certificate. Most applications use this.

.cer – The format used by most servers (Web, Application) in order to validate or verify their identity.

.pem – Created by using OpenSSL to change the extension from .crt to .pem. The format needed to construct a .pfx file. For private key installation on a server.

PKCS12 (.pfx) – Also known as the PFX or p12 File. Created when you combine the Certificate Authority (Sectigo) Chained Pem, your certificate (in .pem format) and the private key (.key file) in a single, encrypted file.

Chained .pem – Contains the Certificate Authority (Sectigo) public root and intermediate certificates. Needed to create a .pfx file.

PKCS7 – only stores the X.509 certificate, does not include the private key

I currently have configured:

# SSL Configuration
# If true, then the secure server will generate a self-signed certificate on startup. (default: true)
apm.server.useSelfSignedCert: false

# A X.509 certificate chain file in PEM format. If apm.server.useSelfSignedCert is set to true, then the certificate and key will be ignored.
apm.server.keyCertChainFile: /opt/ca/cloudproxy/config/Certificates/apm_etc_ams1907_com_EE_96_65_FA_8A_FA_B3_F0_E6_7D_04_B0_D9_D9_BC_DD.cer

# A PKCS#8 private key file in PEM format. If apm.server.useSelfSignedCert is set to true, then the certificate and key will be ignored.
apm.server.keyFile: /opt/ca/cloudproxy/config/Certificates/apm_etc_ams1907_com_EE_96_65_FA_8A_FA_B3_F0_E6_7D_04_B0_D9_D9_BC_DD.pem
#apm.server.keyFile: /opt/ca/cloudproxy/config/Certificates/NEW_APM.pem

# Protocols enabled for encrypted connections
apm.server.secureProtocols: TLSv1.2

Environment

Release : SAAS

Component : Integration with APM

Resolution

  1. Download the PEM certificate from the Certificate Tool that was used to create the JKS for the APM EMs.

  2. Create a PKCS#7 file from it:

     • openssl crl2pkcs7 -nocrl -certfile <downloaded PEM> -out <NEW NAME>.p7b

  3. Create the X.509 certificate chain file in PEM format:

     • openssl pkcs7 -in <NEW NAME>.p7b -print_certs -out <NEW NAME>.pem

  4. Create the PKCS#8 private key file in PEM format (this example uses the JKS built when creating the CSR for the request):

     • keytool -importkeystore -srckeystore <NEW JKS>.jks -destkeystore <NEW NAME>.p12 -deststoretype PKCS12
     • openssl pkcs12 -in <NEW NAME>.p12 -nodes -nocerts -out <NEW NAME>_KEY.pem

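As an added example that is not part of this article, the following POSIX shell script wraps steps 2 to 4 above and then checks the two resulting files the way an operator would before pointing application.yml at them: the chain file holds at least two certificates, the key file is a single unencrypted PKCS#8 block, its permissions exclude group and others, and its public key matches the leaf certificate. The script and function names, and the assumption that the leaf certificate comes first in the chain file, are mine rather than the product's.

```shell
#!/bin/sh
# Added example, not part of the KB article: runs the article's conversion steps, then
# checks the two output files. Inputs: downloaded chain PEM, JKS built for the CSR, <NEW NAME>.
set -eu

# Steps 2-4 of the article. keytool and openssl prompt for the keystore passwords.
convert_material() {
    chain_in=$1; jks_in=$2; name=$3
    openssl crl2pkcs7 -nocrl -certfile "$chain_in" -out "$name.p7b"
    openssl pkcs7 -in "$name.p7b" -print_certs -out "$name.pem"
    keytool -importkeystore -srckeystore "$jks_in" -destkeystore "$name.p12" -deststoretype PKCS12
    # -nodes writes the private key unencrypted, so create it under a restrictive umask.
    (umask 077 && openssl pkcs12 -in "$name.p12" -nodes -nocerts -out "${name}_KEY.pem")
}

# Number of PEM blocks in file $1 whose label is exactly $2 (0 if the file is missing).
pem_count() {
    n=$(grep -c "^-----BEGIN $2-----" "$1" 2>/dev/null) || n=${n:-0}
    echo "$n"
}

# apm.server.keyFile needs one unencrypted PKCS#8 block ("BEGIN PRIVATE KEY"); a
# "BEGIN RSA PRIVATE KEY" (PKCS#1) or "BEGIN ENCRYPTED PRIVATE KEY" block does not qualify.
key_is_pkcs8() { [ "$(pem_count "$1" 'PRIVATE KEY')" -eq 1 ]; }

# The chain file should carry the leaf plus at least one CA certificate.
chain_is_usable() { [ "$(pem_count "$1" CERTIFICATE)" -ge 2 ]; }

# An unencrypted key must not be readable by group or others (ls mode characters 5-10).
key_perms_ok() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# The key must belong to the leaf certificate, assumed to be first in the chain file.
key_matches_cert() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

verify_material() {
    chain_is_usable "$1"       || { echo "FAIL: $1 has fewer than two certificates"; return 1; }
    key_is_pkcs8 "$2"          || { echo "FAIL: $2 is not one unencrypted PKCS#8 block"; return 1; }
    key_perms_ok "$2"          || { echo "FAIL: $2 is readable by group or others"; return 1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: $2 does not match the leaf in $1"; return 1; }
    echo "OK: $1 and $2 are ready for application.yml"
}

# Usage: sh proxy_certs.sh <downloaded PEM> <NEW JKS>.jks <NEW NAME>
if [ "$#" -eq 3 ]; then
    convert_material "$1" "$2" "$3"
    verify_material "$3.pem" "${3}_KEY.pem"
fi
```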

application.yml

# SSL Configuration
# If true, then the secure server will generate a self-signed certificate on startup. (default: true)
apm.server.useSelfSignedCert: false

# A X.509 certificate chain file in PEM format. If apm.server.useSelfSignedCert is set to true, then the certificate and key will be ignored.
apm.server.keyCertChainFile: /opt/ca/cloudproxy/config/Certificates/<NEW NAME>.pem

# A PKCS#8 private key file in PEM format. If apm.server.useSelfSignedCert is set to true, then the certificate and key will be ignored.
apm.server.keyFile: /opt/ca/cloudproxy/config/Certificates/<NEW NAME>_KEY.pem

# Protocols enabled for encrypted connections
apm.server.secureProtocols: TLSv1.2