Create a New Keystore with OpenSSL and Keystore Explorer for DevTest

Article ID: 260253


Products

Service Virtualization

Issue/Introduction

Create a New Keystore with OpenSSL and Keystore Explorer.

Environment

All supported DevTest releases and platforms.

Cause

N/A

Resolution

Customers are responsible for obtaining their own certificates, but shown here is the procedure Broadcom follows to create a CSR. Broadcom uses DigiCert as its CA. Substitute your own company information in the example below.

Software used:

OpenSSL:  https://www.openssl.org/

KeyStore Explorer: https://keystore-explorer.org/downloads.html

Set the following system environment variable so that OpenSSL can find its configuration file:

OPENSSL_CONF=C:\Program Files (x86)\GnuWin32\share\openssl.cnf

1) Create a private key (because no -out file is given, this command also prints a CSR to the console; step 2 writes the CSR to a file):

Example:

C:\Program Files (x86)\GnuWin32\bin>openssl req -new -newkey rsa:2048 -nodes -keyout C:\Certificates_and_Keystores\private.key
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
............................+++
............................................+++
writing new private key to 'C:\Certificates_and_Keystores\private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Plano
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Broadcom
Organizational Unit Name (eg, section) []:IMS
Common Name (eg, YOUR name) []:machinename
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

2) Create a Certificate Signing Request:

Example:

C:\Program Files (x86)\GnuWin32\bin>openssl req -new -sha256 -key C:\Certificates_and_Keystores\private.key -out C:\Certificates_and_Keystores\machinename.csr
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Plano
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Broadcom
Organizational Unit Name (eg, section) []:IMS
Common Name (eg, YOUR name) []:machinename
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3) Send the CSR to your Certificate Authority (CA).

The CA will return your certificate, for example as a machinename.pem, machinename.crt or machinename.cer file (the extension depends on your company's standards).

Use Keystore Explorer for the remaining steps:

4) Create a new Keystore

5) New Keystore Type is JKS

6) Import Key Pair

7) Import Key Pair Type is OpenSSL

8) Browse to get your private.key file

9) Browse to get your certificate file (machinename.pem, machinename.crt or machinename.cer).

If you get an error that the private key is not in a valid OpenSSL format, rewrite the key with this OpenSSL command:

openssl rsa -in private.key -out private_new.key

Then import the key pair again using private_new.key; this resolves the issue.

10) Import

11) Then import the intermediate certificate, if there is one.

12) Import

13) Then import the root certificate, if there is one.

Your keystore is ready to use with DevTest.

NOTE:  DevTest does not like the following special characters in keystore passwords: /, \, %

When creating the keystore passwords for DevTest, do not use these characters.  Use this rule when creating any keystore password on DevTest regardless of component.

The keystore must have the same passwords for PRIVATEKEY and KEYSTORE.  DevTest does not support keystores that have different passwords for PRIVATEKEY and KEYSTORE.
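The steps above are typed at interactive prompts, and the conditions that Keystore Explorer's import depends on are checked by eye. The script below is an added example, not part of this article and not DevTest or Keystore Explorer code: it runs steps 1 and 2 non-interactively with the article's sample DN values, verifies the CSR before it goes to the CA (step 3), rewrites the private key into the traditional RSA form that the `openssl rsa` workaround above produces, confirms that a private key and a certificate carry the same public key before the key pair is imported (steps 8 and 9), and checks a keystore password against the character rule in the NOTE. It assumes OpenSSL 1.1.1 or 3.x on the PATH. The self-signed certificate it creates is a constructed stand-in for the certificate your CA returns, used only so the key/certificate check has something to compare. One caveat it encodes: `openssl req -newkey` writes the key in PKCS#8 form (`BEGIN PRIVATE KEY`); on OpenSSL 1.x the article's `openssl rsa -in ... -out ...` rewrote that into the traditional `BEGIN RSA PRIVATE KEY` form, but on OpenSSL 3.x `openssl rsa` keeps PKCS#8 unless told otherwise, so the script uses `openssl pkey -traditional`, which yields the traditional form on both release lines.

```shell
#!/bin/sh
# Added example (not from the KB article): scripted version of steps 1-2 plus
# the checks worth running before importing the key pair in Keystore Explorer.
# Assumes OpenSSL 1.1.1 or 3.x on PATH. The DN values are the article's sample
# values; the certificate made by make_stand_in_cert is a constructed, self-signed
# stand-in for the one a CA would return.

# Steps 1 and 2 in one non-interactive call: -subj supplies the DN that the
# article typed at the prompts, -batch suppresses the remaining prompts.
make_key_and_csr() {
    dir=$1 cn=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 -batch \
        -subj "/C=US/ST=Texas/L=Plano/O=Broadcom/OU=IMS/CN=$cn" \
        -keyout "$dir/private.key" -out "$dir/$cn.csr" >/dev/null 2>&1
}

# Check the CSR's self-signature and that its CN is the one requested,
# before sending it to the CA (step 3).
verify_csr() {
    csr=$1 cn=$2
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$csr" -noout -subject | grep -q "CN *= *$cn"
}

# 'openssl req -newkey' writes a PKCS#8 key (BEGIN PRIVATE KEY). The article's
# 'openssl rsa' rewrite produced the traditional form (BEGIN RSA PRIVATE KEY)
# on OpenSSL 1.x; on 3.x 'openssl rsa' keeps PKCS#8 by default, so
# 'pkey -traditional' is used here because it gives the traditional form on both.
to_traditional_rsa() {
    openssl pkey -in "$1" -traditional -out "$2" 2>/dev/null || return 1
    grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$2"
}

# Constructed stand-in for the CA-issued certificate (self-signed, valid 1 day).
make_stand_in_cert() {
    openssl x509 -req -in "$1" -signkey "$2" -days 1 -out "$3" >/dev/null 2>&1
}

# The key pair import (steps 8-9) only succeeds when the private key and the
# certificate carry the same public key; compare them before opening KSE.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# DevTest rule from the article's NOTE: keystore passwords must not contain
# '/', '\' or '%' (and keystore and private key use the same password).
check_devtest_password() {
    [ -n "$1" ] || return 1
    if printf '%s' "$1" | grep -q -F -e '/' -e '\' -e '%'; then
        return 1
    fi
    return 0
}

main() {
    d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
    make_key_and_csr "$d" machinename && echo "key and CSR written to $d"
    verify_csr "$d/machinename.csr" machinename && echo "CSR verify OK"
    to_traditional_rsa "$d/private.key" "$d/private_new.key" && echo "key rewritten in traditional RSA form"
    make_stand_in_cert "$d/machinename.csr" "$d/private.key" "$d/stand_in.crt"
    key_matches_cert "$d/private_new.key" "$d/stand_in.crt" && echo "key matches certificate"
    check_devtest_password 'changeit' && echo "password 'changeit' is acceptable for DevTest"
    check_devtest_password 'bad%pass' || echo "password 'bad%pass' rejected: contains / \\ or %"
}

case "${1:-}" in demo) main ;; esac
```

Run it as `sh keystore_prep.sh demo` (the file name is an assumption) to exercise every check against a temporary directory; the functions can also be sourced and pointed at your own private.key and the certificate your CA returned before you open Keystore Explorer.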