This document describes how to use private (internally signed) certificates with WCC.
Commercial Certificate Authorities (CA) like Verisign and Comodo no longer issue signed certificates for internal networks. Therefore a prerequisite to using this procedure is to have an internal CA setup. Clients (e.g. web browsers) should have the root and any intermediate certificates imported into their certificate store.
CA Workload Control Center # ALL Supported Version
This scenario walks you through the process of requesting and using a privately signed certificate from a trusted certificate authority.
1. Login to the WCC host as the WCC software owner (e.g. wcc)
2. Set the Java environment
JAVA_HOME=$CA_WCC_INSTALL_LOCATION/jre; export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH; export PATH
3. Change directory to the keystore location
4. Copy the existing .keystore file to a backup location.
cp .keystore /var/tmp/
copy .keystore %TEMP%
5. Delete the existing key in the keystore
keytool -delete -alias tomcat -keystore .keystore -storepass changeit
6. Create a new key:
keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit -keypass changeit -keysize 2048 -dname "cn=<hostname>" -ext san=dns:cn=<hostname> -validity <days>
<hostname> the WCC hostname
<days> expiration period of the certificate in days (e.g. 5475 = 15 years)
NOTE: the dname here should have your Fully Qualified URL that your users would be using WCC URL with. example:
Example (the double quotes around SAN are needed):
keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit -keypass changeit -keysize 2048 -dname "cn=wcc.company.com,O=Your Company Inc,L=San Jose,S=California,C=US" -ext "SAN=DNS:wcc.company.com,DNS:wccserver1.company.com,DNS:wccserver2.company.com" -validity 365
7. Create the certificate signing request (CSR)
keytool -certreq -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit -file wcc.cert.req.csr
NOTE: During the generation of the CSR above, some certificate admins require you to provide additional stuff like Subject Alternate names example:
keytool -certreq -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit -file wcc.cert.req.csr -ext "SAN=DNS:wcc.company.com,DNS:wccserver1.company.com,DNS:wccserver2.company.com"
8. Have the certificate request signed by your internal CA
The internal CA will need to return the following in PEM format:
a. root certificate
b. any/all intermediate certificate(s)
c. the private (signed) certificate generated from the CSR
9. Import the root certificate. Enter ‘yes’ to trust the certificate.
keytool -importcert -alias RootCA -file <ca.cert.pem> -keystore .keystore -storepass changeit
<ca.cert.pem> is the root certificate received from the internal CA.
10. (Optional) Import any/all intermediate certificate(s)
keytool -importcert -alias IntermediateCA -file <intermediate.cert.pem> -keystore .keystore -storepass changeit
<intermediate.cert.pem> is the intermediate key received from the internal CA.
11. Import the private (signed) certificate
keytool -importcert -trustcacerts -file <wcc.cert.pem> -alias tomcat -keystore .keystore -storepass changeit
<wcc.cert.pem> is the Private Key received from the internal CA.
12. Restart WCC services
unisrvcntr restart CA-wcc-services
Restart the CA-wcc-services service from Microsoft Windows Services Console.
IMPORTANT: Ensure that the root certificate and any intermediate certificates are imported into client (e.g. web browsers) certificate stores.