How can I use DXcertgen to create client certificates, and store them in the JXplorer keystores?
Article ID: 54076
Updated On:
Products
Issue/Introduction
Description
You can use dxcertgen to create users certificates at the same time as generating the DSA certificates.
By specifying the location and passwords to the java keystores, dxcertgen can automatically
add the newly created CA and user certificates into the cakeystore and the clientkeystore.
Solution
Assumptions
The DSA that you will be using to authenticate will have a prefix of:
"o=Democorp,c=au"
The LDIF containing the user entries will be located in the root of C Drive (C:\).
Procedure
In order to create user certificates using Dxcertgen, you need to have the following already prepared:
- An LDIF file that contains the list of DN's that you want to use.
- Java environment variables setup.
- The location of the JXplorer keystores and their respective password.
Create the LDIF file
The LDIF file can be a full LDIF dump of the selected users.
Make note of where you save this file as it's fully qualified path will be used when generating the certificates.
In the LDIF file below, the following user certificates will be created:
- cn=Joe Bloggs,ou=Information,ou=Corporate,o=Democorp,c=au
- cn=Marjorie SIMPER,ou=Information,ou=Corporate,o=Democorp,c=au
version: 1
dn: cn=Joe Bloggs,ou=Information,ou=Corporate,o=Democorp,c=auobjectClass: inetOrgPersonobjectClass: organizationalPersonobjectClass: personobjectClass: topcn: Joe Bloggssn: BLOGS
dn: cn=Marjorie SIMPER,ou=Information,ou=Corporate,o=Democorp,c=auobjectClass: inetOrgPersonobjectClass: organizationalPersonobjectClass: personobjectClass: topcn: Marjorie SIMPERsn: SIMPER
Java Environment Variables Configured
In order to run the dxcertgen tool and have it access the keystores, you will need to define several environment variables.
- Set the environment variable JAVA_HOME to the JRE path, for example:
- Ensure that the environment variable PATH includes the Java bin folder, for example:
- To verify, run the following command:
C:\Program Files\Java\jre1.6.0_07
C:\Program Files\Java\jre1.6.0_07\bin
keytool
The output of the keytool will begin with the following output:C:\>keytoolkeytool usage: -certreq [-v] [-protected] [-alias <alias>] [-sigalg <sigalg>]
[-file <csr_file>] [-keypass <keypass>]
[-keystore <keystore>] [-storepass <storepass>]
[-storetype <storetype>] [-providername <name>] [-providerclass <provider_class_name> [-providerarg <arg> ]] ... [-providerpath <pathlist> ]Note: The keytool utility is a Java utility and is documented on the java keytool web page on the Java web site http://java.sun.com.
Location of keystores
The location of the keystores for the open source version of Jxplorer can be found in the following
folder (assuming that the default installation location was used):
C:\Program Files\JXplorer\security
The keystores and their default passwords are listed below:
<Please see attached file for image>
Running the Dxcertgen command
The dxcertgen command below will perform several tasks. They are:
- Create a new CA keypair and certificate.
- Create a new DSA keypair for each DSA in the DXHOME/config/knowledge folder.
- Sign each DSA certificate using the CA created in step 1.
- Create and sign each user certificate as it parses the LDIF file specified.
- Store the CA certificate and the user certificates in the respective keystores.
dxcertgen -u "C:\users.ldif" -c "C:\Program
Files\JXplorer\security\clientcerts" -C passphrase -s
"C:\Program Files\JXplorer\security\cacerts" -S changeit certsThe output for the Dxcertgen command will look like the following:
Setting root certificate and public/private keys for signing...Exporting certificate 'dxcertgen' from C:\Program Files\JXplorer\security\cacerts...alias 'dxcertgen' not foundGenerating public and private key pair...Generating key pair for 'dxcertgen' in C:\Program Files\JXplorer\security\cacerts...Exporting certificate 'dxcertgen' from C:\Program Files\JXplorer\security\cacerts...Generating an x509 v3 certificate...Signing certificate with trusted root CA's private key...Importing certificate 'dxcertgen' into C:\Program Files\JXplorer\security\cacerts...Importing certificate 'dxcertgen' into C:\Program Files\JXplorer\security\clientcerts...Writing root certificate to trusted.pem...
Generating DXserver personalities from server files...Generating a new personality certificate for lang...Generating a 1024-bit RSA public/private key pair..............++++++............++++++Generating an x509 v3 certificate...Signing certificate with trusted root CA's private key...Writing personality certificate to C:\Program
Files\CA\Directory\dxserver\config\ssld\personalities\ lang.pem...Generating a new personality certificate for democorp...Generating a 1024-bit RSA public/private key pair.......................................................++++++...............++++++Generating an x509 v3 certificate...Signing certificate with trusted root CA's private key...Writing personality certificate to C:\Program
files\CA\Directory\dxserver\config\ssld\personalities\ democorp.pem...
Generating user certificates...
Generating a new user certificate for Joe_Bloggs...Generating public and private key pair...Generating key pair for 'Joe_Bloggs' in C:\Program Files\JXplorer\security\clientcerts...Exporting certificate 'Joe_Bloggs' from C:\Program Files\JXplorer\security\clientcerts...Generating an x509 v3 certificate...Signing certificate with trusted root CA's private key...Importing certificate 'Joe_Bloggs' into C:\Program
Files\JXplorer\security\clientcerts...Generating a new user certificate for Marjorie_SIMPER...Generating public and private key pair...Generating key pair for 'Marjorie_SIMPER' in C:\Program
Files\JXplorer\security\clientcerts...Exporting certificate 'Marjorie_SIMPER' from C:\Program
Files\JXplorer\security\clientcerts...Generating an x509 v3 certificate...Signing certificate with trusted root CA's private key...Importing certificate 'Marjorie_SIMPER' into C:\Program
Files\JXplorer\security\clientcerts...
Done.
Verification
Once the command is complete, you should see the following certificates in the Java Keystores that Jxplorer accesses:
<Please see attached file for image>
<Please see attached file for image>
Connecting to CA Directory using your newly added keys
In order for you to be able to use your new CA and user certificates to connect to a DSA, the following must be in place:
- User entries must exist in the CA Directory DSA that matches the DN of the user certificates.
- To perform this simply load the LDIF file below into your DSA that has a prefix of:
"o=Democorp,c=au".
- To load the LDIF file into the DSA use the following command:
- An SSLD Daemon must exist.
- To create an SSL Daemon that sources the default trusted.pem CA certificate file and DSA personality certificates, use the following command:
ssld install ssldservice -ca config/ssld/trusted.pem -certs
config/ssld/personalities - Once the SSL Daemon has been installed, it needs to be started. You can do this by issuing the following command:
ssld start ssldservice
- The DSA's must be recycled in order to refresh their configuration.
dxserver stop {dsaName}Then you need to restart the DSA
dxserver start {dsaName} - Using JXplorer, you then need to make a connection using the authentication level of: "SSL+SASL+Keystore Password"
version: 1
dn: ou=Corporate,o=Democorp,c=auobjectClass: organizationalUnit
dn: ou=Information,ou=Corporate,o=Democorp,c=auobjectClass: organizationalUnit
dn: cn=Joe Bloggs,ou=Information,ou=Corporate,o=Democorp,c=auobjectClass: inetOrgPersonobjectClass: organizationalPersonobjectClass: personobjectClass: topcn: Joe Bloggssn: BLOGGS
dn: cn=Marjorie SIMPER,ou=Information,ou=Corporate,o=Democorp,c=auobjectClass: inetOrgPersonobjectClass: organizationalPersonobjectClass: personobjectClass: topcn: Marjorie SIMPERsn: SIMPER
dxmodify -a -c -h {hostName} -p {DSA Port} -f {LDIFFileName}<Please see attached file for image>
Once connected you should see the DIT structure of the Directory:
<Please see attached file for image>
Environment
Component:
Attachments
Feedback
