PEM keystores received from a Certificate Authority can
be converted into keystores for use with Build Forge.
Before you begin
Download the unrestricted policy files for your SDK. This prerequisite applies only if your key size is too large for the restricted policy files. Download the files from https://www14.software.ibm.com/webapp/iwm/web/reg/signup.do?source=jcesdk&lang=en_US&S_PKG=142ww
Note: You must use the keytool utility provided by IBM.
About this task
If you have a set of PEM files from a Certificate Authority, you must use them to create a set of OpenSSL and JSSE keystores for Build Forge.
Procedure
- Include the Build Forge tool directories in your PATH:
  - <bfinstall>/openssl
  - <bfinstall>/ibmjdk/bin (Windows)
  - <bfinstall>/server/ibmjdk/bin (UNIX or Linux)
  On UNIX and Linux, also include <bfinstall>/openssl in LD_LIBRARY_PATH.
- Convert the PEM files into a PKCS12 keystore. Use the following command:
openssl pkcs12
-export
-name "buildforge"
-out buildForgeKeyStore.p12
-inkey <key.pem>
-passin pass:<pempassword>
-in <crt.pem>
-password pass:<bfpassword>
With -export, -password sets the password that protects the new PKCS12 file (it is equivalent to -passout); -passin is the password of the existing PEM private key.
- Verify that the certificate has been added and can be read.
keytool -v
-list
-keystore buildForgeKeyStore.p12
-storepass <bfpassword>
-storetype pkcs12
If you get an error about an invalid key size, download the unrestricted policy files as described under "Before you begin" at the start of this section.
- Export the public certificate. In a command window, go to <bfinstall>/keystore, and then run this command:
keytool -export
-alias buildforge
-file cert.der
-keystore buildForgeKeyStore.p12
-storepass <bfpassword>
-storetype pkcs12
- The certificate is stored in the file cert.der.
- Use the same <bfpassword> that was specified for the keystores during installation. Otherwise you must change the Build Forge configuration to match the new password.
- Create the truststore and import the public certificate. In a command window, go to <bfinstall>/keystore, and then run this command:
keytool -import
-noprompt -trustcacerts
-alias buildforge
-file cert.der
-keystore buildForgeTrustStore.p12
-storepass <bfpassword>
-storetype pkcs12
- Put the public client certificate in buildForgeCert.pem. In a command window, go to <bfinstall>/keystore, and then run this command:
openssl pkcs12 -clcerts -nokeys
-in buildForgeKeyStore.p12
-passin pass:<bfpassword>
-out buildForgeCert.pem
The -nokeys option ensures that this file contains only the certificate and no private key, so it is safe to distribute.
- Put the certificate and the password-protected private key in buildForgeKey.pem. In a command window, go to <bfinstall>/keystore, and then run this command:
openssl pkcs12
-in buildForgeKeyStore.p12
-passin pass:<bfpassword>
-passout pass:<bfpassword>
-out buildForgeKey.pem
- Create the PEM Certificate Authority file buildForgeCA.pem.
- Download the CA root certificate to <bfinstall>/keystore. It is named CARootCert.crt. It must be added to your PEM keystores and can be imported into buildForgeTrustStore.p12. The cat command below only works if CARootCert.crt is PEM-encoded (a text file with BEGIN CERTIFICATE markers).
- In a command window, go to <bfinstall>/keystore, and then run these commands:
cat CARootCert.crt > buildForgeCA.pem
keytool -import -noprompt -v -trustcacerts
-alias "CA Root"
-file CARootCert.crt
-keystore buildForgeTrustStore.p12
-storepass <bfpassword>
-storetype pkcs12
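The whole procedure above, collected into one script as an added example (this is not Build Forge's own tooling). It assumes it is run from <bfinstall>/keystore with openssl and the IBM keytool on the PATH, takes the passwords from the BFPASS and PEMPASS environment variables instead of typing them on the command line (openssl's env: source keeps them out of `ps` output; -passout is used in place of the page's equivalent -password), and adds two checks a practitioner wants after the conversion: the two public PEM files must carry no private key, and the unencrypted Apache key must be readable only by its owner. The check functions run on plain files and need neither tool.

```shell
#!/bin/sh
# Added example: wraps the Build Forge PEM-to-keystore procedure in functions
# and adds post-conversion checks. File names, BFPASS/PEMPASS and --run are
# assumptions of this example, not Build Forge conventions.
set -eu

# Count "-----BEGIN <label>-----" lines in a PEM file; prints 0 if none.
pem_count() {  # $1=file $2=label, e.g. CERTIFICATE or "RSA PRIVATE KEY"
    grep -c "^-----BEGIN $2-----" "$1" || true
}

# A file meant for distribution (buildForgeCert.pem, buildForgeCA.pem) must
# hold at least one certificate and no private key block of any kind.
check_public_pem() {  # $1=file; exit status 0 = safe to distribute
    [ "$(pem_count "$1" CERTIFICATE)" -ge 1 ] &&
    [ "$(grep -c 'PRIVATE KEY-----' "$1" || true)" -eq 0 ]
}

# The unencrypted key must not be readable by group or others: characters
# 5-10 of the ls -l mode string (group and other bits) must all be "-".
check_key_perms() {  # $1=file; exit status 0 = owner-only access
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# The page's procedure, run from <bfinstall>/keystore.
build_keystores() {  # $1=key.pem $2=crt.pem $3=CARootCert.crt (PEM)
    : "${BFPASS:?set BFPASS to the keystore password chosen at install time}"
    : "${PEMPASS:?set PEMPASS to the password of the PEM private key}"
    export BFPASS PEMPASS
    openssl pkcs12 -export -name buildforge -out buildForgeKeyStore.p12 \
        -inkey "$1" -passin env:PEMPASS -in "$2" -passout env:BFPASS
    # fails here with an "invalid key size" error if the unrestricted policy files are missing
    keytool -v -list -keystore buildForgeKeyStore.p12 -storepass "$BFPASS" -storetype pkcs12 >/dev/null
    keytool -export -alias buildforge -file cert.der \
        -keystore buildForgeKeyStore.p12 -storepass "$BFPASS" -storetype pkcs12
    keytool -import -noprompt -trustcacerts -alias buildforge -file cert.der \
        -keystore buildForgeTrustStore.p12 -storepass "$BFPASS" -storetype pkcs12
    openssl pkcs12 -clcerts -nokeys -in buildForgeKeyStore.p12 \
        -passin env:BFPASS -out buildForgeCert.pem
    openssl pkcs12 -in buildForgeKeyStore.p12 \
        -passin env:BFPASS -passout env:BFPASS -out buildForgeKey.pem
    # cat only produces a valid PEM bundle if the CA file is PEM; a DER file fails this parse
    openssl x509 -in "$3" -noout -subject
    cat "$3" > buildForgeCA.pem
    keytool -import -noprompt -v -trustcacerts -alias "CA Root" -file "$3" \
        -keystore buildForgeTrustStore.p12 -storepass "$BFPASS" -storetype pkcs12
    # optional unencrypted key for Apache, created owner-readable only
    ( umask 077; openssl rsa -in buildForgeKey.pem -passin env:BFPASS -out buildForgeKeyForApache.pem )
    check_public_pem buildForgeCert.pem
    check_public_pem buildForgeCA.pem
    check_key_perms buildForgeKeyForApache.pem
}

# Usage: BFPASS=... PEMPASS=... sh convert.sh --run key.pem crt.pem CARootCert.crt
if [ "${1:-}" = "--run" ]; then
    shift
    build_keystores "$@"
fi
```

If any keytool or openssl step fails, set -e stops the script before the next keystore is touched, so a half-built truststore is never left behind unnoticed.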
Results
Build Forge uses a password-protected PEM keystore, buildForgeKey.pem. The Apache server prompts for the password during startup.
If you do not want to be prompted for a password during startup, generate a PEM key file that is not password-protected and have the Apache server use it. The following command is an example; it writes only the decrypted private key, which is all Apache needs for its key file:
openssl rsa -in buildForgeKey.pem
-passin pass:<password>
-out buildForgeKeyForApache.pem
Because this key is stored unencrypted, restrict its file permissions so that it is readable only by the user ID under which the Build Forge Apache process runs, and by no other user.