Installing an SSL Certificate

Lee Painter

Introduction

Your JADAPTIVE server requires a valid signed SSL certificate for production use. Because the server is Java-based, its native SSL certificate format is a PKCS12 key store.

You can modify the configuration for this key store in the conf/jadaptive.properties file.

server.ssl.key-store-password=changeit
server.ssl.key-store-type=PKCS12
server.ssl.key-store=conf/cert.p12
server.ssl.key-alias=server

On the initial startup, a new self-signed 2048-bit RSA SSL certificate is created using the above properties.

 

Replace with another PKCS12 Certificate

You can replace the p12 file with another certificate by modifying the properties above. Ensure that you provide the correct alias, path, and password for the key store.

 

Generating a new Certificate for Signing

The default self-signed certificate is unsuitable for signing. To obtain a new signed certificate, first generate a new key store with the command:

keytool -genkey -alias server -keyalg RSA -keysize 2048 -storetype pkcs12 -keystore newcert.p12

This will prompt you for the certificate details. Ensure you enter the correct hostname when asked for your first and last name, because this value becomes the certificate's common name (CN).

Enter keystore password:  
Re-enter new password: 
What is your first and last name?
 [Unknown]: www.jadaptive.com
What is the name of your organizational unit?
 [Unknown]: Jadaptive Limited
What is the name of your organization?
 [Unknown]: Jadaptive Limited
What is the name of your City or Locality?
 [Unknown]: Nottingham
What is the name of your State or Province?
 [Unknown]: England
What is the two-letter country code for this unit?
 [Unknown]: GB

Is CN=www.jadaptive.com, OU=Jadaptive Limited, O=Jadaptive Limited, L=Nottingham, ST=England, C=GB correct?
 [no]: y

Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 90 days
for: CN=www.jadaptive.com, OU=Jadaptive Limited, O=Jadaptive Limited, L=Nottingham, ST=England, C=GB

 

Set up the jadaptive.properties file accordingly, changing the path to the new key store, the alias (if you changed it from the default), and the password.

You can now generate a certificate request using the command:

keytool -certreq -alias server -keyalg RSA -file output.csr -keystore newcert.p12

Take the output.csr file and send this to your certification authority. 

 

Importing the Signed Certificate

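Once you have received the signed certificate from your CA, we recommend downloading a P7b bundle, as this will contain all the necessary certificates, including the root and any intermediate certificates. Import the bundle into the key store under the same alias that was used to generate the request: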

keytool -import -trustcacerts -alias server -file cert.p7b -keystore newcert.p12

 

Using a PEM Key and Certificate

As an alternative to working with Java Keystore files, you can configure jadaptive.properties to import a key and certificate from a set of PEM files. 

Configure the properties below to point to your PEM files.

server.ssl.private-key=conf/key.pem
server.ssl.private-key-password=password
server.ssl.ca-bundle=conf/chain.pem
server.ssl.certificate=conf/cert.pem

The next time the server starts, it converts the PEM files to a PKCS12 key store using the path, password, and alias configured for the default key store, overwriting the default key store and certificate.
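
A pre-flight check for the key store and PEM settings described above, as an added example that is not part of the original article or JADAPTIVE's own tooling. It reads conf/jadaptive.properties and reports the default password, missing files, and key material readable by other accounts. It assumes relative paths resolve against the install directory; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not JADAPTIVE code: pre-flight check of the server.ssl.* settings.
# Assumption: relative paths in the file resolve against the install directory.

# prop FILE KEY: print the value of KEY (last occurrence wins), empty if unset.
prop() {
    awk -v k="$2" '{ i = index($0, "="); if (i == 0) next
                     key = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
                     if (key == k) { v = substr($0, i + 1); sub(/^[ \t]+/, "", v) } }
                   END { print v }' "$1"
}

# private FILE: succeed only if group and others have no access to FILE.
private() { [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]; }

finding() { echo "FINDING: $*"; findings=$((findings + 1)); }

# check_ssl_config INSTALL_DIR: print findings; exit status is their count.
check_ssl_config() {
    dir=$1; conf="$dir/conf/jadaptive.properties"; findings=0
    [ -f "$conf" ] || { finding "$conf not found"; return 1; }
    private "$conf" || finding "$conf holds plaintext passwords but is group/world accessible"
    [ "$(prop "$conf" server.ssl.key-store-password)" = "changeit" ] &&
        finding "key store password is still the default 'changeit'"
    [ -n "$(prop "$conf" server.ssl.key-alias)" ] || finding "server.ssl.key-alias is not set"

    pem_key=$(prop "$conf" server.ssl.private-key)
    if [ -n "$pem_key" ]; then
        # PEM mode: every PEM property that is set must point at an existing file.
        for k in private-key ca-bundle certificate; do
            f=$(prop "$conf" "server.ssl.$k")
            [ -z "$f" ] || [ -f "$dir/$f" ] || finding "server.ssl.$k points to missing file $f"
        done
        [ -f "$dir/$pem_key" ] && ! private "$dir/$pem_key" &&
            finding "$pem_key (private key) is group/world accessible"
    else
        ks=$(prop "$conf" server.ssl.key-store)
        if [ ! -f "$dir/$ks" ]; then
            finding "key store $ks not found (a self-signed one is created on initial startup)"
        elif ! private "$dir/$ks"; then
            finding "$ks (holds the private key) is group/world accessible"
        fi
    fi
    return "$findings"
}
```

Call `check_ssl_config` with the server's install directory before starting the server; an exit status of 0 means no findings.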