This document was provided by Bruan Consulting, but was modified by me (Chris Arnett) as I went through the process of getting it set up on our MagicInfo server. I tried to fill in some areas that they did not elaborate on to make it easier to understand, mostly how to create the private key/CSR request using OpenSSL, which is installed and set up on the MagicInfo server. Note: I did set up the required environment variables for OpenSSL.
Requirements
OpenSSL installed on the MagicInfo server, with the necessary environment variables set. See this article: https://public.cloud.myinfo.gov.sg/docs/OpenSSL_installation_guide.pdf
KeyStore Explorer software
...
-----END CERTIFICATE-----
📘 Instructions
Generating CSR with OpenSSL/DigiCert Website
Inspecting SSL certificate:
...
For each intermediate certificate you will need to obtain a PEM text file. Sometimes those files are provided together with the signed identity certificate by the certification authority (CA). If not, they can easily be obtained from the CA website or by exporting them from the certification path above using Windows functionality.
Obtaining PEM text files for intermediate certificates
Generate a CSR from the MagicInfo server.
Browse to: https://www.digicert.com/easy-csr/openssl.htm
...
The “-traditional” flag converts the key to PKCS1/OpenSSL format, which is what KeyStore Explorer will be expecting. By default OpenSSL 3 will create the key in PKCS8 format. If you try to use that key, you’ll get an invalid format error when you try to create the JKS keystore file in KeyStore Explorer. Newer versions of OpenSSL write “-----BEGIN PRIVATE KEY-----” because the file contains the private key plus an OID that identifies the key type (this is known as PKCS8 format). In PKCS1 format, if you examine the private key with Notepad++, the file will start with “-----BEGIN RSA PRIVATE KEY-----”. That’s how you can confirm you have the correct format.
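As an added example (not part of the original document or any Bruan Consulting material), the header check described above done in Python, with a short DER walk to confirm the body really is the format the header claims; the sample key bodies are constructed stubs, not real keys.

```python
import base64
import re

# Constructed sample bodies (NOT real keys): only the leading DER structure of each
# format is mirrored, which is enough to exercise the classifier offline.
# PKCS#1: SEQUENCE { INTEGER version, INTEGER n, INTEGER e, ... }
PKCS1_DER = bytes.fromhex("300d" "020100" "0203010001" "0203010001")
# PKCS#8: SEQUENCE { INTEGER version, SEQUENCE { OID rsaEncryption, NULL }, OCTET STRING }
PKCS8_DER = bytes.fromhex("3016" "020100" "300d06092a864886f70d0101010500" "04023000")

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_len(buf, pos):
    """Decode the DER length field at buf[pos]; return (length, offset of content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def to_pem(label, der):
    """Wrap DER bytes in a PEM envelope with the given label (64-char lines)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def classify_private_key(pem_text):
    """Return 'pkcs1', 'pkcs8', 'pkcs8-encrypted', 'mislabeled' or 'unknown'."""
    m = PEM_RE.search(pem_text)
    if not m:
        return "unknown"
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"  # password-protected PKCS#8: decrypt before converting
    if label not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
        return "unknown"
    der = base64.b64decode(body)
    if len(der) < 4 or der[0] != 0x30:  # both formats are an outer SEQUENCE
        return "unknown"
    _, pos = der_len(der, 1)
    if der[pos:pos + 1] != b"\x02":  # both formats begin with INTEGER version
        return "unknown"
    vlen, pos = der_len(der, pos + 1)
    pos += vlen
    # Second element: INTEGER n in PKCS#1, AlgorithmIdentifier SEQUENCE in PKCS#8.
    tag = der[pos] if pos < len(der) else None
    actual = {0x02: "pkcs1", 0x30: "pkcs8"}.get(tag)
    if actual is None:
        return "unknown"
    expected = "pkcs1" if label == "RSA PRIVATE KEY" else "pkcs8"
    return actual if actual == expected else "mislabeled"
```

Only a result of "pkcs1" is the traditional file this page says KeyStore Explorer accepts; "mislabeled" means the header was edited or a body was pasted under the wrong header, so the key should be regenerated or reconverted rather than imported.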
**I found this next part about converting the cert was not really necessary, since the InCommon certs come in X.509 format by default.
Open the identity certificate preview, go to the Certification Path tab, select the first intermediate certificate in the path and click the View Certificate button. Next, go to the Details tab.
...
Repeat the above steps for each intermediate certificate in the path.
Creating JKS keystore from PEM files (private key and certificates)
Start KeyStore Explorer software
Click the Create a new KeyStore option on the welcome screen or select File > New from the menu.
...
Save the keystore file. At this point the keystore should be ready for deployment.
HTTPS configuration in Tomcat
Copy the created JKS keystore file onto the MagicInfo server and place it in a folder accessible by the MagicInfo service. The default MagicInfo keystores are in the <MagicInfo_dir>\runtime\keystore folder.
Go to the <MagicInfo dir>\tomcat\conf\ folder and open the server.xml file. If the HTTPS option was selected during MagicInfo server installation, there should be a predefined connector with SSL support enabled like the one below. Otherwise add the connector definition below to the server.xml file.
...