How to Import a Certificate
Import the Certificate Generated by Certification Authority (CA)
There are different ways to generate a Certificate Signing Request (CSR), depending on whether you are securing a single domain or multiple domains. Here is an overview of the two types and how to generate them:
Multi-Domain CSR (SAN - Subject Alternative Name)
To secure multiple domains with a single SSL/TLS certificate, you need to use a SAN (Subject Alternative Name) in the certificate configuration. A SAN lets you include multiple domains in one certificate, which is ideal when you need to configure HTTPS for several subdomains or for entirely different domain names. Refer to the Configuration Using SAN and DNS section to learn how to configure multiple domains for HTTPS.
Single Domain CSR
A Single Domain CSR is used when you want to secure just one domain with an SSL/TLS certificate. It contains only one Common Name (CN), which corresponds to the domain you want to secure. Refer to Steps to Generate Key and CSR section to generate the CSR file.
After generating the CSR, you need to provide the resulting file to your Certificate Authority (CA) to obtain the corresponding certificate file (.cer).
Note: If you are setting up an OpsHub Integration Manager and configuring the connection with endpoints over mutual TLS (mTLS), the CA that issues your certificate must be trusted by the endpoint, or it must be the same CA that signed the endpoint's certificate.
Once the certificate file (e.g., opshub.cer) is generated by your CA, follow the import steps provided below.
Note: If your CA delivers the certificate in .PEM format instead, refer to the PEM Configuration section for instructions.
Steps to Import Certificate File
Dynamic parameters to update in the commands:
When executing the following commands, you need to replace the dynamic parameters with values specific to your setup:
<OpsHub Installation Path>: Replace this with the actual path where your OpsHub is installed. For example:
C:\Program Files\OpsHub
<myalias>: Replace this with the alias you want to assign to the certificate. This alias helps you reference the certificate in the keystore. For example, use something like: opshub-cert, root
<your-keystore-password>: The default password for the keystore is changeit. If you have changed the keystore password, use the updated password. For example, if you updated the password to newpassword, replace it like this:
-storepass newpassword
Follow these commands based on the certificate provided by your CA:
Command to import a .cer file:
If your CA provided a root certificate or a certificate chain, first import the root certificate and then the actual certificate. Otherwise, import your certificate file only.
Importing the root certificate:
keytool -importcert -alias <root> -keystore <OpsHub Installation Path>\AppData\OpsHubData\cacerts -trustcacerts -file <Path of your Root CER file>
Importing the normal certificate (use the same alias as the key pair created in Steps to Generate Key and CSR, so that keytool installs the signed certificate into that key entry):
keytool -importcert -alias <opshub.com> -keystore <OpsHub Installation Path>\AppData\OpsHubData\cacerts -file <Path of your CER file>
Command to import a .pem file:
Importing .pem file with only a certificate:
If your .pem file contains only the certificate (not the full chain), you can import it directly into the keystore:
keytool -importcert -file <certificate.pem> -keystore "<OpsHub Installation Directory>/AppData/OpsHubData/cacerts" -alias <myalias>
Import the PKCS#12 file into a Java keystore:
Once you have the .p12 file, you can import it into a Java keystore using the keytool command:
keytool -importkeystore -destkeystore "<OpsHub Installation Path>/AppData/OpsHubData/cacerts" -srckeystore <keystore.p12> -srcstoretype PKCS12 -alias <myalias>
Note: Replace keystore.p12 with the path to your PKCS#12 file.
Import the Chain certificate using keytool:
Use the following keytool command to import the chain certificate into the Java keystore:
keytool -importcert -trustcacerts -alias <myalias> -file <chain.pem> -keystore "<OpsHub Installation Path>/AppData/OpsHubData/cacerts" -storepass <your-keystore-password>
Note: Here, replace chain.pem with the name of the .pem file given by the CA. If you have changed the keystore password, use the updated password.
Command to import SAN Certificate:
keytool -importcert -alias <myalias> -keystore <your-keystore-location> -file <path-to-certificate-file> -storepass <your-keystore-password>
After successfully importing the certificate into the keystore, update the server.xml file to use the correct key alias.
The server.xml file is located at:
<OpsHub Installation Path>\OpsHub Server\conf
Change the keyAlias to match the alias you used during the import process.
Restart the Server:
After making the changes, restart the server to apply the new configuration.
Note: To change and encrypt the keystore and private key passwords, refer to the section Change Keystore and Private Key passwords for instructions on how to encrypt and update the passwords in server.xml.
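A mismatch between the keyAlias in server.xml and the alias actually holding the private key is the usual reason the server still serves the old certificate after a restart. The following sh helper, an added example that is not part of the OpsHub documentation, reads the keyAlias attribute from server.xml and checks it against a saved listing of the keystore. It assumes server.xml carries a keyAlias="..." attribute and that the listing was produced with keytool -list -keystore "<OpsHub Installation Path>\AppData\OpsHubData\cacerts" -storepass <your-keystore-password> redirected to a file.

```shell
# Added example (not from the OpsHub documentation): check that the keyAlias in
# server.xml names an entry that really holds a private key in the keystore.

server_xml_key_alias() {
    # $1 = path to server.xml; prints the first keyAlias value (empty if none)
    sed -n 's/.*keyAlias="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

keystore_private_aliases() {
    # $1 = saved output of "keytool -list"; prints one alias per line.
    # Non-verbose keytool -list prints entries as:  <alias>, <date>, PrivateKeyEntry,
    # Imported CA certificates show up as trustedCertEntry and are skipped here,
    # because keyAlias must point at an entry that holds a private key.
    grep 'PrivateKeyEntry' "$1" | cut -d, -f1
}

check_key_alias() {
    # $1 = server.xml, $2 = saved keytool -list output; returns 0 if the alias is usable.
    # keytool aliases are case-insensitive, so both sides are compared in lower case.
    want=$(server_xml_key_alias "$1" | tr 'A-Z' 'a-z')
    if [ -z "$want" ]; then
        echo "server.xml has no keyAlias attribute"
        return 1
    fi
    if keystore_private_aliases "$2" | tr 'A-Z' 'a-z' | grep -qx "$want"; then
        echo "keyAlias '$want' is a PrivateKeyEntry in the keystore: OK"
        return 0
    fi
    echo "keyAlias '$want' is not a PrivateKeyEntry in the keystore: fix server.xml or re-import under this alias"
    return 1
}
```

Run it as check_key_alias "<OpsHub Installation Path>\OpsHub Server\conf\server.xml" listing.txt after saving the keytool -list output to listing.txt.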
Appendix
Renew the Certificate
If the certificates in the keystore have expired, you need to re-import them into the keystore. Refer to the import commands in the Import the Certificate Generated by Certification Authority (CA) section.
Steps to Generate Key and CSR
Following are the steps to import the OpsHub Integration Manager SSL certificate generated by a third-party Certificate Authority (CA).
Note: These steps can be performed once the OpsHub Integration Manager installation has completed successfully with the self-signed SSL configuration.
Stop the running OpsHub Server/OpsHub Server Service.
Take the backup of OpsHubData folder in /AppData/OpsHubData.
Open the command prompt with administrative privileges and, within the command prompt, go to the /AppData/OpsHubData directory.
The following commands should be executed in the given sequence within the command prompt. They create a CSR, obtain a .cer certificate (generated by your CA), and import the certificate on the machine where OpsHub Integration Manager is installed.
keytool -genkeypair -keyalg RSA -alias opshub.com -keysize 2048 -keystore <OpsHub Installation Directory>\AppData\OpsHubData\cacerts
Upon successful execution of the above command, it will prompt you to enter the password for AppData/OpsHubData/cacerts, i.e., the keystore password. Enter the password. The default password for the keystore is 'changeit'.
Note: After entering the password, you will be prompted to fill in the certificate details. For the "first and last name" value it is mandatory to provide the host name of the machine where your OpsHub Integration Manager is installed; otherwise you will not be able to see the signed certificate even after successfully importing it.
keytool -certreq -keyalg RSA -alias opshub.com -file <path of new CSR file> -keystore <OpsHub Installation Path>\AppData\OpsHubData\cacerts
The alias must be the same one used with -genkeypair above (opshub.com in this example), so that the CSR is generated for that key pair. Example of the above command:
keytool -certreq -keyalg RSA -alias opshub.com -file <Installation Dir>\OpsHub_Resources\jre\lib\security\opshub.csr -keystore <OpsHub Installation Dir>\AppData\OpsHubData\cacerts
PEM Configuration
A .pem file is a Base64-encoded format used for cryptographic keys and certificates. It contains private keys, public keys, SSL/TLS certificates, and certificate chains. PEM files are human-readable and are enclosed with markers like "-----BEGIN ...-----" and "-----END ...-----."
Open the .pem file in any text editor to determine the next steps.
Option 1: When you have a private key and certificate:
If the file contains a private key (denoted by -----BEGIN RSA PRIVATE KEY-----) and a certificate (denoted by -----BEGIN CERTIFICATE-----), refer to the Generate .p12 File section for further steps.
Option 2: If you only have a chain of certificates (and no private key):
In this case, the .pem file will typically contain a series of certificates in the chain, including the server certificate and intermediate certificates, but no private key. Follow the import instructions under Import the Chain certificate using keytool in the Steps to Import Certificate File section.
Generate .p12 File
The prerequisite is that OpenSSL must be installed on your device.
If the .pem file provided by your Certificate Authority (CA) contains both a private key and the corresponding certificate in a single file, follow these steps to extract the private key and the certificate.
Extract the private key from the .pem file: To extract the private key from the .pem file, use the following OpenSSL command:
openssl rsa -in full.pem -out privatekey.pem
Extract the certificate from the .pem file: To extract the certificate from the .pem file, use this command:
openssl x509 -in full.pem -out certificate.pem
To combine your private key and certificate into a single PKCS#12 (.p12) file, use the OpenSSL command below. This file format is commonly used for storing both the private key and the certificate together in one file.
Steps to combine private key and certificate:
Ensure you have two separate files:
privatekey.pem (your private key file)
certificate.pem (your certificate file)
Use the following OpenSSL command to create the .p12 file:
Note: Replace 'certificate.pem' with your certificate file and 'privatekey.pem' with your private key file.
openssl pkcs12 -export -in certificate.pem -inkey privatekey.pem -out keystore.p12
The output file keystore.p12 is the combined PKCS#12 file. Use this file to import the certificate using the commands for the .pem file (Import the PKCS#12 file into a Java keystore).
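The "open the .pem file in a text editor" decision in PEM Configuration and the key/certificate extraction in Generate .p12 File can both be scripted from the BEGIN/END markers alone. The sh helper below is an added example, not part of the OpsHub documentation or of OpenSSL: pem_classify reports which option applies, and pem_split copies the private key block and all certificate blocks into the privatekey.pem / certificate.pem pair that the openssl pkcs12 step expects. It needs only grep and awk; the sample file it writes is constructed placeholder text, not a real key or certificate.

```shell
# Added example (not from the OpsHub documentation): classify and split a .pem file.
pem_classify() {
    # $1 = path to a .pem file. Prints: keycert | keyonly | chain | single | none
    # "|| true" keeps grep's exit status 1 (no match) from aborting under set -e.
    keys=$(grep -c -E '^-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1" || true)
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    if [ "$keys" -gt 0 ] && [ "$certs" -gt 0 ]; then echo keycert   # Option 1: Generate .p12 File
    elif [ "$keys" -gt 0 ]; then echo keyonly                        # key without certificate: ask the CA
    elif [ "$certs" -gt 1 ]; then echo chain                         # Option 2: import with -trustcacerts
    elif [ "$certs" -eq 1 ]; then echo single                        # import directly with keytool -importcert
    else echo none                                                   # no usable PEM blocks
    fi
}

pem_split() {
    # $1 = combined .pem, $2 = output private key file, $3 = output certificate file.
    # Each BEGIN/END block is copied verbatim; all certificate blocks go to $3 in order.
    awk -v keyout="$2" -v certout="$3" '
        /^-----BEGIN .*PRIVATE KEY-----/ { out = keyout }
        /^-----BEGIN CERTIFICATE-----/   { out = certout }
        out != ""                        { print > out }
        /^-----END /                     { out = "" }
    ' "$1"
}

pem_demo() {
    # Constructed sample: placeholder base64 between real-looking markers.
    dir=$(mktemp -d)
    cat > "$dir/full.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIga2V5
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgc2VydmVyIGNlcnQ=
-----END CERTIFICATE-----
EOF
    echo "full.pem is: $(pem_classify "$dir/full.pem")"
    pem_split "$dir/full.pem" "$dir/privatekey.pem" "$dir/certificate.pem"
    echo "certificate.pem is: $(pem_classify "$dir/certificate.pem")"
}

pem_demo
```

After pem_split, the two output files are the inputs for openssl pkcs12 -export -in certificate.pem -inkey privatekey.pem -out keystore.p12 as described above.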
Configuration Using SAN and DNS
Generating a Key Pair
To generate a key pair with the RSA algorithm and a keystore:
keytool -genkeypair -alias <your-alias> -keyalg RSA -keysize 2048 -dname "CN=<your-domain>, OU=<your-department>, O=<your-organization>, L=<your-city>, ST=<your-state>, C=<your-country>, emailAddress=<your-email>" -ext "SAN=dns:<your-domain>" -keypass <your-key-password> -keystore <your-keystore-location> -storepass <your-keystore-password>
Parameters:
-alias <your-alias>: The alias for the key pair in the keystore. Choose a descriptive alias to identify the key pair.
-keyalg RSA: Specifies the key algorithm to use. RSA is commonly used for SSL keys.
-keysize 2048: Defines the key size. A key size of 2048 bits is a typical and secure size.
-dname: The Distinguished Name (DN) fields describe the identity associated with the certificate.
  CN: Common Name (domain name).
  OU: Organizational Unit (e.g., department name).
  O: Organization (your company or organization).
  L: Locality (city).
  ST: State.
  C: Country (use the two-letter country code).
  emailAddress: Your email address.
-ext "SAN=dns:<your-domain>": Adds the Subject Alternative Name (SAN) extension to include additional domain names or IP addresses in the certificate.
-keypass <your-key-password>: Password for the private key (used to encrypt the key).
-keystore <your-keystore-location>: Path to the keystore file where the private key and certificate will be stored.
-storepass <your-keystore-password>: Password for the keystore.
Generating a Certificate Signing Request (CSR)
To generate a CSR after creating the key pair:
keytool -certreq -keyalg RSA -alias <your-alias> -file <path-to-output-csr-file> -keystore <your-keystore-location> -ext "SAN=dns:<your-domain>"
Parameters:
-certreq: Specifies that a Certificate Signing Request (CSR) will be generated. This command is used to generate the CSR after the keystore and key pair have been created.
-keyalg RSA: Defines the key algorithm to use. In this case, it is RSA, which is commonly used for SSL/TLS certificates.
-alias <your-alias>: The alias for the key pair in the keystore. The alias is used to identify the key pair in the keystore. Replace <your-alias> with the alias that was used when generating the key pair.
-file <path-to-output-csr-file>: The path and file name where the output CSR will be saved. The CSR file will be submitted to a Certificate Authority (CA) to obtain the SSL certificate.
-keystore <your-keystore-location>: The location of the keystore that contains the private key for which the CSR is being generated.
-ext "SAN=dns:<your-domain>": Specifies the Subject Alternative Name (SAN) extension for the certificate. SAN is used to add additional domain names (e.g., www.example.com) or IP addresses that will be included in the SSL certificate.
For the steps to import the certificate, refer to the Steps to Import Certificate File section.
Configuration for the connection with endpoints over mTLS
mTLS is a method of mutual authentication in which the parties at each end of a network connection authenticate each other with digital certificates.
To authenticate itself, OpsHub Integration Manager sends the certificate signed by the Certificate Authority (CA). This CA must either be trusted by the endpoint or have signed the endpoint certificate configured for mTLS.
Hence, this certificate must be stored in the truststore of OpsHub Integration Manager located at:
<OpsHub Installation Directory>\AppData\OpsHubData\cacerts