
Exporting the CA certificate of an SSL Server Authentication certificate from the browser

To export the root or issuing CA certificate of an SSL Server Authentication certificate from the browser, follow these steps (the dialog names are those of the Windows certificate viewer used by Internet Explorer, Edge and Chrome on Windows):

  1. Open the HTTPS link in the browser.
  2. Click the lock icon at the left-hand side of the address bar.
  3. Click the certificate option in the drop-down menu.
  4. Select Certification Path, select the root or issuing CA in the path, then click View Certificate.
  5. Select Details -> Copy to File.
  6. Select "DER encoded binary X.509 (.CER)" as the export format.
  7. Select Next -> Browse (enter the name and location where the certificate should be saved) -> Finish.
  8. The certificate is exported and saved to the specified location.

The steps above are illustrated in the image below:

 

The following link describes how to add the issuing CA of the SSL Server Authentication certificate in Trust Manager:

http://manuals.ascertia.com/ADSS-Admin-Guide/default.aspx#pageid=trust_manager3
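Before the exported file is added to Trust Manager or to a client trust store, confirm that it really is the CA shown in the browser by comparing its fingerprint (the Windows dialog calls it Thumbprint; keytool prints SHA1 and SHA256 fingerprints) with the value displayed in the certificate viewer. The Python script below is an added example and is not part of the ADSS Server documentation or product: it accepts the DER file written by step 6 (or a PEM file), checks that the outer DER length header matches the file size, prints the fingerprints in keytool's colon-separated form, and converts DER to PEM for tools that do not accept DER. The file name and expected fingerprint given on the command line are placeholders.

```python
"""Sanity-check an exported CA certificate file before trusting it.

Added example; not ADSS Server code.  Works with the DER (.cer) file the
browser export produces as well as with PEM files.
"""
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_declared_length(data: bytes) -> int:
    """Return the total length (header + content) the outer DER SEQUENCE declares.

    An X.509 Certificate is a SEQUENCE (tag 0x30).  The length is either short
    form (one byte below 0x80) or long form (0x80 | number of length bytes).
    """
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER certificate: outer tag is not SEQUENCE")
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(data) < 2 + n:
        raise ValueError("invalid DER length encoding")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def to_der(data: bytes) -> bytes:
    """Accept PEM or DER input and return the DER bytes of the first certificate."""
    m = PEM_BLOCK.search(data)
    if m:
        der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    else:
        der = data
    declared = der_declared_length(der)
    if declared != len(der):
        raise ValueError(f"DER declares {declared} bytes but file holds {len(der)}: "
                         "truncated export or trailing data")
    return der


def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate with the conventional 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Fingerprint in keytool's colon-separated upper-case hex form, e.g. 'AB:CD:...'."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text: str) -> str:
    """Strip the separators different tools use so fingerprints can be compared.

    Windows shows a lower-case thumbprint without colons; keytool and OpenSSL
    show upper-case hex separated by colons.
    """
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def fingerprint_matches(der: bytes, expected: str) -> bool:
    """True if expected equals the SHA-1 or SHA-256 fingerprint of der."""
    want = normalize_fingerprint(expected)
    return any(normalize_fingerprint(fingerprint(der, a)) == want for a in ("sha1", "sha256"))


if __name__ == "__main__":
    # Usage: python check_ca.py <exported-ca.cer> [expected-fingerprint]
    with open(sys.argv[1], "rb") as f:
        cert = to_der(f.read())
    print("SHA1:  ", fingerprint(cert, "sha1"))
    print("SHA256:", fingerprint(cert))
    if len(sys.argv) > 2:
        ok = fingerprint_matches(cert, sys.argv[2])
        print("fingerprint matches" if ok else "FINGERPRINT MISMATCH: do not trust this file")
        sys.exit(0 if ok else 1)
```

The length check catches the common failure of an export that was cut short or of a PEM file with a second certificate appended; keytool would otherwise report an unhelpful parse error. Only a fingerprint that was read out of band (the browser dialog, or the CA operator) is worth comparing against; a fingerprint printed from the same file proves nothing.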

How to replace the default ADSS SSL Server Authentication Certificate with a production certificate?

Create a new SSL server key to replace the default key. The key can be held either in the ADSS Server software crypto module or in a connected HSM. Click here to learn how to create a new key. Then follow these steps:

  1. Generate a new key pair with purpose "SSL Server Authentication" from Key Manager > Service Keys by clicking the New button.
  2. On the Key Manager > Service Keys > Certificates page select "Create CSR/Certificate" to create either a self-signed certificate or a PKCS#10 request for a certificate issued by a local or external CA. A CA-issued certificate is preferable: a self-signed certificate has to be trusted individually on every client, whereas for a CA-issued certificate it is enough to trust the issuing CA, and a certificate from a public CA is trusted by default.

    While filling in the certificate details, use the host name (or IP address) that clients will put in the ADSS Server URL as the common name of the new certificate and also in the Subject Alternative Name extension, as a dNSName entry (or an iPAddress entry for an IP address). Browsers and Java clients validate the host against the SAN; a common name alone is not sufficient, and an IP address is only accepted from an iPAddress SAN entry.

  3. Export this SSL Server Authentication certificate if it has to be trusted on the client or operator machines. Click here to learn how to export a certificate file out of ADSS Server.
  4. Go to the Global Settings > System Certificates page and replace the default SSL Server Authentication certificate with the newly created certificate.
  5. If the new SSL Server Authentication certificate/key resides on an HSM connected to the ADSS Server, follow the additional instructions listed here.
  6. Restart the ADSS Server Windows service or Unix daemon for the changes to take effect.
  7. Once the new certificate is confirmed to be in use after the restart, you can additionally delete the default_ssl_server_key from the Key Manager > Service Keys module if it is no longer needed.

How to delete the Temporary Root CA or ADSS Default Root CA?

  1. Replace the default_ssl_server_key. Click here for more details.
  2. Go to Verification Service > Verification Profiles, edit each profile > Trust Anchor Settings and remove the Temporary Root CA or ADSS Default Root CA. If this service is not licensed, run the following query on your database:

  3. Go to XKMS Service > XKMS Profiles, edit each profile > Trust Anchor Settings and remove the Temporary Root CA or ADSS Default Root CA. If this service is not licensed, run the following query on your database:

  4. Go to SCVP Service > SCVP Policies, edit each policy > Trust Anchor Settings and remove the Temporary Root CA or ADSS Default Root CA. If this service is not licensed, run the following query on your database:

  5. Go to OCSP Service > Registered CAs and remove the Temporary Root CA or ADSS Default Root CA. If this service is not licensed, run the following query on your database:

  6. Go to Trust Manager and delete the Temporary Root CA, ADSS Default Root CA and/or ADSS Samples Test CA (configured local CA). Trust Manager refuses the deletion while any service still references the CA, which is why the preceding steps come first.

Steps for TLS client authentication with ADSS Services

Follow these steps for a successful SSL/TLS handshake with client certificate authentication:

ADSS Server Settings:

  1. The SSL Server Authentication certificate configured in ADSS Server must include the machine name, domain name or IP address under which clients reach the ADSS Server deployment, in the certificate's common name and in the Subject Alternative Name extension (as dNSName for host names, as iPAddress for IP addresses; list every name clients use). Browsers and Java clients check the SAN and do not fall back to the common name when a SAN is present.

  2. Register the issuer CA of the SSL client authentication certificate in Trust Manager with the purpose "CA for verifying SSL client certificates".

  3. Go to the Client Manager screen, edit the relevant client, register the SSL client authentication certificate under the General section and save the settings.

  4. Restart the ADSS Server Core, Console and Service instances (Windows services or Unix daemons) for the changes to take effect.

Client Side Settings:

  1. The issuer CA of the ADSS Server SSL Server Authentication certificate must be registered in the client application's trust store, e.g. in the JRE trust store or in the Windows certificate store used by IIS.

Java based applications:

Follow these steps to register the issuer CA of the ADSS Server SSL Server Authentication certificate in the JRE trust store. The AFP/SES Server keeps its trusted CAs in the file jssecacerts; when this file exists, the JRE uses it instead of the default cacerts file.

    • Using the GUI based SSL Trust Manager utility shipped with the AFP/SES Server:
      • Go to the location [AFP/SES Installation Directory]/ssl/
      • Launch the bat/sh file ssl_trust_manager
      • Add the issuer CA of the SSL Server Authentication certificate
      • Close the window
      • Restart the AFP/SES Server from Windows services or Unix daemons for the changes to take effect.
    • Using the headless keytool utility built into Java:
      • Stop the AFP/SES Server from Windows services or Unix daemons.
      • Open a command prompt window
      • Navigate to the location [AFP/SES Installation Directory]/jre/bin/
      • Run the following commands as required (correct the paths given for -keystore and -file, and replace "password" with the password of your jssecacerts file):
        • To view the keystore entries:
          keytool -list -v -keystore [AFP/SES Installation Directory]\jre\lib\security\jssecacerts -storepass password

        • To add the CA certificate to the keystore (keytool displays the certificate's fingerprint and asks for confirmation; compare it with the issuer shown in the browser before answering yes):
          keytool -importcert -trustcacerts -alias SSLIssuerCA -file [File path of CA Certificate] -keystore [AFP/SES Installation Directory]\jre\lib\security\jssecacerts -storepass password

        • To delete the CA certificate from the keystore (use the alias given at import time):
          keytool -delete -alias SSLIssuerCA -keystore [AFP/SES Installation Directory]\jre\lib\security\jssecacerts -storepass password

      • Restart the AFP/SES Server from Windows services or Unix daemons for the changes to take effect.

.NET based applications:

Follow these steps to register the issuer CA of the ADSS Server SSL Server Authentication certificate in the Windows certificate store for a .NET based client application (use the Computer account store so that services such as IIS application pools, which do not run under the interactive user, see the CA):

    • Start -> Run, type mmc
    • In the console, click File in the menu bar and select Add/Remove Snap-in
    • In the dialog that opens, select Certificates in the left pane and press the Add button
    • Select Computer account in the dialog that opens and click Next
    • Click Finish and then OK to close the dialog
    • In the left pane under Certificates, select Trusted Root Certification Authorities > Certificates and import the root CA of the ADSS Server SSL Server Authentication certificate there (All Tasks > Import). If the certificate was issued by an intermediate CA, import the intermediate CA under Intermediate Certification Authorities and its root under Trusted Root Certification Authorities.
  2. The ADSS Server URL used by the client application must use the same machine name, domain name or IP address that is given in the common name or SAN of the ADSS Server SSL Server Authentication certificate; otherwise the client rejects the handshake even though the CA is trusted.
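The check behind the server-side name requirement above and this client-side URL rule is the hostname verification that browsers and Java's HttpsURLConnection apply to the SSL Server Authentication certificate. The Python code below is an added example, not ADSS Server or Ascertia code: given the URL a client will use and the names read from the certificate (from the browser's Details tab or keytool -printcert), it reports whether the name check of the handshake will pass, applying the rules current clients use: an IP literal matches only an iPAddress SAN entry, a DNS name matches dNSName entries (a wildcard only as the whole leftmost label), and the common name is consulted only when the certificate carries no dNSName SAN at all (Chrome has ignored the common name entirely since version 58). The host names, addresses and port in the usage section are constructed.

```python
"""Hostname verification for an ADSS Server SSL Server Authentication certificate.

Added example; not ADSS Server code.  Mirrors the RFC 6125 style matching
performed by browsers and by Java's default HostnameVerifier.
"""
import ipaddress
from typing import Optional, Sequence, Tuple
from urllib.parse import urlsplit


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match a dNSName or CN pattern against a host name.

    Comparison is case-insensitive.  A wildcard is accepted only as the entire
    leftmost label and matches exactly one label, so *.example.com matches
    adss.example.com but neither example.com nor a.b.example.com.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False                      # partial-label or multiple wildcards
    suffix = pattern[1:]                  # ".example.com"
    if suffix.count(".") < 2:
        return False                      # refuse *.com style wildcards
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def check_server_name(url: str, common_name: Optional[str] = None,
                      san_dns: Sequence[str] = (), san_ip: Sequence[str] = ()) -> Tuple[bool, str]:
    """Decide whether the host in url is covered by the certificate's names.

    Returns (ok, reason); the reason says which rule decided the outcome.
    """
    host = urlsplit(url).hostname         # lower-cased, IPv6 brackets removed
    if not host:
        return False, "URL has no host component"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is matched only against iPAddress SAN entries; an IP
        # placed in the CN or in a dNSName entry is ignored by browsers and Java.
        for entry in san_ip:
            if ipaddress.ip_address(entry) == ip:
                return True, f"iPAddress SAN {entry} matches {host}"
        return False, f"{host} is an IP literal and no iPAddress SAN matches it"
    if san_dns:
        for pattern in san_dns:
            if dns_name_matches(pattern, host):
                return True, f"dNSName SAN {pattern} matches {host}"
        return False, f"no dNSName SAN matches {host} (CN is ignored once a dNSName SAN exists)"
    if common_name and dns_name_matches(common_name, host):
        return True, f"CN {common_name} matches {host} (legacy fallback; Chrome rejects CN-only certificates)"
    return False, f"no certificate name matches {host}"


if __name__ == "__main__":
    # Constructed certificate names and URLs for illustration only.
    cn = "adss.example.com"
    dns = ["adss.example.com", "*.internal.example.com"]
    ips = ["10.0.0.5"]
    for url in ("https://adss.example.com:8777/adss/service",
                "https://10.0.0.5:8777/adss/service",
                "https://10.0.0.6:8777/adss/service",
                "https://sign.internal.example.com/",
                "https://a.b.internal.example.com/"):
        ok, why = check_server_name(url, cn, dns, ips)
        print("PASS" if ok else "FAIL", url, "-", why)
```

Run it once for every URL form the clients will use (short host name, fully qualified name, IP address, load-balancer name) before the certificate request is submitted; a name missing from the SAN list cannot be fixed without issuing a new certificate.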
