
Linux: add a certificate on Gespage

The methods below are examples of how to secure the Gespage user page with a certificate.
You can do this yourself, or our support team can do it for you if you send them your certificate and the private key.


New procedure

Take the certificate and the intermediate certificate in .crt or .pem format.
Open them and place the content of the intermediate certificate under the main certificate; the result should look like this:

-----BEGIN CERTIFICATE-----
xxxxxxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
xxxxxxx
-----END CERTIFICATE-----

On Linux, this bundle can be created with the command below:

cat domaine.crt AddTrustCA.crt > bundle.crt

Check that the certificate in the generated file and the private key have the same modulus, by comparing the MD5 digests printed by the two commands below:

openssl x509 -noout -modulus -in bundle.crt | openssl md5
openssl rsa -noout -modulus -in mydomain.key | openssl md5

You will need to retrieve the file cacerts.jks located in one of the Gespage folders (Windows or Linux).
By default it is in the following folder:
C:\Program Files\GespageCore\server\config

Once it is on your Linux machine, copy the Gespage cacerts.jks into the current folder:

cp /root/Desktop/cacerts.jks .

Import the bundle.crt into the cacerts.jks:

keytool -import -trustcacerts -alias root_alias_name -file bundle.crt -keystore cacerts.jks -storepass changeit

Then validate the certificate.
Combine and convert the certificates and the private key into a .p12 file (PKCS12 format):

openssl pkcs12 -export -in bundle.crt -inkey mydomain.key -out mydomain.p12 -name s1as

Enter the following password: "changeit".
Import the .p12 into a keystore.jks:

keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore mydomain.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias s1as

Finally, place the keystore.jks and the cacerts.jks in the Gespage config folder, then restart the application.
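
The modulus comparison above only applies to RSA keys and only looks at the first certificate in bundle.crt. The script below is an added example, not part of the Gespage procedure, that compares public keys instead and checks that the bundle lists each certificate before its issuer. The function names and the script name check_bundle.sh are assumptions of this example, and it needs the openssl command line tool.

```shell
#!/bin/sh
# Added example: pre-import checks for bundle.crt and mydomain.key.
# Function names are this example's own, not Gespage or OpenSSL names.

# Succeeds when the key's public half equals the public key of the FIRST
# certificate in the bundle. openssl x509 reads only the first PEM block,
# so the server certificate has to come before the intermediate.
# Comparing public keys works for RSA and EC keys alike.
key_matches_bundle() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when every certificate in the bundle is issued by the one that
# follows it (server certificate first, then its intermediate, and so on).
bundle_in_order() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
    openssl pkcs7 -print_certs -noout 2>/dev/null |
    awk '
        /^subject=/ { s = substr($0, 9); if (n > 0 && s != prev) bad = 1; n++ }
        /^issuer=/  { prev = substr($0, 8) }
        END { if (n == 0 || bad) exit 1 }'
}

# Run as: sh check_bundle.sh bundle.crt mydomain.key  (hypothetical script name)
if [ "$#" -eq 2 ]; then
    key_matches_bundle "$1" "$2" || { echo "key does not match first certificate" >&2; exit 1; }
    bundle_in_order "$1" || { echo "bundle is not in leaf-to-issuer order" >&2; exit 1; }
    echo "bundle and key are consistent"
fi
```

Run it before the keytool and pkcs12 steps; a non-zero exit means the bundle or key should be rebuilt before anything is imported.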

----------------------------------------------------------------------------------------------------------------------------------------

Old Procedure

If we only have a pfx file, the following commands must be executed:

- openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
- openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
- openssl rsa -in key.pem -out server.key

If we are provided with a certificate with the .p7b extension that contains the following tag, -----BEGIN PKCS7-----, convert it to PEM with:

openssl pkcs7 -in certificatname.p7b -print_certs -outform PEM -out certificatname.pem

The certificatname.pem file must then be split into certificates and intermediate certificates.

The SVD provides us with the private key, certificate and intermediate certificate in PEM format (readable format):

Private key: corep-printing.u-strasbg.key
Certificate: cert-4286-corep-printing.u-strasbg.pem
Intermediate certificate: chain-4286-corep-printing.u-strasbg.pem

The private key, certificate and intermediate certificate (if provided) must first be converted to DER format:

openssl pkcs8 -topk8 -nocrypt -in corep-printing.u-strasbg.fr.key -inform PEM -out corep-printing.u-strasbg.fr.der -outform DER
openssl x509 -in cert-4286-corep-printing.u-strasbg.fr.pem -inform PEM -out cert-4286-corep-printing.u-strasbg.fr.der -outform DER
openssl x509 -in chain-4286-corep-printing.u-strasbg.fr.pem -inform PEM -out chain-4286-corep-printing.u-strasbg.fr.der -outform DER

A keystore.jks containing the private key must then be generated with the Java program ImportKey.java:

/opt/Gespage/GespageCore/JDK/bin/javac ImportKey.java
java ImportKey corep-printing.u-strasbg.fr.der cert-4286-corep-printing.u-strasbg.fr.der

If you already have a keystore because you created the CSR yourself, run the following command to insert the certificate into the keystore.jks (in general you have to use the s1as alias):

keytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias" 

Import the intermediate certificate to the keystore.jks file:

keytool -import -alias corep-printing.u-strasbg.fr -file chain-4286-corep-printing.u-strasbg.fr.der -keystore /root/keystore.jks  -trustcacerts

The keystore file is generated under /root/keystore.jks. It must be copied under /usr/share/glassfishv3/glassfish/domains/domain1/config. GlassFish must be restarted for it to be taken into account.
A certificate can be converted from .CER to .PEM with openssl using the following command:

openssl x509 -inform der -in certificate.cer -out certificate.pem




