Importing a certificate from a certification authority

A certificate is more likely to be trusted by others if it is signed by a certification authority (CA) than if it is not. Obtaining and importing a certificate from a CA require that you complete the following steps:

  1. Generate a certificate signing request (CSR).
  2. Import the certificate from the CA.
  3. If the CA returns a chain of certificates, replace the self-signed certificate with the certificate chain.

You must replace your self-signed certificate with a certificate chain in which each certificate in the chain authenticates the public key of the signer of the previous certificate in the chain, up to a root CA.

Note

BMC Atrium Orchestrator and BMC authentication services are SHA-2 compliant.

Before you import the certificate reply from a CA, you need one or more trusted certificates in your keystore or in the cacerts keystore file:

  • If the certificate reply is a certificate chain, you need only the top certificate of the chain, which is the root CA certificate authenticating the CA's public key.
  • If the certificate reply is a single certificate, you need a certificate for the issuing CA (the one that signed the certificate). If that certificate is not self-signed, you must obtain a certificate for its signer up to a self-signed CA certificate.

Note

Because the cacerts keystore file ships with five VeriSign root CA certificates, you might not need to import a VeriSign certificate as a trusted certificate in your keystore. However, if you request a signed certificate from a different CA, and no certificate authenticating that CA's public key is already in cacerts, you must import such a certificate as a trusted certificate. That certificate is either self-signed or signed by another CA (in which case you also need a certificate authenticating that other CA's public key). For example, suppose the Calbro Services company is a CA, and you obtain a file named Calbro.cer that is a self-signed certificate from Calbro Services, authenticating that CA's public key.

Warning

Ensure the certificate is valid before importing it as a trusted certificate. View it first using the keytool -printcert command, or the keytool -importcert command without the -noprompt option, and verify that the displayed certificate fingerprints match the fingerprints you obtained from the CA through a separate channel. Only if the fingerprints match exactly can you be confident that the certificate was not altered in transit.

After you import a certificate authenticating the public key of the CA to which you submitted your certificate signing request, or after there is a certificate in the cacerts file, you can import the certificate reply and replace your self-signed certificate with a certificate chain:

  • If the CA reply was a chain, this chain is the one returned by the CA in response to your request.
  • If the CA reply was a single certificate, this chain is the certificate chain constructed using the certificate reply and the trusted certificates that are available in the keystore where you import the reply or in the cacerts keystore file.

To generate a CSR

To generate a CSR, follow the instructions provided by the CA you are using. The process varies depending on the CA.

The CA authenticates the requestor and returns a signed certificate, authenticating your public key.

Note

In some cases, the CA might return a chain of certificates, each one authenticating the public key of the signer of the previous certificate in the chain.

To import the certificate from the CA

From a command prompt, type the following command:

keytool -importcert -alias aliasName -file fileName.cer

For example:
keytool -importcert -alias bao -file BMCAtriumOrchestrator.cer

This command creates a trusted certificate entry in the keystore using the data from the file BMCAtriumOrchestrator.cer, and assigns the alias bao to the entry.

Note

For BMC Atrium Orchestrator, keytool is available in the AO_HOME/jvm/bin directory.

To replace a self-signed certificate with a certificate chain

From a command prompt, type the following command:
keytool -importcert -trustcacerts -file fileName.cer

For example:
keytool -importcert -trustcacerts -file VSCalbro.cer

Suppose you sent your certificate signing request to VeriSign and the returned certificate is named VSCalbro.cer. The preceding command imports that reply and replaces your self-signed certificate with the resulting certificate chain.
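The warning above asks for a fingerprint check before a CA certificate is trusted. The following script, added here as an example and not part of the BMC documentation, wraps that check and the reply import. It assumes keytool is on PATH, that KEYSTORE and STOREPASS are set by the caller, and that the key-pair alias passed to import_ca_reply is the one whose key pair generated the CSR.

```bash
#!/usr/bin/env bash
# Example script (not from the BMC page): verify a CA certificate's fingerprint
# before importing it as a trusted entry, then import the CA reply into the
# key-pair entry that produced the CSR. Assumes keytool on PATH and that
# KEYSTORE and STOREPASS are exported by the caller.
set -eu

# Print the SHA-256 fingerprint found in `keytool -printcert` output read from stdin
# (a line such as "	 SHA256: AB:CD:..."); prints nothing if the line is absent.
fingerprint_from_printcert() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Compare two fingerprints, ignoring case and colon separators.
# An empty fingerprint never matches, so a missing SHA256 line blocks the import.
fingerprints_match() {
    local a b
    a=$(printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]')
    b=$(printf '%s' "$2" | tr -d ':' | tr '[:lower:]' '[:upper:]')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Import CA_FILE as trusted entry ALIAS only if its SHA-256 fingerprint equals
# EXPECTED, which you obtained from the CA out of band. Refuses otherwise.
import_trusted_ca() {
    local ca_file=$1 alias=$2 expected=$3 actual
    actual=$(keytool -printcert -file "$ca_file" | fingerprint_from_printcert)
    if ! fingerprints_match "$actual" "$expected"; then
        echo "refusing to import $ca_file: fingerprint '$actual' != expected '$expected'" >&2
        return 1
    fi
    keytool -importcert -noprompt -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias "$alias" -file "$ca_file"
}

# Import the CA reply into the key-pair entry KEY_ALIAS (the alias used for the CSR).
# -trustcacerts lets keytool build the chain from cacerts as well as the keystore.
import_ca_reply() {
    local reply_file=$1 key_alias=$2
    keytool -importcert -trustcacerts -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias "$key_alias" -file "$reply_file"
}
```

Typical use is `import_trusted_ca Calbro.cer calbro "<expected SHA-256>"` followed by `import_ca_reply VSCalbro.cer <key alias>`; if the fingerprint check fails, nothing is written to the keystore.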