Using the DoD InstallRoot tool to create a trust store


This topic describes how to use the InstallRoot tool to create a trust store that contains all of the U.S. Department of Defense (DoD) certificates needed for PKI authentication with TrueSight Server Automation.  

  1. Go to the Tools section on the IASE PKI site.
  2. Click the Trust Store tab.
  3. Find the link to download the latest version of the InstallRoot tool, for example, 4.0.
  4. Download the installer that is appropriate for the platform you are using.
  5. Double-click the downloaded file to start the installation process.
  6. On the Welcome screen, click Next.
  7. Specify the directory in which you want to install the tool, and click Next.
  8. On the InstallRoot Features screen, click Next.
  9. On the next screen, click Install.
  10. After the installation is finished, click Run InstallRoot.
  11. Expand DoD.

    Note

    For testing purposes, use the JITC certificates instead of the DoD ones.

  12. Press Shift and select the list of certificates.
  13. Click the Certificate tab, and then click PEM.
  14. In the Export dialog box, specify the location in which you want to save the exported files.
  15. From the command line, navigate to the directory in which you saved the exported files. The directory contains one .cer file per exported certificate.
  16. In NSH or another shell, use a simple for loop to import the exported certificates into a new trust store, as follows. This import process assumes that the path to keytool (which is part of the JRE installation) is included in the PATH environment variable. If it is not, specify the full path to keytool.

    # one trustedCertEntry per exported .cer file, aliased by the file name without its extension
    for file in *.cer
    do
      keytool -importcert -noprompt -file "${file}" -alias "${file%.*}" \
          -keystore DoDRoot.jks -storepass <password> -keypass <password>
    done

    -keystore identifies the trust store file you are setting up (keytool creates it on the first import if it does not exist), and -storepass provides the password for accessing the trust store.

    Tip

    As an alternative to using Network Shell, you can use a Windows batch script, such as the following example script (shown here with the keytool.exe path from a BladeLogic Portal JVM installation; adjust it to your JRE):

    @ECHO OFF
    for /r %%f in (*.cer) do (
        "D:\Program Files\BMC Software\BladeLogicPortal\BladeLogicPortalInstallJVM18\bin\keytool.exe" -importcert -noprompt -file "%%f" -alias "%%~nf" -keystore DoDRoot.jks -storepass "<password>" -keypass "<password>"
    )

  17. Verify that the certificates were imported to the trust store, as follows.

    $ keytool -list -keystore DoDRoot.jks -storepass <password>
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 26 entries
    dod_root_ca_2__4c__dod_ca-21, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): AC:2A:DD:57:01:0A:71:9A:8B:3D:09:BD:CF:FD:9A:66:35:CF:45:FC
    us_dod_cceb_interoperability_root_ca_1__4e__dod_root_ca_2, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 7D:A8:E8:42:96:EE:23:88:18:EE:42:72:87:77:45:08:B2:6D:09:4A
    dod_root_ca_2__01b9__dod_email_ca-30, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 44:F7:8C:98:37:19:29:1E:CB:87:70:09:40:68:DA:84:1D:AC:85:45
    dod_root_ca_2__01b5__dod_ca-30, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): BC:AB:48:78:BA:72:DC:43:5B:20:86:02:E8:BB:76:9D:08:E1:A9:0E
    dod_root_ca_2__01b2__dod_ca-27, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): CE:D0:0D:53:66:8B:58:7E:7B:6B:A6:E1:3C:05:1D:1B:59:C2:5E:6B
    dod_root_ca_2__50__dod_ca-26, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 93:61:47:63:51:54:C9:9E:50:42:D2:B3:B5:AC:B6:5A:E2:38:91:1E
    dod_root_ca_2__01b8__dod_email_ca-29, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 81:0B:FB:48:C1:AF:A8:E3:C5:FF:7D:50:B3:28:57:6A:5E:BF:9E:29
    dod_root_ca_2__46__dod_email_ca-22, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 82:0E:3A:FF:52:CF:FA:50:A2:50:8C:BD:FD:60:92:24:82:EE:E5:2F
    dod_root_ca_2__01b7__dod_email_ca-28, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 38:CA:D5:1F:D6:03:E4:50:BC:66:CD:8B:C1:52:FB:CE:35:44:C7:A4
    dod_root_ca_2__01b3__dod_ca-28, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): F0:26:B3:B7:86:6E:4D:EC:FE:5C:3E:C1:5C:60:AC:6C:A1:24:61:1C
    dod_root_ca_2__039f__dod_email_ca-31, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 8C:41:53:A8:95:CE:01:1A:E1:31:1F:C7:E0:71:4C:BA:86:D7:1A:3E
    dod_root_ca_2__4e__dod_ca-25, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): D6:2E:D2:E2:28:AA:62:00:1E:5C:1B:51:DA:DF:AB:04:75:37:0C:C0
    dod_root_ca_2__01b4__dod_ca-29, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 4E:9B:43:6D:B4:F0:90:AD:3D:9E:6E:00:AE:DF:44:48:1C:AA:B7:6F
    dod_root_ca_2__49__dod_email_ca-23, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 64:45:2B:65:70:60:3C:48:97:CC:AD:C0:78:D0:78:D9:C1:47:E0:D7
    dod_root_ca_2__03a2__dod_email_ca-32, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 60:75:8C:59:72:01:93:EB:45:72:5C:AB:34:E8:F8:DE:5C:C5:B5:FD
    dod_root_ca_2__47__dod_ca-24, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 49:3C:BA:AF:16:2F:73:3F:55:13:DC:94:02:67:10:E6:A2:08:0F:E4
    dod_root_ca_2__039d__dod_ca-31, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 07:A2:9B:87:8A:0D:C9:C3:F9:79:B9:8B:92:E4:0D:DD:33:9C:F0:87
    dod_root_ca_2__4f__dod_email_ca-25, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 2A:AA:05:6E:C6:2C:38:59:65:90:EE:0D:63:12:81:8F:8A:D7:CB:C8
    dod_root_ca_2__51__dod_email_ca-26, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 8F:D4:3C:F4:C9:FD:D6:90:2C:59:56:FF:05:4B:5D:2B:06:56:FA:48
    dod_root_ca_2__05__dod_root_ca_2, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 8C:94:1B:34:EA:1E:A6:ED:9A:E2:BC:54:CF:68:72:52:B4:C9:B5:61
    dod_root_ca_2__03a1__dod_ca-32, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 2C:3C:9B:8B:2D:9B:D4:29:DF:DE:BB:80:E9:07:E8:A2:E6:A1:AE:40
    dod_root_ca_2__4a__dod_email_ca-21, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 0E:24:EC:07:9C:38:85:CC:51:62:75:F5:3C:CE:BE:EF:AC:CC:25:60
    dod_root_ca_2__45__dod_email_ca-24, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): C3:B0:72:97:7A:A0:82:A0:1C:24:63:56:5E:9E:A5:89:BA:AA:C5:E5
    dod_root_ca_2__48__dod_ca-22, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): F5:B0:92:42:14:6F:07:1C:4F:C9:DA:F4:CD:87:07:10:08:68:13:B5
    dod_root_ca_2__4b__dod_ca-23, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 92:5E:C8:C4:C7:83:38:DA:1E:B2:C5:68:8A:FB:A7:5F:5F:83:BE:EE
    dod_root_ca_2__01b6__dod_email_ca-27, Oct 20, 2014, trustedCertEntry,
    Certificate fingerprint (SHA1): 6F:EE:67:34:5F:F6:26:5F:13:37:00:AC:00:1A:51:F0:01:3B:47:7D
  18. Use this trust store when configuring PKI authentication.
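The verification in step 17 only confirms that something was imported; a practitioner also wants to confirm that the entries in DoDRoot.jks are the expected certificates, by comparing each alias's fingerprint against a list obtained independently of the store being checked (for example, the fingerprints DoD publishes alongside the certificates). The following Python script is an added example written for this page; it is not part of InstallRoot or of TrueSight Server Automation. It wraps the step 16 import loop (building keytool's argument list directly so that file names with spaces need no shell quoting), parses `keytool -list` output in the format shown above, and reports missing, mismatched and unexpected entries. The sample listing and the expected-fingerprint map are constructed from three entries of the verification output shown above; the function names, the `SHA-256` spelling accepted by the fingerprint regex for newer keytool releases, and the keystore path and password taken from the command line are assumptions for the example.

```python
"""Import exported DoD PEM certificates into a JKS trust store and verify the result.

Hypothetical helper written for this page; it is not part of InstallRoot or of
TrueSight Server Automation. The import/list functions assume keytool is on PATH;
the parsing and comparison functions work offline on captured keytool output.
"""
import re
import shutil
import subprocess
import sys
from pathlib import Path

# "alias, <date>, trustedCertEntry," as printed by `keytool -list`
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+),.*\b(?P<kind>trustedCertEntry|PrivateKeyEntry|SecretKeyEntry),?\s*$"
)
# Older keytool prints SHA1, newer prints SHA-256; accept both spellings (assumption)
FINGERPRINT_RE = re.compile(r"Certificate fingerprint \((SHA-?1|SHA-?256)\):\s*([0-9A-Fa-f:]+)")
COUNT_RE = re.compile(r"keystore contains (\d+) entr")


def alias_for(cert_path):
    """Alias derived from the file name without its extension, like ${file%.*} in the NSH loop."""
    return Path(cert_path).stem


def import_command(cert_path, keystore, storepass, keytool="keytool"):
    """argv for one keytool import. A list (not a shell string) keeps file names with spaces intact."""
    return [keytool, "-importcert", "-noprompt",
            "-file", str(cert_path), "-alias", alias_for(cert_path),
            "-keystore", str(keystore), "-storepass", storepass]


def import_all(cert_dir, keystore, storepass, keytool="keytool"):
    """Import every *.cer in cert_dir into keystore; stops on the first keytool failure."""
    imported = []
    for cert in sorted(Path(cert_dir).glob("*.cer")):
        subprocess.run(import_command(cert, keystore, storepass, keytool), check=True)
        imported.append(alias_for(cert))
    return imported


def parse_keytool_list(text):
    """Parse `keytool -list` output into (declared_count, {alias: FINGERPRINT})."""
    entries, alias, declared = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT_RE.search(line)
        if m:
            declared = int(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if m:
            alias = m.group("alias").strip()   # the fingerprint follows on the next line
            continue
        m = FINGERPRINT_RE.search(line)
        if m and alias is not None:
            entries[alias] = m.group(2).upper()
            alias = None
    return declared, entries


def verify_trust_store(list_output, expected):
    """Compare a trust store listing against an independently obtained {alias: fingerprint} map."""
    declared, entries = parse_keytool_list(list_output)
    expected = {a: fp.upper() for a, fp in expected.items()}
    report = {
        "missing": sorted(a for a in expected if a not in entries),
        "mismatched": sorted(a for a in expected if a in entries and entries[a] != expected[a]),
        "unexpected": sorted(a for a in entries if a not in expected),
        "count_ok": declared is None or declared == len(entries),
    }
    report["ok"] = bool(report["count_ok"] and not (report["missing"] or report["mismatched"] or report["unexpected"]))
    return report


def list_keystore(keystore, storepass, keytool="keytool"):
    """Run `keytool -list` and return its stdout."""
    return subprocess.run([keytool, "-list", "-keystore", str(keystore), "-storepass", storepass],
                          check=True, capture_output=True, text=True).stdout


# Constructed sample: three entries copied from the verification output shown in step 17
SAMPLE_LIST_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
dod_root_ca_2__4c__dod_ca-21, Oct 20, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): AC:2A:DD:57:01:0A:71:9A:8B:3D:09:BD:CF:FD:9A:66:35:CF:45:FC
us_dod_cceb_interoperability_root_ca_1__4e__dod_root_ca_2, Oct 20, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): 7D:A8:E8:42:96:EE:23:88:18:EE:42:72:87:77:45:08:B2:6D:09:4A
dod_root_ca_2__05__dod_root_ca_2, Oct 20, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): 8C:94:1B:34:EA:1E:A6:ED:9A:E2:BC:54:CF:68:72:52:B4:C9:B5:61
"""

# In production, take these values from the DoD-published fingerprint list, never from the store being checked
EXPECTED_FINGERPRINTS = {
    "dod_root_ca_2__4c__dod_ca-21": "AC:2A:DD:57:01:0A:71:9A:8B:3D:09:BD:CF:FD:9A:66:35:CF:45:FC",
    "us_dod_cceb_interoperability_root_ca_1__4e__dod_root_ca_2": "7D:A8:E8:42:96:EE:23:88:18:EE:42:72:87:77:45:08:B2:6D:09:4A",
    "dod_root_ca_2__05__dod_root_ca_2": "8C:94:1B:34:EA:1E:A6:ED:9A:E2:BC:54:CF:68:72:52:B4:C9:B5:61",
}

if __name__ == "__main__":
    if len(sys.argv) == 3 and shutil.which("keytool"):
        output = list_keystore(sys.argv[1], sys.argv[2])   # usage: script.py DoDRoot.jks <password>
    else:
        output = SAMPLE_LIST_OUTPUT                         # offline demo on the constructed sample
    print(verify_trust_store(output, EXPECTED_FINGERPRINTS))
```

Run with no arguments to see the report for the constructed sample, or as `python script.py DoDRoot.jks <password>` against a real store. A non-empty `mismatched` list means an alias exists but its certificate is not the one you expected, which is the case worth investigating before the store is used for PKI authentication; `unexpected` catches extra entries that were never meant to be trusted.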
