Setting up a trust store for PKI authentication


This topic provides instructions for importing a certificate authority (CA) certificate into a trust store and then making that trust store available to the Authentication Server, so that the server can validate the certificates presented from smart cards.

Note

The Application Server only reads its certificate store when it starts up. If you change the certificate trust store, be sure to restart the Application Server.

To set up a trust store for PKI authentication

  1. If you have not already done so, obtain the certificate of the certificate authority that issued the certificates on the smart card. Import the issuing CA (and, if the smart card certificates are issued by a subordinate CA, the rest of the chain up to the root), not an individual user certificate.
  2. Import the certificate into a trust store file on the Authentication Server.
    Many methods exist for importing a certificate. One approach is to use Java's keytool utility, which is available on any machine where the Authentication Server is installed. For example, to import a certificate with the Authentication Server's own copy of keytool, you might enter a command like the following:
    <installDirectory>/jre/bin/keytool -import -keystore PkiTruststore.jks -storepass ****** -file CA_CERT.cer
    where -keystore identifies the trust store you are setting up (keytool creates the file if it does not exist), -storepass provides the password for accessing the trust store (needed later in step 5), and -file identifies the certificate you are importing. If you omit -storepass, keytool prompts for the password instead of recording it in your shell history. Choose the store format deliberately: newer Java releases create PKCS12 stores by default unless you pass -storetype JKS, and the format must match the type you set in step 6.
  3. On the Authentication Server, start the Application Server Administration console (that is, the blasadmin utility).
  4. Make the trust store available to the Authentication Server by entering the following command:
    set PkiAuth TruststorePathname <certificateStore>
    where <certificateStore> is the local path to the trust store.
  5. Provide the password needed to open the trust store (the -storepass value from step 2) by entering the following command:
    set PkiAuth TruststorePassword ******
    Enter the password in clear text. The Application Server Administration console stores and displays the password in encoded form.
  6. Specify the type of trust store by entering the following command:
    set PkiAuth TruststoreType <trustStoreType>
    In this command <trustStoreType> can be either of the following:
    • jks — Trust store uses the JKS format.
    • pkcs12 — Trust store uses the PKCS12 format.
  7. Restart the Application Server.
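The whole procedure as one script, added here as an example rather than taken from the BMC documentation. It assumes keytool is on the PATH or named by the KEYTOOL variable (the docs use <installDirectory>/jre/bin/keytool), picks the hypothetical alias smartcard-ca for the imported CA, and adds a check that is mine, not BladeLogic's: before printing the blasadmin commands it reads the trust store header to confirm the file really is in the format that TruststoreType claims (JKS stores begin with the magic bytes FE ED FE ED; a PKCS12 store is DER and begins with 0x30). The script prints the "set PkiAuth" commands for you to paste into blasadmin; it does not drive the console itself.

```shell
#!/bin/sh
# Added example, not part of the BMC documentation. Assumed names:
#   KEYTOOL      - path to keytool (the docs use <installDirectory>/jre/bin/keytool)
#   smartcard-ca - alias chosen here for the imported CA certificate
set -eu

KEYTOOL=${KEYTOOL:-keytool}

# detect_store_type FILE: print jks, pkcs12 or unknown from the file header.
# A JKS store starts with the magic bytes FE ED FE ED; a PKCS12 store is a
# DER-encoded PFX SEQUENCE and so starts with tag 0x30.
detect_store_type() {
  dst_magic=$(od -A n -t x1 -N 4 "$1" | tr -d ' \n')
  case "$dst_magic" in
    feedfeed) echo jks ;;
    30*)      echo pkcs12 ;;
    *)        echo unknown ;;
  esac
}

# build_truststore CA_CERT STORE PASSWORD: step 2 of the procedure.
# -storetype JKS is explicit because JDK 9+ creates PKCS12 stores by default,
# which would contradict the TruststoreType set in step 6.
build_truststore() {
  "$KEYTOOL" -importcert -noprompt -trustcacerts -alias smartcard-ca \
    -keystore "$2" -storetype JKS -storepass "$3" -file "$1"
  # Read it back: the CA must be listed as a trustedCertEntry.
  "$KEYTOOL" -list -keystore "$2" -storepass "$3" -alias smartcard-ca
}

# blasadmin_commands STORE PASSWORD TYPE: print the three "set PkiAuth" lines
# for steps 4 to 6, after checking that TYPE is one the server accepts and
# that the file on disk really is in that format. A mismatch is otherwise
# only discovered when the Application Server restarts and cannot open it.
blasadmin_commands() {
  bc_store=$1; bc_pass=$2; bc_type=$3
  case "$bc_type" in
    jks|pkcs12) ;;
    *) echo "TruststoreType must be jks or pkcs12, got: $bc_type" >&2; return 1 ;;
  esac
  bc_actual=$(detect_store_type "$bc_store")
  if [ "$bc_actual" != "$bc_type" ]; then
    echo "$bc_store looks like a $bc_actual store, not $bc_type" >&2
    return 1
  fi
  printf 'set PkiAuth TruststorePathname %s\n' "$bc_store"
  printf 'set PkiAuth TruststorePassword %s\n' "$bc_pass"
  printf 'set PkiAuth TruststoreType %s\n' "$bc_type"
}

# Usage: CA_CERT=CA_CERT.cer STOREPASS='...' sh setup-pki-truststore.sh
# Runs only when CA_CERT is set, so the functions above can be sourced alone.
if [ -n "${CA_CERT:-}" ]; then
  STORE=${STORE:-PkiTruststore.jks}
  build_truststore "$CA_CERT" "$STORE" "${STOREPASS:?set STOREPASS}"
  echo "# paste into blasadmin (step 3), then restart the Application Server (step 7):"
  blasadmin_commands "$STORE" "$STOREPASS" "$(detect_store_type "$STORE")"
fi
```

Passing -storepass on the command line, as both the script and the documented command do, exposes the password to anyone who can read the process list or shell history on the Authentication Server; on a shared host, drop -storepass from the keytool calls and let keytool prompt. The blasadmin_commands check is deliberately strict: a PKCS12 file named .jks with TruststoreType jks is the kind of mismatch that only surfaces as a failed startup after step 7.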
