Since all certificate authorities participating in the CA/Browser Forum require keys of at least 2048 bits, it may be necessary to recreate an existing keystore that still used a 1024-bit key.
The procedure is briefly described here using adito/SSL Explorer as the example. The instructions should apply to all Java/keytool-based servers.

Creating a new keystore and private key with 2048 bits:

  • cd adito-svncertificate
  • sudo keytool -genkey -alias agent -keyalg RSA -keysize 2048 -keystore agent-keystore.p12 -keypass PASSWORT -storetype PKCS12 -dname "cn=www.yourdomain.de" -storepass PASSWORT -validity 730
  • sudo vi certificate.properties (adjust names etc.)
  • sudo openssl req -nodes -newkey rsa:2048 -keyout www.yourdomain.de.key -out www.yourdomain.de.csr (Create CSR)

 

With this CSR (Certificate Signing Request) you can request a new certificate.

If you need to convert the certificate from PEM to PKCS12, the following call will help:

openssl pkcs12 -export -out certificate.pfx -inkey www.yourdomain.de.key -in certificate.crt -certfile CACert.crt

To import the converted certificate into adito/SSL Explorer:

  • In the adito directory
  • ant install
  • Select Import cert/keystore with PKCS12 File (without alias!)
  • Finish and complete the install
  • ant install-agent
  • restart adito service
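
A pre-import check for the files produced above, as an added example that is not part of the original post: it confirms that the key and CSR are at least 2048 bits and that the CSR and the issued certificate belong to the private key. The function names are illustrative, and the file names are whatever you pass as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): pre-import checks for the
# private key, CSR and issued certificate. File names come from the caller.
MIN_BITS=2048

# RSA modulus size in bits of a PEM private key (empty if unreadable).
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# RSA modulus size in bits of the public key inside a CSR.
csr_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Succeeds if the size ($1) is a number of at least MIN_BITS.
long_enough() {
    [ -n "$1" ] && [ "$1" -ge "$MIN_BITS" ]
}

# Succeeds if the CSR ($2) was created from the private key ($1).
csr_matches_key() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds if the issued certificate ($2) belongs to the private key ($1).
cert_matches_key() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# usage: preflight KEY CSR [CERT]
preflight() {
    long_enough "$(key_bits "$1")" || { echo "key below $MIN_BITS bit: $1" >&2; return 1; }
    long_enough "$(csr_bits "$2")" || { echo "CSR below $MIN_BITS bit: $2" >&2; return 1; }
    csr_matches_key "$1" "$2" || { echo "CSR does not match key" >&2; return 1; }
    if [ -n "$3" ]; then
        cert_matches_key "$1" "$3" || { echo "certificate does not match key" >&2; return 1; }
    fi
    echo "ok"
}

# Run the checks only when file names were given on the command line.
[ "$#" -eq 0 ] || preflight "$@"
```

Running the checks before the PKCS12 export catches a certificate that was issued for a different key, which would otherwise only show up when the import fails.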
