Since all certificate authorities participating in the CA/Browser Forum require keys of at least 2048 bits, it may be necessary to recreate an existing keystore that still uses a 1024-bit key.
The procedure is described briefly here, using adito/SSL Explorer as the example. The instructions should apply to all Java/keytool-based servers.
Creating a new keystore and private key with 2048 bits:
- cd adito-svncertificate
- sudo keytool -genkey -alias agent -keyalg RSA -keysize 2048 -keystore agent-keystore.p12 -keypass PASSWORT -storetype PKCS12 -dname "cn=www.ihredomain.de" -storepass PASSWORT -validity 730
- sudo vi certificate.properties (adjust names etc.)
- sudo openssl req -nodes -newkey rsa:2048 -keyout www.ihredomain.de.key -out www.ihredomain.de.csr (creates the CSR)
With this CSR (Certificate Signing Request) you can request a new certificate.
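A check to run before submitting the CSR, as an added example that is not part of the original instructions: it confirms that the CSR carries a key of at least 2048 bits and that the key file belongs to that CSR, so the certificate issued for it will pair with the key in a later PKCS12 export. The function names and the script name `check-csr.sh` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: sanity checks for a freshly created RSA key and CSR.
# MIN_BITS is the 2048-bit minimum stated in the text.
MIN_BITS=2048

# Print the public key size (in bits) recorded in a PEM-encoded CSR.
# Prints nothing if the file cannot be parsed as a CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only if the CSR parses and its key has at least MIN_BITS bits.
csr_ok() {
    bits=$(csr_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ]
}

# Succeed only if the private key ($1) and the CSR ($2) carry the same
# RSA modulus, i.e. the CSR was really created from this key file.
key_matches_csr() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl req -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage (hypothetical script name): sh check-csr.sh KEYFILE CSRFILE
if [ "$#" -eq 2 ]; then
    if csr_ok "$2" && key_matches_csr "$1" "$2"; then
        echo "CSR has a key of at least $MIN_BITS bits and matches $1"
    else
        echo "CSR check failed: key too small, unreadable, or mismatched" >&2
        exit 1
    fi
fi
```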
If you need to convert the certificate from PEM to PKCS12, the following call will help:
openssl pkcs12 -export -out certificate.pfx -inkey www.ihredomain.de.key -in certificate.crt -certfile CACert.crt
To import the converted certificate into adito/SSL Explorer:
- In the adito directory
- ant install
- Select Import cert/keystore with PKCS12 File (without alias!)
- Finish and complete the install
- ant install-agent
- Restart the adito service