- Print
- PDF
Getting a Signed Certificate for Skylight orchestrator
This article provides the procedures required to deploy a signed certificate to the application server of the Legacy orchestrator.
By default, the product ships with a self-signed certificate. If your organization prefers to use a trusted certificate from a third-party Certificate Authority (CA), you should perform the procedures in this application note.
Organization
This section is organized according to the main steps required to obtain a trusted certificate and deploy it to the Legacy orchestrator:
- Prepare a new keystore
- If the user uses one certificate (the p7b or pem format) file or three certificate (root, intermediate, server) files, they need to follow three steps below:
- Generate a keystore
- Generate a certificate service request
- Import signed certificate into keystore
- If the user uses one certificate (the pfx format) file, they need to follow three steps below:
- Convert the .pfx certificate file to the keystore (ca_keystore) file with the JKS format
- Change the password of key within the ca_keystore file to changeit
- Change the alias of key within the ca_keystore file to skylight
- Update the Legacy orchestrator keystore
- Restart Legacy orchestrator.
Prerequisites
At various points in these procedures, you will log into the Legacy orchestrator. In order to log in, you need the following:
- Putty or a similar terminal client
- IP address and port of the Legacy orchestrator
- Username and password for the visionems account for the Legacy orchestrator
- The Legacy orchestrator software should be running.
Notes about the Keystore
You will use a Java tool called keytool at various points in these procedures. When using keytool, you will require a keystore alias and a password. Sometimes, you will be prompted to enter a keypass (a password for a key).
You should use the default values:
- For alias, use: skylight
- For storepass, use: changeit
- For keypass, use: changeit
Preparing a New Keystore
Depending on whether the certificate format is .p7b, .pem, .pfx extension, or three certificate files (root, intermediate, server), the user needs to proceed accordingly.
One Certificate (the p7b or pem format) File Or Three Certificate (root, intermediate, server) Files
If the user has one certificate (p7b or pem format) file or three certificate (root, intermediate, server) files, the user needs to follow the three steps below:
1. Generating a Keystore
A Java Keystore is a container for authorization certificates or public key certificates. The Legacy orchestrator product has a default keystore that contains the existing Accedian self-signed certificate.
In this procedure, you will generate a new keystore in which to store the new certificate that you will obtain from the CA.
The name of the new keystore file will be: ca_keystore
Open an SSH session to port 22 of the Legacy orchestrator and log in using the visionems username and password.
Enter the following command to generate the new keystore for the CA certificate:
/opt/accedian/skylight/jdk/bin/keytool -keystore ca_keystore -genkey -alias skylight -keyalg RSA -keysize 2048 -storepass changeitWhen you are prompted for your first and last name, enter the fully qualified domain name of the Legacy orchestrator server (for example: vision.accedian.net):
What is your first and last name?
[Unknown]: domainName
- When you are prompted with the following questions, answer with appropriate values for your organization:
What is the name of your organizational unit?
[Unknown]: organizationalUnit
What is the name of your organization?
[Unknown]: companyName
What is the name of your City or Locality?
[Unknown]: yourCity
What is the name of your State or Province?
[Unknown]: yourState
What is the two-letter country code for this unit?
[Unknown]: yourCountryCode
- When prompted to confirm the information you just entered, enter yes or y.
Example prompt: Is CN=vision.accedian.net, OU=Certs, O=Accedian,
L=Stockholm, ST=Sweden, C=SE correct?
[no]:
2. Generating Certificate Service Request
After generating a keystore for the new certificate you want to obtain, you must generate a certificate request and this request (a file) to the Certifying Authority chosen by your organization (i.e. Verisign or GoDaddy).
Open an SSH session to port 22 of the Legacy orchestrator and log in using the visionems username and password.
Enter the following command to generate the certificate request:
/opt/accedian/skylight/jdk/bin/keytool -certreq -keyalg RSA -alias skylight -file ca_keystore.csr -keystore ca_keystore -storepass changeitThe certificate request file (ca_keystore.csr) is generated in the current directory (/home/visionems).
Transfer the certificate request file to your PC and send the certificate request to your CA.
3. Importing Signed Certificate into Keystore
After you have sent your .csr file to your CA and the CA has signed the certificate, you must import the signed certificate into your CA keystore.
How you import the signed certificate(s) depends on the CA and the format of the signed certificate that the CA provides. The CA will provide guidelines on the use of their signed certificates.
Store the certificate file(s) on the Legacy orchestrator
The CA will provide the signed certificate in one of these forms:
- One certificate file (for example: PKCS7 [p7b] format)
- Three certificate files (root, intermediate, server)
You will need to transfer the certificate file or files from your CA to your computer. You can use an SCP client (such as WinSCP) to transfer the file(s) from your computer to the Legacy orchestrator. During the transfer:
- Use the visionems username and password to log into the Legacy orchestrator.
- Store the certificate file(s) in the /tmp directory on the appliance.
Import a certificate in p7b or pem format
If your CA provided a certificate as a single file (in PKCS7 [p7b] or pem format), you just need to import the certificate file once. The name of the certificate file will depend on the CA. In the procedure, the file name is indicated as follows: certfile.p7b
Open an SSH session to port 22 of the Legacy orchestrator and log in using the visionems username and password.
Enter the following command to import the certificate file:
/opt/accedian/skylight/jdk/bin/keytool -import -alias skylight -trustcacerts -file /tmp/certfile.p7b -keystore ca_keystoreIf prompted to enter keystore password, enter:
changeitIf prompted “... is not trusted. Install reply anyway? [no]”, enter:
yes
The following message indicates that the certificate was successfully imported:
Certificate reply was installed in keystore
Import certificates in other formats
If your CA did not provide a certificate in p7b format, you must import three certificates: root, intermediate and server (one by one in the order shown below).
Open an SSH session to port 22 of the Legacy orchestrator and log in using the visionems username and password.
Import the root certificate by entering:
/opt/accedian/skylight/jdk/bin/keytool -import -alias root -trustcacerts -file /tmp/rootcertfile -keystore ca_keystoreIf prompted to enter keystore password, enter:
changeitIf prompted “Trust this certificate? [no]”, enter:
yesImport the intermediate certificate by entering:
/opt/accedian/skylight/jdk/bin/keytool -import -alias interm -trustcacerts -file /tmp/intercertfile -keystore ca_keystoreIf prompted to enter keystore password, enter:
changeitIf prompted “Trust this certificate? [no]”, enter:
yesImport the server certificate by entering:
/opt/accedian/skylight/jdk/bin/keytool -import -alias skylight -trustcacerts -file /tmp/servercertfile -keystore ca_keystoreIf prompted to enter keystore password, enter: changeit
If prompted “... is not trusted. Install reply anyway? [no]”, enter: yes
One Certificate (the pfx format) File
If the user has one certificate (the pfx format) file, they need to follow three steps below:
Convert the .pfx certificate file to the keystore (ca_keystore) file with the JKS format:
a. Enter:
/opt/accedian/skylight/jdk/bin/keytool -importkeystore -srckeystore <yourcertificatefile.pfx> -srcstoretype pkcs12 -destkeystore ca_keystore -deststoretype JKS
b. If prompted to “Enter destination keystore password”, enter:
changeit
c. If prompted to “Re-enter new password”, enter:
changeit
d. If prompted to “Enter source keystore password”, enter:
e. Check the output, the alias is shown. This alias will be used in the next steps.
For example:
Entry for alias te-123-12232-abc23232312 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
=> alias is “te-123-12232-abc23232312”
The ca_keystore file is created. It includes information and certificate of the user which is provided in your_certificate_file.pfx file.Change the password of key within the ca_keystore file to changeit:
Note: You can skip this step if the password of the key within yourcertificatefile.pfx file is changeit.
a. Enter:
/opt/accedian/skylight/jdk/bin/keytool -keypasswd -alias <the alias from step 1.e> -keystore ca_keystore
b. If prompted to “Enter keystore password”, enter:
changeit
c. If prompted to “Enter key password for <the alias from step 1.e>”, enter:
d. If prompted with “New key password for <the alias from step 1.e>”, enter:
changeit
e. If prompted to “Re-enter new key password for <the alias from step 1.e>”, enter:
changeitChange the alias of key within the ca_keystore file to skylight:
Note: You can skip this step if the alias from step 1.e is skylight.
a. Enter:
/opt/accedian/skylight/jdk/bin/keytool -changealias -alias <the alias from step 1.e> -destalias skylight -keystore ca_keystore -storepass changeit
Updating the Legacy orchestrator Keystore
At this point, we have a fully signed certificate in your new ca_keystore. We need to transfer this certificate over to the keystore used by the Legacy orchestrator.
Open an SSH session to port 22 of the Legacy orchestrator and log in using the visionems username and password.
Enter:
cd /opt/accedian/skylight/glassfish/glassfish/domains/skylightdomain/configCopy the certificates to the Legacy orchestrator Web UI keystore:
/opt/accedian/skylight/jdk/bin/keytool -importkeystore -srckeystore /home/visionems/ca_keystore -destkeystore ./keystore.jksIf prompted to enter keystore password, enter: changeit
If prompted, "Existing entry alias skylight exists, overwrite? [no]:", enter: yes
Restarting Legacy orchestrator
In order for the new certificate to take effect, the Legacy orchestrator must be restarted.
Enter:
sudo service sd.vision restartIf prompted, enter the visionems user password.
© 2024 Cisco and/or its affiliates. All rights reserved.
For more information about trademarks, please visit: Cisco trademarks
For more information about legal terms, please visit: Cisco legal terms
For legal information about Accedian Skylight products, please visit: Accedian legal terms and tradmarks