Getting a Signed Certificate for Skylight orchestrator

This article provides the procedures required to deploy a signed certificate to the application server of the Skylight orchestrator.

By default, the product ships with a self-signed certificate produced by Accedian. If your organization prefers to use a trusted certificate from a third-party Certificate Authority (CA), you should perform the procedures in this application note.

Organization

This section is organized according to the main steps required to obtain a trusted certificate and deploy it to the Skylight orchestrator:

• Prepare a new keystore
• If the user uses one certificate (the p7b or pem format) file or three certificate (root, intermediate, server) files, they need to follow three steps below:
• Generate a keystore
• Generate a certificate service request
• Import signed certificate into keystore
• If the user uses one certificate (the pfx format) file, they need to follow three steps below:
• Convert the .pfx certificate file to the keystore (ca_keystore) file with the JKS format
• Change the password of key within the ca_keystore file to changeit
• Change the alias of key within the ca_keystore file to skylight

• Update the Skylight orchestrator keystore
• Restart Skylight orchestrator.

Prerequisites

At various points in these procedures, you will log into the Skylight orchestrator. In order to log in, you need the following:

• Putty or a similar terminal client
• IP address and port of the Skylight orchestrator
• Username and password for the visionems account for the Skylight orchestrator
• The Skylight orchestrator software should be running.

Notes about the Keystore

You will use a Java tool called keytool at various points in these procedures. When using keytool, you will require a keystore alias and a password. Sometimes, you will be prompted to enter a keypass (a password for a key).

You should use the default values:

• For alias, use: skylight
• For storepass, use: changeit
• For keypass, use: changeit

Preparing a New Keystore

Depending on whether the certificate format is .p7b, .pem, .pfx extension, or three certificate files (root, intermediate, server), the user needs to proceed accordingly.

One Certificate (the p7b or pem format) File Or Three Certificate (root, intermediate, server) Files

If the user has one certificate (p7b or pem format) file or three certificate (root, intermediate, server) files, the user needs to follow the three steps below:

1. Generating a Keystore

A Java Keystore is a container for authorization certificates or public key certificates. The Skylight orchestrator product has a default keystore that contains the existing Accedian self-signed certificate.

In this procedure, you will generate a new keystore in which to store the new certificate that you will obtain from the CA.

The name of the new keystore file will be: ca_keystore

1. Open an SSH session to port 22 of the Skylight orchestrator and log in using the visionems username and password.

2. Enter the following command to generate the new keystore for the CA certificate:
   /opt/accedian/skylight/jdk/bin/keytool -keystore ca_keystore -genkey -alias skylight -keyalg RSA -keysize 2048 -storepass changeit

3. When you are prompted for your first and last name, enter the fully qualified domain name of the Skylight orchestrator server (for example: vision.accedian.net):

What is your first and last name? 
     [Unknown]: domainName

4. When you are prompted with the following questions, answer with appropriate values for your organization:

What is the name of your organizational unit? 
   [Unknown]: organizationalUnit 
What is the name of your organization? 
   [Unknown]: companyName 
What is the name of your City or Locality? 
   [Unknown]: yourCity 
What is the name of your State or Province? 
   [Unknown]: yourState 
What is the two-letter country code for this unit? 
   [Unknown]: yourCountryCode

5. When prompted to confirm the information you just entered, enter yes or y.

Example prompt: Is CN=vision.accedian.net, OU=Certs, O=Accedian,
L=Stockholm, ST=Sweden, C=SE correct?
[no]:

2. Generating Certificate Service Request

After generating a keystore for the new certificate you want to obtain, you must generate a certificate request and this request (a file) to the Certifying Authority chosen by your organization (i.e. Verisign or GoDaddy).

1. Open an SSH session to port 22 of the Skylight orchestrator and log in using the visionems username and password.

2. Enter the following command to generate the certificate request:
   /opt/accedian/skylight/jdk/bin/keytool -certreq -keyalg RSA -alias skylight -file ca_keystore.csr -keystore ca_keystore -storepass changeit​

3. The certificate request file (ca_keystore.csr) is generated in the current directory (/home/visionems).

4. Transfer the certificate request file to your PC and send the certificate request to your CA.

3. Importing Signed Certificate into Keystore

After you have sent your .csr file to your CA and the CA has signed the certificate, you must import the signed certificate into your CA keystore.

How you import the signed certificate(s) depends on the CA and the format of the signed certificate that the CA provides. The CA will provide guidelines on the use of their signed certificates.

Store the certificate file(s) on the Skylight orchestrator

The CA will provide the signed certificate in one of these forms:

• One certificate file (for example: PKCS7 [p7b] format)
• Three certificate files (root, intermediate, server)

You will need to transfer the certificate file or files from your CA to your computer. You can use an SCP client (such as WinSCP) to transfer the file(s) from your computer to the Skylight orchestrator. During the transfer:

• Use the visionems username and password to log into the Skylight orchestrator.
• Store the certificate file(s) in the /tmp directory on the appliance.

Import a certificate in p7b or pem format

If your CA provided a certificate as a single file (in PKCS7 [p7b] or pem format), you just need to import the certificate file once. The name of the certificate file will depend on the CA. In the procedure, the file name is indicated as follows: certfile.p7b

1. Open an SSH session to port 22 of the Skylight orchestrator and log in using the visionems username and password.

2. Enter the following command to import the certificate file:
   /opt/accedian/skylight/jdk/bin/keytool -import -alias skylight -trustcacerts -file /tmp/certfile.p7b -keystore ca_keystore

3. If prompted to enter keystore password, enter:
   changeit

4. If prompted “... is not trusted. Install reply anyway? [no]”, enter:
   yes
   The following message indicates that the certificate was successfully imported:

Certificate reply was installed in keystore

Import certificates in other formats

If your CA did not provide a certificate in p7b format, you must import three certificates: root, intermediate and server (one by one in the order shown below).

1. Open an SSH session to port 22 of the Skylight orchestrator and log in using the visionems username and password.

2. Import the root certificate by entering:
   /opt/accedian/skylight/jdk/bin/keytool -import -alias root -trustcacerts -file /tmp/rootcertfile -keystore ca_keystore

3. If prompted to enter keystore password, enter:
   changeit

4. If prompted “Trust this certificate? [no]”, enter:
   yes

5. Import the intermediate certificate by entering:
   /opt/accedian/skylight/jdk/bin/keytool -import -alias interm -trustcacerts -file /tmp/intercertfile -keystore ca_keystore

6. If prompted to enter keystore password, enter:
   changeit

7. If prompted “Trust this certificate? [no]”, enter:
   yes

8. Import the server certificate by entering:
   /opt/accedian/skylight/jdk/bin/keytool -import -alias skylight -trustcacerts -file /tmp/servercertfile -keystore ca_keystore

9. If prompted to enter keystore password, enter: changeit

10. If prompted “... is not trusted. Install reply anyway? [no]”, enter: yes

One Certificate (the pfx format) File

If the user has one certificate (the pfx format) file, they need to follow three steps below:

1. Convert the .pfx certificate file to the keystore (ca_keystore) file with the JKS format:
   a. Enter:
   /opt/accedian/skylight/jdk/bin/keytool -importkeystore -srckeystore <yourcertificatefile.pfx> -srcstoretype pkcs12 -destkeystore ca_keystore -deststoretype JKS
   b. If prompted to “Enter destination keystore password”, enter:
   changeit
   c. If prompted to “Re-enter new password”, enter:
   changeit
   d. If prompted to “Enter source keystore password”, enter:
   
   e. Check the output, the alias is shown. This alias will be used in the next steps.
   For example:
   Entry for alias te-123-12232-abc23232312 successfully imported.
   Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
   => alias is “te-123-12232-abc23232312”
   The ca_keystore file is created. It includes information and certificate of the user which is provided in your_certificate_file.pfx file.

2. Change the password of key within the ca_keystore file to changeit:
   

   ---

   Note: You can skip this step if the password of the key within yourcertificatefile.pfx file is changeit.

   ---

   a. Enter:
   /opt/accedian/skylight/jdk/bin/keytool -keypasswd -alias <the alias from step 1.e> -keystore ca_keystore
   b. If prompted to “Enter keystore password”, enter:
   changeit
   c. If prompted to “Enter key password for <the alias from step 1.e>”, enter:
   
   d. If prompted with “New key password for <the alias from step 1.e>”, enter:
   changeit
   e. If prompted to “Re-enter new key password for <the alias from step 1.e>”, enter:
   changeit

3. Change the alias of key within the ca_keystore file to skylight:
   

   ---

   Note: You can skip this step if the alias from step 1.e is skylight.

   ---

   a. Enter:
   /opt/accedian/skylight/jdk/bin/keytool -changealias -alias <the alias from step 1.e> -destalias skylight -keystore ca_keystore -storepass changeit

Updating the Skylight orchestrator Keystore

At this point, we have a fully signed certificate in your new ca_keystore. We need to transfer this certificate over to the keystore used by the Skylight orchestrator.

1. Open an SSH session to port 22 of the Skylight orchestrator and log in using the visionems username and password.

2. Enter:
   cd /opt/accedian/skylight/glassfish/glassfish/domains/skylightdomain/config

3. Copy the certificates to the Skylight orchestrator Web UI keystore:
   /opt/accedian/skylight/jdk/bin/keytool -importkeystore -srckeystore /home/visionems/ca_keystore -destkeystore ./keystore.jks

4. If prompted to enter keystore password, enter: changeit

5. If prompted, "Existing entry alias skylight exists, overwrite? [no]:", enter: yes

Restarting Skylight orchestrator

In order for the new certificate to take effect, the Skylight orchestrator must be restarted.

1. Enter:
   sudo service sd.vision restart

2. If prompted, enter the visionems user password.