This article gives a quick walkthrough of installing or upgrading an SSL certificate in FileCatalyst Central, including generating a Certificate Signing Request (CSR).
These instructions assume you acquired your certificate from Thawte; steps for another provider may differ. In step 4 of the resolution, the resulting file is a self-signed .keystore file. This can be used in place of a Trusted SSL Certificate, but that is not recommended as a best practice.
To renew or upgrade an existing certificate, follow the same steps as for a new certificate, but use a different name for the .keystore file (for example, -keystore .keystoreNew).
Applies to FileCatalyst Central v3.6 and later.
For the purposes of this article, we will reference a Windows Environment and related file paths.
Install Java JDK:
Use the following guide to Install the Java Development Kit (JDK) on your Operating System: http://docs.oracle.com/javase/8/docs/technotes/guides/install/install_overview.html
- Generating a Certificate Signing Request (CSR):
By default, the embedded web server (Tomcat) expects the keystore password to be changeit.
Open a Command Prompt.
- Navigate to the bin directory located inside the JDK Install location. A sample path looks like C:\<Path to JDK installation>\bin\
- Create a new folder on your system to store the Central SSL certificate. We used the following command:
- Navigate to the FCCentral-SSL directory by using the command:
- Generate a Certificate Signing Request (CSR):
- Use the keytool command to create the keystore and key pair for the CSR. If keytool is not accessible from the Command Prompt, prefix the command with the path to the JDK (see the notes at the bottom of this page). Run the following command:
keytool -keysize 2048 -genkey -keyalg RSA -alias tomcat -keystore .keystore
- The following prompts will be displayed. Fill them out with your Company’s information:
- Enter keystore password: changeit
- What is your first and last name?
[Unknown]: Must contain fully qualified domain name e.g.: www.mydomain.com
- What is the name of your organizational unit?
[Unknown]: FileCatalyst Testing (example)
- What is the name of your organization?
[Unknown]: FileCatalyst (example)
- What is the name of your City or Locality?
[Unknown]: Ottawa (example)
- What is the name of your State or Province?
[Unknown]: Ontario (Must contain no abbreviations)
- What is the two-letter country code for this unit?
[Unknown]: CA (example)
- Is CN=www.mydomain.com, OU=FileCatalyst Testing, O=FileCatalyst, L=Ottawa, ST=Ontario, C=CA correct?
- Enter key password for <tomcat>
Press Enter to use the same password as the keystore. Use the same password (changeit) for the .keystore and the keyEntry; if the two passwords differ, you will receive the following error when you restart the Tomcat engine:
java.security.UnrecoverableKeyException: Cannot recover key
Observe that a .keystore file was created.
Run the following command to make sure you can read the .keystore file:
keytool -list -keystore .keystore
- The .keystore is created in the current directory, i.e. C:\<Path to JDK installation>\bin\.
- Create a copy of the .keystore file in the FCCentral-SSL directory and store it on a removable disk for safekeeping in case of a server crash.
- Generate a CSR off the newly created .keystore and keyEntry:
- Open the Command Prompt.
- Navigate to the FCCentral-SSL directory, by using the command:
- Run the following keytool command in a Command Prompt:
keytool -certreq -alias tomcat -keyalg RSA -file c:\FCCentral-SSL\<newcertreqname>.csr -keystore .keystore
- You will be prompted for the keystore password:
Enter keystore password: changeit
The CSR is saved to your C:\FCCentral-SSL\ directory and begins and ends with the following lines:
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
- Send the CSR file to your Certificate Authority (CA). If you want to use a self-signed SSL certificate, you can skip this step and proceed to step 7. A self-signed certificate will always display a warning to the end user that the certificate is not valid since it was not issued by a Certificate Authority. This type of SSL certificate will also affect some Java web applications including UnlimitedFTP Servlet, FileCatalyst Webmail, and FileCatalyst Workflow.
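The keystore, keystore check and CSR steps above, run non-interactively, as an added example that is not FileCatalyst's own tooling or part of the original article. It assumes keytool is on the PATH, uses ./FCCentral-SSL in place of the article's C:\FCCentral-SSL (override with WORKDIR), and fills the keytool prompts with the sample values from the article via -dname. Two details go beyond the article's commands: -storepass and -keypass are passed explicitly and identically, and a key_password_matches pre-flight reproduces the check that Tomcat performs on startup, so a mismatch is caught before the service is restarted and fails with UnrecoverableKeyException. The SAN extension is also an addition: current browsers ignore the CN and match the hostname against the Subject Alternative Name only.

```shell
#!/bin/sh
# Added example (not FileCatalyst's tooling): the keytool steps of this article
# as shell functions. Assumptions not taken from the article: keytool is on PATH,
# WORKDIR defaults to ./FCCentral-SSL, and the DN values are the article's samples.
set -u

WORKDIR="${WORKDIR:-./FCCentral-SSL}"
KEYSTORE="${KEYSTORE:-$WORKDIR/.keystore}"
ALIAS="tomcat"
PASS="${KEYSTORE_PASS:-changeit}"   # Tomcat's default, as the article states
FQDN="${FQDN:-www.mydomain.com}"     # sample hostname from the article's prompts
DNAME="CN=$FQDN, OU=FileCatalyst Testing, O=FileCatalyst, L=Ottawa, ST=Ontario, C=CA"

# Create the keystore and the "tomcat" key entry. -storepass and -keypass are
# deliberately identical (the article's UnrecoverableKeyException note) and
# -dname replaces the interactive prompts. The SAN extension is an addition:
# browsers match the hostname against SAN, not CN.
make_keystore() {
  mkdir -p "$WORKDIR" || return 1
  keytool -genkeypair -keyalg RSA -keysize 2048 -alias "$ALIAS" \
    -dname "$DNAME" -ext "SAN=dns:$FQDN" -validity 365 \
    -keystore "$KEYSTORE" -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
}

# Same check as "keytool -list -keystore .keystore": the store opens with the
# password and contains the tomcat entry.
check_keystore() {
  keytool -list -keystore "$KEYSTORE" -storepass "$PASS" 2>/dev/null \
    | grep -qi "^$ALIAS,"
}

# Write the CSR to send to the CA, confirm it carries the PEM header the
# article shows, and print its path. Usage: make_csr <newcertreqname>
make_csr() {
  csr="$WORKDIR/${1:-central}.csr"
  keytool -certreq -alias "$ALIAS" -file "$csr" -ext "SAN=dns:$FQDN" \
    -keystore "$KEYSTORE" -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1 || return 1
  grep -q -- "-----BEGIN NEW CERTIFICATE REQUEST-----" "$csr" || return 1
  echo "$csr"
}

# Pre-flight for the error the article warns about: returns 0 when the key
# entry unlocks with the keystore password, 1 when it does not (Tomcat would
# then fail at startup with "UnrecoverableKeyException: Cannot recover key").
key_password_matches() {
  ks="${1:-$KEYSTORE}"
  tmp="$(mktemp)" || return 1
  rc=0
  keytool -certreq -alias "$ALIAS" -file "$tmp" -keystore "$ks" \
    -storepass "$PASS" -keypass "$PASS" </dev/null >/dev/null 2>&1 || rc=1
  rm -f "$tmp"
  return $rc
}

# The article's import command with -noprompt for scripting: installs the CA's
# reply (for example the PKCS#7 chain saved as <certname>.txt) under the alias.
import_signed_cert() {
  keytool -importcert -alias "$ALIAS" -trustcacerts -noprompt -file "$1" \
    -keystore "$KEYSTORE" -storepass "$PASS" -keypass "$PASS"
}

# RUN_FLOW=1 sh fc-ssl.sh  runs key generation, the checks and the CSR step.
if [ "${RUN_FLOW:-0}" = "1" ]; then
  make_keystore && check_keystore && key_password_matches \
    && make_csr central && echo "send the CSR above to your CA"
fi
```

As the article notes, the keystore produced by make_keystore already holds a self-signed certificate, so for a self-signed deployment it can be copied to the deploy step directly and the CSR and import functions are not needed.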
- Certificate Download and Format:
- When you receive the certificate from the Certificate Authority, download it in PKCS#7 format.
- Open the Trusted Certificate in Notepad or a text editor.
- If your certificate was not sent to you in PKCS#7 format, you must perform these additional steps:
- Copy and paste the signed certificate from the email into Notepad or a text editor.
- Save the certificate as <yourcertname>.cer file.
- Double-click on the <yourcertname>.cer file and click on Install Certificate.
- Place the Trusted Certificate in your Personal Store.
- For a Thawte certificate, download the Primary and Secondary Intermediate CAs for SSL123. Make sure you download them in .cer format.
- Install them by repeating steps 5c-iii.
- Open the Run dialog on your computer and type certmgr.msc to open the Certificate Manager.
- Under Certificates - Current User, select Personal and expand the Certificates folder.
- You should see your certificate that you imported as well as Thawte’s Primary and Secondary Intermediate Certificates.
- Right-Click on your certificate. Click on All Tasks, then hit Export.
- Select Cryptographic Message Syntax Standard - PKCS #7 Certificate (.p7b) and make sure to check Include all certificates in the certification path if possible.
- Save the file as <certname>.txt in the C:\FCCentral-SSL\ folder.
- Import the Certificate into the .keystore:
- Run the following command to import the signed certificate into the .keystore:
keytool -import -alias tomcat -trustcacerts -file <certname>.txt -keystore .keystore
- Deploy the Trusted Certificate and .keystore into FileCatalyst Central:
- Turn off the FileCatalyst Central Service.
- Using a text editor, open the maconfig.conf file located in the FileCatalyst Central installation directory (C:\FileCatalyst Central\maconfig.conf).
- Change the web server's listening port to the default HTTPS Port (443). Locate the parameter below and change the value to 443. The parameter should look like:
- Enable SSL and set your certificate details. Modify the following parameters with your Trusted or Self-Signed SSL Certificate details; the examples below use the information from the steps above. Use forward slashes ("/") when specifying the path to the .keystore file in maconfig.conf.
Java Keystore password:
Location of SSL Certificate:
- Save the file and close the text editor.
- Start the FileCatalyst Central Service. To access your FileCatalyst Central deployment use the following URL: https://<PublicDNS>:443/
- The SSL port cannot be changed in FileCatalyst Central v3.6 and v3.7; the default port (443) must be used.
- If the keytool command is not accessible from the Command Prompt, prefix it with the path to the JDK:
C:\<PathtoJDK>\bin\keytool -keysize 2048 -genkey -keyalg RSA -alias tomcat -keystore .keystore