Advantages of using the Certificate Management Tool for SSL Certificates
As an overall security strategy, SSL security is a key component of the Rocket MultiValue application platform. The release of U2 Common Client 5.2.0 debuts a new tool, the Certificate Management Tool (CMT), which will reduce the overhead of system administrators in managing SSL certificates.
Why does the MV application platform need a new tool for SSL certificates?
The existing process of generating SSL certificates using XAdmin is complicated and involves many steps, which makes keeping track of and implementing security certificates a time-consuming and burdensome responsibility for system administrators. This new tool streamlines the SSL certificate creation procedure for system administrators.
What is CMT?
Part of U2 Common Client 5.2.0, the Certificate Management Tool (CMT) is a Windows Command Line tool that allows administrators to easily create, convert, edit and test certificates.
Before Running CMT
Please note, you need to configure the following environment before you can use the CMT.
- Make sure powershell, JVM, and openssl is in your session path
- For powershell, consult https://msdn.microsoft.com/en-us/powershell/scripting/setup/installing-windows-powershell
- Openssl requires version 1.0.1m (at a minimum) from openssl.org
- JVM requires version 1.8 from oracle.com or OpenJDK, an open source alternative
Detailed Functionalities introduction
The Certificate Management Tool is run through the Windows Command Prompt, and there are 12 options that users can choose from:
- PFX (PKCS#12) to PEM (PKCS#8) Converter
- PFX Certificate Store Converter to PKCS#8 Store
- PEM Server Certificate and Private Key to PFX
- DER/PEM/PFX Import into NEW or EXISTING Java KeyStore
- Create CSR and Self-Signed Certificate (PFX or PEM)
- View PFX File Contents
- PEM Chain Certificates and Private Key to PFX)
- SSL Test Client
- SSL Test Server
- View Java KeyStore Contents
- Extract Entry from Java KeyStore into PFX
- Check PEM Certificate Expiry
In the next section, you’ll see screen shots from demos of each of the above 12 options. The tool comes with documentation that you can reference for more detailed information.
Even though the menu items are ordered from 1 to 12, I use them in a different order when using the CMT. For example, when preparing files, especially PFX files, I recommend using the order listed below:
- Start here with option 5 to create the test certificate
- Then use option 6 to view the newly generated PFX file contents
- Now you can use option 12 to check the expiry of the new certificate
- Next to start the SSL server by using the new certificate, you’ll use option 9
- Option 8 is next to connect to the SSL server started by last step
- To generate a new PFX file using the existing PEM file and private key, use option 3
- Finally use the option 1 to convert the existing PFX file to PEM
Now I’m going to go through each menu option in order. I’ve included screen shots from the demo which I hope you find useful.
Option 1: PFX (PKCS#12) to PEM (PKCS#8) Converter
This function converts a PFX format file to its corresponding PEM PKCS#8 format.
Option 2: PFX Certificate Store Converter to PKCS#8 Store
This function converts the local machine’s Microsoft Certificate Store from .pfx (PKCS#12) format to .pem (PKCS#8) format.
Option 3: PEM Server Certificate and Private Key to PFX
This function converts a PEM format certificate to a PFX format file. Please note, you need both passwords: one for the original private key and one for exporting the password for the PFX file.
When a new file is created, its contents can be viewed by selecting Option 6 in the main menu.
Option 4: DER/PEM/PFX Import into NEW or EXISTING Java KeyStore
This function imports certificates in DER/PEM/PFX format into the Java Key store and the key store will be created if it does not exist.
Option 5: Create CSR and Self-Signed Certificate (PFX or PEM)
This function allows users to create a CSR and self-signed certificates in .pfx and .pem format.
During the creation process, a password is needed. Like in Option 3, the password is used for the original private key for the PEM certificate and for exporting the password for the PFX file.
Option 6: View PFX File Contents
This function allows users to view the information of a PFX file. A password, which was input when creating this file is needed as well as another password to list the contained private key.
Option 7: PEM Chain Certificates and Private Key to PFX
This function creates a PFX format certificate by inputting the PEM chain certificates.
Option 8: SSL Test Client
This function creates a test SSL client to connect to a test server. A CA certificate will be required.
Option 9: SSL Test Server
This function creates an SSL test server, which requires a certificate and a private key.
Option 10: View Java KeyStore Contents
This function allows users to view the certificates in the Java KeyStore.
Option 11: Extract Entry from Java KeyStore into PFX
This function extracts certificates from the Java KeyStore and stores them in the PFX format. During the operation, users need to provide the Java KeyStore password; the PFX store also needs a password when it’s generated (the password must be at least 6 characters).
Option 12: Check PEM Certificate Expiry
This function is used to check the expiration information for a certificate.