Signing a Certificate

You can replace the self-signed certificate that Civic Platform generates with a certificate issued by a certificate authority (CA). Agencies with their own CA can serve a CA-issued certificate, which browsers that trust the CA accept directly, instead of asking every user to import the original self-signed certificate into their browsers.

To replace a self-signed certificate

  1. From the command line, change directories to the conf folder of the service you want to configure.

  2. Rename the current server_keystore file to server_keystore_old.

    C:\Accela\jboss-4.0.2\server\av.web\conf>move server_keystore server_keystore_old

    1 file(s) moved.

  3. Generate a new private key, with the alias tomcatssl, in a keystore file called server_keystore. keytool also wraps the key in a temporary self-signed certificate, which the CA-issued certificate replaces in step 13. Replace the information in the command below with the details of your server and agency: CN= must be the server name exactly as it appears in the URL users type, and the remaining fields describe the agency. Older versions of keytool default to 1024-bit RSA keys, so the key size is given explicitly.

    C:\Accela\jboss-4.0.2\server\av.web\conf>keytool -genkey -alias tomcatssl -keyalg RSA -keysize 2048 -keystore server_keystore -storepass changeit -dname "CN=av.thisagency.net,OU=IT Department,O=Agency Name,L=Agency Location,ST=CA,C=US" -validity 365

    Enter key password for <tomcatssl>

        (RETURN if same as keystore password):

    Press Enter at this prompt so that the key password is the same as the keystore password; the connector that loads this keystore uses one password for both unless it is configured otherwise. changeit is the JDK's well-known default password: if you choose a different one, the connector configuration that references the keystore must be updated to match.

  4. Generate the certificate signing request (CSR) for that key. The request is signed with the private key stored under the tomcatssl alias and carries the subject name from step 3; the key algorithm is fixed by the existing key pair, so -keyalg is not needed here. Current browsers ignore CN and match the host name against the Subject Alternative Name extension, so ask the CA to include av.thisagency.net as a DNS name when it issues the certificate (keytool 7 and later can also put it in the request with -ext SAN=dns:av.thisagency.net).

    C:\Accela\jboss-4.0.2\server\av.web\conf>keytool -certreq -alias tomcatssl -file newrequest.csr -keystore server_keystore -storepass changeit

  5. Open the newly generated file newrequest.csr and copy its contents to your clipboard. The CSR contains only the public key and subject name, so it is safe to send; never send the server_keystore file itself, because it holds the private key.

  6. Submit the contents of this file to your CA to receive a certificate. Make sure the certificate template you choose is a web server (server authentication) template; browsers do not accept a certificate issued from a user or client template for an HTTPS server.

  7. After you receive notice of certificate issuance, download both the new certificate and the certificate chain from the CA in DER format. Open the new certificate by double-clicking it and confirm that Issued To matches the name you entered in CN= and that Issued By is your CA.

  8. Copy both the new certificate (hereafter referred to as certnew.cer) and the certificate chain (certnew.p7b) to the conf folder.

  9. To extract the certificates in the chain, double-click the certnew.p7b file and expand the folders on the left side.

  10. For each certificate in the chain except your own (already saved as certnew.cer), starting from the bottom, right-click the certificate and choose All Tasks->Export. Export the certificate in DER format and name it rootn.cer, where n is its position in the chain: root1.cer for the root CA, root2.cer for the intermediate the root signed, and so on.

  11. Confirm that root1.cer is the self-signed root: when you open it, Issued To and Issued By show the same name. The order matters in the next step, because each CA certificate is verified against the ones already imported.

  12. Import the CA certificates into the keystore as trusted entries, beginning with root1.cer and working down the chain, as shown below. Each import needs its own unique alias (the example uses root, root2 and root3). keytool asks Trust this certificate? only for the root, because nothing already in the keystore can vouch for it. Before answering yes, compare the fingerprint shown with the fingerprint your CA publishes, obtained separately from the download, since whatever you accept here becomes a trust anchor for the server's chain. The intermediates import without a prompt because they verify against the root you just trusted.

    C:\Accela\jboss-4.0.2\server\av.web\conf>keytool -import -alias root -keystore server_keystore -storepass changeit -trustcacerts -file root1.cer

    Owner: CN=Accela Root CA

    Issuer: CN=Accela Root CA

    Serial number: 3afc4a24883ae8b74ec32b36a68d1b07

    Valid from: Thu Oct 12 14:24:24 PDT 2006 until: Mon Oct 12 14:25:12 PDT 2026

    Certificate fingerprints:

    MD5: 02:CC:5D:C6:14:BF:38:BF:48:B3:D4:79:54:78:DA:47

    SHA1: 4D:6D:A1:7F:25:CC:46:54:34:E5:8C:27:AF:33:C4:20:51:98:A6:DE

    Trust this certificate? [no]: yes

    Certificate added to keystore

    C:\Accela\jboss-4.0.2\server\av.web\conf>keytool -import -alias root2 -keystore server_keystore -storepass changeit -trustcacerts -file root2.cer

    Certificate added to keystore

    C:\Accela\jboss-4.0.2\server\av.web\conf>keytool -import -alias root3 -keystore server_keystore -storepass changeit -trustcacerts -file root3.cer

    Certificate added to keystore

  13. With the CA certificates in place, import certnew.cer, the certificate for your website, under the same alias as the key so that keytool treats it as a certificate reply rather than as a new trusted entry. keytool verifies the reply against the trusted entries and stores the complete chain with the key; the message Certificate reply installed in keystore confirms that. If you instead see Failed to establish chain from reply, an intermediate is missing from the keystore: export and import it as in steps 10 to 12, then repeat this step.

    C:\Accela\jboss-4.0.2\server\av.web\conf>keytool -import -alias tomcatssl -keystore server_keystore -storepass changeit -trustcacerts -file certnew.cer

    Certificate reply installed in keystore

  14. Examine the keystore to verify that the certificate chain is complete. The tomcatssl entry should be a keyEntry whose chain starts with your server certificate (Owner CN= equal to the host name) and ends at the root CA, each certificate's Issuer matching the next certificate's Owner; the CA certificates should also appear as trustedCertEntry entries. Restart the service afterwards so that the connector loads the new keystore.

    C:\Accela\jboss-4.0.2\server\av.web\conf>keytool -list -v -keystore server_keystore -storepass changeit

    Keystore type: jks

    Keystore provider: SUN

    Your keystore contains 4 entries

    Alias name: root2

    Creation date: March 17, 2007

    Entry type: trustedCertEntry

    Owner: CN=Accela Intermediate CA, DC=Accela, DC=net

    Issuer: CN=Accela Root CA

    Serial number: 617b65c8000000000004

    Valid from: Tue Oct 31 16:15:07 PST 2006 until: Mon Oct 31 17:25:07 PDT 2011

    Certificate fingerprints:

    MD5: 57:65:DD:CD:FD:B7:0A:09:6A:C1:19:49:15:A3:08:25

    SHA1: DC:06:C9:AC:86:35:53:CD:C9:4E:A9:F7:E1:86:9E:85:9C:01:3B:F5

    *******************************************

    *******************************************

    Alias name: root

    Creation date: March 17, 2007

    Entry type: trustedCertEntry

    Owner: CN=Accela Root CA

    Issuer: CN=Accela Root CA

    Serial number: 3afc4a24883ae8b74ec32b36a68d1b07

    Valid from: Thu Oct 12 14:24:24 PDT 2006 until: Mon Oct 12 14:25:12 PDT 2026

    Certificate fingerprints:

    MD5: 02:CC:5D:C6:14:BF:38:BF:48:B3:D4:79:54:78:DA:47

    SHA1: 4D:6D:A1:7F:25:CC:46:54:34:E5:8C:27:AF:33:C4:20:51:98:A6:DE

    *****************************************

    *******************************************

    Alias name: tomcatssl

    Creation date: March 17, 2007

    Entry type: keyEntry

    Certificate chain length: 4

    Certificate[1]:

    Owner: CN=av.thisagency.net, OU=Accela, O=Accela, L=San Ramon, ST=CA, C=US

    Issuer: CN=Accela Branch Issuing CA, DC=Accela, DC=net

    Serial number: 141907de00010000003f

    Valid from: Thu March 17 09:33:23 PDT 2007 until: Sat March 16 09:33:23 PDT 2009

    Certificate fingerprints:

    MD5: C6:09:D9:19:9C:E1:3B:FB:75:44:BD:BB:99:E0:BC:36

    SHA1: B3:4C:83:69:4A:62:25:73:D8:8F:BF:16:44:A5:41:72:86:F2:2B:4D

    Certificate[2]:

    Owner: CN=Accela Branch Issuing CA, DC=Accela, DC=net

    Issuer: CN=Accela Intermediate CA, DC=Accela, DC=net

    Serial number: 66078b0700010000000a

    Valid from: Wed Nov 01 10:11:38 PST 2006 until: Mon Oct 31 11:11:38 PDT 2011

    Certificate fingerprints:

    MD5: 20:52:B5:74:2A:AC:26:37:3E:4B:38:07:FA:F5:AB:54

    SHA1: 88:9A:98:9A:E2:8F:88:EC:B5:C8:13:21:F0:EF:3C:01:1B:CC:9F:32

    Certificate[3]:

    Owner: CN=Accela Intermediate CA, DC=Accela, DC=net

    Issuer: CN=Accela Root CA

    Serial number: 617b65c8000000000004

    Valid from: Tue Oct 31 16:15:07 PST 2006 until: Mon Oct 31 17:25:07 PDT 2011

    Certificate fingerprints:

    MD5: 57:65:DD:CD:FD:B7:0A:09:6A:C1:19:49:15:A3:08:25

    SHA1: DC:06:C9:AC:86:35:53:CD:C9:4E:A9:F7:E1:86:9E:85:9C:01:3B:F5

    Certificate[4]:

    Owner: CN=Accela Root CA

    Issuer: CN=Accela Root CA

    Serial number: 3afc4a24883ae8b74ec32b36a68d1b07

    Valid from: Thu Oct 12 14:24:24 PDT 2006 until: Mon Oct 12 14:25:12 PDT 2026

    Certificate fingerprints:

    MD5: 02:CC:5D:C6:14:BF:38:BF:48:B3:D4:79:54:78:DA:47

    SHA1: 4D:6D:A1:7F:25:CC:46:54:34:E5:8C:27:AF:33:C4:20:51:98:A6:DE

    *******************************************

    *******************************************

    Alias name: root3

    Creation date: March 17, 2007

    Entry type: trustedCertEntry

    Owner: CN=Accela Branch Issuing CA, DC=Accela, DC=net

    Issuer: CN=Accela Intermediate CA, DC=Accela, DC=net

    Serial number: 66078b0700010000000a

    Valid from: Wed Nov 01 10:11:38 PST 2006 until: Mon Oct 31 11:11:38 PDT 2011

    Certificate fingerprints:

    MD5: 20:52:B5:74:2A:AC:26:37:3E:4B:38:07:FA:F5:AB:54

    SHA1: 88:9A:98:9A:E2:8F:88:EC:B5:C8:13:21:F0:EF:3C:01:1B:CC:9F:32
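As an added check for step 14 (example code written for this page, not part of Civic Platform or of keytool), the script below parses the output of keytool -list -v in the format shown above and reports anything that would make the chain unusable: an entry still holding only the placeholder certificate from -genkey, a leaf whose CN is not the expected host name, a certificate not valid on the date given, a break in the Issuer/Owner links, a chain that does not end at a self-signed root, or a root that is not also installed as a trusted entry. The sample listing embedded in it is constructed from the listing on this page with unneeded lines removed; the alias tomcatssl and host name av.thisagency.net are the ones used in the steps above.

```python
"""Check a `keytool -list -v` dump for a correctly installed server certificate.
Added example, not part of the Civic Platform documentation."""
import re
from datetime import datetime

# Constructed sample, abridged from the listing on this page: serial numbers, MD5
# fingerprints and two of the trusted entries are left out; unneeded lines are ignored.
SAMPLE_LISTING = """\
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Accela Root CA
Issuer: CN=Accela Root CA
Valid from: Thu Oct 12 14:24:24 PDT 2006 until: Mon Oct 12 14:25:12 PDT 2026
SHA1: 4D:6D:A1:7F:25:CC:46:54:34:E5:8C:27:AF:33:C4:20:51:98:A6:DE
*******************************************
Alias name: tomcatssl
Entry type: keyEntry
Owner: CN=av.thisagency.net, OU=Accela, O=Accela, L=San Ramon, ST=CA, C=US
Issuer: CN=Accela Branch Issuing CA, DC=Accela, DC=net
Valid from: Thu March 17 09:33:23 PDT 2007 until: Sat March 16 09:33:23 PDT 2009
SHA1: B3:4C:83:69:4A:62:25:73:D8:8F:BF:16:44:A5:41:72:86:F2:2B:4D
Owner: CN=Accela Branch Issuing CA, DC=Accela, DC=net
Issuer: CN=Accela Intermediate CA, DC=Accela, DC=net
Valid from: Wed Nov 01 10:11:38 PST 2006 until: Mon Oct 31 11:11:38 PDT 2011
SHA1: 88:9A:98:9A:E2:8F:88:EC:B5:C8:13:21:F0:EF:3C:01:1B:CC:9F:32
Owner: CN=Accela Intermediate CA, DC=Accela, DC=net
Issuer: CN=Accela Root CA
Valid from: Tue Oct 31 16:15:07 PST 2006 until: Mon Oct 31 17:25:07 PDT 2011
SHA1: DC:06:C9:AC:86:35:53:CD:C9:4E:A9:F7:E1:86:9E:85:9C:01:3B:F5
Owner: CN=Accela Root CA
Issuer: CN=Accela Root CA
Valid from: Thu Oct 12 14:24:24 PDT 2006 until: Mon Oct 12 14:25:12 PDT 2026
SHA1: 4D:6D:A1:7F:25:CC:46:54:34:E5:8C:27:AF:33:C4:20:51:98:A6:DE
"""

# keytool prints 'Thu Oct 12 14:24:24 PDT 2006'; weekday and zone are dropped (an
# expiry check does not need better than hour precision) and 'March' becomes 'Mar'.
DATE_RE = re.compile(r"[A-Za-z]{3}\s+([A-Za-z]{3})[A-Za-z]*\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\s+\S+\s+(\d{4})")

def parse_date(text):
    m = DATE_RE.search(text)
    if not m:
        raise ValueError("unrecognised keytool date: %r" % text)
    return datetime.strptime(" ".join(m.groups()), "%b %d %H:%M:%S %Y")

def cn_of(dn):
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)   # CN out of 'CN=host, OU=IT, O=Agency'
    return m.group(1).strip() if m else None

def parse_listing(text):
    """Group the dump into {alias: {'type': ..., 'chain': [cert, ...]}}."""
    entries, entry, cert = {}, None, None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if key == "Alias name":
            entry = {"type": "", "chain": []}
            entries[value] = entry
        elif entry is None:
            continue
        elif key == "Entry type":
            entry["type"] = value
        elif key == "Owner":                      # first line of every certificate block
            cert = {"owner": value}
            entry["chain"].append(cert)
        elif key == "Issuer":
            cert["issuer"] = value
        elif key == "Valid from":
            start, _, end = value.partition(" until: ")
            cert["not_before"], cert["not_after"] = parse_date(start), parse_date(end)
        elif key == "SHA1":
            cert["sha1"] = value
    return entries

def check_chain(entries, alias, expected_cn, now):
    """List what is wrong with the server entry; [] means it is usable at `now`."""
    entry = entries.get(alias)
    if entry is None:
        return ["no entry with alias %r" % alias]
    problems, chain = [], entry["chain"]
    if len(chain) < 2:                            # still the placeholder written by -genkey
        return ["%s has no CA reply installed (chain holds %d certificate(s))" % (alias, len(chain))]
    leaf_cn = cn_of(chain[0]["owner"])
    if leaf_cn != expected_cn:
        problems.append("leaf CN is %r, expected %r" % (leaf_cn, expected_cn))
    for i, cert in enumerate(chain):
        if not (cert["not_before"] <= now <= cert["not_after"]):
            problems.append("certificate[%d] (%s) is not valid on %s" % (i + 1, cn_of(cert["owner"]), now.date()))
        if i + 1 < len(chain) and cert["issuer"] != chain[i + 1]["owner"]:
            problems.append("certificate[%d] issuer does not match certificate[%d] owner" % (i + 1, i + 2))
    root = chain[-1]
    if root["owner"] != root["issuer"]:
        problems.append("chain does not end in a self-signed root; the CA reply was incomplete")
    anchors = {c.get("sha1") for e in entries.values() if e["type"] == "trustedCertEntry" for c in e["chain"]}
    if root.get("sha1") not in anchors:
        problems.append("root %r is not installed as a trustedCertEntry" % cn_of(root["owner"]))
    return problems
```

To run it against a real keystore, save the listing (keytool -list -v -keystore server_keystore > listing.txt) and call check_chain(parse_listing(open("listing.txt").read()), "tomcatssl", "av.thisagency.net", datetime.now()). An empty list means the chain is complete, unexpired, issued for the expected host and anchored on a trusted root; anything else should be fixed before the service is restarted. The script reads only keytool's summary, so it confirms structure, names and dates, not signatures; signature verification is what keytool itself performed when it reported Certificate reply installed in keystore.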