Creating a keystore

A keystore is a database of keys. Private keys in a keystore have a certificate chain associated with them, which authenticates the corresponding public key. A keystore also contains certificates from trusted entities.

The keystore must contain a key pair with a certificate signed by a trusted Certification Authority (CA).

How to create a keystore?

We will be using the JDK 'keytool', which is a key and certificate management utility. It allows users to administer their own public/private key pairs and associated certificates for use in self-authentication (user authenticates himself/herself to the service).

To generate the keystore, open a command line and enter the following to generate a key pair and certificate directly into it:

 keytool -keystore [keystore file name] -alias [domain] -genkey -keyalg RSA

For example:

keytool -keystore myKeystore -alias aspire -genkey -keyalg RSA

This command will prompt for information about the certificate and for passwords to protect both the keystore and the keys within it. The only mandatory response is to provide the fully qualified host name of the server at the "first and last name" prompt.

Certificate information, for example:

Enter keystore password: myKeystorePassword
Re-enter new password: myKeystorePassword

What is your first and last name?
  [Unknown]:  my-pc.search.local

What is the name of your organizational unit?
  [Unknown]:

What is the name of your organization?
  [Unknown]:

What is the name of your City or Locality?
  [Unknown]:

What is the name of your State or Province?
  [Unknown]:

What is the two-letter country code for this unit?
  [Unknown]:

Is CN=my-pc.search.local, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes
 
Enter key password for <aspire>
        (RETURN if same as keystore password): myKeyPassword
Re-enter new password: myKeyPassword

A keystore file is generated with the content encrypted.

To view the certificate explicitly, 'keytool' has a command to export the certificate from the keystore. We can do so with the following command:

 keytool -export -alias [domain]  -file [filename for certificate] -keystore [keystore file name]

For example:

 C:\Users\user.SEARCH> keytool -export -alias aspire -file aspire.crt -keystore myKeystore
 Enter keystore password: myKeystorePassword
 Certificate stored in file <aspire.crt>

This certificate is enough to run SSL. However, the certificate we generated will not be trusted by the browser unless we have a well-known Certificate Authority (CA) sign our key/certificate. Among them are: AddTrust, Entrust, GeoTrust, RSA Data Security, Thawte, VISA, ValiCert, Verisign and beTRUSTed.

Crawling HTTPS

The following instructions describe how to import a certificate to crawl HTTPS sites:

  1. Access the URL with the browser and download a copy of the certificate.
  2. Create a folder on Aspire for the certificate. For example: data\ssl\certName.cer
  3. Run %JAVA_HOME%\bin\keytool -import -file data\ssl\certName.cer -keystore data\ssl\keyStore.ks

     On step 3, the keytool program can be found in the bin folder under the Java installation path.

  4. Add to bin\startup.bat:
     -Djavax.net.ssl.trustStore=C:\pathToKeyStore\keyStore.ks
     -Djavax.net.ssl.trustStorePassword=password

On step 4, the password you specify is the keystore password that the keytool program asks for on step 3.

Note: To import multiple certificates (for different connectors), use the -alias parameter in step 3.

e.g. to import the certificate from a JIVE site:
%JAVA_HOME%\bin\keytool -import -file data\ssl\spCertName.cer -alias jive -keystore data\ssl\keyStore.ks 
 
And to import the certificate from a Confluence site:
%JAVA_HOME%\bin\keytool -import -file data\ssl\confluenceCertName.cer -alias confluence -keystore data\ssl\keyStore.ks
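The two procedures above (creating and exporting the server keystore, and building the truststore used when crawling HTTPS sites) are scripted end to end below as an added example; it is not part of the Aspire documentation or product. It is written for a POSIX shell rather than startup.bat, assumes a JDK keytool on the PATH, and every name in it (the aspire alias, my-pc.search.local, the passwords, the file names and the scratch directory) is a placeholder. Where the page's commands answer prompts interactively, the script passes -dname, -storepass and -noprompt so it can run unattended.

```shell
#!/bin/sh
# Added example (not from the Aspire documentation): the keystore and
# truststore steps from this page, scripted for a POSIX shell so they run
# without interactive prompts. Assumes a JDK 'keytool' on PATH; all names
# (aspire, my-pc.search.local, passwords, file names) are placeholders.

WORK="${WORK:-$(mktemp -d)}"            # scratch directory (constructed)
KEYSTORE="$WORK/myKeystore"
CERT="$WORK/aspire.crt"
TRUSTSTORE="$WORK/keyStore.ks"
STOREPASS="myKeystorePassword"          # placeholder keystore password
KEYPASS="myKeyPassword"                 # placeholder key password (PKCS12 stores
                                        # on JDK 9+ ignore it and warn)

# Step 1: generate an RSA key pair plus a self-signed certificate straight
# into the keystore. -dname replaces the interactive prompts; the CN must be
# the server's fully qualified host name, as the page says.
create_keystore() {
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
        -alias aspire \
        -dname "CN=my-pc.search.local, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$KEYPASS"
}

# Step 2: export the certificate (public part only) so it can be inspected,
# sent to a CA, or imported into another truststore. -rfc writes PEM, not DER.
export_cert() {
    keytool -exportcert -alias aspire -file "$CERT" -rfc \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 3 of "Crawling HTTPS": import a site certificate into the truststore
# under its own alias so several connectors' certificates can coexist.
# -noprompt answers the "Trust this certificate?" question automatically, so
# only use it for a certificate whose fingerprint you have already checked.
import_cert() {   # $1 = certificate file, $2 = alias
    keytool -importcert -file "$1" -alias "$2" -noprompt \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# Does the store contain the alias? keytool -list exits non-zero if it does not.
has_alias() {     # $1 = store file, $2 = alias
    keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" >/dev/null 2>&1
}

# Step 4: the two JVM options to add to startup.bat (or any Java command line).
# The password is the one given to -storepass when the truststore was created.
truststore_jvm_opts() {   # $1 = truststore path, $2 = truststore password
    printf '%s %s\n' "-Djavax.net.ssl.trustStore=$1" \
                     "-Djavax.net.ssl.trustStorePassword=$2"
}

run_demo() {
    create_keystore && export_cert \
      && import_cert "$CERT" aspire \
      && has_alias "$TRUSTSTORE" aspire \
      && echo "truststore ready: $(truststore_jvm_opts "$TRUSTSTORE" "$STOREPASS")"
}

# Only run the keytool steps when a JDK is actually installed.
if command -v keytool >/dev/null 2>&1; then
    run_demo
fi
```

Run it with a JDK on the PATH and it prints the -D options to paste into the startup script; the self-signed certificate it exports is the same file a CA would be asked to sign, and a second import_cert call with another file and alias (e.g. confluence) extends the same truststore, exactly as the two keytool -import lines above do.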

Feature only available with Aspire Premium
