Content Distributor

The FS4SP Content Distributor component on the FAST farm is responsible for receiving documents from the FAST Content SSA and routing them to the Document Processors to be processed and indexed. The Content Distributor is configured in FS4SP as a secure service, so Aspire must communicate with it over a secure channel.

You can either create a new self-signed certificate for use with FAST and generate a Java keystore based on it, or use the existing certificate (or a CA-generated certificate) to secure the channel. For a production environment, it is recommended to use a trusted certificate from a Certificate Authority.


Using the Existing Certificate or a CA certificate

If you wish to generate a keystore for Aspire using the existing FAST certificate (whether it is self-signed or from a Certificate Authority), follow the steps below. These steps make the following assumptions:

  • The key already installed has been exported into a file named FASTSearchCert.pfx (you can do this from within certmgr.msc; make sure to include the private key)
  • Someone knows the password for the key
  • FAST is installed at c:\fastsearch
  • Java is installed at c:\Program Files\Java\jre7

WARNING: THE KEYSTORE AND CERTIFICATE PASSWORDS WILL BE VISIBLE TO ANYONE WATCHING YOU FOLLOW THIS PROCEDURE

  1. First create the files you need to generate your keystore:
    1. Create a working folder that contains the following folder structure in it:
      • demoCA
        • certs
        • crl
        • newcerts
        • private
    2. Create the file serial inside demoCA and edit it, add the value 01 to the file.
    3. Create an empty index.txt file inside demoCA.
    4. Copy your FASTSearchCert.pfx to the working folder
  2. Open a cmd prompt and CD to the working folder.
  3. Generate a private key file from your key:
    • Execute c:\fastsearch\bin\openssl pkcs12 -in FASTSearchCert.pfx -nocerts -nodes -out demoCA\private\cakey.pem -password <theCertificatePassword>
  4. Generate a certificate for your new keystore
    • Execute C:\fastsearch\bin\openssl pkcs12 -in FASTSearchCert.pfx -clcerts -nokeys -out demoCA\cacert.pem -password <theCertificatePassword>
  5. Generate a keystore to use with aspire:
    • Execute "c:\Program Files\Java\jre7\bin\keytool" -genkey -keyalg "RSA" -storetype jks -dname "CN=FASTSearchCert" -validity 3650 -alias ds -keystore aspireKeystore.jks -storepass <theKeystorePassword> -keypass <theCertificatePassword>
    • Note the keystore password; you will need it in your Aspire configuration
    • Note the keystore location; it must be accessible from Aspire (you may want to move it somewhere in the Aspire configuration).
  6. Generate a request from your keystore
    • Execute "c:\Program Files\Java\jre7\bin\keytool" -certreq -alias ds -file .\newreq.pem -keystore aspireKeystore.jks -storepass <theKeystorePassword> -keypass <theCertificatePassword>
  7. Generate a certificate for the keystore using OpenSSL
    • Execute c:\fastsearch\bin\openssl ca -config c:\fastsearch\etc\openssl.cnf -notext -policy policy_anything -out .\newcert.pem -in .\newreq.pem -keyfile demoCA\private\cakey.pem -days 10000
    • Follow the instructions, entering “Y” when prompted
    • The certificate being generated expires in 27 years
  8. Import the original cert as a trusted cert
    • Execute "c:\Program Files\Java\jre7\bin\keytool" -import -trustcacerts -alias ca -file demoCA\cacert.pem -keystore aspireKeystore.jks -storepass <theKeystorePassword>
  9. Import your new self signed cert
    • Execute "c:\Program Files\Java\jre7\bin\keytool" -import -trustcacerts -alias ds -file newcert.pem -keystore aspireKeystore.jks -storepass <theKeystorePassword>

This file (File:GenerateKeystore.txt; download it and save it as a .bat file) follows the procedure from step 3 onward. It prompts for the password and uses the original certificate's password for both the keystore and the newly created certificates (this can easily be changed in the script if desired).
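
The procedure above, scripted as an added example (this is not the GenerateKeystore script and not Aspire or FS4SP code) so that neither password is typed on a command line or echoed to the screen. Assumptions: Python 3 is available on the server, the installed openssl and keytool builds accept the env: and :env password sources, and the names CERT_PASS, KS_PASS, prepare_workdir, build_commands and run_all are hypothetical.

```python
import getpass, os, subprocess
from pathlib import Path

# Tool locations as assumed on the page
OPENSSL = r"c:\fastsearch\bin\openssl"
KEYTOOL = r"c:\Program Files\Java\jre7\bin\keytool"
OPENSSL_CNF = r"c:\fastsearch\etc\openssl.cnf"
KEY, CA_CERT = r"demoCA\private\cakey.pem", r"demoCA\cacert.pem"

def prepare_workdir(work):
    """Step 1: demoCA folder layout, serial containing 01, empty index.txt."""
    ca = Path(work) / "demoCA"
    for sub in ("certs", "crl", "newcerts", "private"):
        (ca / sub).mkdir(parents=True, exist_ok=True)
    (ca / "serial").write_text("01\n")
    (ca / "index.txt").write_text("")
    return ca

def build_commands(pfx="FASTSearchCert.pfx", jks="aspireKeystore.jks"):
    """Steps 3-9 as argv lists. Assumption: the tools accept env: / :env, so
    passwords appear only as the hypothetical variable names CERT_PASS, KS_PASS."""
    pfx_in = [OPENSSL, "pkcs12", "-in", pfx, "-passin", "env:CERT_PASS"]
    store = ["-keystore", jks, "-storepass:env", "KS_PASS"]
    key_pw = ["-keypass:env", "CERT_PASS"]
    return [
        pfx_in + ["-nocerts", "-nodes", "-out", KEY],            # step 3
        pfx_in + ["-clcerts", "-nokeys", "-out", CA_CERT],       # step 4
        [KEYTOOL, "-genkey", "-keyalg", "RSA", "-storetype", "jks", "-dname",
         "CN=FASTSearchCert", "-validity", "3650", "-alias", "ds"] + store + key_pw,
        [KEYTOOL, "-certreq", "-alias", "ds", "-file", "newreq.pem"] + store + key_pw,
        [OPENSSL, "ca", "-config", OPENSSL_CNF, "-notext", "-policy",
         "policy_anything", "-out", "newcert.pem", "-in", "newreq.pem",
         "-keyfile", KEY, "-days", "10000"],                     # step 7
        [KEYTOOL, "-import", "-trustcacerts", "-alias", "ca", "-file", CA_CERT] + store,
        [KEYTOOL, "-import", "-trustcacerts", "-alias", "ds", "-file", "newcert.pem"] + store,
    ]

def run_all(work):
    """Prompt without echo, then run each step with the passwords placed only
    in the child process environment (never in argv)."""
    prepare_workdir(work)
    env = dict(os.environ,
               CERT_PASS=getpass.getpass("Certificate password: "),
               KS_PASS=getpass.getpass("Keystore password: "))
    for argv in build_commands():
        subprocess.run(argv, cwd=work, env=env, check=True)

if __name__ == "__main__":
    run_all(Path.cwd())
```

Run it from the working folder after copying FASTSearchCert.pfx there; openssl ca and keytool -import still ask their confirmation questions interactively. Because of -nodes, demoCA\private\cakey.pem is written unencrypted, so restrict access to the working folder and remove it once the keystore is in place.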

Using a New Self-signed Certificate

Creating a Certificate

In order to create a new certificate, run the following steps on the FS4SP Admin Server:


  1. Open a command line window (cmd).
  2. Change directory to %FASTSearch%\bin.
  3. Create new self signed certificate:
    1. openssl genrsa -out key.pem 1024
      1. To display generated key: openssl rsa -noout -text -in key.pem
    2. openssl req -new -key key.pem -out req.pem -config %FASTSearch%\etc\openssl.cnf
      1. Be sure to enter FASTSearchCert in the Common Name field. This certificate name is used later in one of the commands that generate the Java keystore. Provide meaningful information in the remaining fields when prompted.
    3. openssl req -x509 -key key.pem -in req.pem -out cert.pem -days 365 -config %FASTSearch%\etc\openssl.cnf
    4. openssl pkcs12 -export -out FASTSearchCert.pfx -inkey key.pem -in cert.pem
  4. Install FASTSearchCert.pfx on the server and follow the instructions at http://technet.microsoft.com/en-us/library/ff381244.aspx#BKMK_ReplaceSSCertificateWCertificateSignedByCA to replace the current Content SSA certificate with the new one.


NOTE: It is advised to use openssl to create the self-signed certificate instead of the Windows self-signed certificate wizard, as there are compatibility issues when creating the Java keystore from a Windows self-signed certificate.

Generating the Java Keystore

To generate the Java Keystore, run these steps on the FS4SP Admin Server:

  1. Create the following directory structure:
    • demo
    • demo/CA
    • demo/CA/certs
    • demo/CA/crl
    • demo/CA/newcerts
    • demo/CA/private
  2. Create the file serial inside demo/CA folder and edit it. Add the value 01 to the file.
  3. Create an empty index.txt file inside demo/CA folder.
  4. Copy cert.pem file from %FastSearch%\bin folder to demo/CA folder and rename it to cacert.pem
  5. Copy key.pem file from %FastSearch%\bin folder to demo/CA/private folder and rename it cakey.pem
  6. Generate the Java keystore. Run the following commands from the demo folder, and replace <password> with the one provided in the Creating a Certificate step.
    1. keytool -genkey -keyalg "RSA" -storetype jks -dname "CN=FASTSearchCert" -validity 365 -alias ds -keypass <password> -keystore javakeys.key -storepass <password>
    2. keytool -certreq -alias ds -file newreq.pem -keystore javakeys.key -keypass <password> -storepass <password>
    3. openssl ca -config %FASTSearch%\etc\openssl.cnf -notext -policy policy_anything -out newcert.pem -in newreq.pem -keyfile CA\private\cakey.pem
    4. keytool -import -trustcacerts -alias ca -file CA\cacert.pem -keystore javakeys.key
    5. keytool -import -trustcacerts -alias ds -file newcert.pem -keystore javakeys.key
  7. Copy the javakeys.key file generated in the demo folder to the Aspire Server. This is the keystore file required to configure the Publish to FS4SP application.