Version: 6.11.0

Install CA certificate

Before performing the following steps, ensure that your CA-signed certificate has the correct entries for the Common Name and the SAN field extensions, as described in the earlier guidance.

Portal server steps:

  1. Copy the CA-signed cert (e.g. Waratek_Secure_CA_Cert.pem) onto the Portal server, place it in /opt/waratek, and change to that directory. The remaining commands need root privileges.

    cd /opt/waratek
  2. Shut down the Portal.

    systemctl stop portal
  3. Back up/move the existing keystore.

    mv ./controller.keystore.p12 ./controller.keystore.p12.original2
  4. Create a new PKCS12 keystore with the same default name, using your CA-signed cert and the private key that was generated when you created the CSR (certificate signing request).

    openssl pkcs12 -export -inkey ./CAcert_key.pem -in ./CAcert.pem -out ./controller.keystore.p12
  5. Change the alias of the private key entry. It defaults to "1", but the Portal expects "controller" as the default value, and this example does not override that default.

    keytool -changealias -alias 1 -destalias controller -keystore ./controller.keystore.p12
  6. Change keystore ownership

    chown portal:portal ./controller.keystore.p12
  7. Restart the Portal.

    systemctl start portal
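
The checks below are an added example, not part of the Waratek documentation. Before step 4 they confirm that the private key matches the CA-signed certificate and that the certificate carries a SAN and has not expired; after step 5 they confirm that the keystore entry is named controller. The function names and the KS_PASS environment variable are assumptions; openssl lists a PKCS12 alias as friendlyName.

```shell
#!/usr/bin/env bash
# Added example, not Waratek code. Function names and KS_PASS are assumptions.

# 0 if the private key ($1) and the certificate ($2) carry the same public key.
key_matches_cert() {
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -pubout) || return 2
    from_cert=$(openssl x509 -in "$2" -noout -pubkey) || return 2
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# 0 if the certificate ($1) has a SAN extension and has not expired.
cert_is_usable() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'X509v3 Subject Alternative Name' || return 1
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Run before step 4: refuse to build a keystore from a bad key/cert pair.
preflight() {
    key_matches_cert "$1" "$2" || { echo "key does not match $2" >&2; return 1; }
    cert_is_usable "$2" || { echo "$2: no SAN, or expired" >&2; return 1; }
}

# Run after step 5: 0 if the keystore ($1) has a certificate entry whose
# alias is $2. The keystore password is read from the KS_PASS environment
# variable so that it does not appear in the process list.
keystore_has_alias() {
    openssl pkcs12 -in "$1" -passin env:KS_PASS -nokeys 2>/dev/null |
        grep -q "friendlyName: $2\$"
}

# Usage (file names from the steps above):
#   preflight ./CAcert_key.pem ./CAcert.pem
#   KS_PASS=... keystore_has_alias ./controller.keystore.p12 controller
```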

Waratek Agent steps:

  • Using JDK Keystore

    Import the new CA-signed cert, Waratek_Secure_CA_Cert.pem, into the Java keystore and any other application-appropriate keystore(s), using the keytool executable from the version of Java that your application uses. The example below assumes that there is no other certificate entry with the alias WaratekSecureCACert.

    # The example below assumes JRockit as the Java vendor and not HotSpot, J9, etc.
    /jrockit_jdk6/jre/bin/keytool -import -alias WaratekSecureCACert -trustcacerts -file Waratek_Secure_CA_Cert.pem -keystore $JAVA_HOME/jre/lib/security/cacerts

Ideally, you should place the root/CA certificate and any chained/Issuer certificate(s) into the Java keystore and any other application-appropriate keystore(s). Alternatively, you can import the actual end-entity certificate for the Portal.

The default password for the cacerts keystore is changeit.

  • Using Portal Keystore

    Import the new CA-signed cert, Waratek_Secure_CA_Cert.pem, into the custom keystore. The example below assumes that there is no other certificate entry with the alias WaratekSecureCACert.

    # The example below assumes JRockit as the Java vendor and not HotSpot, J9, etc.
    /jrockit_jdk6/jre/bin/keytool -import -alias WaratekSecureCACert -file Waratek_Secure_CA_Cert.pem -keystore waratek_secure_keystore.jks

You have successfully reached Milestone Progress Checkpoint #4