Installing customized SSL certificates for use in TADDM

You can install your own customized SSL certificates and use them with TADDM.

  1. Create a backup copy of the following keystore files:
    • $COLLATION_HOME/etc/serverkeys
    • $COLLATION_HOME/etc/jssecacerts.cert
  2. Go to the $COLLATION_HOME/etc directory, open a command line, and set the keytool and TADDM sslpassphrase parameters to the following values:
    • Linux operating system:
      keytool=../external/jdk-Linux-x86_64/bin/keytool
      pass=XXXXXXXX30374
    • Windows operating system:
      set keytool=..\external\jdk-Windows-i386-64\bin\keytool.exe
      set pass=XXXXXXXX30374
    The value of the pass parameter is the value of the com.collation.sslpassphrase property that is specified in the collation.properties file.
  3. Remove the self-signed certificate and key from TADDM by running the following commands:
    • Linux operating system:
      $keytool -delete -alias collation -noprompt -keystore jssecacerts.cert -storepass $pass
      $keytool -delete -alias collation -noprompt -keystore serverkeys -storepass $pass
    • Windows operating system:
      %keytool% -delete -alias collation -noprompt -keystore jssecacerts.cert -storepass %pass%
      %keytool% -delete -alias collation -noprompt -keystore serverkeys -storepass %pass%
  4. Generate the SSL key with the required CN, validity, algorithm, and other parameters, and save it to the serverkeys file.
    For example, you can run the following command:
    • Linux operating system:
      $keytool -genkey -alias collation -keystore serverkeys -validity 3650 -keyAlg RSA -sigalg SHA256WithRSA -keypass $pass -storepass $pass -dname "CN=John Public, OU=Engineering, OU=NA, o=Company, L=Manhattan, S=New York, c=US"
    • Windows operating system:
      %keytool% -genkey -alias collation -keystore serverkeys -validity 3650 -keyAlg RSA -sigalg SHA256WithRSA -keypass %pass% -storepass %pass% -dname "CN=John Public, OU=Engineering, OU=NA, o=Company, L=Manhattan, S=New York, c=US"
    Fix Pack 11
    Note: The serverkeys keystore and the key algorithm are upgraded to use TLS Version 1.3. To generate the SSL key for TLSv1.3, run the following command:
    • Linux operating system:
      $keytool -genkey -alias collation -keystore serverkeys -validity 3650 -keyAlg EC -sigalg SHA256withECDSA -keypass $pass -storepass $pass -dname "CN=John Public, OU=Engineering, OU=NA, o=Company, L=Manhattan, S=New York, c=US"
    • Windows operating system:
      %keytool% -genkey -alias collation -keystore serverkeys -validity 3650 -keyAlg EC -sigalg SHA256withECDSA -keypass %pass% -storepass %pass% -dname "CN=John Public, OU=Engineering, OU=NA, o=Company, L=Manhattan, S=New York, c=US"
  5. Create another backup copy of the serverkeys file, where you saved the generated SSL key.
  6. Generate the certificate signing request (CSR file) by running the following command:
    • Linux operating system:
      $keytool -certreq -alias collation -storepass $pass -file /tmp/certreq.csr -keystore serverkeys
    • Windows operating system:
      %keytool% -certreq -alias collation -storepass %pass% -file C:\temp\certreq.csr -keystore serverkeys
  7. Use the CSR file to get the SSL certificate from an official certificate authority. Save the certificate on your TADDM server, for example in the /tmp directory on Linux operating system, or in the C:\temp directory on Windows operating system.
    Note: There are two types of certificates: an 'Individual certificate' and a 'Full chain of certificates'.
  8. Fix Pack 6
    To import the received certificate ('Individual certificate' or 'Full chain of certificates') into both the serverkeys and jssecacerts.cert files on TADDM, run the following commands:
    Important: For the -file parameter, specify the path to the file where you saved the SSL certificate in the previous step, for example: /tmp/cert.crt on Linux operating system.
    Individual certificate
    • Linux operating system:
      $keytool -import -trustcacerts -alias root -noprompt -keystore serverkeys -storepass $pass -keypass $pass -file /tmp/CAcert.cer
      $keytool -import -trustcacerts -alias intermediate -noprompt -keystore serverkeys -storepass $pass -keypass $pass -file /tmp/IntermediateCAcert.cer
      $keytool -import -trustcacerts -alias server -noprompt -keystore serverkeys -storepass $pass -keypass $pass -file /tmp/serverCAcert.cer
      $keytool -import -trustcacerts -alias root -noprompt -keystore jssecacerts.cert -storepass $pass -keypass $pass -file /tmp/CAcert.cer
      $keytool -import -trustcacerts -alias intermediate -noprompt -keystore jssecacerts.cert -storepass $pass -keypass $pass -file /tmp/IntermediateCAcert.cer
      $keytool -import -trustcacerts -alias server -noprompt -keystore jssecacerts.cert -storepass $pass -keypass $pass -file /tmp/serverCAcert.cer
    • Windows operating system:
      %keytool% -import -trustcacerts -alias root -noprompt -keystore serverkeys -storepass %pass% -keypass %pass% -file C:\temp\CAcert.cer
      %keytool% -import -trustcacerts -alias intermediate -noprompt -keystore serverkeys -storepass %pass% -keypass %pass% -file C:\temp\IntermediateCAcert.cer
      %keytool% -import -trustcacerts -alias server -noprompt -keystore serverkeys -storepass %pass% -keypass %pass% -file C:\temp\serverCAcert.cer
      %keytool% -import -trustcacerts -alias root -noprompt -keystore jssecacerts.cert -storepass %pass% -keypass %pass% -file C:\temp\CAcert.cer
      %keytool% -import -trustcacerts -alias intermediate -noprompt -keystore jssecacerts.cert -storepass %pass% -keypass %pass% -file C:\temp\IntermediateCAcert.cer
      %keytool% -import -trustcacerts -alias server -noprompt -keystore jssecacerts.cert -storepass %pass% -keypass %pass% -file C:\temp\serverCAcert.cer
    Full chain of certificates
    • Linux operating system:
      $keytool -import -trustcacerts -alias collation -noprompt -keystore serverkeys -storepass $pass -keypass $pass -file /tmp/cert_chain.crt
      $keytool -import -trustcacerts -alias collation -noprompt -keystore jssecacerts.cert -storepass $pass -keypass $pass -file /tmp/cert_chain.crt
    • Windows operating system:
      %keytool% -import -trustcacerts -alias collation -noprompt -keystore serverkeys -storepass %pass% -keypass %pass% -file C:\temp\cert_chain.crt
      %keytool% -import -trustcacerts -alias collation -noprompt -keystore jssecacerts.cert -storepass %pass% -keypass %pass% -file C:\temp\cert_chain.crt
  9. Restart the TADDM server.
Keep the backup copies of the serverkeys file that contains the key you generated in step 4, and the file where you saved the SSL certificate in step 7. If you must replace or renew the certificate, these files are necessary. To replace or renew the certificate, complete the following steps:
  1. Repeat steps 2 and 3.
  2. Restore the serverkeys file from the backup copy.
  3. Repeat steps 8 and 9.
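The following POSIX shell script is an added example and is not IBM's code or part of the TADDM documentation. It wraps the keytool steps of the installation procedure above, and the replace-or-renew steps, in functions: the passphrase is read from collation.properties instead of being typed in, both keystores get a timestamped backup before they are changed, the full-chain import form of step 8 is used, and the collation entry in serverkeys is checked before the restart in step 9. The default COLLATION_HOME path, the DNAME value, and the prepare, install and renew sub-commands are assumptions of this example; the keytool path is the Linux one from step 2.

```shell
#!/bin/sh
# Added example, not IBM's script: wraps the keytool steps of the TADDM
# procedure (and the replace-or-renew steps) in functions. Assumed, not taken
# from the page: the default COLLATION_HOME, the DNAME value, the sub-commands.
set -eu

COLLATION_HOME="${COLLATION_HOME:-/opt/IBM/taddm/dist}"   # assumed install path
KEYTOOL="${KEYTOOL:-$COLLATION_HOME/external/jdk-Linux-x86_64/bin/keytool}"  # Linux path from step 2
ETC="$COLLATION_HOME/etc"
DNAME="${DNAME:-CN=taddm.example.com, OU=Engineering, O=Company, L=Manhattan, S=New York, C=US}"  # constructed

# Step 2: read com.collation.sslpassphrase from collation.properties. Commented
# lines are skipped and whitespace is trimmed; an absent or empty value is an
# error, so keytool is never run with an empty store password.
read_sslpassphrase() {
    value=$(awk '/^[ \t]*com\.collation\.sslpassphrase[ \t]*=/ {
                     sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit }' "$1")
    [ -n "$value" ] || { echo "com.collation.sslpassphrase not set in $1" >&2; return 1; }
    printf '%s\n' "$value"
}

# Steps 1 and 5: copy serverkeys and jssecacerts.cert to <name>.<stamp>.bak.
# Both files are checked first, so a missing keystore never leaves a half backup.
backup_keystores() {
    dir="$1" stamp="$2"
    for f in serverkeys jssecacerts.cert; do
        [ -f "$dir/$f" ] || { echo "keystore $dir/$f not found" >&2; return 1; }
    done
    for f in serverkeys jssecacerts.cert; do
        cp -p "$dir/$f" "$dir/$f.$stamp.bak"
    done
}

# Step 3: delete the self-signed "collation" entry from both keystores.
remove_self_signed() {
    for ks in jssecacerts.cert serverkeys; do
        "$KEYTOOL" -delete -alias collation -noprompt -keystore "$ETC/$ks" -storepass "$PASS"
    done
}

# Step 4: new key pair. Default is the Fix Pack 11 EC/SHA256withECDSA pair for
# TLS 1.3; pass "rsa" for the RSA/SHA256withRSA pair shown first in step 4.
# -genkeypair is the current name of the -genkey command used on the page.
generate_key() {
    if [ "${1:-ec}" = rsa ]; then alg=RSA sig=SHA256withRSA; else alg=EC sig=SHA256withECDSA; fi
    "$KEYTOOL" -genkeypair -alias collation -keystore "$ETC/serverkeys" -validity 3650 \
        -keyalg "$alg" -sigalg "$sig" -keypass "$PASS" -storepass "$PASS" -dname "$DNAME"
}

# Step 6: write the certificate signing request to the given path.
generate_csr() {
    "$KEYTOOL" -certreq -alias collation -keystore "$ETC/serverkeys" -storepass "$PASS" -file "$1"
}

# Step 8, full-chain form: import the CA reply from step 7 under the same
# "collation" alias into both keystores, so it is attached to the private key.
import_chain() {
    [ -s "$1" ] || { echo "certificate file $1 is empty or missing" >&2; return 1; }
    for ks in serverkeys jssecacerts.cert; do
        "$KEYTOOL" -import -trustcacerts -alias collation -noprompt -keystore "$ETC/$ks" \
            -storepass "$PASS" -keypass "$PASS" -file "$1"
    done
}

# Check before step 9: the "collation" entry must still be a PrivateKeyEntry
# (wording as printed by OpenJDK keytool -list -v). Chain length and validity
# are printed; a chain length of 1 after the import means the signed
# certificate was not attached to this key pair.
verify_serverkeys() {
    out=$("$KEYTOOL" -list -v -alias collation -keystore "$ETC/serverkeys" -storepass "$PASS")
    printf '%s\n' "$out" | grep -E 'Entry type|Certificate chain length|Valid from'
    printf '%s\n' "$out" | grep -q 'Entry type: PrivateKeyEntry'
}

# Entry point; nothing runs when the file is only sourced for its functions.
case "${1:-}" in
    prepare)   # steps 1 to 6; then send the CSR to the CA (step 7)
        PASS=$(read_sslpassphrase "$ETC/collation.properties")
        backup_keystores "$ETC" "$(date +%Y%m%d%H%M%S).orig"
        remove_self_signed
        generate_key "${2:-ec}"
        backup_keystores "$ETC" "$(date +%Y%m%d%H%M%S).newkey"
        generate_csr "${3:-/tmp/certreq.csr}"
        ;;
    install)   # step 8 with the chain file from the CA, then the check; restart TADDM afterwards (step 9)
        PASS=$(read_sslpassphrase "$ETC/collation.properties")
        import_chain "${2:-/tmp/cert_chain.crt}"
        verify_serverkeys
        ;;
    renew)     # replace or renew: steps 2 and 3, restore serverkeys from the .newkey backup, then step 8
        PASS=$(read_sslpassphrase "$ETC/collation.properties")
        remove_self_signed
        cp -p "${2:?path to the serverkeys .newkey backup}" "$ETC/serverkeys"
        import_chain "${3:-/tmp/cert_chain.crt}"
        verify_serverkeys
        ;;
esac
```

Run `sh taddm-ssl.sh prepare` (or `prepare rsa` for the RSA key pair) before sending the CSR to the CA, `sh taddm-ssl.sh install /tmp/cert_chain.crt` once the chain file is back, and `sh taddm-ssl.sh renew <serverkeys.<stamp>.newkey.bak> /tmp/new_chain.crt` for a renewal. Reading the store password from collation.properties keeps it out of shell history and out of copy-and-paste mistakes, and the verification step catches the case where the imported certificate did not end up on the key pair that TADDM presents.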