PEM keystores received from a Certificate Authority can be converted into keystores for use with Build Forge. If you have a set of PEM files from a Certificate Authority, you must use them to create a set of OpenSSL and JSSE keystores for Build Forge.
- Include the Build Forge tool directories in your PATH:
  <bfinstall>/openssl
  <bfinstall>/ibmjdk/bin (Windows) or <bfinstall>/server/ibmjdk/bin (UNIX or Linux)
  For UNIX and Linux, also include the following directory in LD_LIBRARY_PATH:
  <bfinstall>/openssl
- Convert the PEM files into a PKCS12 keystore. Use the following command:
  openssl pkcs12 -export -name "buildforge" -out buildForgeKeyStore.p12 -inkey <key.pem> -passin pass:<pempassword> -in <crt.pem> -password pass:<bfpassword>
- Verify that the certificate has been added and can be read:
  keytool -v -list -keystore buildForgeKeyStore.p12 -storepass <bfpassword> -storetype pkcs12
  If you get an error about an invalid key size, download the unrestricted policy files, using the directions at the beginning of this section.
- Export the public certificate. In a command window, go to <bfinstall>/keystore, and then run this command:
  keytool -export -alias buildforge -file cert.der -keystore buildForgeKeyStore.p12 -storepass <bfpassword> -storetype pkcs12
  - The certificate is stored in the file cert.der.
  - Use the same <bfpassword> that was specified for keystores during installation. Otherwise you need to change the configuration.
- Create the truststore and import the public certificate. In a command window, go to <bfinstall>/keystore, and then run this command:
  keytool -import -noprompt -trustcacerts -alias buildforge -file cert.der -keystore buildForgeTrustStore.p12 -storepass <bfpassword> -storetype pkcs12
- Put the public client certificate in buildForgeCert.pem. In a command window, go to <bfinstall>/keystore, and then run this command (the -nokeys option keeps the private key out of this file):
  openssl pkcs12 -clcerts -nokeys -in buildForgeKeyStore.p12 -passin pass:<bfpassword> -out buildForgeCert.pem
- Put the certificate and keys in buildForgeKey.pem. In a command window, go to <bfinstall>/keystore, and then run this command:
  openssl pkcs12 -in buildForgeKeyStore.p12 -passin pass:<bfpassword> -passout pass:<bfpassword> -out buildForgeKey.pem
- Create the PEM Certificate Authority file buildForgeCA.pem.
  - Download the CA root certificate to <bfinstall>/keystore. It is named CARootCert.crt. It needs to be added to your PEM keystores and can be imported into buildForgeTrustStore.p12.
  - In a command window, go to <bfinstall>/keystore, and then run these commands:
    cat CARootCert.crt > buildForgeCA.pem
    keytool -import -noprompt -v -trustcacerts -alias "CA Root" -file CARootCert.crt -keystore buildForgeTrustStore.p12 -storepass <bfpassword> -storetype pkcs12
Build Forge uses a password-protected PEM keystore, buildForgeKey.pem. The Apache server prompts for the password during startup. If you do not want to be prompted for a password during startup, generate a PEM keystore that is not password-protected and have the Apache server use it. The following command is an example:
  openssl rsa -in buildForgeKey.pem -passin pass:<password> -out buildForgeKeyForApache.pem
Because this keystore is unprotected, be sure it is readable by the user ID that runs the Build Forge process; anyone else who can read the file holds the server's private key.
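As an added check that is not part of the Build Forge documentation, the following Python (standard library only) inspects the PEM files produced by this procedure: it decides from the PEM labels whether a key file is password-protected (label inspection only; it does not parse the key), and it flags an unencrypted key such as buildForgeKeyForApache.pem that is readable by group or other. The sample PEM bodies, the temporary directory and the audit function names are constructed for this example.

```python
import os
import re
import stat
import tempfile
# One PEM block: label, then body up to the matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
# Constructed placeholder bodies: not real key or certificate material.
BODY = "Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n"
ENCRYPTED_KEY_PEM = "-----BEGIN ENCRYPTED PRIVATE KEY-----\n%s-----END ENCRYPTED PRIVATE KEY-----\n" % BODY
PLAIN_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\n%s-----END RSA PRIVATE KEY-----\n" % BODY
CERT_PEM = "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % BODY

def key_blocks(text):
    """(label, body) of every private-key block in a PEM file."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)
            if "PRIVATE KEY" in m.group(1)]

def key_is_encrypted(text):
    """True when every private-key block is password-protected: a PKCS#8 'ENCRYPTED
    PRIVATE KEY' block (openssl pkcs12 -passout) or a legacy 'Proc-Type: 4,ENCRYPTED' header."""
    keys = key_blocks(text)
    return bool(keys) and all("ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body
                              for label, body in keys)

def audit_key_file(path):
    """Findings for buildForgeKey.pem or buildForgeKeyForApache.pem: an unencrypted
    key must not be readable by group or other, since its reader holds the TLS identity."""
    with open(path) as f:
        text = f.read()
    keys = key_blocks(text)
    findings = ["no private key block"] if not keys else []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if keys and not key_is_encrypted(text) and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("unencrypted key readable by group/other (mode %o)" % mode)
    return findings

def demo():
    """Write the constructed samples to a temp dir and audit them."""
    d = tempfile.mkdtemp()
    key, apache, cert = (os.path.join(d, n) for n in
                         ("buildForgeKey.pem", "buildForgeKeyForApache.pem", "buildForgeCert.pem"))
    for path, content in ((key, ENCRYPTED_KEY_PEM), (apache, PLAIN_KEY_PEM), (cert, CERT_PEM)):
        with open(path, "w") as f:
            f.write(content)
    os.chmod(apache, 0o644)                   # the exposure the text warns about
    before = audit_key_file(apache)
    os.chmod(apache, 0o600)                   # readable by the owner only
    return {"key": audit_key_file(key), "cert": audit_key_file(cert),
            "apache_before": before, "apache_after": audit_key_file(apache)}
```

Running audit_key_file over the real <bfinstall>/keystore files after the procedure gives the same kind of findings for the files you actually generated.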