Setting up Control Center Director Keystore

About this task

Connect:Direct Agent, Control Center Director Web Services, and Engine communicate over TLS using CA-signed certificates.

Procedure

  1. Create a Certificate Authority (CA). Skip this step if you already have a CA certificate.

    To generate Control Center Director and Connect:Direct Agent certificates, you must first have a CA. Execute the following command to generate one:

    keytool -genkey -alias <CA_ALIAS> -keyalg RSA -keysize 4096 -sigalg SHA512withRSA -keypass <KEYPASS> -validity 3650 -dname <DOMAIN_NAME> -keystore <CA_KEYSTORE> -storepass <KEYSTORE_PASSWORD>
    
    Example domain name: "CN=CA,OU=unit,O=ABC,L=loc,ST=state,C=CC"
  2. Generate a certificate/KeyStore for Control Center Director:

    If you generated a CA in step 1, execute the following command to export the CA certificate to the file ca.crt:

    keytool -export -alias <CA_ALIAS> -file ca.crt -rfc -keystore <CA_KEYSTORE> -storepass <KEYSTORE_PASSWORD>
  3. Create CA-signed certificates
    1. Generate a server certificate:
      keytool -genkey -alias <CERT_ALIAS> -keyalg RSA -keysize 4096 -sigalg SHA512withRSA -keypass <KEYPASS> -validity 3650 -dname <DOMAIN_NAME> -keystore <KEYSTORE> -storepass <KEYSTORE_PASSWORD>
    2. Import the CA certificate into your KeyStore as a trusted CA certificate:
      keytool -import -trustcacerts -alias <CA_ALIAS> -file ca.crt -keystore <KEYSTORE> -storepass <KEYSTORE_PASSWORD>
    3. Generate a signing request to obtain a CA-signed certificate. The following command writes the signing request to the file server_cert.csr:
      keytool -certreq -alias <CERT_ALIAS> -ext BC=ca:true -keyalg RSA -keysize 4096 -sigalg SHA512withRSA -validity 3650 -file "server_cert.csr" -keystore <KEYSTORE> -storepass <KEYSTORE_PASSWORD>
    4. Obtain the CA-signed server certificate. If you are using an external CA, send the signing request file to your CA and receive your signed server certificate from it. Alternatively, if you generated your own CA in step 1, execute the following commands to sign the certificate yourself:
      • Sign the certificate with the generated CA in the CA KeyStore, using the generated csr file:
      keytool -gencert -alias <CA_ALIAS> -validity 3650 -sigalg SHA512withRSA -infile "server_cert.csr" -outfile "server_signed.crt" -rfc -keystore <CA_KEYSTORE> -storepass <KEYSTORE_PASSWORD>
      • Import the signed certificate into your KeyStore:
      keytool -importcert -alias <CERT_ALIAS> -file server_signed.crt -keystore <KEYSTORE> -storepass <KEYSTORE_PASSWORD>
    You have successfully set up your KeyStore.

    To configure the KeyStore in Control Center Director, see Configuring Control Center Director.
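The following script is an added worked example, not part of the Control Center Director documentation: it runs the procedure above end-to-end with constructed values (the CA and server DNs, the password and the file names are all placeholders), then checks that the resulting server entry really holds a CA-signed chain. It departs from the documented commands in three places, each an assumption for scripted use: the CA key pair gets -ext BC=ca:true so the self-signed root is marked as a CA, the CA import uses -noprompt so keytool does not stop to ask "Trust this certificate?", and the certreq step carries only the options keytool documents for it.

```shell
#!/bin/sh
# Added example: the Control Center Director keystore procedure, scripted with
# constructed values, plus a check of the result. Requires keytool on PATH.
set -eu

PASS="constructed-pass-1"   # constructed; one password for store and key (PKCS12 needs them equal)
CA_DN="CN=Example CA,OU=unit,O=ABC,L=loc,ST=state,C=CC"
SRV_DN="CN=ccd.example.internal,OU=unit,O=ABC,L=loc,ST=state,C=CC"

# Steps 1 to 3.4 of the procedure, run inside directory $1.
build_keystores() {
  d="$1"
  # Step 1: CA key pair. BC=ca:true marks the self-signed root as a CA (added here).
  keytool -genkeypair -alias ca -keyalg RSA -keysize 4096 -sigalg SHA512withRSA \
    -dname "$CA_DN" -ext BC=ca:true -validity 3650 \
    -keystore "$d/ca.p12" -storepass "$PASS" -keypass "$PASS"
  # Step 2: export the CA certificate in PEM (-rfc) form to ca.crt.
  keytool -exportcert -alias ca -rfc -file "$d/ca.crt" \
    -keystore "$d/ca.p12" -storepass "$PASS"
  # Step 3.1: server key pair in its own keystore.
  keytool -genkeypair -alias server -keyalg RSA -keysize 4096 -sigalg SHA512withRSA \
    -dname "$SRV_DN" -validity 3650 \
    -keystore "$d/server.p12" -storepass "$PASS" -keypass "$PASS"
  # Step 3.2: trust the CA in the server keystore; -noprompt keeps this non-interactive.
  keytool -importcert -trustcacerts -noprompt -alias ca -file "$d/ca.crt" \
    -keystore "$d/server.p12" -storepass "$PASS"
  # Step 3.3: certificate signing request for the server key.
  keytool -certreq -alias server -sigalg SHA512withRSA -file "$d/server_cert.csr" \
    -keystore "$d/server.p12" -storepass "$PASS"
  # Step 3.4: sign with the CA, then install the signed certificate over the key entry.
  # keytool completes the chain from the CA certificate imported in step 3.2.
  keytool -gencert -alias ca -validity 3650 -sigalg SHA512withRSA -rfc \
    -infile "$d/server_cert.csr" -outfile "$d/server_signed.crt" \
    -keystore "$d/ca.p12" -storepass "$PASS"
  keytool -importcert -alias server -file "$d/server_signed.crt" \
    -keystore "$d/server.p12" -storepass "$PASS"
}

# Check: the server entry must hold a two-certificate chain (server + CA).
chain_length() {
  keytool -list -v -alias server -keystore "$1/server.p12" -storepass "$PASS" \
    | sed -n 's/^Certificate chain length: //p'
}

# Check: the leaf certificate's issuer must be the CA's subject.
leaf_issuer() {
  keytool -list -v -alias server -keystore "$1/server.p12" -storepass "$PASS" \
    | sed -n '/^Issuer: /{s/^Issuer: //p;q;}'
}
```

Run build_keystores on an empty directory, then compare chain_length and leaf_issuer against the expected chain length of 2 and the CA DN; a chain length of 1 means the signed certificate was imported without the CA being trusted first (step 3.2).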