Creating additional security certificates

After you install the PowerSC GUI agent on the endpoints and after you install the PowerSC GUI, several shell scripts are provided in the /opt/powersc/uiServer/bin/ directory for creating or importing security certificates.

The following stores are required and are created by one or more of the shell scripts that are run during installation or by the PowerSC administrator:

  • endpointKeystore.jks
  • endpointTruststore.jks
  • serverKeystore.jks
  • serverTruststore.jks
  • signingKeystore.jks

The following table describes each certificate-related shell script that is provided in the /opt/powersc/uiServer/bin/ directory and states whether it runs automatically as part of the installation or must be run by the system administrator after the installation is complete.

Table 1. Certificate shell scripts

Shell script: generate_server_keystore_uiServer.sh
Run by: Runs automatically during installation.
Description: This script creates the endpoint truststore, the GUI server truststore, and the GUI server keystore. The endpoint truststore contains a self-signed security certificate that references the GUI server.
  • serverKeystore.jks
  • serverTruststore.jks

Shell script: generate_signing_keystore_uiServer.sh
Run by: Runs automatically during installation.
Description: This script generates a certificate that is used to sign messages.
  • signingKeystore.jks

Shell script: generate_endpoint_keystore_uiServer.sh
Run by: Runs automatically during installation.
Description: Run this script to generate the endpoint keystore.
  • endpointKeystore.jks

Shell script: import_well_known_certificate_uiServer.sh
Run by: Run this script only if you are providing your own well-known certificate.
Description: If you already have a certificate .pem file from a well-known certificate authority, you can run this script to create the endpoint truststore, import that certificate, create the GUI server truststore, and create the GUI server keystore.

Shell script: convertProfileToBean.sh
Run by: Run this script only if you are converting profiles so that they can be used with PowerSC.
Description: Converts profiles that are in XML format and were not created by using PowerSC to the PowerSC format.

Shell script: certificate_import.sh
Run by: Run this script only if you are importing the certificate of the openid_provider_hostname that is specified in the /etc/security/powersc/uiServer/sso.conf.properties file into the server trusted store.
Description: Imports the certificate of the openid_provider_hostname into the server trusted store. Specify the openid_provider_hostname host name and, optionally, the port.

Using your own certificate with import_well_known_certificate_uiServer.sh

This section describes how to use your own self-signed or CA-signed certificate with import_well_known_certificate_uiServer.sh if needed for testing purposes. However, it is strongly recommended that you use a server certificate issued by a well-known certificate authority. If you use a server certificate issued by a well-known certificate authority, you can skip this section.

To create a self-signed certificate, perform the following tasks:

  1. Create a certificate and private key pair:
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.pem -out certificate.pem \
      -addext "subjectAltName = DNS:host-short-name"
    Generating a RSA private key
    ...............+++++
    ................+++++
    writing new private key to 'privateKey.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    :
    :
    
  2. Concatenate the public and private keys:
    cat certificate.pem privateKey.pem > serverkeypair.pem
  3. Use the resulting PEM file as input to the import_well_known_certificate_uiServer.sh script:
    /opt/powersc/uiServer/bin/import_well_known_certificate_uiServer.sh ./serverkeypair.pem

To create a new certificate signed by your CA, perform the following steps. This process may require help from your IT team.

  1. Create a private key:
    openssl genrsa -out privateKey.pem 2048
  2. Create a certificate signing request (CSR):
    openssl req -out request.pem -key privateKey.pem -new \
      -addext "subjectAltName = DNS:host-short-name"
  3. Follow your established procedures to sign the CSR with your CA. You should receive the chain of certificates.
  4. Concatenate the certificate chain and private key:
    cat certificate-chain.pem privateKey.pem > serverkeypair.pem
  5. Use the resulting PEM file as input to the import_well_known_certificate_uiServer.sh script:
    /opt/powersc/uiServer/bin/import_well_known_certificate_uiServer.sh ./serverkeypair.pem
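The following script is an added example and is not part of the PowerSC documentation or product. It runs the key-generation and concatenation steps of both procedures above (the self-signed one and the CSR steps of the CA-signed one) without interactive prompts, and adds the check an administrator would want before passing serverkeypair.pem to import_well_known_certificate_uiServer.sh: that the file really contains both a certificate and a private key, that the key belongs to the first certificate, and that the subjectAltName names the host. The host name and directories are constructed arguments, not PowerSC defaults; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the PowerSC documentation): non-interactive versions of
# the openssl steps above plus sanity checks on the resulting PEM files.
# HOST and DIR are constructed arguments supplied by the caller.
set -u

# make_self_signed_pair DIR HOST: steps 1 and 2 of the self-signed procedure.
# -subj replaces the interactive questions; -addext puts HOST into the SAN.
make_self_signed_pair() {
    dir=$1; host=$2
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/privateKey.pem" -out "$dir/certificate.pem" \
        -subj "/CN=$host" -addext "subjectAltName = DNS:$host" 2>/dev/null || return 1
    cat "$dir/certificate.pem" "$dir/privateKey.pem" > "$dir/serverkeypair.pem"
}

# make_csr DIR HOST: steps 1 and 2 of the CA-signed procedure. The request.pem
# goes to your CA; the returned chain is concatenated with privateKey.pem as above.
make_csr() {
    dir=$1; host=$2
    openssl genrsa -out "$dir/privateKey.pem" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/privateKey.pem" -out "$dir/request.pem" \
        -subj "/CN=$host" -addext "subjectAltName = DNS:$host" 2>/dev/null
}

# check_keypair_pem FILE HOST: succeeds (returns 0) only if FILE contains a
# CERTIFICATE block and a PRIVATE KEY block, the key matches the first
# certificate, and that certificate's subjectAltName lists DNS:HOST.
check_keypair_pem() {
    pem=$1; host=$2
    tmp=$(mktemp -d) || return 1
    # Split the bundle so that each openssl call sees only the object it expects.
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$pem" > "$tmp/cert.pem"
    awk '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/' "$pem" > "$tmp/key.pem"
    rc=1
    if ! [ -s "$tmp/cert.pem" ]; then
        echo "$pem: no CERTIFICATE block"
    elif ! [ -s "$tmp/key.pem" ]; then
        echo "$pem: no PRIVATE KEY block (was privateKey.pem concatenated?)"
    else
        # Same RSA key => identical SubjectPublicKeyInfo PEM from both objects.
        cert_pub=$(openssl x509 -in "$tmp/cert.pem" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null)
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "$pem: private key does not match the first certificate"
        elif ! openssl x509 -in "$tmp/cert.pem" -noout -text 2>/dev/null | grep -qw "DNS:$host"; then
            echo "$pem: subjectAltName does not name $host"
        else
            rc=0
        fi
    fi
    rm -rf "$tmp"
    return $rc
}

# check_csr_san FILE HOST: confirm the CSR requests DNS:HOST before it is sent
# to the CA, so the signed certificate does not come back without the SAN.
check_csr_san() {
    openssl req -in "$1" -noout -text 2>/dev/null | grep -qw "DNS:$2"
}

# Usage (after sourcing this file):
#   make_self_signed_pair /tmp/pki gui-host && check_keypair_pem /tmp/pki/serverkeypair.pem gui-host
#   make_csr /tmp/csr gui-host && check_csr_san /tmp/csr/request.pem gui-host
```

Run the check on the concatenated file, not on certificate.pem alone: a bundle that lacks the private key block or whose key was generated in a different run is the usual reason the import produces an unusable keystore. Because serverkeypair.pem carries the private key, keep it readable only by the administrator and remove it once the import script has consumed it.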