Absent Member.

keytool usage commands

I do not have X Windows:

I want to do the following:

     --generate a new web cert in the web keystore using manager host name as CN

     -- export the new manager cert from manager keystore

     -- import the new manager cert into the web trust store (cacerts)

Can anyone help me with what commands to use?

0 Likes
Absent Member.

Hi Vishal,

Go through the Administrator's Guide for ESM 6.8 --> Tools for SSL Configuration Keytoolgui.

All the required commands are part of this Guide.

0 Likes
Cadet 2nd Class

Hey Vishal -

I know Akshay referred to the keytoolgui section of the guide, but look on page 80, as it talks about the CLI, which is the option you are most likely looking for.

This is assuming you have a new web or keystore as I do not know your environment.

--generate a new web cert in the web keystore using manager host name as CN

keytool -genkey -dname "CN=host.domain.com, OU=XXXXX, O=XXXXX, L=XXXXX, ST=xx, C=xx" -alias fookey -keypass XXXXX -keystore /some/path -storepass XXXXX -keyalg "RSA" -keysize 2048 -validity 365

-- export the new manager cert from manager keystore (I am guessing you want a CSR)

keytool -certreq -alias fookey -file /some/path/fookey.csr -keystore /some/path -storepass XXXXX

-- import the new manager cert into the web trust store (cacerts)(assuming you got the CSR signed)

keytool -import -trustcacerts -alias fookey -file /some/path/signedcert.pem -keystore /some/path -storepass XXXXX

If this answers your question, please mark it as such.

scotty

0 Likes
Cadet 2nd Class

Steps in KM1271332 can help you to maintain Manager SSL certificates from a command line with no UI.

-Nellie

0 Likes
Absent Member.

Hi,

We do not use CSR. What would be the command for that? My only reason to do this is that I had used the IP address of the ESM instead of its hostname while installing it, and now I want to change it to the hostname.

- Vishal K

0 Likes
Cadet 2nd Class

Vishal -

The command to create a CSR (Certificate Signing Request) is noted above. It sounds like you are doing self-signed certificates, so I would recommend following Nellie's link KM1271332 for all the other cool creature features of the CLI.

-- export the new manager cert from manager keystore (I am guessing you want a CSR)

keytool -certreq -alias fookey -file /some/path/fookey.csr -keystore /some/path -storepass XXXXX

scotty

0 Likes
Cadet 2nd Class

Hi Vishal,

That KB KM1271332 I had shared is for the option of a CA-signed certificate, for which you need to submit your CSR to a public CA. Once you receive the assigned certificate, you need to insert the issuer's root cert (*.cer) into both the manager and web truststores separately (manager: /opt/manager/jre/lib/security/cacerts, and web: /opt/web/jre/lib/security/cacerts).

Otherwise, if you just want to issue a self-signed certificate (issued by the ArcSight CA, still trusted) for your web server, you need to run the command './arcsight webserversetup' from your web server/bin as the arcsight user. The last step you need to do is to export the ArcSight CA cert from its truststore (/opt/web/jre/lib/security/cacerts) and import it into the manager's truststore (/opt/manager/jre/lib/security/cacerts). You can use KM1270138 (for manager) as a reference.

0 Likes
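
The self-signed route asked about in this thread (generate a key pair with the host name as CN, export the certificate rather than a CSR, import it into the other component's truststore), as an added example that is not part of any post or of the ArcSight documentation. The store paths, the `webcert` alias and the password are constructed; the SAN extension and the `:env` password modifier are additions beyond the commands posted above.

```shell
#!/bin/sh
# Added example, not from the thread. Aliases, paths and the password are
# constructed placeholders; back up any real keystore before using these on it.

# Self-signed RSA key pair with the host name in both CN and SAN. Passwords are
# read from $STOREPASS via keytool's :env modifier, keeping them off the process list.
gen_selfsigned() {  # usage: gen_selfsigned <keystore> <alias> <fqdn>
    keytool -genkeypair -alias "$2" -dname "CN=$3" -ext "SAN=dns:$3" \
        -keyalg RSA -keysize 2048 -validity 365 \
        -keystore "$1" -storepass:env STOREPASS -keypass:env STOREPASS
}

# Export only the public certificate (PEM); the private key stays in the keystore.
export_cert() {  # usage: export_cert <keystore> <alias> <outfile>
    keytool -exportcert -rfc -alias "$2" -file "$3" \
        -keystore "$1" -storepass:env STOREPASS
}

# Import that certificate as a trusted entry in the other component's truststore.
import_trusted() {  # usage: import_trusted <truststore> <alias> <certfile>
    keytool -importcert -noprompt -alias "$2" -file "$3" \
        -keystore "$1" -storepass:env STOREPASS
}

# Succeeds only if both stores hold the identical certificate under <alias>.
same_cert() {  # usage: same_cert <keystore> <truststore> <alias>
    a=$(keytool -exportcert -rfc -alias "$3" -keystore "$1" -storepass:env STOREPASS) &&
    b=$(keytool -exportcert -rfc -alias "$3" -keystore "$2" -storepass:env STOREPASS) &&
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Run the three steps end to end against throwaway stores in a temp directory.
demo() {  # usage: demo <fqdn>
    dir=$(mktemp -d) || return 1
    STOREPASS=changeit-demo; export STOREPASS   # constructed password
    rc=0
    gen_selfsigned "$dir/web.ks" webcert "$1" &&
    export_cert "$dir/web.ks" webcert "$dir/webcert.pem" &&
    import_trusted "$dir/trust.ks" webcert "$dir/webcert.pem" &&
    same_cert "$dir/web.ks" "$dir/trust.ks" webcert || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Runs the demo only when a host name is given, e.g.: sh certs.sh web01.example.com
if [ "$#" -gt 0 ]; then demo "$1" && echo "truststore entry matches keystore certificate"; fi
```

Running `same_cert` after the import confirms that the truststore entry is the certificate the server will present, which catches an import of a stale or wrong file before clients start failing the TLS handshake.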