Version 9.6
 —  LoginModules Guide  —

Creating Custom Keys and Certificates

Software AG Common Platform provides a single sign-on service which has predefined keystore (keystore.jks) and truststore (platform_truststore.jks). The predefined keystore and truststore contain default keys used for issuing and validating signed SAML assertions. You can create and modify these keystore and certificates using the certtool tool provided by Software AG Security Infrastructure.

The certtool tool is located in the Software AG_directory\common\bin folder. It is a wrapper of Java keytool and has default options that are used if the user does not provide any custom input.

Notes:

  1. After you create a new certificate and add it to the keystore, you must also update the configuration of the SSOS service for your changes to take effect.
  2. If the keystore file already exists, and you try to generate a new key pair in the same keystore file, a warning is displayed, stating that the file will be overwritten.

Start of instruction setTo use the certtool tool

  1. Using the command prompt, open the following directory: Software AG_directory\ common\bin. You cannot start the tool from a different location on the file system. Depending on the operating system, start the tool using one of the following files:

  2. To generate a key pair, type the following command:

    certtool.bat/sh -generate

    You are prompted to provide a common name (CN) for the certificate.

    The keystore certificate is generated in the location specified by the DEFAULT_PATH option.

  3. To add the newly generated .cer file to the truststore, type the following command:

    certtool.bat/sh -add

    Follow the prompts. The .cer file is added to the location specified by the TRUSTSTORE_FILE option.

  4. To list the keystore contents, type the following command:

    certtool.bat/sh -listkeystore

    Follow the prompts. The keystore contents are listed in the command prompt.

  5. To list the truststore contents, type the following command:

    certtool.bat/sh -listtruststore

    Follow the prompts. The truststore contents are listed in the command prompt.

  6. To delete a certificate from the truststore, type the following command:

    certtool.bat/sh -delete

    You are prompted to provide the alias name of the certificate file to be deleted.

Available Commands

Below is the list of commands available in the certtool.bat/sh file:

Argument Description
-listkeystore

Lists the keystore certificates currently located in the keystore. The default keystore certificate is "default.jks" with a default password "manage".

Note:
The keystore should contain only one keystore certificate which is used for issuing signed SAML assertions.

-listtruststore

Lists the truststore certificates currently located in the truststore. The default certificate is "default_truststore.jks" with a default password "manage".

Note:
The truststore can contain multiple public truststore certificates which are used for validating SAML assertion signatures.

-add

Adds a trusted certificate to the truststore. The "default_truststore.jks" certificate is used if no other certificate is specified.

-delete

Deletes a trusted certificate from the truststore.

-generate

Generates a key pair and exports the public information as a .cer file.

-usage

Prints the available commands.

Available Options

Below is a list of options available in the certtool.bat/sh file.

Caution:
All options in the table below have default values assigned to them. Please note that you are advised to modify them with extreme caution.

Option Description
DEFAULT_PATH

Default path where the certificate stores will be created, for example C:\Software AG\common\conf.

The value is automatically provided when you install the certtool using the Software AG Installer.

KEYTOOL_PATH

Default path to the Software AG Java keytool, for example C:\Software AG\jvm\jvm170_32\bin\keytool.

The value is automatically provided when you install the certtool using the Software AG Installer.

KEYSTORE_KEY_ALIAS

Alias keystore name.

Default value is "default". This value will be used if no other alias is specified.

KEYSTORE_FILE

Value for the name and location of the created keystore certificate.

If no other value is specified, the certtool generates a keystore certificate with the name "default.jks" in C:\Software AG\common\conf.

KEYSTORE_TYPE

The type of the keystore.

Default value is "JKS".

KEYSTORE_PASSWORD

The password for the keystore. The default value is "manage".

TRUSTED_CERT_ALIAS

Alias truststore certificate name.

Default value is "default". This value will be used if no other alias is specified.

TRUSTSTORE_FILE

Value for the name and location of the created truststore.

If no other value is specified, the certtool generates a keystore certificate with the name "default_truststore.jks" in C:\Software AG\common\conf.

TRUSTSTORE_TYPE

The type of the truststore.

Default value is "JKS".

TRUSTSTORE_PASSWORD

The password for the truststore.

Default value is "manage".

X509_FILE

Value for the name and location of the created truststore certificate.

If no other value is specified, the certtool generates a certificate with the name "default.cer" in C:\Software AG\common\conf.

VALIDITY

The validity of the certificate in days.

Default value is "1826".

KEY_ALGORITHM

Specifies the algorithm to be used to generate the key pair.

Default value is "RSA".

SIG_ALGORITHM

Specifies the algorithm that should be used to sign the self-signed certificate. This algorithm must be compatible with KEY_ALGORITHM. Its value is derived from the algorithm of the underlying private key.

For example, if the private key is of type DSA, the value of the SIG_ALGORITHM option is "SHA1withDSA".

KEY_SIZE

Specifies the size of each key to be generated.

Default value is "1024".

Top of page