For EST enrollment, Certificate Enrollment Gateway requires an SSL certificate to terminate SSL connections coming from EST clients. To validate the EST SSL certificate, Certificate Enrollment Gateway requires a truststore containing the CA certificate chain for the SSL certificate, from the Issuing CA to the root CA.
The truststore for the EST SSL certificate must be stored in one of the following files:
| File | Description |
|---|---|
| P12 truststore | The file must be a PKCS #12 (P12) file containing at least one Trusted CA Certificate entry (TrustedCertEntry). |
| PEM truststore | The file must be a PEM-formatted file containing at least one PEM-formatted CA certificate. Each CA certificate must be complete, including its BEGIN CERTIFICATE and END CERTIFICATE lines. |
To generate a P12 truststore for the EST SSL certificate using the Java keytool utility
- Obtain the CA certificate chain for the EST SSL certificate, from the issuing CA certificate to the root CA certificate.
- Log in to a computer that has Java installed.
- For each certificate, enter the following command to generate the P12 truststore file and import the certificate into it:
keytool -import -alias <alias> -trustcacerts -file <cert-file> -keystore <truststore>
Where:
<alias> is an alias for the certificate. Use a different alias for each certificate you import.
<cert-file> is the path and file name of the certificate.
<truststore> is the path and file name of the P12 truststore file, for example, est-truststore.p12. The utility creates the file if it does not exist. If your keytool defaults to the JKS format (Java 8 and earlier), add -storetype PKCS12 so that the file is created as a P12 file.
For example:
keytool -import -alias cagw-root -trustcacerts -file /tmp/root.cer -keystore /home/user/est-truststore.p12
- When prompted, enter a password for the truststore.
To generate a PEM truststore for the EST SSL certificate
- Obtain the CA certificate chain for the EST SSL certificate, from the issuing CA certificate to the root CA certificate.
- Open a text editor.
- Create a new file.
- Paste the contents of each CA certificate file into the new file, from the issuing CA certificate to the root CA certificate. Each CA certificate must be complete, including its BEGIN CERTIFICATE and END CERTIFICATE lines. For example:
-----BEGIN CERTIFICATE-----
<TLS server certificate in Base64 encoding>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Issuing CA certificate in Base64 encoding>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Root CA certificate in Base64 encoding>
-----END CERTIFICATE-----
The text file should look similar to the following:
-----BEGIN CERTIFICATE-----
MIIDqQYJKoZIhvcNAQcCoIIDmjCCA5YCAQExADALBgkqhkiG9w0BBwGgggN...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDejCCAmKgAwIBAgIQQ8e7ock59Y21Mtcy7rGJUDANBgkqhkiG9w0BAQs...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIQ0EgRW50cnkwHhcNMjMwMjA4MTUxNzEwWhcNMzMwMjA4MTU0NzEwWjAyM...
-----END CERTIFICATE-----
- Save and close the file.
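As an added check, written for this page and not part of the product or its documentation: a standard-library Python validator for the PEM truststore built above. It rejects a BEGIN or END line that has four dashes instead of five, requires each body to be Base64-encoded DER, and confirms the chain runs from the issuing CA to a self-signed root by comparing each certificate's issuer Name with the next certificate's subject Name. `fake_cert` and `pem` are assumptions of this example: they build constructed, unsigned, certificate-shaped sample data to exercise the parser, not real certificates.

```python
import base64
import re
# A well-formed PEM block has exactly five dashes on both the BEGIN and END lines.
PEM_RE = re.compile(r"^-----BEGIN CERTIFICATE-----\n(.*?)\n-----END CERTIFICATE-----$", re.M | re.S)

def _tlv(buf, pos):  # decode one DER tag and length at pos -> (tag, value_start, value_end)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:    # long-form length: the low 7 bits give the number of length bytes
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, pos, pos + ln

def issuer_subject(der):  # raw DER issuer and subject Names of an X.509 certificate
    _, s, _ = _tlv(der, 0)                     # Certificate ::= SEQUENCE
    _, pos, end = _tlv(der, s)                 # tbsCertificate ::= SEQUENCE
    fields = []                                # version?, serial, sigAlg, issuer, validity, subject, ...
    while pos < end:
        tag, _, ve = _tlv(der, pos)
        fields.append((tag, der[pos:ve]))
        pos = ve
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version (present in v3 certs)
        fields.pop(0)
    return fields[2][1], fields[4][1]

def check_pem_truststore(text):  # validate the contents of a PEM truststore -> (ok, message)
    blocks = PEM_RE.findall(text)
    if not blocks or len(blocks) != text.count("BEGIN CERTIFICATE"):
        return False, "missing or malformed BEGIN/END CERTIFICATE line (expect five dashes)"
    try:
        names = [issuer_subject(base64.b64decode("".join(b.split()), validate=True)) for b in blocks]
    except (ValueError, IndexError):           # bad Base64, or bytes that are not a DER certificate
        return False, "a certificate body is not Base64-encoded DER X.509"
    for i in range(len(names) - 1):            # issuer(i) must equal subject(i + 1): issuing CA first
        if names[i][0] != names[i + 1][1]:
            return False, f"certificate {i + 1} was not issued by certificate {i + 2}"
    if names[-1][0] != names[-1][1]:           # the chain must end at a self-signed root CA
        return False, "last certificate is not a self-signed root CA"
    return True, f"{len(names)} certificates, ordered issuing CA to root"

# Constructed sample data (not real certificates): unsigned, certificate-shaped DER for the parser.
def _der(tag, body):  # short-form TLV only; every body built here is under 128 bytes
    return bytes([tag, len(body)]) + body
def _name(cn):        # Name with a single commonName (OID 2.5.4.3) attribute
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
def fake_cert(subject, issuer):
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    tbs = _der(0x02, b"\x01") + alg + _name(issuer) + _der(0x30, b"") + _name(subject) + _der(0x30, b"")
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))
def pem(der, dashes=5):  # dashes=4 reproduces a truncated "----" delimiter line
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE{'-' * dashes}\n"
```

Run it on a real file with `check_pem_truststore(open("est-truststore.pem").read())`; the same issuing-CA-to-root ordering check is worth applying to the certificates you import into the P12 truststore.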