Generate a mscaproxyclient.jks keystore containing:
- The private key of CA Gateway for client authentication.
- The key’s certificate.
- The certificate’s chain.
The required steps are described below.
The following instructions create a Java KeyStore (JKS) with the Java keytool command line utility. Consider using a more secure PKCS#12 type instead.
Generating and certifying the key pair
In a temporary directory under the Microsoft Proxy Server, run the following commands to generate and certify a key pair.
keytool -genkey -noprompt -alias mscaproxyclient -dname "cn=mscaproxy client" -keyalg RSA -keysize 2048 -keystore mscaproxyclient.jks -storepass <STOREPASS> -keypass <KEYPASS>
keytool -certreq -alias mscaproxyclient -file mscaproxyclient.csr -keystore mscaproxyclient.jks -storepass <STOREPASS>
certreq.exe -f -attrib "CertificateTemplate:ClientAuthentication" -config "<HOST>\<CA>" mscaproxyclient.csr CertChainFileOut mscaproxyclient.p7b
Depending on the Microsoft CA setup, you may need to manually approve the request and retrieve the certificate.
See the following table for a description of the main parameters.
Option | Value |
---|---|
-attrib | The name of the authentication template you previously created for Microsoft CA. |
-config | The keystore configuration in "<HOST>\<CA>" syntax, where <HOST> is the Microsoft CA’s hostname and <CA> is the CA name defined when configuring Microsoft CA in CA Gateway. |
-dname | A valid certificate distinguished name. |
-keypass | The password of the private key. |
-keystore | The name of the keystore file. Copy this file to the CA Gateway server. |
-storepass | The keystore password. |
Importing the keys and the certificate
Import the keys and the certificate into the keystore.
keytool -import -noprompt -alias mscaproxyclient -file mscaproxyclient.p7b -keystore mscaproxyclient.jks -storepass <STOREPASS>
Deleting temporary files
Delete the temporary files.
del CertChainFileOut
del CertChainFileOut.rsp
del mscaproxyclient.csr
del mscaproxyclient.p7b
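Before copying the keystore to the CA Gateway server, you can confirm that the import bound the CA reply to the private key. The following PowerShell check is an added example, not part of the original instructions. It assumes keytool is on the PATH and prints English output; <STOREPASS> is the page's placeholder.

```powershell
# Added example: verify that the mscaproxyclient alias holds the private key
# together with the certificate chain returned by the Microsoft CA.
$keystore  = 'mscaproxyclient.jks'
$alias     = 'mscaproxyclient'
$storepass = '<STOREPASS>'   # placeholder from the page; replace before running

# "keytool -list -v" reports the entry type and chain length of the alias.
$out = & keytool -list -v -alias $alias -keystore $keystore -storepass $storepass
if ($LASTEXITCODE -ne 0) {
    throw "keytool could not read alias '$alias' from $keystore."
}
$text = $out -join "`n"

# A trustedCertEntry here means the reply was imported without its private key.
if ($text -notmatch 'Entry type:\s*PrivateKeyEntry') {
    throw "Alias '$alias' is not a PrivateKeyEntry."
}

# After -genkey the chain length is 1 (self-signed). After a successful import
# of the .p7b reply it is at least 2 (client certificate plus issuing CA).
if ($text -match 'Certificate chain length:\s*(\d+)') {
    $chainLength = [int]$Matches[1]
} else {
    throw 'keytool reported no certificate chain for the alias.'
}
if ($chainLength -lt 2) {
    throw "Chain length is $chainLength: the entry still holds only the self-signed certificate."
}

Write-Output "OK: '$alias' is a PrivateKeyEntry with a chain of $chainLength certificates."
```

If the check fails, repeat the import step before deleting mscaproxyclient.p7b.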