JAVA Keytool utility for managaing server certificates

In our current set-up we've a .NET connector server for communication between AD and OIM which is running on Windows 64, for which we'll renew the server certificates. 

Please go through the complete post cause there are multiple fronts to this. 

STEP 1 : Generate a new certificate  :

Now, generate a new CSR and a private key using OPENSSL commands  : 

openssl req -nodes -newkey rsa:2048 -sha256 -keyout private.key -out server.csr

similarly as CSRs generated by keytool utility, you need to align with your CA authority for getting the .cer certificate filegenerated from the above csr file. 

STEP 2  : Find the Certificate store :  

If you're configuring a new connector server  : 

Run the following command from the command prompt:
ConnectorServer.exe /setkey NEW_KEY

This key is used for SSL communication by any client that connects to this .NET Connector Server, you will also need to update this key in the connector server IT resource along with the other properties. 

Open the C:\Program Files (x86)\Identity Connectors\Connector Server\ConnectorServer.exe.Config file for the entry : 
<add key="connectorserver.port" value="8759" /> <add key="connectorserver.usessl" value="true" /> <add key="connectorserver.certificatestorename" value="ConnectorServerSSLCertificate"/>

The certificate store mentioned in the ConnectorServer.exe.Config file must have only one certificate. If there is more than one certificates, then the .NET Connector Server will not start.
Run the following command to view the number of certificates present in the certificate store:
C:\>certutil -viewstoreSTORE_NAME

This will give you a certificate pop-up where you can check if the certiifctae is valid or not. 

STEP 3 : Create a new certificate store or delete the certiifcate from the old store : 

For creating a new certiifcate store use : 
certutil -f -addstore sslstore2019 C:\*****.cer

For verifying a store : 
certutil -verifystore sslstore2017

For deleting a certificate from an existing store : 
certutil -v -delstore Certificate _FQDN

We can cehck the new store from windows MMC console  : 

Log on to the computer that issued the certificate request by using an account that has administrative permissions. Click Start, click Run, type mmc, and then click OK. On the File menu, click Add/Remove Snap-in. In the Add/Remove Snap-in dialog box, click Add. Click Certificates, and then click Add. In the Certificates snap-in dialog box, click Computer account, and then click Next. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish. Click Close, and then click OK.

STEP 4 :  Merge the private key and certificate  : 

For a proper ssl handshake, the server is required to have a private key paired with the public key embedded in the certificate. When a client connects, it is presented with the certificate. This allows for validation that the server is who it says it is based on trust of an issuance authority.
The certificate needs to have private key in order to decrypt the data from OIM, or you'll receive  the error : "The server mode SSL must use a certificate with 
the associated private key". 
ConnectorServer.exe Error 0 Error processing request The server mode SSL must use a certificate with the associated private key. at Boolean AcquireServerCredentials(Byte[] ByRef) at System.Net.SecurityStatus GenerateToken(Byte[], Int32, Int32, Byte[] ByRef) at Void ProcessAuthentication(System.Net.LazyAsyncResult) at Void Run() in Server.cs:793

To avoid it, run the below command on windows server : 

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt Breaking down the command: openssl – the command for executing OpenSSL pkcs12 – the file utility for PKCS#12 files in OpenSSL -export -out certificate.pfx – export and save the PFX file as certificate.pfx -inkey privateKey.key – use the private key file privateKey.key as the private key to combine with the certificate. -in certificate.crt – use certificate.crt as the certificate the private key will be combined with. -certfile more.crt – This is optional, this is if you have any additional certificates you would like to include in the PFX file.

This will ask you for a password fpr the private key.

If you get the below ERROR : make sure you're using the right key-cer pair, and not the old key file.
No certificate matches private key

If you get the below ERROR : make sure the certificate was created by CA using base-64 encoded.cer format, and not a DER encoded .cer file.
unable to load certificate

Solution  : Import the certificate through MMC console as it is , and then export it to a  base-64 encoded.cer format. 

STEP 5 : Merge the new .pfx file in to your Personal console and Certificate store used in ConnectorServer.exe.Config file. 

In the Certificates snap-in, expand Certificates, right-click the Personalfolder, point to All Tasks, and then click Import. On the Welcome to the Certificate Import Wizard page, click Next. On the File to Import page, click Browse. In the Open dialog box, click the new certificate, click Open, and then click Next. On the Certificate Store page, click Place all certificates in the following store, and then click Browse. In the Select Certificate Store dialog box, click Personal, click OK, click Next, and then click Finish.

STEP 6 : Import the same certs into all the oim managed server cacerts using keytool -import command. 

ISSUE  : Let's say you've lost the provate key of the cert file, so you can't merge it with a cer file in STEP 4 , for a temporary solution run this  : 

certutil -repairstore my "SerialNumber"

my  :Is the name for 'Personal' store, you can use other certificate store names as well.
SerialNumber : can be found under the certificate details tab. 

You'll get an output like :
================ Certificate 0 ================ Serial Number: 1f000240eb44e292465b2943y86b0000240eb Issuer: CN=xxxx-SUBCA, DC=xxxxnet, DC=xxxx, DC=intranet NotBefore: 24/10/2017 10:52 NotAfter: 24/10/2019 10:52 Subject: E=layerauth.admin@xxxx.com, CN=sasv02om.xxxxnet.xxxx.intranet, OU =ICT, O=xxxx S.p.A, L=San Donato Milanese, S=Milan, C=IT Non-root Certificate Template: xxxx-WebServer-v2 Cert Hash(sha1): 01 f2 cb be 69 7a a3 ee 64 44 02 c7 44 07 4b ee 1b 23 99 0e Key Container = {54F11DE4-608E-4448-88B9-F411EA9A51B3} Unique container name: c99573d8960fcfecd7f2969646d4cd2a_f7356bcf-b93a-44b7-94e e-a9dad59422ba Provider = Microsoft Enhanced Cryptographic Provider v1.0 Private key is NOT exportable Encryption test passed CertUtil: -repairstore command completed successfully.


How to make sure your certificate has the private key attached with it  ?

You'll get the bellow message displayed in the certificate "General" tab : 

What if I had created my CRS using Certutil and not OpnSSL ? 
The following syntax is used for certutil:
certutil –MergePFX certfile.cer certfile.pfx
Since there is no way to specify private key file for –MergePFX parameter you must consider the following requirements:
Private key file MUST have .KEY extension; certificate and private key files MUST have the same base file name (file name excluding extension); certificate and private key file must be placed in the same directory.


How to get OpenSSL in my Windows server  : 

download it from here : 

OpenSSL.org – Binary Distributions

https://wiki.openssl.org/index.php/Binaries

unzip and keep the binarys as well as your .key and .cer file in the same folder where you'll execute the STEP 4. 

Now, I'm definetly no expert on openSSL (doing it for the first time) so here's a few good read to refer to in future  : 

OpenSSL : 

https://wiki.openssl.org/index.php/Command_Line_Utilities   // official page for all the verbs
https://phoenixnap.com/kb/openssl-tutorial-ssl-certificates-private-keys-csrs // myFav
https://www.freecodecamp.org/news/openssl-command-cheatsheet-b441be1e8c4a/  // goodread

CertUtil : 

https://docs.microsoft.com/en-us/previous-versions/orphan-topics/ws.10/cc772898%28v%3dws.10%29


AD connector server : 

http://rajnishbhatia19.blogspot.com/2008/05/ad-ssl-handshake-certificate-expired.html
https://support.microsoft.com/en-us/help/822406/clients-cannot-authenticate-with-a-server-after-you-obtain-a-new-certi
https://docs.oracle.com/cd/E52734_01/oim/OMDEV/icf.htm#BABIAAHF
https://docs.oracle.com/cd/E22999_01/doc.111/e20347/deploying-microsoft-active-directory-user-management-connector.htm#CMSAD280 


As always, Thanks for reading !