Generate Entrust Certificates
1) The Entrust site is IE browser specific. If your servers are Linux or Solaris based, several files will need to be moved back and forth between your Windows machine and your server machine.
Go to: https://evaladminservices.managed.entrust.com/cda-cgi/clientcgi.exe?action=start
On the left – Select CA Certificates \ Install

2) When this pop-up window appears, select Open

3) The certificate details for the DComRootCA will be displayed. Select “Install Certificate…”

4) Navigate through the Wizard, Select Next

5) Select the option to “Place all certificates in the following store”
Then Browse to select “Trusted Root Certification Authorities”

6) The confirmation window will show your setting. Select Finish.

7) Confirm the installation, by selecting “Yes”.

8) Then acknowledge the import by clicking “OK”.

9) To verify the installation of the certificate, select the “Tools” dropdown, then “Internet Options” to bring up the Internet Options pop-up window. Select the Content tab.

10) Select the “Certificates” button to bring up the Certificates pop-up. Select the Trusted Root Certification Authorities tab, and confirm the presence of the DComRootCA certificate in the list.
You may now Close and exit the pop-ups.

11) To be able to generate your Web Certificate you will email to Adrian Anderson [Adrian.Anderson@hhs.gov] your full computer name to use as your domain name. This will be something like: “SC075311.cs.myharris.net”. They will return to you in 2 separate emails an Authorization Code and a Reference Number which you will then use to create your signed certificate.
12) Create a work area such as: C:\Sun\AppServer\certificaterequests
Create your gateway.jks keystore in this work directory. For your domain name you must use the Reference Number provided to you as the common name, “nhin-test” as the organizational unit, and “entrust” as the organization:
keytool -genkey -alias gateway -keyalg RSA -keypass changeit -storepass changeit -validity 365 -keystore gateway.jks -dname "cn=35005717, ou=nhin-test, o=entrust"
13) Confirm the contents of your gateway.jks keystore:
keytool -list -v -keystore gateway.jks > gatewayList
Note: You’ll be prompted for the keystore password (changeit)

14) Generate the certificate signing request:
keytool -certreq -keyalg RSA -alias gateway -storepass changeit -file server.csr -keystore gateway.jks
15) Verify this certificate request:

16) From the Entrust web site: https://evaladminservices.managed.entrust.com/cda-cgi/clientcgi.exe?action=start Select the “Create Certificate from PKCS#10 Request”
Enter your Reference Number and Authorization Code, and paste the text of your Certificate Request (the server.csr generated earlier from your self-signed certificate) into the text box.
Select “Submit Request”

17) This will generate your Web Server Certificate.
Select Download to save the servercert.bin file

18) Confirm your Web Server Certificate is a NetscapeCertType that provides both SSL Client and SSL Server capabilities
keytool -printcert -file servercert.bin > certDetails

19) On the left hand side of the window select “Install” in the CA Certificates area. Select the “Save” button to save the cacert.crt file.

20) On the left hand side of the window select “Display list” in the Cross-Certificates area. 
Select the complete text from "BEGIN CERTIFICATE" to "END CERTIFICATE". Copy this into a file called cross.crt.

21) Create a backup of your cacerts.jks file. Make a copy of this file in your C:\Sun\AppServer\certificaterequests work directory. Then import the entrust root certificate, the intermediate cross certificate, and the web server certificate into the truststore:
keytool -import -v -trustcacerts -alias entrust -file cacert.crt -keystore cacerts.jks -keypass changeit -storepass changeit
keytool -import -v -trustcacerts -alias entrust-cross -file cross.crt -keystore cacerts.jks -keypass changeit -storepass changeit
keytool -import -v -trustcacerts -alias gateway -file servercert.bin -keystore cacerts.jks -keypass changeit -storepass changeit
After viewing the certificate and confirming the Owner references DComRootCA, type yes to trust this certificate.
Continue to insert the intermediate certificate and then your machine specific certificate.

22) Confirm the contents of your cacerts.jks keystore includes the gateway cert:
keytool -list -keystore cacerts.jks > cacertsList
Note: You may not have 40 entries, it all depends on what certificates are in your truststore at that point in time.

23) The gateway.jks keystore will need all three certificates added in order to form the Chain of Trust. First import the root certificate:
keytool -import -v -trustcacerts -alias entrust -file cacert.crt -keystore gateway.jks -keypass changeit -storepass changeit
Confirm the DComRootCA owner and type yes to accept this certificate.

24) Next import the Intermediate certificate authority:
keytool -import -v -trustcacerts -alias entrust-cross -file cross.crt -keystore gateway.jks -keypass changeit -storepass changeit

25) Finally import the Web Server Certificate:
keytool -import -v -trustcacerts -alias gateway -file servercert.bin -keystore gateway.jks -keypass changeit -storepass changeit

26) Verify the contents of the gateway.jks keystore:
keytool -list -keystore gateway.jks
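To check the listing from the command above (and the printcert output from step 18) without reading it by eye, here is an added Python example that is not part of this guide: it parses keytool's text output, confirms the leaf DN uses the Reference Number, OU and O from step 12, confirms the SSL client and SSL server NetscapeCertType flags, and walks Issuer to Owner links up to DComRootCA. The intermediate and root DNs in the embedded sample are constructed.

```python
# Constructed sample of `keytool -list -v -keystore gateway.jks` output; layout mirrors keytool, CA DNs are hypothetical.
SAMPLE_LISTING = """Alias name: gateway
Owner: CN=35005717, OU=nhin-test, O=entrust
Issuer: CN=Entrust Cross CA, O=entrust
NetscapeCertType [
   SSL client
   SSL server
]
Owner: CN=Entrust Cross CA, O=entrust
Issuer: CN=DComRootCA, O=entrust
Owner: CN=DComRootCA, O=entrust
Issuer: CN=DComRootCA, O=entrust
"""

def parse_certs(text):
    """Return one dict per certificate block: owner DN, issuer DN and NetscapeCertType flags."""
    certs, cur, in_nct = [], None, False
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("Owner:"):
            cur = {"owner": s[6:].strip(), "issuer": "", "nct": set()}
            certs.append(cur)
        elif s.startswith("Issuer:") and cur is not None:
            cur["issuer"] = s[7:].strip()
        elif s.startswith("NetscapeCertType ["):
            in_nct = True
        elif in_nct:  # collect flag lines until the closing bracket
            in_nct = s != "]"
            if in_nct and cur is not None:
                cur["nct"].add(s)
    return certs

def check_chain(certs, reference_number, root_cn="DComRootCA"):
    """Return a list of problems; empty means the listing matches steps 12, 18 and 26."""
    if not certs:
        return ["no certificates found in listing"]
    leaf, problems = certs[0], []
    if leaf["owner"] != f"CN={reference_number}, OU=nhin-test, O=entrust":
        problems.append(f"unexpected leaf owner: {leaf['owner']}")
    if not {"SSL client", "SSL server"} <= leaf["nct"]:
        problems.append("leaf lacks SSL client + SSL server NetscapeCertType")
    by_owner, cur, seen = {c["owner"]: c for c in certs}, leaf, set()
    while cur and cur["issuer"] != cur["owner"] and cur["owner"] not in seen:
        seen.add(cur["owner"])  # follow Issuer -> Owner links up to the self-signed root
        missing, cur = cur["issuer"], by_owner.get(cur["issuer"])
    if cur is None:
        problems.append(f"issuer not present in keystore: {missing}")
    elif f"CN={root_cn}" not in cur["owner"]:
        problems.append(f"chain does not end at {root_cn}: {cur['owner']}")
    return problems
```

Feed it the real gatewayList or certDetails file contents instead of SAMPLE_LISTING; an empty result means the chain of trust is complete.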

27) Make sure your Glassfish Application Server is stopped, then navigate to your domain configuration directory (e.g. C:\Sun\AppServer\domains\domain1\config) and make sure you have a backup of your domain.xml and your cacerts.jks files. Now copy the gateway.jks and the cacerts.jks from your certificate work directory into the domain configuration directory.
28) Edit the domain.xml file to set up to use the new certificates.
a. Find all occurrences of s1as and replace with gateway.
b. Set the jvm-options to use the new keystores:
Windows:
<jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/gateway.jks</jvm-options>
<jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
<jvm-options>-Djavax.net.ssl.keyStorePassword=changeit</jvm-options>
<jvm-options>-Djavax.net.ssl.trustStorePassword=changeit</jvm-options>
<jvm-options>-Djavax.net.ssl.keyStoreType=JKS</jvm-options>
<jvm-options>-Djavax.net.ssl.trustStoreType=JKS</jvm-options>
<jvm-options>-DSERVER_KEY_ALIAS=gateway</jvm-options>
<jvm-options>-DCLIENT_KEY_ALIAS=gateway</jvm-options>
Solaris:
<jvm-options>-Djavax.net.ssl.keyStore=/nhin/SUNWappserver/domains/domain1/config/gateway.jks</jvm-options>
<jvm-options>-Djavax.net.ssl.trustStore=/nhin/SUNWappserver/domains/domain1/config/cacerts.jks</jvm-options>
<jvm-options>-Djavax.net.ssl.keyStorePassword=changeit</jvm-options>
<jvm-options>-Djavax.net.ssl.trustStorePassword=changeit</jvm-options>
<jvm-options>-Djavax.net.ssl.keyStoreType=JKS</jvm-options>
<jvm-options>-Djavax.net.ssl.trustStoreType=JKS</jvm-options>
<jvm-options>-DSERVER_KEY_ALIAS=gateway</jvm-options>
<jvm-options>-DCLIENT_KEY_ALIAS=gateway</jvm-options>
c. Enable 2-way SSL and turn on extra logging if desired:
<jvm-options>-Dcom.sun.jbi.httpbc.enableClientAuth=true</jvm-options>
<jvm-options>-Djavax.net.debug=ssl</jvm-options>
29) Restart Glassfish to verify jvm settings and keystores.