Tuesday, 6 July 2010

Microsoft CA and Certificate chains


I can't believe people struggle so much with this and why there isn't a free tool to convert certificates from a Microsoft CA (pfx to jks) and steps for creating the associated certificate chain.

Get the cert
Pull the certficate from the Microsoft CA and pull it from you browser.
  1. From the Microsoft issued certs list, install in IE. You get to this via the View the status of a pending certificate request link on the MS CA.
  2. Export in pfx format from IE. IE -> Tools -> Internet Options -> Content -> Certificates
  3. Select the certificate and Export
  4. 'Yes. export the private key' and select PKCS #12. Select all check boxes

Import the chain
  1. Download the CA certificate chain from the Microsoft CA
  2. Open the chain and export each part of the chain individually in DER format

Do the techie stuff

--Convert the pfx to jks using Jetty
java -classpath %JETTY_HOME%/jetty-6.1.1/lib/jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import www.mysecuredomain.com.pfx www.mysecuredomain.com.jks

--Verify the key is there
keytool -list -keystore www.mysecuredomain.com.jks

--change the default alias to something more readable
keytool -storepass changeit -keystore www.mysecuredomain.com.jks -changealias -alias longunreadblealphanumericstring -destalias www.mysecuredomain.com

--convert the cer/der to pem
openssl x509 -inform der -in MyCompanyPrimaryRootCA.cer -out MyCompanyPrimaryRootCA.pem

openssl x509 -inform der -in MyCompanyServerAuthenticationPolicyCA.cer -out MyCompanyServerAuthenticationPolicyCA.pem

openssl x509 -inform der -in MyCompanyServerAuthenticationEnterpriseCA.cer -out MyCompanyServerAuthenticationEnterpriseCA.pem

--import the root cert and all other certificates in the chain. The trustcacerts arguement tells keytool that you want to import this as a trusted certificate.

keytool -storepass changeit -keystore www.mysecuredomain.com.jks -import -v -noprompt -trustcacerts -alias MyComanyPrimaryRootCA -file MyComanyPrimaryRootCA.pem

keytool -storepass changeit -keystore www.mysecuredomain.com.jks -import -v -noprompt -trustcacerts -alias MyComanyServerAuthenticationPolicyCA -file MyComanyServerAuthenticationPolicyCA.pem

keytool -storepass changeit -keystore www.mysecuredomain.com.jks -import -v -noprompt -trustcacerts -alias MyComanyServerAuthenticationEnterpriseCA -file MyComanyServerAuthenticationEnterpriseCA.pem

--Check the chain length
keytool -v -list -keystore www.mysecuredomain.com.jks | grep chain
Enter keystore password: changeit
Certificate chain length: 4

--Check the certificates for the chain are all present
keytool -list -keystore www.mysecuredomain.com.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

mycompanyserverauthenticationenterpriseca, DateStamp, trustedCertEntry,
Certificate fingerprint (MD5): MD5String
mycompanyprimaryrootca, DateStamp, trustedCertEntry,
Certificate fingerprint (MD5): MD5String
mycompanyserverauthenticationpolicyca, DateStamp, trustedCertEntry,
Certificate fingerprint (MD5): MD5String
www.mysecuredomain.com, DateStamp, PrivateKeyEntry,
Certificate fingerprint (MD5): MD5String

Importing the root CA
Import Root CA into browser - you only need the root to be installed in the truststore, or the trusted certificate authorities.
  1. Firefox :: Certificate Manager -> Authorities -> Import...
  2. IE :: Certificates -> Trusted Root Certification Authorities -> Import...
  3. Chrome :: Certificates -> Trusted Root Certification Authorities -> Import...
Happy days.