Creating certificate authority signed certificates

Read this page to learn the procedure to renew or generate CA-signed certificates.

About this task

The process of obtaining a CA-signed certificate requires the creation of a Certificate Signing Request (CSR) that must be provided to the Certificate Authority. The CA will return a signed certificate that then needs to be imported into the keystore.

This procedure uses the standard Java command-line utility keytool. This tool is natively provided within the Java runtime included with the BigFix Remote Control Server.

This guide supports managing both modern industry-standard PKCS12 keystores (.p12) supported by both the Remote Control Server and Broker components and the legacy JKS Keystores (.jks) which are only supported on the Remote Control Server.

Before you begin

  1. Open a command-line window (Command Prompt on Windows or Terminal on Linux).
  2. Go to the Remote Control Server installation directory.
  3. Change to the Java runtime binary subdirectory:
    • Windows: cd [installdir]\java\jre\bin
    • Linux: cd [installdir]/java/jre/bin
  4. Identify the path, type, and credentials of your keystore:

    To use a PKCS12 Keystore:

    • Location: Path to your .p12 file (for example, /path/to/keystore/key.p12)
    • Type: PKCS12
    • Password: Your keystore password
    • Alias: Your custom private key entry alias (for example, default)

    To use a JKS Keystore:

    • Location: Path to your .jks file (for example, /path/to/keystore/key.jks)
    • Type: JKS
    • Password: Your custom keystore password
    • Alias: Your custom private key entry alias (for example, default)
If you want to reuse the Remote Control server default keystore, you can check its path in the [installdir]/wlp/usr/servers/trcserver/ssl.xml file.
Note: To prevent issues during component upgrades, do not store your certificates and keystores inside the component installation folders.

Procedure

  1. Create a new keystore and a Certificate Signing Request (CSR)

    Run the appropriate command below depending on your operating system and keystore format. This generates a certificate signing request (CSR) from the newly generated keystore and outputs a certreq.pem file.

    • For PKCS12 Keystores (.p12):
      Note: If you already have a .p12 file, you only need to run the second command (-certreq).
      • Windows:
        1. keytool.exe -genkeypair -alias default -keyalg RSA -keysize 2048 -dname "CN=company.local,OU=IT,O=MyCompany Corp,L=Rome,ST=Lazio,C=IT" -ext "SAN=dns:trcserver.local,ip:192.168.1.50" -keystore "C:\path\to\keystore\key.p12" -storetype PKCS12 -storepass "YourPassword"
        2. keytool.exe -certreq -alias default -file C:\path\to\csr\certreq.pem -keystore "C:\path\to\keystore\key.p12" -storetype PKCS12 -storepass "YourPassword"
      • Linux:
        1. ./keytool -genkeypair -alias default -keyalg RSA -keysize 2048 -dname "CN=company.local,OU=IT,O=MyCompany Corp,L=Rome,ST=Lazio,C=IT" -ext "SAN=dns:trcserver.local,ip:192.168.1.50" -keystore "/path/to/keystore/key.p12" -storetype PKCS12 -storepass "YourPassword"
        2. ./keytool -certreq -alias default -file /path/to/csr/certreq.pem -keystore "/path/to/keystore/key.p12" -storetype PKCS12 -storepass "YourPassword"
    • For JKS Keystores (.jks):
      Note: If you already have a .jks file, you only need to run the second command (-certreq).
      • Windows:
        1. keytool.exe -genkeypair -alias default -keyalg RSA -keysize 2048 -dname "CN=company.local,OU=IT,O=MyCompany Corp,L=Rome,ST=Lazio,C=IT" -ext "SAN=dns:trcserver.local,ip:192.168.1.50" -keystore "C:\path\to\keystore\key.jks" -storetype JKS -storepass "YourPassword" -keypass "YourPassword"
        2. keytool.exe -certreq -alias default -file C:\path\to\csr\certreq.pem -keystore "C:\path\to\keystore\key.jks" -storetype JKS -storepass "YourPassword" -keypass "YourPassword"
      • Linux:
        1. ./keytool -genkeypair -alias default -keyalg RSA -keysize 2048 -dname "CN=company.local,OU=IT,O=MyCompany Corp,L=Rome,ST=Lazio,C=IT" -ext "SAN=dns:trcserver.local,ip:192.168.1.50" -keystore "/path/to/keystore/key.jks" -storetype JKS -storepass "YourPassword" -keypass "YourPassword"
        2. ./keytool -certreq -alias default -file /path/to/csr/certreq.pem -keystore "/path/to/keystore/key.jks" -storetype JKS -storepass "YourPassword" -keypass "YourPassword"

    The generated certreq.pem file is a base-64 encoded ASCII representation of the certificate request. Submit this file (or copy/paste its textual content) into your Certificate Authority's (CA) certificate signing interface.

  2. Import Intermediate and Root Certificates
    Note: Skip this step if your CA returns the signed certificate along with the certificate chain in a single cryptographic PKCS7 file (.p7b) or PEM file (.crt, .pem). In this case, keytool automatically handles the entire chain import during step 3.
    If your CA returns the signed certificates as separate individual files (e.g., root.crt and intermediate.crt), you must import them into the keystore first, before importing your issued server certificate. This establishes the chain of trust. Use unique aliases for these certificates.
    • For PKCS12 Keystores (.p12):
      • Windows:
        1. keytool.exe -importcert -trustcacerts -alias caroot -file C:\path\to\root.crt -keystore "C:\path\to\keystore\key.p12" -storetype PKCS12 -storepass YourPassword -noprompt

        2. keytool.exe -importcert -trustcacerts -alias cainter -file C:\path\to\intermediate.crt -keystore "C:\path\to\keystore\key.p12" -storetype PKCS12 -storepass YourPassword -noprompt

      • Linux:
        1. ./keytool -importcert -trustcacerts -alias caroot -file /path/to/root.crt -keystore /path/to/keystore/key.p12 -storetype PKCS12 -storepass YourPassword -noprompt

        2. ./keytool -importcert -trustcacerts -alias cainter -file /path/to/intermediate.crt -keystore /path/to/keystore/key.p12 -storetype PKCS12 -storepass YourPassword -noprompt

    • For JKS Keystores (.jks):
      • Windows:
        1. keytool.exe -importcert -trustcacerts -alias caroot -file C:\path\to\root.crt -keystore "C:\path\to\keystore\key.jks" -storetype JKS -storepass YourPassword -noprompt

        2. keytool.exe -importcert -trustcacerts -alias cainter -file C:\path\to\intermediate.crt -keystore "C:\path\to\keystore\key.jks" -storetype JKS -storepass YourPassword -noprompt

      • Linux:
        1. ./keytool -importcert -trustcacerts -alias caroot -file /path/to/root.crt -keystore /path/to/keystore/key.jks -storetype JKS -storepass YourPassword -noprompt

        2. ./keytool -importcert -trustcacerts -alias cainter -file /path/to/intermediate.crt -keystore /path/to/keystore/key.jks -storetype JKS -storepass YourPassword -noprompt

    Note: If you have more certificates in the chain repeat the same command with additional alias names. Keep in mind that caroot and cainter are just labels and they can be whatever text strings you want.
  3. Receive the CA Signed Certificate

    The CA may return the signed certificate in different formats. It can return a PEM file (base-64 encoded ASCII representation of the certificate with a .pem or .crt extension) or it may return the certificate chain in a cryptographic PKCS7 format with a .p7b extension.

    Regardless of the format, use the -importcert command to import the signed certificate back into the keystore under the exact same alias.

    • For PKCS12 Keystores (.p12):
      • Windows:

        keytool.exe -importcert -alias default -file C:\path\to\received\cert.pem -keystore "C:\path\to\keystore\key.p12" -storetype PKCS12 -storepass YourPassword

      • Linux:

        ./keytool -importcert -alias default -file /path/to/received/cert.pem -keystore /path/to/keystore/key.p12 -storetype PKCS12 -storepass YourPassword

    • For JKS Keystores (.jks):
      • Windows:

        keytool.exe -importcert -alias default -file C:\path\to\received\cert.pem -keystore "C:\path\to\keystore\key.jks" -storetype JKS -storepass YourPassword

      • Linux:

        ./keytool -importcert -alias default -file /path/to/received/cert.pem -keystore /path/to/keystore/key.jks -storetype JKS -storepass YourPassword

    Note: If your CA provided a .p7b file instead of an .crt/.pem file, simply swap out the path in the -file flag with the path to your .p7b file.

Results

The .p12 or .jks file is immediately updated with the CA-signed certificate. If a .p7b file was used, keytool will automatically unpack and establish the root and intermediate certificate trust chain alongside your public key.
Important Configuration Reminder for Remote Control Server Certificates: If you replaced the default keystore file with a custom file, don’t forget to update the server configuration. Refer to the Using an existing keystore page for details. Also, if you are planning to update your Remote Control server instance, don’t forget to select this certificate instead of regenerating a new one.
Security Warning: The keystore contains the private key for the certificate, and this must always be kept secure. It is highly recommended that the original copy or a backup of the keystore is stored on an encrypted, secure storage medium.