Creating certificate authority signed certificates
Read this page to learn the procedure to renew or generate CA-signed certificates.
About this task
This procedure uses the standard Java command-line utility keytool. This tool is natively provided within the Java runtime included with the BigFix Remote Control Server.
This guide supports
managing both modern industry-standard PKCS12 keystores
(.p12) supported by both the Remote Control Server and Broker
components and the legacy JKS Keystores (.jks) which are
only supported on the Remote Control Server.
Before you begin
- Open a command-line window (Command Prompt on Windows™ or Terminal on Linux™).
- Go to the Remote Control Server installation directory.
- Change to the Java runtime binary subdirectory:
- Windows: cd [installdir]\java\jre\bin
- Linux: cd [installdir]/java/jre/bin
- Identify the path, type, and credentials of your
keystore:
To use a
PKCS12Keystore:- Location: Path to your
.p12file (for example, /path/to/keystore/key.p12) - Type:
PKCS12 - Password: Your keystore password
- Alias: Your custom private key entry alias (for example,
default)
To use a
JKSKeystore:- Location: Path to your
.jksfile (for example, /path/to/keystore/key.jks) - Type:
JKS - Password: Your custom keystore password
- Alias: Your custom private key entry alias (for example,
default)
- Location: Path to your
Procedure
-
Create a new keystore and a Certificate Signing Request (CSR)
Run the appropriate command below depending on your operating system and keystore format. This generates a certificate signing request (CSR) from the newly generated keystore and outputs a certreq.pem file.
- For PKCS12 Keystores (
.p12):Note: If you already have a.p12file, you only need to run the second command (-certreq).-
Windows:
- keytool.exe -genkeypair -alias default -keyalg RSA -keysize 2048 -dname "CN=company.local,OU=IT,O=MyCompany Corp,L=Rome,ST=Lazio,C=IT" -ext "SAN=dns:trcserver.local,ip:192.168.1.50" -keystore "C:\path\to\keystore\key.p12" -storetype PKCS12 -storepass "YourPassword"
- keytool.exe -certreq -alias default -file C:\path\to\csr\certreq.pem -keystore "C:\path\to\keystore\key.p12" -storetype PKCS12 -storepass "YourPassword"
-
Linux:
- ./keytool -genkeypair -alias default -keyalg RSA -keysize 2048 -dname "CN=company.local,OU=IT,O=MyCompany Corp,L=Rome,ST=Lazio,C=IT" -ext "SAN=dns:trcserver.local,ip:192.168.1.50" -keystore "/path/to/keystore/key.p12" -storetype PKCS12 -storepass "YourPassword"
- ./keytool -certreq -alias default -file /path/to/csr/certreq.pem -keystore "/path/to/keystore/key.p12" -storetype PKCS12 -storepass "YourPassword"
-
- For JKS Keystores (
.jks):Note: If you already have a.jksfile, you only need to run the second command (-certreq).-
Windows:
- keytool.exe -genkeypair -alias default -keyalg RSA -keysize 2048 -dname "CN=company.local,OU=IT,O=MyCompany Corp,L=Rome,ST=Lazio,C=IT" -ext "SAN=dns:trcserver.local,ip:192.168.1.50" -keystore "C:\path\to\keystore\key.jks" -storetype JKS -storepass "YourPassword" -keypass "YourPassword"
- keytool.exe -certreq -alias default -file C:\path\to\csr\certreq.pem -keystore "C:\path\to\keystore\key.jks" -storetype JKS -storepass "YourPassword" -keypass "YourPassword"
-
Linux:
- ./keytool -genkeypair -alias default -keyalg RSA -keysize 2048 -dname "CN=company.local,OU=IT,O=MyCompany Corp,L=Rome,ST=Lazio,C=IT" -ext "SAN=dns:trcserver.local,ip:192.168.1.50" -keystore "/path/to/keystore/key.jks" -storetype JKS -storepass "YourPassword" -keypass "YourPassword"
- ./keytool -certreq -alias default -file /path/to/csr/certreq.pem -keystore "/path/to/keystore/key.jks" -storetype JKS -storepass "YourPassword" -keypass "YourPassword"
-
The generated certreq.pem file is a base-64 encoded ASCII representation of the certificate request. Submit this file (or copy/paste its textual content) into your Certificate Authority's (CA) certificate signing interface.
- For PKCS12 Keystores (
-
Import Intermediate and Root Certificates
Note: Skip this step if your CA returns the signed certificate along with the certificate chain in a single cryptographic PKCS7 file (If your CA returns the signed certificates as separate individual files (e.g.,
.p7b) or PEM file (.crt,.pem). In this case,keytoolautomatically handles the entire chain import during step 3.root.crtandintermediate.crt), you must import them into the keystore first, before importing your issued server certificate. This establishes the chain of trust. Use unique aliases for these certificates.- For PKCS12 Keystores (
.p12):-
Windows:
-
keytool.exe -importcert -trustcacerts -alias caroot -file C:\path\to\root.crt -keystore "C:\path\to\keystore\key.p12" -storetype PKCS12 -storepass YourPassword -noprompt
-
keytool.exe -importcert -trustcacerts -alias cainter -file C:\path\to\intermediate.crt -keystore "C:\path\to\keystore\key.p12" -storetype PKCS12 -storepass YourPassword -noprompt
-
-
Linux:
-
./keytool -importcert -trustcacerts -alias caroot -file /path/to/root.crt -keystore /path/to/keystore/key.p12 -storetype PKCS12 -storepass YourPassword -noprompt
-
./keytool -importcert -trustcacerts -alias cainter -file /path/to/intermediate.crt -keystore /path/to/keystore/key.p12 -storetype PKCS12 -storepass YourPassword -noprompt
-
-
- For JKS Keystores (
.jks):-
Windows:
-
keytool.exe -importcert -trustcacerts -alias caroot -file C:\path\to\root.crt -keystore "C:\path\to\keystore\key.jks" -storetype JKS -storepass YourPassword -noprompt
-
keytool.exe -importcert -trustcacerts -alias cainter -file C:\path\to\intermediate.crt -keystore "C:\path\to\keystore\key.jks" -storetype JKS -storepass YourPassword -noprompt
-
-
Linux:
-
./keytool -importcert -trustcacerts -alias caroot -file /path/to/root.crt -keystore /path/to/keystore/key.jks -storetype JKS -storepass YourPassword -noprompt
-
./keytool -importcert -trustcacerts -alias cainter -file /path/to/intermediate.crt -keystore /path/to/keystore/key.jks -storetype JKS -storepass YourPassword -noprompt
-
-
Note: If you have more certificates in the chain repeat the same command with additional alias names. Keep in mind that caroot and cainter are just labels and they can be whatever text strings you want. - For PKCS12 Keystores (
-
Receive the CA Signed Certificate
The CA may return the signed certificate in different formats. It can return a PEM file (base-64 encoded ASCII representation of the certificate with a
.pemor.crtextension) or it may return the certificate chain in a cryptographic PKCS7 format with a.p7bextension.Regardless of the format, use the -importcert command to import the signed certificate back into the keystore under the exact same alias.
- For PKCS12 Keystores (
.p12):-
Windows:
keytool.exe -importcert -alias default -file C:\path\to\received\cert.pem -keystore "C:\path\to\keystore\key.p12" -storetype PKCS12 -storepass YourPassword
-
Linux:
./keytool -importcert -alias default -file /path/to/received/cert.pem -keystore /path/to/keystore/key.p12 -storetype PKCS12 -storepass YourPassword
-
- For JKS Keystores (
.jks):-
Windows:
keytool.exe -importcert -alias default -file C:\path\to\received\cert.pem -keystore "C:\path\to\keystore\key.jks" -storetype JKS -storepass YourPassword
-
Linux:
./keytool -importcert -alias default -file /path/to/received/cert.pem -keystore /path/to/keystore/key.jks -storetype JKS -storepass YourPassword
-
Note: If your CA provided a.p7bfile instead of an.crt/.pemfile, simply swap out the path in the-fileflag with the path to your.p7bfile. - For PKCS12 Keystores (
Results
.p12 or .jks file is
immediately updated with the CA-signed certificate. If a .p7b file was
used, keytool will automatically unpack and establish the root and intermediate
certificate trust chain alongside your public key.