Using the Java keytool.exe, you can follow the steps below to install a new SSL certificate on your BMC server. Run commands on Command Prompt which is opened with administrator privileges Step 1: Stop the BMC service.
Step 2: Create the new keystore/keypair.
keytool -keystore "path_to\keystore_name.jks" -genkeypair -keyalg RSA -keysize 2048 -validity #of days -dname "cn=domain name, ou=yourOrgUnit , o=yourOrgOrCompany, l=City/locality, st=State/Canton/Province/Land, c=Country_ISO3166-digraph" -alias "domain name" |
DN | Information | Description | Example |
---|
| Validity | Number of days how long keystore is valid. | 365 | CN | Common Name | This is fully qualified domain name that you wish to secure | example.com | o | Organization Name | Usually the legal name of a company or entity and should include any suffixes such as Ltd., Inc., or Corp. | Example Inc | OU | Organizational Unit | Internal organization department/division name | IT | l | Locality | Town, city, village, etc. name | Helsinki | st | State | Province, region, county or state | North Karelia | c | Country | The two-letter ISO code for the country where your organization is located | FI |
(Optional - if "subject alternative name (SAN)" needs to be used):
keytool -keystore "path_to\keystore_name.jks" -ext san=dns:Name1,dns:Name2 -genkeypair -keyalg RSA -keysize 2048 -validity #of days -dname "cn=domain name, ou=yourOrgUnit , o=yourOrgOrCompany, l=City/locality, st=State/Canton/Province/Land, c=Country_ISO3166-digraph" -alias "domain name" |
|
Step 3: Create a new CSR, Certificate Signing Request, for your new keystore/keypair. keytool -keystore "path_to\keystore_name.jks" -certreq -alias domain_name -file "path_to\filename.csr" |
(Optional - if "subject alternative name (SAN)" needs to be used):
keytool -keystore "path_to\keystore_name.jks" -ext san=dns:Name1,dns:Name2 -certreq -alias domain_name -file "path_to\filename.csr" |
|
Step 4: Import the Root CA cert, then the Intermediate CA cert. keytool -keystore "path_to\keystore_name.jks" -importcert -alias rootCA -file "path_to\root.cer" |
keytool -keystore "path_to\keystore_name.jks" -importcert -alias intCA -file "path_to\int.cer" |
Step 5: Import CA-signed certificate and apply the same to the keypair.
keytool -keystore path_to\keystore_name.jks -importcert -alias original_keypair_alias -file path_to\CAsigned.cer |
Step 6: Update the "keystoreFile" and "keystorePass" values in the server.xml file located under "C:\Program Files\Blancco\Blancco Management Console\apache-tomcat\conf" to reflect any changes associated with key/cert. keystoreFile="path_to\keystore_name.jks" keystorePass="keystore password" |
Step 7: Start the BMC service.
|