(CR #535090) The “Set-certificate” section of Chapter 11, “Managing Keys and Certificates,” does not provide sufficient information. You must run a setup procedure before you can use the set-certificate script.
If necessary, install the certificate authority (CA) root certificate into the server’s truststore. This enables the server to trust the client’s certificate.
By default, some CA root certificates are preinstalled, but you may need to add one or more for testing purposes.
If the root certificate is not preinstalled, obtain a root certificate from the certificate authority.
Copy the certificate text, including the BEGIN and END lines, and save it in a file named root.crt in $DJC_HOME/Repository/Security/truststore.jks.
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
The administrative user must install root certificates into the server’s truststore. To do so, run:
keytool -import -alias cacert.org -file root.crt -keystore $DJC_HOME/Repository/Security/truststore.jks
Obtain client certificates.
Request the client certificates from the CA. Follow the instructions provided at this Web site to complete the request.
Click Install Your Certificate to install the certificates into your Web browser.
For nonbrowser clients (including IIOPS), export the certificate from the browser with its private key in PKCS #12 format, then import it into the client’s certificate keystore as appropriate.
Use the keytool command to perform these tasks. For more details about the keytool command, see “Managing keys and certificates on EAServer” in Chapter 11, “Managing Keys and Certificates.”
Obtain the certificate in RFC 1421-form (Base64-encoded X.509). Use the keytool -help command.
For other cases, consult with your CA to determine how to obtain the RFC 1421-form of certificate.
In root.txt, copy the certificate text, including the BEGIN and END lines, and save it in a file named root.crt in $DJC_HOME/Repository/Security/truststore.jks on the client side.
This sets up the client’s trust certification.
The administrative user must register this certificate with an EAServer user using:
set-certificate test -file test.crt
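An added example, not taken from the EAServer documentation: a pre-import check for the root certificate step above. It confirms that the saved file holds one complete PEM block (BEGIN line, Base64 body, END line) before keytool adds it to the truststore, then lists the new entry. The function names check_pem and import_root are hypothetical, and root.crt is assumed to be a plain file readable by the administrative user.

```shell
#!/bin/sh
# Added example, not from the EAServer documentation.
# check_pem and import_root are hypothetical helper names.

# Succeed only if the file holds exactly one complete PEM certificate:
# a BEGIN line, a non-empty Base64 body, then an END line.
check_pem() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    awk '
        { sub(/\r$/, "") }    # tolerate CRLF line endings from copy and paste
        /^-----BEGIN CERTIFICATE-----$/ {
            if (inside || blocks) bad = 1
            inside = 1; next
        }
        /^-----END CERTIFICATE-----$/ {
            if (!inside || !body) bad = 1
            inside = 0; blocks++; next
        }
        inside { if ($0 !~ "^[A-Za-z0-9+/=]+$") bad = 1; body++ }
        END { exit ((bad || inside || blocks != 1) ? 1 : 0) }
    ' "$1"
}

# Check the file, print the certificate for comparison with the fingerprint
# the CA publishes, import it, then list the new truststore entry.
import_root() {
    crt=$1
    alias=$2
    store="$DJC_HOME/Repository/Security/truststore.jks"
    check_pem "$crt" || { echo "$crt: not one complete PEM certificate" >&2; return 1; }
    keytool -printcert -file "$crt" || return 1
    keytool -import -alias "$alias" -file "$crt" -keystore "$store" || return 1
    keytool -list -v -alias "$alias" -keystore "$store"
}

# Usage: sh import-root.sh root.crt cacert.org
if [ $# -eq 2 ]; then
    import_root "$1" "$2"
fi
```

The keytool -printcert output includes the certificate fingerprints; compare them with the values the CA publishes before confirming the import.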