
This document covers only how to create a Java keystore, used as a trust store, that contains the MIT CA certificates. It is NOT a tutorial on Java keystores.

PREREQUISITES

Before you begin, you must have the following:

  * a Java JDK installed on your workstation (the keytool command used below ships with the JDK).
Please note the following:

  1. MIT Server Certificates are signed (issued) by the MIT CA (Certificate Authority) certificate, which can be found at http://ca.mit.edu/mitca.crt

     Systems that are presented with a Server Certificate need to verify that the certificate has been signed by the MIT CA certificate. To do this, the system receiving the certificate must have the MIT CA certificate in its trusted root store. This is why MIT users typically have to install the MIT CA certificate in their browser's root store.

  2. MIT Application Certificates and MIT User Certificates are signed (issued) by the MIT Client CA (Certificate Authority) certificate, which can be found at http://ca.mit.edu/mitClient.crt

     Systems that are presented with an MIT Application Certificate need to verify that the certificate has been signed by the MIT Client CA v1 certificate. To do this, the system receiving the Application Certificate during authentication must have the MIT Client CA v1 certificate in its trusted root store. Failure to install the correct certificate in the trusted root store will at best produce a warning; the typical result is a complete, and silent, failure. People have at times installed the MIT CA certificate instead of the MIT Client CA v1 certificate and run into exactly these errors.

In general the MIT CA certificate must be installed on machines where users' browsers run, while the MIT Client CA v1 certificate must be installed on servers, alongside the server's own Application certificate or Server certificate. There is also a growing trend that requires a user's browser to have the MIT Client CA v1 certificate installed before the user can create and install an MIT user certificate.

1. How to create a Server Trust Store.


You will need to obtain the MIT CA and the MIT Client CA certificates.

For the MIT CA certificate, go to: http://ca.mit.edu/mitca.crt and download and save the certificate.
For the MIT Client CA certificate, go to: http://ca.mit.edu/mitClient.crt and download and save the certificate.

Both URLs are plain HTTP, so before importing either file confirm its fingerprint against a value obtained from a trusted source (keytool -printcert -file mitca.crt prints the fingerprints of a certificate file without importing it). A trust store built from a tampered CA certificate would accept whatever that CA signs.

To create the server trust store, use the following command lines (the file names match the files downloaded above):

    keytool -importcert -keystore serverTrustStore.jks -storetype JKS -alias mitca -file mitca.crt
    keytool -importcert -keystore serverTrustStore.jks -storetype JKS -alias mitclientca -file mitClient.crt

Older keytool versions spell the command -import; -importcert is the current name and both are accepted. The -storetype JKS option is needed on JDK 9 and later, where keytool creates a PKCS12 store by default regardless of the .jks file extension; omit it if you want the newer PKCS12 format, but then load it as such in your application.

When prompted for a password, use a password that is well known to you. Don't forget this password because you will need it when configuring an application to use this keystore. A trust store holds no private keys, so the password only protects the file's integrity; for unattended builds it can be supplied with -storepass, and -noprompt skips the confirmation below.

keytool prints the certificate's owner, issuer and fingerprints before asking. Check that the fingerprint matches the value you verified earlier, then answer yes when prompted with Trust this certificate? [no]:

The serverTrustStore.jks should now contain only the mitca and mitclientca certificates. You can verify this by using the following command line:

    keytool -list -keystore serverTrustStore.jks

And you should get something similar to the output below (captured in 2007; the dates are import dates, and recent JDKs print SHA-256 fingerprints instead of MD5, so only the aliases and the trustedCertEntry type should be compared literally):

    Your keystore contains 2 entries

    mitca, Sep 20, 2007, trustedCertEntry,
    Certificate fingerprint (MD5): F6:F0:04:3B:10:F9:5C:CE:0B:9E:0C:A0:DA:36:93:2A
    mitclientca, Aug 30, 2007, trustedCertEntry,
    Certificate fingerprint (MD5): CF:41:AB:E1:03:6D:F8:21:37:55:62:C1:EF:18:71:96
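To show how the finished trust store is consumed, here is an added example that is not part of the original page and not MIT-supplied code: a small Java program that loads serverTrustStore.jks, prints the SHA-256 fingerprint of each trusted entry (the same value newer keytool -list versions show), validates a presented certificate file against the store with the PKIX path validator, and builds an SSLContext from the store for use by a server or client. The class name TrustStoreCheck, the command-line arguments, and the choice to disable revocation checking are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreCheck {

    // Load the trust store built with keytool. The password only guards the file's
    // integrity (a trust store holds no private keys) but it still has to match.
    // The default type is JKS on JDK 8 and PKCS12 on JDK 9+, which can also read JKS.
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Print every trustedCertEntry with the SHA-256 fingerprint of its DER encoding,
    // formatted the way keytool prints it, so it can be checked against a trusted source.
    static void listTrustedCerts(KeyStore ks) throws Exception {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isCertificateEntry(alias)) continue;
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            byte[] digest = sha256.digest(c.getEncoded());
            StringBuilder fp = new StringBuilder();
            for (int i = 0; i < digest.length; i++) {
                if (i > 0) fp.append(':');
                fp.append(String.format("%02X", digest[i]));
            }
            System.out.printf("%s, trustedCertEntry, %s%n  SHA-256: %s%n",
                    alias, c.getSubjectX500Principal(), fp);
        }
    }

    // Validate a presented certificate (PEM or DER file) against the trust anchors in
    // the store. A Server Certificate must chain to mitca; an Application or User
    // Certificate must chain to mitclientca. If the needed CA was never imported,
    // CertPathValidator throws instead of failing silently.
    static X509Certificate validate(KeyStore trust, String certFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(certFile)) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        CertPath path = cf.generateCertPath(Collections.singletonList(cert));
        PKIXParameters params = new PKIXParameters(trust); // anchors = trustedCertEntry aliases
        params.setRevocationEnabled(false);                 // assumption: no CRL/OCSP configured here
        CertPathValidator.getInstance("PKIX").validate(path, params);
        return cert;
    }

    // Wire the trust store into an SSLContext so TLS peers (or client certificates
    // presented to a server) are accepted only if they chain to a CA in the store.
    static SSLContext sslContextFor(KeyStore trust) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Usage: java TrustStoreCheck serverTrustStore.jks <password> [certificate-to-check.crt]
    public static void main(String[] args) throws Exception {
        KeyStore trust = loadTrustStore(args[0], args[1].toCharArray());
        listTrustedCerts(trust);
        if (args.length > 2) {
            try {
                X509Certificate ok = validate(trust, args[2]);
                System.out.println("VALID: " + ok.getSubjectX500Principal()
                        + " chains to a CA in the trust store");
            } catch (CertPathValidatorException ex) {
                // The "silent failure" from the notes above, made explicit: for example an
                // Application Certificate checked against a store holding only mitca.
                System.out.println("REJECTED: " + ex.getMessage());
            }
        }
        SSLContext ctx = sslContextFor(trust);
        System.out.println("SSLContext ready, protocol " + ctx.getProtocol());
    }
}
```

Run it with the trust store password chosen above and, optionally, a server or application certificate file as the third argument; a certificate signed by the MIT CA validates against the mitca entry, while an Application Certificate validates only if mitclientca is present, which makes the wrong-CA mistake described in the notes visible immediately rather than at authentication time.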