Manage keys and certificates in Web Help Desk

This section does not apply to deployments enabled with FIPS 140-2 cryptography. See Enable FIPS 140-2 compliant cryptography for information about creating Certificate Authority (CA) and self-signed certificates in a new or existing FIPS deployment.

When a web browser submits an HTTPS request to Web Help Desk, the SSL protocol requires the application to respond with a certificate to verify the authenticity of the server. The certificate contains a public key used for encryption and a digital signature from a Certification Authority (CA). The digital signature indicates which CA verified the authenticity of the server.

Trust certificates signed by CAs

Current web browsers trust most certificates signed by large CAs (such as Verisign). You can also use certificates signed by smaller CAs. When a web browser does not recognize the CA, it prompts you to confirm your trust in the certificate.

After you confirm your trust, the web browser uses the public key in the certificate to encrypt information sent to Web Help Desk. Web Help Desk uses its private key to decrypt the information. Additionally, Web Help Desk uses its private key to encrypt information sent to the web browser, and the browser uses the public key received in the certificate to decrypt it.

Store keys and certificates

Web Help Desk stores its keys and certificates in a Java KeyStore located at WebHelpDesk/conf/keystore.jks. Porteclé (an open-source utility bundled with Web Help Desk) provides a graphical user interface for administering the keystore on the Windows or Mac OS X platform.

Generate a keypair and CSR

If you do not have a certificate for your server and are using the Windows or Mac OS X platform, use Porteclé to generate a keypair and a Certificate Signing Request (CSR) to send to the CA. When completed, import the CA Reply certificate.

Import a certificate and private key to the keystore

If you have a certificate, import both the certificate and its private key into the Java Keystore. Porteclé does not allow the private key to be imported by itself. You must combine it with its certificate in a Public-Key Cryptography Standards (PKCS) #12 file (such as a P12 or PFX file). In each case, the keypair must be aliased as tomcat, and both the keypair and the keystore must be protected by the password specified in the KEYSTORE_PASSWORD setting in the whd.conf file.
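The two procedures above (generate a keypair and CSR, then import the CA reply; or bundle an existing private key and certificate as PKCS #12 and import it) can also be done from the command line with the JDK keytool and OpenSSL instead of the Porteclé GUI. The following script is an added example, not SolarWinds code: only the keystore path, the tomcat alias and the KEYSTORE_PASSWORD requirement come from the documentation; the hostname, file names, the CA chain file, the whd-ca alias and the default password are assumptions.

```shell
#!/bin/sh
# Added example (not SolarWinds' code): manage WebHelpDesk/conf/keystore.jks with keytool
# and OpenSSL. Hostname, file names, the CA chain alias and the default password are
# assumptions; the path, the alias "tomcat" and KEYSTORE_PASSWORD come from the docs.
set -eu

KEYSTORE="${KEYSTORE:-WebHelpDesk/conf/keystore.jks}"   # keystore path from the docs
KEYSTORE_PASSWORD="${KEYSTORE_PASSWORD:-changeit}"       # must equal KEYSTORE_PASSWORD in whd.conf
ALIAS=tomcat                                             # alias Web Help Desk expects

require_tools() {
    command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1
}

# Case 1: no certificate yet. Create the keypair inside the keystore and write a CSR
# to send to the CA. The key never leaves the keystore.
gen_keypair_and_csr() {   # $1 = server hostname (CN), $2 = CSR output file
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$1, O=Example Corp, C=US" \
        -keystore "$KEYSTORE" -storetype JKS \
        -storepass "$KEYSTORE_PASSWORD" -keypass "$KEYSTORE_PASSWORD"
    keytool -certreq -alias "$ALIAS" -file "$2" \
        -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASSWORD"
}

# When the CA reply arrives: import the CA chain under its own alias first, then the
# reply under "tomcat", so keytool can validate the reply against the chain.
import_ca_reply() {       # $1 = CA chain (PEM), $2 = CA reply certificate (PEM)
    keytool -importcert -noprompt -trustcacerts -alias whd-ca -file "$1" \
        -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASSWORD"
    keytool -importcert -trustcacerts -alias "$ALIAS" -file "$2" \
        -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASSWORD"
}

# Case 2: certificate and private key already exist as PEM files. A bare private key
# cannot be imported, so bundle key + certificate (+ chain) into a PKCS#12 file whose
# friendly name is "tomcat", then copy that entry into the JKS keystore.
import_existing_key_and_cert() {   # $1 = key PEM, $2 = cert PEM, $3 = chain PEM or ""
    chain="${3:-}"
    extra=""
    [ -n "$chain" ] && extra="-certfile $chain"
    openssl pkcs12 -export -inkey "$1" -in "$2" $extra -name "$ALIAS" \
        -out server.p12 -passout "pass:$KEYSTORE_PASSWORD"
    keytool -importkeystore -noprompt \
        -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass "$KEYSTORE_PASSWORD" \
        -srcalias "$ALIAS" -destalias "$ALIAS" \
        -destkeystore "$KEYSTORE" -deststoretype JKS \
        -deststorepass "$KEYSTORE_PASSWORD" -destkeypass "$KEYSTORE_PASSWORD"
    rm -f server.p12        # the PKCS#12 bundle holds the private key; do not leave it around
}

# Check before restarting Web Help Desk: "tomcat" must be a PrivateKeyEntry (key + cert).
# A trustedCertEntry under that alias means the key is missing and HTTPS will not start.
verify_keystore() {
    keytool -list -alias "$ALIAS" -keystore "$KEYSTORE" -storetype JKS \
        -storepass "$KEYSTORE_PASSWORD" | grep -q PrivateKeyEntry
}

# Offline walk-through of case 2 using a constructed self-signed certificate in place
# of a real one. Prints "ok" when the keystore ends up with a usable tomcat entry.
demo_import_existing() {
    tmp=$(mktemp -d)
    KEYSTORE="$tmp/keystore.jks"
    ( cd "$tmp" \
      && openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
             -subj "/CN=helpdesk.example.com" -keyout server.key -out server.crt 2>/dev/null \
      && import_existing_key_and_cert server.key server.crt "" >/dev/null 2>&1 ) \
      && verify_keystore && echo ok || echo failed
    rm -rf "$tmp"
}
```

Run `gen_keypair_and_csr helpdesk.example.com helpdesk.csr` for a new server and `import_ca_reply chain.pem reply.pem` once the CA answers, or `import_existing_key_and_cert server.key server.crt chain.pem` for an existing pair; in both cases finish with `verify_keystore` before restarting the service, and keep the keystore password in sync with whd.conf.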

For more information about working with keys and certificates, see the following resources.