Manage keys and certificates in Web Help Desk
This section does not apply to deployments enabled with FIPS 140-2 cryptography. See Enable FIPS 140-2 compliant cryptography for information about creating Certificate Authority (CA) and self-signed certificates in a new or existing FIPS deployment.
When a web browser submits an HTTPS request to Web Help Desk, the SSL/TLS protocol requires the application to respond with a certificate that verifies the authenticity of the server. The certificate contains a public key used for encryption and a digital signature from a Certificate Authority (CA). The digital signature identifies which CA verified the authenticity of the server.
Trust certificates signed by CAs
Current Web browsers trust most certificates signed by large CAs (such as Verisign). You can also use certificates signed by smaller CAs. When a web browser does not recognize the CA, it prompts you to confirm your trust in the certificate.
After you confirm your trust, the web browser uses the public key in the certificate to encrypt information sent to Web Help Desk. Web Help Desk uses its private key to decrypt the information. Additionally, Web Help Desk uses its private key to encrypt information sent to the web browser, and the browser uses the public key received in the certificate to decrypt it.
Store keys and certificates
Web Help Desk stores its keys and certificates in a Java KeyStore located at <WebHelpDesk>/conf/keystore.jks. Porteclé (an open-source utility bundled with Web Help Desk) provides a graphical user interface for administering the keystore on the Windows or Mac OS X platform.
Generate a keypair and CSR
If you do not have a certificate for your server and are using the Windows or Mac OS X platform, use Porteclé to generate a keypair and a Certificate Signing Request (CSR) to send to the CA. When the CA returns the signed certificate (the CA Reply), import it into the keystore.
Import a certificate and private key to the keystore
If you already have a certificate, import both the certificate and its private key into the Java KeyStore. Porteclé does not allow a private key to be imported by itself: you must first combine it with its certificate in a Public-Key Cryptography Standards (PKCS) #12 file (a .p12 or .pfx file). In either case, the keypair must use the alias tomcat, and both the keypair and the keystore must be protected by the password specified in the KEYSTORE_PASSWORD setting in the whd.conf file.
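The two paths described above (generate a keypair and CSR, then import the CA Reply; or bundle an existing certificate and private key as PKCS #12 and import it) carried out from a shell, as an added example that is not SolarWinds' or Porteclé's code. It uses the JDK's keytool and OpenSSL instead of the Porteclé GUI, so it also works on Linux. Assumptions: keytool and openssl are on PATH, WHD_HOME is the <WebHelpDesk> install root, the password is a constructed sample that must equal KEYSTORE_PASSWORD in whd.conf, and the host and subject names are placeholders.

```shell
#!/bin/sh
# Added example, not SolarWinds code: the Web Help Desk keystore tasks from this
# page done with the JDK's keytool and OpenSSL instead of the Portecle GUI.
# Assumptions: keytool and openssl are on PATH; WHD_HOME is the install root
# (<WebHelpDesk> on this page); the password is a constructed sample and must
# equal the KEYSTORE_PASSWORD setting in whd.conf.
set -e

WHD_HOME="${WHD_HOME:-/opt/webhelpdesk}"           # assumed install root
KEYSTORE="$WHD_HOME/conf/keystore.jks"              # keystore path named on this page
STOREPASS="${KEYSTORE_PASSWORD:-Sample-Pass-123}"   # constructed; same value for key and store
ALIAS=tomcat                                        # the alias Web Help Desk requires

# No certificate yet: create the keypair under alias "tomcat" and a CSR for the CA.
# The key password is deliberately the keystore password, as the page requires.
generate_keypair_and_csr() {
    mkdir -p "$WHD_HOME/conf"
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=helpdesk.example.com, O=Example Org, C=US" \
        -keystore "$KEYSTORE" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -certreq -alias "$ALIAS" -keystore "$KEYSTORE" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -file "$WHD_HOME/conf/tomcat.csr"
}

# The CA Reply: first make the issuing CA's certificate a trusted entry (otherwise
# keytool cannot build the chain and refuses the reply), then import the signed
# certificate against the "tomcat" key entry. keytool also checks that the
# reply's public key matches the private key already stored under that alias.
import_ca_reply() {
    ca_cert="$1"; reply="$2"
    keytool -importcert -alias "issuing-ca" -file "$ca_cert" -noprompt \
        -keystore "$KEYSTORE" -storetype JKS -storepass "$STOREPASS"
    keytool -importcert -alias "$ALIAS" -file "$reply" -noprompt \
        -keystore "$KEYSTORE" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Already have a certificate and key: a bare private key cannot be imported, so
# bundle key + certificate into a PKCS#12 file whose friendly name is "tomcat",
# then move that single entry into keystore.jks under the same alias.
import_cert_and_key() {
    cert="$1"; key="$2"; p12="$WHD_HOME/conf/tomcat.p12"
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$ALIAS" \
        -out "$p12" -passout "pass:$STOREPASS"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
        -srcalias "$ALIAS" -destalias "$ALIAS" \
        -destkeystore "$KEYSTORE" -deststoretype JKS \
        -deststorepass "$STOREPASS" -destkeypass "$STOREPASS"
    rm -f "$p12"   # the bundle holds the private key; do not leave it behind
}

# Pre-restart check: the "tomcat" entry must exist, be a private-key entry, and
# its key must open with the keystore password (the -certreq call needs the key
# and fails with "Cannot recover key" if the two passwords differ).
verify_keystore() {
    keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storetype JKS \
        -storepass "$STOREPASS" | grep -q 'Entry type: PrivateKeyEntry' || return 1
    keytool -certreq -alias "$ALIAS" -keystore "$KEYSTORE" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS" -file /dev/null >/dev/null 2>&1
}

# Usage: sh whd-keystore.sh csr | reply <ca.pem> <reply.pem> |
#        import <cert.pem> <key.pem> | verify      (no argument: nothing runs)
case "${1:-}" in
    csr)    generate_keypair_and_csr ;;
    reply)  import_ca_reply "$2" "$3" ;;
    import) import_cert_and_key "$2" "$3" ;;
    verify) verify_keystore || { echo "keystore check failed" >&2; exit 1; }
            echo "keystore OK: alias $ALIAS is a private-key entry" ;;
esac
```

Run `verify` before restarting Web Help Desk: it catches the two mistakes this page warns about, a missing or wrongly named alias and a key password that differs from KEYSTORE_PASSWORD. If the CA returns the reply as a PKCS#7 bundle that already contains the intermediate and root certificates, keytool accepts that file directly in the second `-importcert` call and the separate trusted-CA import is not needed.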
For more information about working with keys and certificates, see the following resources.
- Use default keypair aliases and passwords
- Add certificate chains
- Replace self-signed certificates with CA certificates
- Generate a new certificate
- Add a Certificate Authority to an embedded Java CA certificate keystore
- Import an existing certificate
- Export a certificate and private key
- Certificate troubleshooting tips