#############################################################################
#
#  The information in this document is proprietary
#  to VeriSign and the VeriSign Registry Business.
#  It may not be used, reproduced or disclosed without
#  the written approval of the General Manager of
#  VeriSign Global Registry Services.
#
#  PRIVILEGED AND CONFIDENTIAL
#  VERISIGN PROPRIETARY INFORMATION
#  REGISTRY SENSITIVE INFORMATION
#
#  Copyright (c) 2009 VeriSign, Inc.  All rights reserved.
#
##############################################################################

Certificates Description:
------------------------

The directory config/certificates contains the certificate files (Java
KeyStore) for the EPP Tool. The following should exist under the
config/certificates directory to support interfacing with each of the
systems (OT&E, Production, EPP SDK):

eppsdk.jks and eppsdk.pkcs12 - Java KeyStore containing the self-signed
    certificate used by the EPP SDK. The EPP SDK can be configured for SSL,
    and the Protocol Tool can connect to the Stub Server using the
    eppsdk.[jks|pkcs12] file. The top-level directory file
    eppsdk-filter.properties references eppsdk.jks for both the KeyStore and
    the TrustStore with the ssl.keystore and ssl.truststore Ant properties.
    The pkcs12 file can be used by setting the ssl.keystore and
    ssl.truststore properties to ../certs/eppsdk.pkcs12, and by setting the
    ssl.keystore.type and the ssl.truststore.type properties to PKCS12.
    The Keystore passphrase is set to "passphrase".

client-cert.jks - Default name for the client certificate Java KeyStore.
    This file needs to be created for using the EPP Tool against the OT&E
    and Production systems. The various connection profile files define the
    ssl properties for the KeyStore only, since the TrustStore included with
    the JDK can be used by default for validating the server certificate.
Creating client-cert.jks from Key and Certificate .der or .pem Files:
-----------------------------------------------------------------------

There are two methods for creating client-cert.jks from a Key and
Certificate .der or .pem file:

1. Create a pkcs12 Keystore using openssl
2. Create a JKS Keystore using the WebLogic 8.1 utility

To create the client-cert.pkcs12 file using openssl, do the following:

1. cat client-key.pem client-cert.pem ca-cert.pem | openssl pkcs12 -export
   -out client-cert.pkcs12 -noiter -nomaciter -name client

2. Configure the -filter.properties file to use client-cert.pkcs12 with
   the following:

   a. Set ssl.keystore=../certs/client-cert.pkcs12
   b. Set ssl.keystore.type=PKCS12
   c. Set ssl.keystore.password and ssl.keystore.key.password to the
      values used when creating the Keystore
   d. Set the ssl.truststore properties. These can be empty to use the
      default JDK Trust Store.

When using the JDK keytool, -storetype pkcs12 must be specified. For
example, "keytool -list -v -storetype pkcs12 -keystore client-cert.pkcs12"
will display the contents of the Keystore.

To create the client-cert.jks file using the WebLogic 8.1 utility
(ImportPrivateKey), do the following:

   # Convert .der files to .pem format
   java -cp $WL_HOME/server/lib/weblogic.jar utils.der2pem client-key.der
   java -cp $WL_HOME/server/lib/weblogic.jar utils.der2pem client-cert.der

   # Import client-key.pem and client-cert.pem into client-cert.jks
   # with the alias client-cert and the passphrases set to
   # "changeit".
   java -cp $WL_HOME/server/lib/weblogic.jar utils.ImportPrivateKey \
       client-cert.jks changeit client-cert changeit \
       client-cert.pem client-key.pem
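The openssl route above (step 1 plus the -filter.properties settings of step 2), carried through end to end as an added example; this script is not part of the EPP SDK distribution. It assumes client-key.pem, client-cert.pem and ca-cert.pem are already in PEM form (run the der2pem step first for .der input), uses the constructed passphrase "secret", and writes to the ../certs/client-cert.pkcs12 path that step 2a expects; the function names are the example's own. The -noiter and -nomaciter flags are kept to match the README's command, but note that they drop the key-encryption and MAC iteration counts to 1 for the benefit of very old PKCS12 readers; a current JDK keytool reads a PKCS12 file made with openssl's default iteration counts, so the flags can be omitted when only the JDK will open the file.

```shell
#!/bin/sh
# Added example: build client-cert.pkcs12 from PEM files as in the README,
# emit the ssl.* lines for the -filter.properties file, and check the result.
# Assumed inputs: client-key.pem, client-cert.pem, ca-cert.pem in the
# current directory. The passphrase "secret" is a constructed placeholder.

# build_client_pkcs12 KEY CERT CA OUT PASSWORD
# Concatenates key + certificate chain on stdin (openssl pkcs12 reads stdin
# when no -in is given) and exports a PKCS12 keystore with alias "client".
# -noiter/-nomaciter mirror the README; they weaken the PBE/MAC protection
# for legacy compatibility and are unnecessary for a current JDK keytool.
build_client_pkcs12() {
    bcp_key=$1; bcp_cert=$2; bcp_ca=$3; bcp_out=$4; bcp_pass=$5
    cat "$bcp_key" "$bcp_cert" "$bcp_ca" | openssl pkcs12 -export -out "$bcp_out" \
        -noiter -nomaciter -name client -passout "pass:$bcp_pass" || return 1
    # The keystore holds a private key: restrict it to the owner.
    chmod 600 "$bcp_out"
}

# pkcs12_client_subject OUT PASSWORD
# Prints the subject of the certificate bound to the private key, which is
# what the EPP server will see as the client identity.
pkcs12_client_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# write_filter_props KEYSTORE_PATH PASSWORD
# Emits the step-2 settings for the -filter.properties file. The truststore
# properties are left empty so the JDK's default trust store validates the
# server certificate, as the README describes.
write_filter_props() {
    cat <<EOF
ssl.keystore=$1
ssl.keystore.type=PKCS12
ssl.keystore.password=$2
ssl.keystore.key.password=$2
ssl.truststore=
ssl.truststore.type=
EOF
}

# list_keystore OUT PASSWORD
# The README's keytool check; -storetype pkcs12 is mandatory for this file.
list_keystore() {
    keytool -list -v -storetype pkcs12 -keystore "$1" -storepass "$2"
}

# Run with "demo" as the first argument to perform the README procedure
# against the assumed PEM files in the current directory.
if [ "${1:-}" = "demo" ]; then
    build_client_pkcs12 client-key.pem client-cert.pem ca-cert.pem \
        ../certs/client-cert.pkcs12 secret
    pkcs12_client_subject ../certs/client-cert.pkcs12 secret
    write_filter_props ../certs/client-cert.pkcs12 secret
fi
```

Because the passphrase ends up in clear text in the -filter.properties file (step 2c), the properties file deserves the same file permissions as the keystore itself.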