Code42 Support

Create a signed keystore with the KeyStore Explorer

Applies to:
  • CrashPlan PROe

Overview

Every Code42 server includes a self-signed SSL certificate to support secure HTTPS connections. This approach is secure, but browsers generate warnings and require visitors to allow exceptions. To eliminate those browser warnings, configure your Code42 server to provide an SSL certificate signed by a trusted certificate authority (CA). This article describes how to use KeyStore Explorer to manage certificates and keystores.

The following articles describe other tools for managing certificates and keystores:

  • Linux administrators typically use OpenSSL.
  • Windows administrators typically rely on the Java keytool.

SSL certificates and Java keystore files

The Code42 server accepts SSL certificates bundled together in a Java KeyStore file. The keystore contains:

  • The SSL certificate and the public and private key for the Code42 server
  • A certificate from the CA who signed the Code42 server SSL certificate
  • Intermediate certificates that establish a chain of trust between the CA and the Code42 server SSL certificate

Create the keystore using a utility such as KeyStore Explorer before applying it to the Code42 server from the administration console.

Before you begin

  1. Navigate to Settings > Server.
  2. From the action menu, choose Dump Database.

Considerations

  • This article applies to on-premises Code42 environments only and is not intended for Code42 cloud environments.
  • For multi-server Code42 environments, we recommend applying this process to all Code42 servers.
  • You must have the Administrator or SYSADMIN role to install an SSL certificate on your Code42 server.
  • This article assumes you are familiar with the following:
  • The command-line utility OpenSSL is required if you are running Linux or OS X and want to reuse existing key materials.

Assistance with creating your keystore
Assistance with the handling of a certificate signing request (CSR) or creating your keystore is beyond the scope of Customer Champions. For assistance, please contact Sales.

Keystore terminology

  • Certificate: An electronic document used to prove the ownership of a public key. 
    • CA-Signed Certificate: A certificate authority (CA) electronically signs a certificate to affirm that a public key belongs to the owner named in the certificate. Someone receiving a signed certificate can verify that the signature does belong to the CA, and determine whether anyone tampered with the certificate after the CA signed it.
    • Certificate Chain: One signed certificate affirms that the attached public key belongs to its owner. A second signed certificate affirms the trustworthiness of the first signer, a third affirms the second, and so on. The top of the chain is a self-signed but widely trusted root certificate.
    • Root Certificate: A certificate trusted to end a certificate chain. Operating systems and web browsers typically have a built-in set of trusted root certificates. When your server sends a chain of certificates and one of them matches one of a browser's trusted root certificates, then the browser trusts your server. When the browser encrypts data with your public key, the browser is assured that only your server can read it.
    • Self-Signed Certificate: A file that contains a public key and identifies who owns that key and its corresponding private key.
  • Key: A unique string of characters that provides essential input to a mathematical process for encrypting data.
  • Key Pair: A public encryption key and a private encryption key, in a matched set.
  • Keystore: A file that holds a combination of keys and certificates. File formats:
    • Java Keystore: A binary file format for use by Java applications (like the Code42 server). Typical file names are .keystore and *.jks.
    • PKCS: A binary file format typically associated with Windows systems. Typical file names are *.pkcs, *.p12, *.p7b, *.pfx.
    • PEM: An ASCII text file that holds keys, certificates, or both. PEM files are common on Linux systems and Apache. Typical file extensions are *.pem, *.key, *.csr, and *.cert. To identify a PEM file, open it with a console or text editor. If you see ASCII text, it's a PEM file.
  • Public Key: Allows a sender (client or server) to encrypt a message for a specific recipient (server or client). When your server sends a browser its public key, the browser can encrypt messages that only your server can read, because only your server has the matching private key.

Build the keystore

Building a Java KeyStore is the first step in configuring your Code42 server to use your own CA-signed SSL certificate. If you have an existing private key and corresponding X.509 certificate (referred to collectively as key materials), you can reuse them. You can also start from scratch, creating new key materials as needed. The steps are different, depending on what existing key materials you have:

Build a keystore without existing key materials

Keypass and storepass parameters
You must use the same password for the keystore and the private key. You can use any string you want for these parameters, but they must both be set to the same value.

Follow the steps below if you have no private keys or certificates from a CA and need to create them from scratch.

Step 1: Create a keystore, key pair, and certificate

  1. Start KeyStore Explorer.
  2. Choose Create a new KeyStore.
  3. From New KeyStore Type, choose JKS.
  4. Click OK.
  5. Generate a key pair:
    1. Select Tools > Generate Key Pair.
    2. In Generate Key Pair, choose the following algorithm selection options:
      • RSA
      • Key Size: 4096
    3. Click OK.
      The Generating Key Pair dialog appears, then disappears after the key is generated.
    4. From Generate Key Pair Certificate, click the Edit name icon.
    5. Complete the Name fields:
      • For the Common Name (CN) use the Fully Qualified Domain Name (FQDN) of your server. For example: master-server.example.com
    6. Click OK.
    7. In Generate Key Pair Certificate, click OK.
    8. In New Key Pair Entry Alias, enter an alias for the key pair.
      The alias is pre-set to the CN set in the Name dialog.
    9. Click OK.
    10. In New Key Pair Entry Password, enter a password, and click OK.
      The Generate Key Pair dialog displays "Key Pair Generation Successful".
Key pair entry password
Save this password, and use it as the password for the entire keystore in step 7 below.
  6. Click OK.
    The new key pair is displayed in the KeyStore Explorer window.
  7. Save the keystore:
    1. From the KeyStore Explorer menu, select File > Save.
      The Set KeyStore Password dialog appears.
    2. Enter a password for the keystore. This password must be the same as the password for the key pair generated in step 5 above.
    3. Click OK.
      The Save KeyStore As dialog appears.
    4. Enter the name of the keystore.
      This format is suggested for easy identification of your keystores: fqdn_domain_com.jks
    5. Click Save.
      Your keystore file is saved to your computer.

Step 2: Generate and send certificate signing request

  1. Right-click the key pair entry.
  2. Choose Generate CSR.
    The Generate CSR dialog appears.
  3. (Optional) Enter additional values.
  4. Click OK.
    The CSR Generation Successful dialog appears.
  5. Click OK.
  6. Send the generated CSR file to your certificate authority.

Step 3: Import signed certificates to your keystore

  1. Select Tools > Import Trusted Certificate.
    The Import Trusted Certificate dialog appears.
  2. Import your certificates, starting with the root, followed by the intermediate(s).
    1. Select a certificate.
    2. Click Import.
      The Import Trusted Certificate dialog appears.
    3. Click OK.
      The Certificate Details for File 'root.crt' dialog appears.
    4. Confirm the details of your certificate, then click OK.
      The Import Trusted Certificate dialog appears.
    5. When prompted "Do you want to accept the certificate as trusted?", click Yes.
    6. In Trusted Certificate Entry Alias, enter an alias for the certificate, then click OK.
      The Trusted Certificate Import Successful message appears.
    7. Click OK.
    8. Repeat these steps for the remaining intermediate certificates.
  3. Right-click the key pair in your keystore, and choose Import CA Reply.
  4. From Import CA Reply, select the signed server certificate in X.509 format, and click Import.
    The X.509 certificates often have the file extension crt, cer, or der.

Your keystore file is complete and ready to be imported into your Code42 server.
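
Before importing in Step 3, the certificates returned by the CA can be checked from the command line. This added example (not part of the original article; the function names, file names and throwaway chain are constructed for illustration) uses OpenSSL to confirm that the signed server certificate chains to the root through the intermediates and carries the public key from the CSR you sent.

```shell
#!/bin/sh
# Added example: check a CA reply before importing it. Names are placeholders.

# verify_reply ROOT SERVER [INTERMEDIATE...]
# Succeeds only if openssl builds a valid chain from SERVER to ROOT through the
# intermediates (some builds also consult the system trust store).
verify_reply() {
    root=$1; server=$2; shift 2
    bundle=$(mktemp) || return 1
    for f in "$@"; do cat "$f"; echo; done > "$bundle"
    rc=0
    if [ -s "$bundle" ]; then
        openssl verify -CAfile "$root" -untrusted "$bundle" "$server" >/dev/null 2>&1 || rc=$?
    else
        openssl verify -CAfile "$root" "$server" >/dev/null 2>&1 || rc=$?
    fi
    rm -f "$bundle"; return "$rc"
}

# Succeeds only if the signed certificate carries the public key from the CSR.
reply_matches_csr() {   # usage: reply_matches_csr request.csr server.crt
    a=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed throwaway chain in directory $1: root -> intermediate -> server.
make_constructed_chain() {
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate" \
        -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -days 2 -extfile "$1/ca.ext" -out "$1/int.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=master-server.example.com" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/srv.csr" -CA "$1/int.crt" -CAkey "$1/int.key" \
        -CAcreateserial -days 2 -out "$1/srv.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d) && make_constructed_chain "$d" || return 1
    verify_reply "$d/root.crt" "$d/srv.crt" "$d/int.crt" && echo "chain validates"
    verify_reply "$d/root.crt" "$d/srv.crt" || echo "fails without intermediate"
    reply_matches_csr "$d/srv.csr" "$d/srv.crt" && echo "reply matches CSR"
    rm -rf "$d"
}
demo
```

A failure without the intermediate is the same gap that leaves a keystore with an incomplete chain of trust.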

Reuse existing key materials (Linux and OS X)

Follow these steps to reuse an existing private key/certificate combination from another application if you are running on Linux or OS X. These instructions assume that both your private key and certificate are PEM-formatted.

The following steps require the use of the command-line utility OpenSSL.

  1. Convert the PEM-formatted private key into a PKCS8-formatted key with the following command:
    openssl pkcs8 -topk8 -nocrypt -outform DER -in mykey.pem -out mykey.pkcs8
    
  2. Start the KeyStore Explorer application.
  3. Choose Create a new KeyStore from the quick start menu.
  4. From New KeyStore Type, choose JKS.
  5. Click OK.
  6. From the menu bar, select Tools > Import Key Pair.
  7. From Import Key Pair Type, select PKCS #8.
  8. From Import PKCS #8 Key Pair, import the key pair as follows:
    1. If the private key file is encrypted, enter the decryption password in Decryption Password.
    2. In PKCS #8 Private Key File, enter the path to the private key file in PKCS #8 format, or click Browse to navigate to the file.
    3. In Certificate(s) File, enter the path to the X.509 certificate file in PEM or DER format, or click Browse to navigate to the file.
    4. Click Import.
    5. In New Key Pair Entry Alias, enter an alias for the key pair.
    6. Click OK.
    7. In New Key Pair Entry, enter a password for the key pair.
      The Key Pair Import Successful dialog appears.
    8. Click OK.
    9. Select File > Save from the menu bar.
    10. In Set KeyStore Password, enter a keystore password, and click OK.
    11. In Save KeyStore As, enter the name of your new keystore file. Give the file the .jks file extension.
    12. Click Save.

Your keystore file is complete and ready to be imported into your Code42 server.
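
Before running the conversion in step 1, it is worth confirming that the private key and certificate you plan to reuse actually belong together. This added example (not part of the original article or Code42's tooling) wraps the article's openssl pkcs8 command in that check and creates the output file with owner-only permissions; the function names and throwaway demo materials are constructed for illustration, and it assumes an unencrypted PEM key.

```shell
#!/bin/sh
# Added example: check that key and certificate belong together, then run the
# page's pkcs8 conversion. File names are placeholders.

# Print the public key (PEM) of a private key file. $2: PEM (default) or DER.
key_pub() { openssl pkey -inform "${2:-PEM}" -in "$1" -pubout 2>/dev/null; }

# Print the public key (PEM) embedded in a PEM X.509 certificate.
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Succeed only if both files parse and carry the same public key.
key_matches_cert() {   # usage: key_matches_cert KEY CERT [PEM|DER]
    k=$(key_pub "$1" "${3:-PEM}") || return 1
    c=$(cert_pub "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Convert only a matching pair, create the unencrypted output owner-readable
# only, then confirm the converted key still matches the certificate.
convert_checked() {   # usage: convert_checked mykey.pem mycert.pem mykey.pkcs8
    key_matches_cert "$1" "$2" || { echo "key/certificate mismatch" >&2; return 1; }
    rm -f "$3"
    ( umask 077
      openssl pkcs8 -topk8 -nocrypt -outform DER -in "$1" -out "$3" ) || return 1
    key_matches_cert "$3" "$2" DER
}

# Demo on constructed throwaway materials (2048-bit only to keep it quick).
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=master-server.example.com" \
        -keyout "$d/mykey.pem" -out "$d/mycert.pem" 2>/dev/null || return 1
    openssl genrsa -out "$d/other.pem" 2048 2>/dev/null || return 1
    convert_checked "$d/mykey.pem" "$d/mycert.pem" "$d/mykey.pkcs8" &&
        echo "pair matches, PKCS #8 file written"
    convert_checked "$d/other.pem" "$d/mycert.pem" "$d/other.pkcs8" 2>/dev/null ||
        echo "mismatched key rejected"
    rm -rf "$d"
}
demo
```

Because -nocrypt writes the private key unencrypted, delete mykey.pkcs8 once the key pair has been imported into the keystore.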

Reuse existing key materials (Windows)

Follow these steps to reuse an existing private key/certificate combination from another application if you are running on Windows. Key materials on Windows platforms are typically stored in a PKCS12 keystore file. The KeyStore Explorer can convert a PKCS12 keystore file to a JKS file using the steps below.

  1. Start the KeyStore Explorer application.
  2. Select File > Open from the menu bar.
  3. Navigate to and select the PKCS12 file that you want to convert.
  4. Click Open.
  5. In Unlock KeyStore, enter the password for the keystore file and click OK.
  6. Select File > Save As from the menu bar.
  7. Enter a name with the .jks file extension for the new keystore.
  8. Click Save.
  9. Select Tools > Change Type > JKS from the menu bar.
  10. From Change KeyStore Type, click OK.
    The Change KeyStore Type dialog displays "Change KeyStore type Successful".
  11. Click OK.
  12. Select File > Save.
    The keystore file is saved in JKS format.

Your keystore file is complete and ready to be imported into your Code42 server.

Configure the Code42 server to use the keystore

After creating a signed keystore that contains an SSL certificate for secure access to the administration console, import it into your Code42 server.

  1. Sign in to the administration console.
  2. Go to Settings > Security > Keys.
  3. Click Import Keystore.
  4. Click Choose File.
  5. Navigate to the location where your keystore was saved and select your keystore.
  6. Enter your keystore Password.
  7. Click Save.
  8. Restart the Code42 server service.