Obtaining an RA Certificate to Store in a Java KeyStore File
You can store your RA certificate in an HSM or a software-based Java KeyStore.

A Registration Authority (RA) is an authority in a network that verifies user requests for a digital certificate and instructs the CA to issue it. An RA is part of a PKI, a networked system that enables companies and users to exchange information safely and securely.

A Hardware Security Module (HSM) securely stores secret key material. HSMs are similar to large-storage, multisession smart cards; however, unlike smart cards, they are used mainly on the server side of a system.
Store the RA Certificate in an HSM
To create and store the SSL credentials in an HSM, you can use the HSM Credentials management feature in the ActivID CMS Configuration tab.

In the context of ActivID, a credential is a collection of one or more credential elements that together provide some form of digitally provable identity. In the context of PIV, a credential refers to the completed PIV card itself.
1. Log on to the ActivID CMS Operator Portal with an ActivID CMS Administrator certificate.
2. Go to the Configuration tab, and then click HSM Credentials.
3. Click Generate Key.
4. Enter the:
   - Key Alias
   - Key Length – Symantec requires the key size to be 2048-bit.
   - Certificate Subject Common Name (CN)
5. Click Generate to generate the key.
6. Click Done.
   In the credentials list, your new credentials appear with the Certificate Type as Self Signed.
7. Click Get CSR to get the content of the Certificate Signing Request.
8. Copy the CSR to the machine that has access to the PKI Manager:
   - Copy the contents of the CSR to your system clipboard.
   - Access the PKI Manager and select Get RA certificate.
   - Paste the contents of your clipboard into the Request field and click Submit.
   - When prompted, download the RA-Certificate.p7b certificate file.
9. Return to the HSM Credentials tab, and click Attach Certificate.
10. Click Browse to locate the RA-Certificate.p7b certificate file that you downloaded in the previous step.
11. Click Continue.
    The file uploads and a success message appears.
12. Click Done.
    In the credentials list, the RA certificate appears with the Certificate Type as Custom (instead of Self Signed).
    The subject DN of the certificate was customized by the Symantec CA.
13. Restart the CMS Server service before using this new certificate.
Store the RA Certificate in a Java KeyStore File
You must use the Java keytool to generate the keys, and import them into your KeyStore. For details, refer to Symantec technical documentation.
To store your RA certificate in a software-based Java KeyStore:
1. Generate a key pair as follows:

   keytool -genkey -alias pki_ra -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -dname "CN=<common name>" -keypass <password> -keystore <keystore name> -storepass <password>

2. Generate a CSR as follows:

   keytool -certreq -alias pki_ra -sigalg SHA1withRSA -file pki_raCSR.req -keypass <password> -keystore <keystore name> -storepass <password>

3. Copy the pki_raCSR.req file to the machine that has access to the PKI Manager:
   - Open the pki_raCSR.req file in a text editor, and copy the contents of the file to your system clipboard.
   - Access PKI Manager, and select Get RA certificate from the Tasks icon at the bottom of the screen.
   - Paste the contents of your clipboard into the Request field and click Submit.
   - When prompted, download the cert.p7b certificate file.
4. Copy the cert.p7b certificate file to a temporary directory on the machine where the key pair was generated.
5. Import the certificate into your KeyStore by using the following command:

   keytool -import -alias pki_ra -file cert.p7b -noprompt -keypass <password> -keystore <keystore name> -storepass <password>

6. Import the root and issuing CAs for the RA certificate as trusted CAs. They are located in the Certificates folder of the Symantec PKI Web Services package, which can be downloaded by clicking the Symantec PKI Resources icon in the lower left corner of the PKI Manager. Importing them into the KeyStore as trusted root CAs guarantees that the RA certificate you install is trusted correctly.
   - For intermediate CAs:

     keytool -import -trustcacerts -alias pki_ca -file RAintermediateCA.cer -keystore <keystore name> -storepass <password>

   - For root CAs:

     keytool -import -trustcacerts -alias root -file RAroot.cer -keystore <keystore name> -storepass <password>

7. Save the certificates in the ActivID CMS directory (C:\Program Files\HID Global\Credential Management System\certificates).
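After the import and trusted-CA steps above, the two things that most often go wrong are that the .p7b was never attached to the private-key entry (the alias still holds the self-signed placeholder, the KeyStore equivalent of the "Self Signed" certificate type in the HSM procedure) and that the issuing or root CA is missing, so the chain cannot be validated. The following script is an added example written for this page; it is not part of the ActivID CMS documentation or of Symantec's tooling. It parses the text that `keytool -list -v` prints and checks both conditions. It assumes the aliases pki_ra, pki_ca and root used in the commands above and the field labels keytool uses in its verbose listing (Java 8 and later); the listing embedded at the end is constructed sample data, not output from a real keystore.

```shell
#!/bin/sh
# Added example (not from the ActivID CMS / Symantec documentation): sanity-check a
# Java KeyStore after the RA certificate and CA certificates have been imported.
# Real usage:
#   check_keystore "$(keytool -list -v -keystore <keystore name> -storepass <password>)"

# entry_block LISTING ALIAS -> prints the lines of one alias entry (up to the next alias)
entry_block() {
  printf '%s\n' "$1" | awk -v a="$2" '
    /^Alias name: / { inblock = ($0 == ("Alias name: " a)) }
    inblock { print }
  '
}

# field BLOCK LABEL -> value of the first "LABEL: value" line (for the RA entry this is
# the leaf certificate, because Certificate[1] is listed before the CA certificates)
field() {
  printf '%s\n' "$1" | sed -n "s/^$2: //p" | head -n 1
}

# check_ra_entry LISTING ALIAS -> 0 when the alias is a PrivateKeyEntry whose chain was
# replaced by the CA-issued one (chain length >= 2 and leaf Owner differs from Issuer)
check_ra_entry() {
  block=$(entry_block "$1" "$2")
  if [ -z "$block" ]; then
    echo "FAIL: alias '$2' not found in keystore"; return 1
  fi
  entry_type=$(field "$block" "Entry type")
  chain_len=$(field "$block" "Certificate chain length")
  owner=$(field "$block" "Owner")
  issuer=$(field "$block" "Issuer")
  if [ "$entry_type" != "PrivateKeyEntry" ]; then
    echo "FAIL: '$2' is '$entry_type', expected PrivateKeyEntry (no private key)"; return 1
  fi
  if [ "${chain_len:-0}" -lt 2 ] || [ "$owner" = "$issuer" ]; then
    echo "FAIL: '$2' still holds the self-signed certificate; the .p7b was not imported"; return 1
  fi
  echo "OK: '$2' is a PrivateKeyEntry with a $chain_len-certificate chain issued by $issuer"
  return 0
}

# check_trusted_ca LISTING ALIAS -> 0 when the alias exists as a trustedCertEntry
check_trusted_ca() {
  block=$(entry_block "$1" "$2")
  entry_type=$(field "$block" "Entry type")
  if [ "$entry_type" != "trustedCertEntry" ]; then
    echo "FAIL: trusted CA alias '$2' is missing or not a trustedCertEntry"; return 1
  fi
  echo "OK: '$2' is a trustedCertEntry"
  return 0
}

# check_keystore LISTING -> runs all checks against the aliases used on this page
check_keystore() {
  rc=0
  check_ra_entry "$1" pki_ra || rc=1
  check_trusted_ca "$1" pki_ca || rc=1
  check_trusted_ca "$1" root || rc=1
  return $rc
}

# Constructed sample listing, trimmed to the fields the checks read (not real output).
SAMPLE_LISTING='Keystore type: JKS
Your keystore contains 3 entries

Alias name: pki_ra
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=example RA, O=Example Corp
Issuer: CN=Example Issuing CA, O=Example Corp
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp
Issuer: CN=Example Root CA, O=Example Corp

Alias name: pki_ca
Entry type: trustedCertEntry
Owner: CN=Example Issuing CA, O=Example Corp
Issuer: CN=Example Root CA, O=Example Corp

Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example Corp
Issuer: CN=Example Root CA, O=Example Corp
'

# Constructed listing of a keystore where the import step was skipped: the key pair is
# still paired with its self-signed certificate and no CA entries exist.
SELF_SIGNED_LISTING='Alias name: pki_ra
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=example RA
Issuer: CN=example RA
'
```

Run `check_keystore` against the real listing on the machine where the key pair was generated; a non-zero return with a FAIL line tells you which of steps 5 and 6 still needs to be done before the KeyStore is handed to ActivID CMS.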