FTASecurity and FTA Activation Service Installed on Different Machines

Use the create-certificate script to create certificates signed by the CA. You can use this script to generate:
  • Multiple certificates for multiple host machines.
  • New certificates used for certificate rotation.
    IMPORTANT:
    Create the signed certificates using the same CA that FTASecurity uses.
    IMPORTANT:
    If FTASecurity and the FTA Activation Service are installed on different machines, run the script on the FTASecurity machine once for each hostname: once with the FTASecurity hostname and once with the FTA Activation Service hostname. Both certificates are then signed by the same CA.
    IMPORTANT:
    Ensure that the account running the script has permission to access the certificates folder. Because the folder will contain private keys, do not grant broader access to it than necessary.
  1. Execute the following command to create signed certificates using the CA. The create-certificate script takes four arguments:
    create-certificate.cmd <host1.acme-widgets.com> <ca-secret-password> <key-password> <trust-password>
    • Enter the command on a single line.
    • 1st argument (host1.acme-widgets.com): The fully qualified domain name (FQDN) of the server for which the certificate is being created. The FQDN is used as the base file name for all output files related to the certificate.
    • 2nd argument (ca-secret-password): The password used to encrypt the private key of the CA (see create-ca).
    • 3rd argument (key-password): The password for the certificate private key and the Java keystore file.
    • 4th argument (trust-password): The password for the Java truststore file.
    IMPORTANT:
    Do not use the word “password” as a password for generating keys and certificates.
    The following special characters are supported in a password for the certificates:
    Supported special characters: ~ { } [ ] @ - _ $ * + / ? : .
    NOTE:
    Three or more supported special characters in a row may cause unexpected results. For example: ${}
    The following special characters are not supported and must not be used in a password for the certificates:
    Unsupported special characters: | < > & ! \ ` # % ' ^ = ; ( ) , and the space (blank) character
    This command creates the following files under the CA directory (Sign Certificate).
    File
    Description
    CERT_ROOT_DIRECTORY/certs/fta_truststore.jks
    A Java truststore file containing the public root certificate of the CA. This file is created once.
    CERT_ROOT_DIRECTORY/certs/host-fqdn.crt
    The host's signed certificate (public key) in PEM format.
    CERT_ROOT_DIRECTORY/certs/host-fqdn.csr
    The certificate signing request (CSR) for the host's certificate.
    CERT_ROOT_DIRECTORY/certs/host-fqdn.jks
    The Java keystore containing the host's private key.
    CERT_ROOT_DIRECTORY/certs/host-fqdn.key
    The host's private key. Protect this file: anyone who can read it can impersonate the host.
    CERT_ROOT_DIRECTORY/certs/host-fqdn.p12
    The host's private key and certificate in PKCS #12 format. This file is used to create the Java keystore.
    CERT_ROOT_DIRECTORY/certs/host-fqdn.pem
    The certificate chain for the host certificate in PEM format: the concatenation of the CA's root certificate and the host's certificate.
  2. Copy the
    <FTA_Activation_Service_HostName>.p12
    file to the FTA Activation Service server. This file contains the host's private key, so transfer it over a secure channel, restrict read access to it on the destination machine, and keep the key-password used to create it available, because it is needed to open the file.
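The following pre-flight and post-run checks are an added example and are not part of the product's create-certificate script. They encode the password rules from this page (no "password", only the supported special characters, no run of three or more special characters), assemble the single-line command, list the files the page says the script writes, and confirm that a generated .pem chain contains exactly two certificates including the host's .crt. The function names, the sample directory, and the placeholder PEM blocks are assumptions made for illustration; the PEM blocks are constructed and are not real certificates.

```python
# Added example (not the product's own code): checks around create-certificate.cmd.
import re
from pathlib import Path

# Character lists taken from the page.
SUPPORTED_SPECIALS = set("~{}[]@-_$*+/?:.")
UNSUPPORTED_SPECIALS = set("|<>&!\\`#%'^=;(),") | {" "}   # "blank" = space

# Per-host output files the page lists; the FQDN is the base name of each.
HOST_FILE_EXTENSIONS = (".crt", ".csr", ".jks", ".key", ".p12", ".pem")

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def check_password(pw: str) -> list[str]:
    """Return the page's rules that a candidate password breaks (empty list = acceptable)."""
    problems = []
    if "password" in pw.lower():
        problems.append('contains the word "password"')
    specials = {c for c in pw if not (c.isascii() and c.isalnum())}
    bad = sorted(c for c in specials if c in UNSUPPORTED_SPECIALS)
    if bad:
        problems.append("unsupported characters: " + " ".join(repr(c) for c in bad))
    unknown = sorted(c for c in specials if c not in SUPPORTED_SPECIALS and c not in UNSUPPORTED_SPECIALS)
    if unknown:
        # On neither list; treat as unsafe rather than guess.
        problems.append("characters on neither list: " + " ".join(repr(c) for c in unknown))
    run = re.search(r"[^A-Za-z0-9]{3,}", pw)   # e.g. "${}" from the page's NOTE
    if run:
        problems.append(f"{len(run.group())} consecutive special characters: {run.group()!r}")
    return problems


def build_command(fqdn: str, ca_secret: str, key_pw: str, trust_pw: str) -> str:
    """Assemble the single-line create-certificate.cmd call, refusing any bad password."""
    for name, pw in (("ca-secret-password", ca_secret), ("key-password", key_pw),
                     ("trust-password", trust_pw)):
        problems = check_password(pw)
        if problems:
            raise ValueError(f"{name}: " + "; ".join(problems))
    return f"create-certificate.cmd {fqdn} {ca_secret} {key_pw} {trust_pw}"


def expected_files(cert_root: Path, fqdn: str) -> list[Path]:
    """Paths the page says the script writes under CERT_ROOT_DIRECTORY/certs."""
    certs = cert_root / "certs"
    return [certs / "fta_truststore.jks"] + [certs / f"{fqdn}{ext}" for ext in HOST_FILE_EXTENSIONS]


def missing_files(cert_root: Path, fqdn: str) -> list[Path]:
    """Expected output files that are not present after the script has run."""
    return [p for p in expected_files(cert_root, fqdn) if not p.is_file()]


def check_chain(pem_text: str, host_crt_text: str) -> list[str]:
    """The .pem must hold two certificates (CA root + host) and include the host's .crt."""
    problems = []
    chain = PEM_CERT.findall(pem_text)
    if len(chain) != 2:
        problems.append(f"expected 2 certificates in .pem chain, found {len(chain)}")
    host = PEM_CERT.findall(host_crt_text)
    if len(host) != 1:
        problems.append(f"expected 1 certificate in .crt, found {len(host)}")
    elif host[0] not in chain:
        problems.append("host certificate from .crt is not present in the .pem chain")
    return problems


# Constructed placeholder PEM blocks (base64 of a label, NOT real certificates),
# so check_chain can be exercised offline.
SAMPLE_CA_PEM = "-----BEGIN CERTIFICATE-----\nQ0EtUk9PVC1QTEFDRUhPTERFUg==\n-----END CERTIFICATE-----\n"
SAMPLE_HOST_PEM = "-----BEGIN CERTIFICATE-----\nSE9TVC1QTEFDRUhPTERFUg==\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    fqdn = "host1.acme-widgets.com"
    print(build_command(fqdn, "Ca~Secret1", "Key_Pw2", "Trust.Pw3"))
    for pw in ("password123", "Acme${}2024", "Acme&2024", "Acme~2024"):
        print(repr(pw), "->", check_password(pw) or "ok")
    print(check_chain(SAMPLE_CA_PEM + SAMPLE_HOST_PEM, SAMPLE_HOST_PEM) or "chain ok")
    # Assumed directory; on a real machine pass CERT_ROOT_DIRECTORY here.
    print("missing:", missing_files(Path("/tmp/fta-ca-example"), fqdn))
```

Several of the unsupported characters (| < > & ^ ( ) % !) are metacharacters for the Windows command interpreter, which is a likely reason they break the .cmd script; rejecting them before the script runs avoids a half-written certs directory. After a real run, point missing_files at CERT_ROOT_DIRECTORY and feed the generated host-fqdn.pem and host-fqdn.crt to check_chain; keytool -list with the key-password and trust-password can then confirm the keystore and truststore open as expected.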