At line 1 changed one line |
Here is an example on how to make a certificate request for an authority. |
!__Starting from the beginning :__ |
\\ |
\\ |
![Use Portecle's GUI to make a Keystore|Portecle] <---click here |
\\ |
\\ |
\\ |
\\ |
\\ |
---- |
!__Renewing a certificate :__ |
\\ |
\\ |
![Use Portecle's GUI to make a Keystore|Portecle] <---click here |
\\ |
\\ |
\\ |
\\ |
\\ |
---- |
Alternate methods for bringing in a cert from another server: |
---- |
*Apache - If you already have a certificate for Apache, follow these [instructions|openssl_key_convert] for converting it. |
---- |
*IIS - If you already have a certificate in IIS, you can export that certificate as a .PFX file and use that certificate directly in CrushFTP. [http://www.digicert.com/ssl-support/pfx-import-export-iis.htm] |
---- |
*OS X Server - Export the private key using keychain. You will need to run keychain using root access to be able to export the certificate. |
{{{ |
sudo "/Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access" |
}}} |
Then use Portecle to add in the missing certificate that go along with the chain to trust the private key's signature. For GoDaddy, that means downloading the valicert, cross and intermediate cert. |
---- |
At line 34 added 6 lines |
These below instructions are complicated and shouldn't be used unless you just can't stand using Portecle for some strange reason. |
|
*Java - When purchasing a certificate from a cert authority, be sure to choose 'Tomcat' for the format. |
|
|
*PART 1 (Command Line) |
At line 4 changed 4 lines |
|
I purchased a cheap chained certificate from godaddy. I chose the "Tomcat" type of certificate as CrushFTP works the same way as tomcat for certificates. I substituted "crushftp" instead of "tomcat" though. It really doesn't matter however. |
|
*PART 1 |
|
At line 11 changed one line |
keytool -genkey -keysize 2048 -alias crushftp -keyalg RSA -keystore crushftp.keystore |
keytool -genkey -keysize 2048 -alias crushftp -keyalg RSA -keystore crushftp.jks |
At line 68 added one line |
[no]: yes |
At line 35 changed 70 lines |
<i>***type "yes" if the above is accurate and correct</i><br/> |
[no]: yes<br/> |
Enter key password for -crushftp-<br/> |
<i>***do yourself a favor and use the same password (just hit return, or re-key it.)</i><br/> |
(RETURN if same as keystore password): <br/> |
<br/> |
</font> |
<b>PART 2</b><br/> |
That was the easy part. You now have a cert waiting to be signed. Now we get a certificate request that we give to GoDaddy to generate our certificate.<br/> |
<br/> |
<i>(" [ " indicates the beginning of a line, and " ] " indicates the end. You should not enter those two characters in terminal though.</i><br/> |
<br/> |
<font size="-2" face="courier"> [ keytool -certreq -keyalg RSA -alias crushftp -file crushftp.csr -keystore crushftp.keystore ] <br/> |
Enter keystore password: <br/> |
<i>***enter your password you used from above.</I><br/> |
<br/> |
</font> |
Now you take this resulting "crushftp.csr" file and copy its contents and paste into GoDaddy's CSR request page.<br/> |
<br/> |
<i>***KEEP your "crushftp.keystore" file! You must have it to finish the steps once you get your certificate from GoDaddy.</i><br/> |
<br/> |
<b>PART 3</b><br/> |
After completing the cert request through GoDaddy, you will be given a link to download your certificate package. This .zip file expands into a folder with the following files:<br/> |
gd_bundle.crt<br/> |
gd_cross_intermediate.crt<br/> |
gd_intermediate.crt<br/> |
www.crushftp.com.crt<br/> |
<br/> |
(Instead of www.crushftp.com.crt, you will have one corresponding to your domain.)<br/> |
You still need one more file. Go to GoDaddy to get their root certificate:<br/> |
https://certificates.starfieldtech.com/Repository.go<br/> |
<br/> |
Download the "valicert_class2_root.crt" file. Place it in the same folder with all the other certificates.<br/> |
<br/> |
Copy in your "crushftp.keystore" file created above in Part 1. Be sure to use a COPY in case anything goes wrong!<br/> |
<br/> |
Now use OS X terminal again to finish building your fully trusted certificate.<br/> |
<br/> |
<i>(" [ " indicates the beginning of a line, and " ] " indicates the end. You should not enter those two characters in terminal though.</i><br/> |
<br/> |
<font size="-2" face="courier"> |
<i>***import the root certificate</i><br/> |
[ keytool -import -alias root -keystore crushftp.keystore -trustcacerts -file valicert_class2_root.crt ] <br/> |
<i>***enter your password from above</i><br/> |
Trust this certificate? [no]: yes<br/> |
<i>***enter "yes"</i><br/> |
Certificate was added to keystore<br/> |
<br/> |
<i>***import the "cross" certificate</i><br/> |
[ keytool -import -alias cross -keystore crushftp.keystore -trustcacerts -file gd_cross_intermediate.crt ] <br/> |
<i>***enter your password from above</i><br/> |
<br/> |
<i>***import the "intermediate" certificate</i><br/> |
[ keytool -import -alias intermed -keystore crushftp.keystore -trustcacerts -file gd_intermediate.crt ] <br/> |
<i>***enter your password from above</i><br/> |
<br/> |
<i>***finally import your signed certificate which updates your pre-existing unsigned certificate</i><br/> |
[ keytool -import -alias crushftp -keyalg RSA -keystore crushftp.keystore -trustcacerts -file www.crushftp.com.crt ] <br/> |
<i>***substitute your certificates name instead of "www.crushftp.com.crt"</i><br/> |
<i>***enter your password from above</i><br/> |
<br/> |
</font> |
Now the resulting crushftp.keystore is a complete signed certificate chain. Place this file where ever you like, but that might as well be in the CrushFTP folder. Then go to the preferences of CrushFTP. Choose encryption on the left, then SSL. Browse and locate your crushftp.keystore file.<br/> |
<br/> |
For the passwords, enter in the password you used above everywhere. Set both the keystore password and the cert password. They should be the same as long as you followed directions above.<br/> |
<br/> |
Lastly, either restart CrushFTP, or choose stop all servers, start all servers to make the server items load the new certificate.<br/> |
<br/> |
If you already have a certificate for Apache, you may be able to convert it to a Java keystore and use it with CrushFTP. I provide this information untested, but it in theory looks like it would work.<br/> |
<a href="http://www.ks.uiuc.edu/Research/biocore/localServer/install/installCert.shtml">Install Apache Cert</a><br/> |
Type "yes" if the above is accurate and correct. |
|
{{{ |
Enter key password for -crushftp- |
(RETURN if same as keystore password): |
}}} |
Do yourself a favor and use the same password (just hit return, or re-key it.) |
---- |
*PART 2 |
|
You now have a self singed cert waiting to be signed by a certificate authority. Now we get make a certificate request that we give to GoDaddy to sign. |
|
{{{ |
keytool -certreq -keyalg RSA -alias crushftp -file crushftp.csr -keystore crushftp.jks |
|
Enter keystore password: |
}}} |
Enter your password you used from above. |
|
Now you take this resulting "crushftp.csr" file and copy its contents and paste into GoDaddy's CSR request page. |
---- |
*PART 3 |
|
WARNING! Keep your "crushftp.jks" file! (Make a backup of it just in case you make a mistake in step 3.) You must have this original keystore file to apply the signed certificate GoDaddy gives back. |
|
After completing the cert request through GoDaddy, you will be given a link to download your certificate package. This .zip file expands into a folder with the following files: |
{{{ |
gd_bundle.crt |
gd_cross_intermediate.crt |
gd_intermediate.crt |
www.crushftp.com.crt |
}}} |
|
(Instead of www.crushftp.com.crt, you will have one corresponding to your domain.) |
|
You still need one more file. Go to GoDaddy to get their root certificate: |
[https://certs.godaddy.com/anonymous/repository.seam] |
|
Download the "valicert_class2_root.crt" file. Place it in the same folder with all the other certificates. |
|
Copy in your "crushftp.keystore" file created above in Part 1. Be sure to use a COPY in case anything goes wrong, you can go back to your backup you made! |
|
|
Now a few more command lines to finish building your fully trusted certificate. The password is the one from part 1. |
|
{{{ |
keytool -import -alias root -keystore crushftp.jks -trustcacerts -file valicert_class2_root.crt |
Trust this certificate? [no]: yes |
Certificate was added to keystore |
keytool -import -alias cross -keystore crushftp.jks -trustcacerts -file gd_cross_intermediate.crt |
Trust this certificate? [no]: yes |
Certificate was added to keystore |
keytool -import -alias intermed -keystore crushftp.jks -trustcacerts -file gd_intermediate.crt ] |
Trust this certificate? [no]: yes |
Certificate was added to keystore |
}}} |
Finally import your signed certificate which updates your pre-existing unsigned certificate. |
{{{ |
keytool -import -alias crushftp -keyalg RSA -keystore crushftp.jks -trustcacerts -file www.crushftp.com.crt |
}}} |
(Substitute your certificate's name instead of "www.crushftp.com.crt".) |
---- |
Now the resulting crushftp.keystore is a complete signed certificate chain. Place this file in the CrushFTP folder. Then go to the preferences of CrushFTP. Choose encryption on the left, then SSL. Browse and locate your crushftp.keystore file. |
|
For the passwords, enter in the password you used above everywhere. Set both the keystore password and the cert password. They should be the same as long as you followed directions above. |
|
Lastly, either restart CrushFTP, or choose stop all servers, start all servers to make the server items load the new certificate. |