Registry Integration x509 Certificates How-to

1. Identify what service you need (person/student/account/course/authority/workgroup).
2. Generate a new key and CSR (see question below).
3. Submit the CSR via Certificate Manager at https://registrycm.stanford.edu.
   
   

4. Once your certificate request is approved, download the file.
   
   

5. Construct the keystore/.p12 file as needed (see question below).

• To generate a private key file, run the following commands:

$ openssl genrsa -rand /dev/urandom -out [key file] 2048
example: openssl genrsa -rand /dev/urandom -out mais.key 2048

• To generate a certificate signing request (CSR) from the private key:

1. Prepare to provide the following information:
   • Country Name (2 letter code) [GB]:US
   • State or Province Name (full name) [Berkshire]:CA
   • Locality Name (e.g., city) [Newbury]:Stanford
   • Organization Name (e.g., company) [My Company Ltd]:Stanford University
   • Organizational Unit Name (e.g., section) []:your 4-digit org code
   • Common Name (e.g., your name or your server's hostname) []:mais-app
   • Email Address []:mais@stanford.edu
     *Note: Common name should be constructed in this fashion: [org/project]-[application], such as mais-havester
2. Once you have prepared the above information, run the following commands:
   $ openssl req -new -key [key file] -out [csr file]
   example: openssl req -new -key mais.key -out mais.csr
3. To verify the CSR, run:
   $ openssl req -text -noout -verify -in [csr file]
   example: openssl req -text -noout -verify -in mais.csr
   
   

1. Use OpenSSL to construct the file (you will need to create a password with this step):
   $ openssl pkcs12 -export -name [alias name] -in [certificate file] -inkey [key file] -out [p12 file]
   example: openssl pkcs12 -export -name [mais] -in mais.cert -inkey mais.key -out mais.p12
2. Import the CA cert into a keystore:
   $ keytool -alias registryca -importcert -file cacert.cer -keystore [keystore file]
   example: keytool -alias registryca -importcert -file cacert.cer -keystore mais.jks
3. Import the .p12 file into a keystore:
   $ keytool -v -importkeystore -srckeystore [p12 file] -srcstoretype PKCS12 -destkeystore [keystore file] -deststoretype JKS
   example: keytool -v -importkeystore -srckeystore mais.p12 -srcstoretype PKCS12 -destkeystore mais.jks -deststoretype JKS
4. View the keystore:
   $ keytool -v -list -keystore [keystore file] -storepass [keystore password]
   example: keytool -v -list -keystore mais.jks -storepass [mais password]

Verify that your certificate has not expired:

• Use Keytool to check keystore/jks files

$ keytool -v -list -keystore [keystore file] -storepass [keystore password]
example: keytool -v -list -keystore mais.jks -storepass [keystore password]

• Use OpenSSL to check p12 files by exporting the certificate file first, then view

$ openssl pkcs12 -nokeys -clcerts -in [p12 file] -out [certificate file]
example: openssl pkcs12 -nokeys -clcerts -in mais.p12 -out mais.cert

$ openssl x509 -in [certificate file] -noout -text
example:$ openssl x509 -in mais.cert -noout -text

​

• If the certificate is revoked, contact the MaIS team.

1. Contact the MaIS team to renew your certificate.
2. Download the certificate when renewed.
3. Replace certificate in keystore/p12 (see question below).

1. Contact the MaIS team to renew your certificate.
2. Download the certificate when renewed.
3. Replace certificate in keystore/p12 (see question below).

• For keystore files, you will need to import the new certificate with the matching CN into the keystore:

$ keytool -import -alias [alias name] -file [new cert file] -keystore [keystore file]
example: keytool -import -alias [mais] -file mais.cert -keystore mais.jks

• For p12 files, recreate the .p12 file following these steps:
  1. Back up your old .p12, key, certificate files if needed.
  2. Extract the private-key from your existing .p12 file (if you don't already have a copy):
     ​​$ openssl pkcs12 -nocerts -in [p12 file] -out [key file]
     example: openssl pkcs12 -nocerts -in mais.p12 -out mais.key
  3. Recreate the .p12 file with the new certificate plus the extracted private-key from the last command:
     $ openssl pkcs12 -name [alias name] -export -in [new cert file] -inkey [key file] -out [p12 file]
     example: openssl pkcs12 -name mais -export -in mais.cert -inkey mais.key -out mais.p12
     ​
     

1. Create a .p12 file from the certificate (see question above).
2. Import the .p12 file into the browser of your choice.

• FireFox
  ​Options > Certificates Tab > View Certificates > Import
• Chrome
  Settings > Show Advanced Settings > HTTPS/SSL > Manage Certificates > Import
• Internet Explorer (IE)
  ​Import or export certificates and private keys
• Safari (Mac)
  ​Applications > Utilities > Keychain Access > Login > My Certificates
• Safari (Windows)
  ​Safari on Windows uses the certificates installed via Internet Explorer (IE).

The CA Root certificate is available at: https://uit.stanford.edu/sites/default/files/certificates/docservice/registryca.cer