
Registry Integration x509 Certificates How-to

How do I request a new certificate?
  1. Identify what service you need (person/student/account/course/authority/workgroup).
  2. Generate a new key and CSR (see question below).
  3. Submit the CSR via Certificate Manager at https://registrycm.stanford.edu.

  4. Once your certificate request is approved, download the file.

  5. Construct the keystore/.p12 file as needed (see question below).
How do I generate a CSR and a private key?
  • To generate a private key file, run the following command. The key never leaves this machine: submit only the CSR, and keep the key file readable only by the account that will use it:

$ openssl genrsa -rand /dev/urandom -out [key file] 2048
example: openssl genrsa -rand /dev/urandom -out mais.key 2048

  • To generate a certificate signing request (CSR) from the private key:
  1. Prepare to provide the following information (the bracketed values are the prompt's defaults; type your value after the colon):
    • Country Name (2 letter code) [GB]:US
    • State or Province Name (full name) [Berkshire]:CA
    • Locality Name (e.g., city) [Newbury]:Stanford
    • Organization Name (e.g., company) [My Company Ltd]:Stanford University
    • Organizational Unit Name (e.g., section) []:your 4-digit org code
    • Common Name (e.g., your name or your server's hostname) []:mais-app
    • Email Address []:mais@stanford.edu
      *Note: Common name should be constructed in this fashion: [org/project]-[application], such as mais-harvester
  2. Once you have prepared the above information, run the following command:
    $ openssl req -new -key [key file] -out [csr file]
    example: openssl req -new -key mais.key -out mais.csr
  3. To verify the CSR (this checks its signature against the key and prints the subject you entered, so you can confirm the Common Name before submitting), run:
    $ openssl req -text -noout -verify -in [csr file]
    example: openssl req -text -noout -verify -in mais.csr
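The key and CSR steps above as one script, added here as an example that is not part of the original page: it generates the key and CSR without the interactive prompts, verifies the CSR's signature, and checks that the Common Name follows the [org/project]-[application] convention before you submit it to Certificate Manager. The org code 1234, the CN mais-harvester, the e-mail address and the scratch-directory layout are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original page: generate the key and CSR
# non-interactively and confirm the CSR before submitting it.
# Assumptions: OpenSSL 1.1 or later on PATH; the org code 1234, the CN
# "mais-harvester" and the e-mail address are placeholders.
set -eu

make_key_and_csr() {
    key="$1"; csr="$2"; cn="$3"; ou="$4"; email="$5"
    # Key files are created readable by the owner only; the key never leaves this host
    umask 077
    openssl genrsa -out "$key" 2048 2>/dev/null
    # -subj supplies the subject fields the interactive prompt would ask for, in the same order
    openssl req -new -batch -key "$key" -out "$csr" \
        -subj "/C=US/ST=CA/L=Stanford/O=Stanford University/OU=$ou/CN=$cn/emailAddress=$email"
    # -verify checks the CSR's self-signature, i.e. that the CSR really belongs to this key
    openssl req -noout -verify -in "$csr" >/dev/null 2>&1
}

csr_cn() {
    # Print just the Common Name from a CSR, e.g. "mais-harvester"
    openssl req -noout -subject -nameopt sep_multiline -in "$1" \
        | sed -n 's/^[[:space:]]*CN=//p'
}

cn_follows_convention() {
    # [org/project]-[application]: lowercase tokens joined by "-", no spaces or dots
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9]+(-[a-z0-9]+)+$'
}

run_demo() {
    # Everything lands in a scratch directory that is removed on exit
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT
    make_key_and_csr "$workdir/mais.key" "$workdir/mais.csr" \
        mais-harvester 1234 mais@stanford.edu
    cn=$(csr_cn "$workdir/mais.csr")
    cn_follows_convention "$cn" || { echo "CN '$cn' does not follow [org]-[app]" >&2; return 1; }
    # The CSR file is what gets submitted; print the CN so the caller can record it
    printf '%s\n' "$cn"
}
```

Keep the key file where the script wrote it (mode 0600) and upload only the .csr; if the CN check fails, regenerate the CSR with a corrected -subj rather than editing the file.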


I downloaded the signed certificate, how do I construct a .p12/keystore file?
  1. Use OpenSSL to construct the file (you will be prompted to set an export password; this password protects the private key inside the .p12, so choose it as carefully as the key itself):
    $ openssl pkcs12 -export -name [alias name] -in [certificate file] -inkey [key file] -out [p12 file]
    example: openssl pkcs12 -export -name mais -in mais.cert -inkey mais.key -out mais.p12
  2. Import the CA cert (the Registry CA Root certificate, see the download question at the end of this page) into a keystore. If the keystore file does not exist yet, keytool creates it and asks for a new keystore password; answer yes when asked whether to trust the certificate:
    $ keytool -alias registryca -importcert -file cacert.cer -keystore [keystore file]
    example: keytool -alias registryca -importcert -file cacert.cer -keystore mais.jks
  3. Import the .p12 file into the keystore. keytool asks for the destination keystore password and the .p12 export password; the key entry keeps the alias given in step 1:
    $ keytool -v -importkeystore -srckeystore [p12 file] -srcstoretype PKCS12 -destkeystore [keystore file] -deststoretype JKS
    example: keytool -v -importkeystore -srckeystore mais.p12 -srcstoretype PKCS12 -destkeystore mais.jks -deststoretype JKS
    Note: keytool on Java 9 and later warns that JKS is a proprietary format; the same keytool commands work with -storetype PKCS12 if your application accepts a PKCS12 keystore.
  4. View the keystore and confirm it shows one PrivateKeyEntry (your alias) and one trustedCertEntry (registryca):
    $ keytool -v -list -keystore [keystore file] -storepass [keystore password]
    example: keytool -v -list -keystore mais.jks -storepass [mais password]
    Note: a password given with -storepass is visible in your shell history and in the process list; omit the option and keytool prompts for it instead.
My certificate isn't working. What should I do?

Verify that your certificate has not expired, and that the certificate actually in the keystore or .p12 is the one you think it is:

  • Use Keytool to check keystore/jks files. The "Valid from ... until" line of the PrivateKeyEntry shows the expiry date; the listing should also contain the registryca trustedCertEntry.

$ keytool -v -list -keystore [keystore file] -storepass [keystore password]
example: keytool -v -list -keystore mais.jks -storepass [keystore password]

  • Use OpenSSL to check p12 files by exporting the certificate file first, then viewing it. The "Not After" line under Validity is the expiry date; also check that the Subject contains the Common Name you requested.

$ openssl pkcs12 -nokeys -clcerts -in [p12 file] -out [certificate file]
example: openssl pkcs12 -nokeys -clcerts -in mais.p12 -out mais.cert

$ openssl x509 -in [certificate file] -noout -text
example: openssl x509 -in mais.cert -noout -text
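A script for the .p12 check above, added here and not part of the original page: it extracts the certificate the same way and then uses openssl x509 -checkend to decide whether the certificate is already expired or will expire within 30 days, which is when the renewal request should go in. The one-day self-signed certificate it builds is a constructed fixture standing in for a Registry-issued one; file names, the 30-day threshold and the P12PASS environment variable (the .p12 password) are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original page: check the certificate inside a
# .p12 bundle for expiry without reading dates by eye. The self-signed certificate
# built by make_p12 is a constructed stand-in for a Registry-issued one; file names
# and the P12PASS environment variable (the .p12 password) are placeholders.
set -eu

p12_to_cert() {
    # Extract only the end-entity certificate (no key, no CA chain); $1 = .p12, $2 = output PEM
    openssl pkcs12 -nokeys -clcerts -in "$1" -passin env:P12PASS -out "$2" 2>/dev/null
}

cert_enddate() {
    # Prints e.g. "notAfter=Jan  2 00:00:00 2030 GMT"
    openssl x509 -in "$1" -noout -enddate
}

cert_expires_within() {
    # Exit 0 when the certificate in $2 is expired, or will expire within $1 seconds.
    # openssl -checkend exits 0 only if the certificate is still valid at now+$1.
    ! openssl x509 -in "$2" -noout -checkend "$1" >/dev/null
}

p12_status() {
    # Return 0 = fine, 1 = expires within 30 days (2592000 s), 2 = already expired
    cert=$(mktemp)
    p12_to_cert "$1" "$cert"
    cert_enddate "$cert"
    status=0
    if cert_expires_within 0 "$cert"; then
        echo "EXPIRED: request a renewal from the MaIS team and rebuild the .p12"
        status=2
    elif cert_expires_within 2592000 "$cert"; then
        echo "WARNING: expires within 30 days; request the renewal now"
        status=1
    fi
    rm -f "$cert"
    return $status
}

make_p12() {
    # Constructed fixture: self-signed cert valid for $2 days, packaged as $1.p12 the
    # way the page does (openssl pkcs12 -export -name mais)
    openssl req -x509 -new -newkey rsa:2048 -nodes -days "$2" -subj /CN=mais-harvester \
        -keyout "$1.key" -out "$1.cert" 2>/dev/null
    openssl pkcs12 -export -name mais -in "$1.cert" -inkey "$1.key" \
        -out "$1.p12" -passout env:P12PASS
}
```

Run it as P12PASS=... then p12_status mais.p12 against a real bundle; the exit status makes it usable from a cron job or monitoring check, which is easier than remembering to look at the date.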

My certificate is expired. What should I do?
  1. Contact the MaIS team to renew your certificate.
  2. Download the certificate when renewed.
  3. Replace certificate in keystore/p12 (see question below).
My certificate has been revoked. What should I do?
  1. Contact the MaIS team to renew your certificate. If the revocation was because the private key may have been exposed, generate a new key and CSR (see "How do I generate a CSR and a private key?") instead of reusing the old key; a fresh certificate for a compromised key is still compromised.
  2. Download the certificate when renewed.
  3. Replace certificate in keystore/p12 (see question below).
How do I replace an existing certificate?
  • For keystore files, import the new certificate under the same alias as the existing key entry. Because that alias already holds a private key, keytool treats the file as a certificate reply: it checks that the certificate's public key matches the stored private key and that it chains to a trusted certificate in the keystore (the registryca entry), then replaces the old certificate:

$ keytool -import -alias [alias name] -file [new cert file] -keystore [keystore file]
example: keytool -import -alias mais -file mais.cert -keystore mais.jks

  • For p12 files, recreate the .p12 file following these steps:
    1. Back up your old .p12, key, certificate files if needed.
    2. Extract the private-key from your existing .p12 file (if you don't already have a copy). You will be asked for the .p12 password and then for a pass phrase to protect the exported key file; do not leave the key file on disk longer than needed:
      $ openssl pkcs12 -nocerts -in [p12 file] -out [key file]
      example: openssl pkcs12 -nocerts -in mais.p12 -out mais.key
    3. Recreate the .p12 file with the new certificate plus the extracted private-key from the last command (openssl refuses with "No certificate matches private key" if the new certificate was issued for a different key):
      $ openssl pkcs12 -name [alias name] -export -in [new cert file] -inkey [key file] -out [p12 file]
      example: openssl pkcs12 -name mais -export -in mais.cert -inkey mais.key -out mais.p12
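The .p12 rebuild above as a script, added here and not part of the original page, with the check the steps assume: the renewed certificate must have been issued for the private key already in the .p12, which is exactly what fails when a certificate from a different key is mixed in. The script compares the public key in the certificate with the one derived from the extracted key before re-exporting, and refuses otherwise. The alias mais, the file names and the OLDPASS, KEYPASS and NEWPASS environment variables are assumptions; passwords are read from the environment rather than typed on the command line so they do not end up in shell history.

```sh
#!/bin/sh
# Added example, not part of the original page: swap a renewed certificate into a
# .p12 bundle only after proving it was issued for the private key already in the
# bundle. Assumptions: OpenSSL 1.1 or later; alias "mais" and file names are
# placeholders; OLDPASS (old .p12 password), KEYPASS (temporary key file) and
# NEWPASS (new .p12 password) must be set in the environment.
set -eu

pubkey_der_of_key() {
    # DER SubjectPublicKeyInfo derived from a private key; $1 = key PEM, $2 = output
    openssl pkey -in "$1" -passin env:KEYPASS -pubout -outform DER -out "$2" 2>/dev/null
}

pubkey_der_of_cert() {
    # The same encoding taken from a certificate, so the two files are directly comparable
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER -out "$2" 2>/dev/null
}

key_matches_cert() {
    # $1 = private key PEM, $2 = certificate PEM; true only if both decode and are identical
    k=$(mktemp); c=$(mktemp)
    pubkey_der_of_key "$1" "$k" || true
    pubkey_der_of_cert "$2" "$c" || true
    if [ -s "$k" ] && [ -s "$c" ] && cmp -s "$k" "$c"; then rc=0; else rc=1; fi
    rm -f "$k" "$c"
    return $rc
}

replace_cert_in_p12() {
    old_p12="$1"; new_cert="$2"; new_p12="$3"; alias="$4"
    keyfile=$(mktemp)
    # Pull only the private key out of the old bundle; it is written encrypted under KEYPASS
    openssl pkcs12 -nocerts -in "$old_p12" -passin env:OLDPASS \
        -out "$keyfile" -passout env:KEYPASS 2>/dev/null
    if ! key_matches_cert "$keyfile" "$new_cert"; then
        rm -f "$keyfile"
        echo "refusing: $new_cert was not issued for the private key in $old_p12" >&2
        return 1
    fi
    # Same export step as the page, with the key pass phrase read from the environment
    openssl pkcs12 -export -name "$alias" -in "$new_cert" -inkey "$keyfile" \
        -passin env:KEYPASS -out "$new_p12" -passout env:NEWPASS
    rm -f "$keyfile"
}
```

The same key_matches_cert check is worth running on a freshly downloaded certificate before touching any keystore: a mismatch there means the CSR was made from a different key than the one you are about to package.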

How do I use the downloaded certificate in a browser?
  1. Create a .p12 file from the certificate (see question above).
  2. Import the .p12 file into the browser of your choice.
Where do I download the CA Root certificate?

The CA Root certificate is available at: https://uit.stanford.edu/sites/default/files/certificates/docservice/registryca.cer
