
Certificate renewal


Certificate renewal

sc000ter
Hello,

We have a working install of CONNECT 4.4.1 on GF and have been up for almost a year.  It is time for us to renew our certificate.

We are not using NSS just the normal Java keystores, etc.

I am not sure exactly what needs to happen here.  I understand I need to generate a CSR but do I need to generate a new private key as well?

Do I generate a new key / CSR using the instructions here? https://connectopensource.atlassian.net/wiki/display/CONNECTWIKI/Certificate+Setup

Or can I just use a command like this?
keytool -genkeypair \
        -alias domain \
        -keyalg RSA \
        -keystore keystore.jks

I normally have a sys admin do the CSR but this is the only Java box in an MS shop and I'm responsible for it.

I found keytool commands here:
https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores

I just don't want to end up going down the road of generating a CSR, getting a renewed cert and then find out that GF/CONNECT can't use it.

FYI, we had a consultant help us get CONNECT installed.  I have replaced the certs of the party (esMD) we are connecting with so I am familiar with working with the key tool command.  I just need a little specific direction.

Thanks for answering my completely nooby question.
--Brian


Re: Certificate renewal

Sovann Huynh
Administrator
Hi Brian, take a look at this page we've set up:

https://connectopensource.atlassian.net/wiki/display/CONNECTWIKI/New+process+for+importing+eHealth+Exchange+chain+of+trust
Sovann
CONNECT Product Team Member

Re: Certificate renewal

Sovann Huynh
Administrator
To answer your question about CSR more specifically, local keytool commands will not suffice. You will need to go to the Entrust website.
Sovann
CONNECT Product Team Member

Re: Certificate renewal

sc00ter
Sovann,

I understand I will need to send the CSR to Entrust to get new certificates.

My question was, do I need to blow away my Private Key that we made last year in order to generate a new CSR.  Looking at the gateway.jks keystore I see that the validity is set at 365 so I would not be able to use that for a CSR, correct?

I did look at the page you shared.

We use the same certs in test as well as Production, so does that mean I have to move the gateway.jks file from my test environment to Production as well?

Do I also need to e-mail ONC.ExchangeInfo@hhs.gov to get our reference number and auth code?

Thank you for helping me out.
--Brian

Re: Certificate renewal

sc00ter
In reply to this post by Sovann Huynh
I generated a new key pair and was able to generate the CSR.

My System admin then used that to get our new certs from Entrust.

I now have the new cert chain.

Do I just install it into our store referenced in the signature.properties file and cacerts.jks?
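The two keytool steps the thread circles around (a CSR from the key already in the keystore, then importing the signed chain under the same alias), as an added example that is not from the thread or the CONNECT project; the keystore name, alias, passwords and CA file names are assumptions.

```shell
#!/bin/sh
# Added example: renewing a certificate in a Java keystore with keytool.
# Keystore path, alias ("gateway") and password are assumed values.
set -eu

# Create a CSR from the key pair already stored under an alias. The -validity
# given at -genkeypair time only limits the self-signed placeholder cert; the
# private key has no expiry, so it can be reused and the alias stays the same.
make_csr() {
    ks="$1"; alias="$2"; pass="$3"; out="$4"
    keytool -certreq -alias "$alias" -keystore "$ks" -storepass "$pass" \
        -keypass "$pass" -file "$out"
}

# Import the CA chain first (each CA cert under its own alias), then the
# newly signed end-entity cert under the ORIGINAL alias so keytool pairs it
# with the existing private key. Importing it under a new alias would leave
# a trusted cert with no key, which a signing keystore cannot use.
import_chain() {
    ks="$1"; alias="$2"; pass="$3"; signed="$4"; shift 4
    n=0
    for ca in "$@"; do
        n=$((n + 1))
        keytool -importcert -noprompt -trustcacerts -alias "ca-$n" \
            -keystore "$ks" -storepass "$pass" -file "$ca"
    done
    keytool -importcert -noprompt -alias "$alias" -keystore "$ks" \
        -storepass "$pass" -keypass "$pass" -file "$signed"
}

# Print the validity line(s) for an alias so the new expiry can be verified
# after the import (and again in Production if the keystore is copied there).
show_validity() {
    keytool -list -v -alias "$2" -keystore "$1" -storepass "$3" | grep -i 'valid'
}

# Returns 0 when a file looks like a PEM CSR produced by keytool, 1 otherwise.
is_pem_csr() {
    head -n 1 "$1" | grep -q 'BEGIN NEW CERTIFICATE REQUEST'
}
```

Run `show_validity gateway.jks gateway "$PASS"` before and after `import_chain` to confirm the alias now carries the renewed end-entity certificate rather than the old self-signed one.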