Application Studio has script files in the <install directory>\cli-tools directory for performing certificate imports and maintenance. All events related to use of the tools are written to <install directory>/logs/appStudioCli.log. The scripts are interactive and execute without parameters.
The following topics describe the tools.
You can use the public certificate management tool to import and manage public key certificates in the Application Studio truststore. Supported file formats are PEM encoded DER (.pem) and binary DER (.cer, .crt, .der) X.509 certificates. The script, named manageTrustedCerts.sh, can perform the following functions.
The script can import public key certificate files.
If the preceding validations are met, the X.509 certificate is imported in the truststore.
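A pre-import check for files destined for manageTrustedCerts.sh, written as an added Python example rather than Application Studio code: it confirms that the file content matches the encoding the text above pairs with its extension and that it is a single DER-framed object with no private key in it. The function names and the sample bytes are constructed for illustration, and the script's own validations are not reproduced here.

```python
import ssl

# Extension-to-encoding mapping as listed in the text above.
EXPECTED = {".pem": "pem", ".cer": "der", ".crt": "der", ".der": "der"}


def der_is_single_sequence(der: bytes) -> bool:
    """True if the bytes are exactly one DER SEQUENCE, the outer X.509 framing."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        header, length = 2, der[1]
    else:                                   # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def check_cert_file(filename: str, data: bytes) -> list:
    """Return a list of problems; an empty list means the file passed these checks."""
    problems = []
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    if ext not in EXPECTED:
        problems.append(f"unsupported extension {ext!r}")
    if b"PRIVATE KEY-----" in data:
        problems.append("file contains a private key")
    if b"-----BEGIN CERTIFICATE-----" in data:
        encoding = "pem"
        try:
            der = ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
        except ValueError:                  # bad armor, bad base64, or non-ASCII bytes
            der = b""
    else:
        encoding, der = "der", data
    if ext in EXPECTED and EXPECTED[ext] != encoding:
        problems.append(f"{ext} should be {EXPECTED[ext]} but content is {encoding}")
    if not der_is_single_sequence(der):
        problems.append("content is not a single DER SEQUENCE")
    return problems


# Constructed sample: a 260-byte zero-filled DER SEQUENCE, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")
```

Certificate files with a .cer or .crt extension are often PEM text in practice, which is the mismatch this check reports.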
The script can list the details of all public key certificates in the Application Studio truststore. The details include:
The script can delete public key certificates in the Application Studio truststore.
The script prompts for the alias of the certificate to delete. If a certificate with the alias exists in the truststore, it is deleted.
The Apache Tomcat web server used by Application Studio has a self-signed certificate for SSL that was generated during installation. Best practice after installing Application Studio is to replace the default certificate with your own certificate. You can use the managePersonalCerts tool to replace it.
You can use the private certificate management tool to import and manage private-public key pairs and certificates in the Application Studio keystore. The supported file format is P12 (.p12). The script, named managePersonalCerts.sh, can perform the following functions.
The script can import X.509 private key certificate files.
If the preceding validations are met, the X.509 certificate is imported in the keystore. The certificate is given the default alias of the previous certificate in the keystore (that is, tomcat). Restart Application Studio for Tomcat to use the certificate.
Note: The default installation of Application Studio creates a self-signed certificate and keeps it in the keystore under the default alias tomcat. When the managePersonalCerts utility is run, it deletes the existing certificate from the keystore and imports the certificate provided by the user, keeping the alias of the imported certificate the same as before. Hence the newly imported certificate has the same alias as the previous one.
The script can display the following details about a certificate in the keystore: alias, serial name and validity dates.