Versions Compared

...

The script will ask for a password; you will be prompted for it whenever the private key is accessed. Keep this password safe and secure. Additionally, in typical SHRINE setups that do not differentiate between HTTPS and SHRINE signing certificates, the password for this private key must be the same as the password used for the keystore ($KEYSTORE_PASSWORD).

...

After the hub administrator (or CA administrator, if the two entities are separate) approves and signs the certificate, they will send back a signed version of your cert along with the hub's CA cert, as well as the cert used for normal HTTPS communication with the hub. Import all of these into your keystore with the following commands in order:

keytool -import -v -alias shrine-hub-ca -file shrine-hub-ca.pem -keystore $KEYSTORE_FILE -storepass $KEYSTORE_PASSWORD
keytool -import -v -alias shrine-hub-https -file shrine-hub-https.pem -keystore $KEYSTORE_FILE -storepass $KEYSTORE_PASSWORD
keytool -import -v -alias $KEYSTORE_ALIAS -file shrine-client-signed.pem -keystore $KEYSTORE_FILE -storepass $KEYSTORE_PASSWORD -keypass $KEYSTORE_PASSWORD -trustcacerts

Make absolutely sure the -alias value in the third and final command exactly matches the alias used for your original certificate (the one marked as PrivateKeyEntry in the keystore)! Otherwise, queries will fail with signature verification errors, since the CA's signature will not be on the exact same keystore entry that SHRINE uses. Upon importing your signed certificate, the following message should appear:

...

After a successful round of imports, verify the contents of the keystore with keytool -list -v -keystore $KEYSTORE_FILE. There should be at least 2 entries in the keystore:

  1. Your own PrivateKeyEntry, with an additional certificate chained to it. The "Issuer:" line should reflect information from the hub's CA, not your own.
  2. The hub's CA signature certificate. The "Owner:" line on this should match the "Issuer:" line on your PrivateKeyEntry's certificate.
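As an added check (example script written for this page, not part of the SHRINE documentation or project), the function below parses a keytool -list -v listing and verifies the two conditions just described, plus the alias warning from the import step: the alias must be a PrivateKeyEntry with a chain of at least two certificates, and its Issuer must equal the Owner of a trustedCertEntry. The listing is a constructed sample; the aliases shrine-client and shrine-client-old and the DN values are assumed, and in practice you would pass it the output of keytool -list -v -keystore $KEYSTORE_FILE.

```shell
#!/bin/sh
# check_shrine_keystore ALIAS LISTING
#   ALIAS   - the keystore alias SHRINE signs with ($KEYSTORE_ALIAS)
#   LISTING - text of `keytool -list -v` output
# Returns 0 and prints the matching CA alias when ALIAS is a PrivateKeyEntry
# whose chain has 2+ certificates and whose Issuer equals the Owner of some
# trustedCertEntry; otherwise prints the reason and returns 1.
check_shrine_keystore() {
  want="$1"; listing="$2"
  printf '%s\n' "$listing" | awk -v want="$want" '
    /^Alias name:/               { cur = substr($0, 13); ncert[cur] = 0 }
    /^Entry type:/               { etype[cur] = $3 }
    /^Certificate chain length:/ { chain[cur] = $4 }
    # Owner/Issuer repeat once per chained cert; keep only the entry itself.
    /^Owner:/  { if (++ncert[cur] == 1) owner[cur] = substr($0, 8) }
    /^Issuer:/ { if (ncert[cur] == 1) issuer[cur] = substr($0, 9) }
    END {
      if (!(want in etype)) { print "no entry with alias " want; exit 1 }
      if (etype[want] != "PrivateKeyEntry") { print want " is not a PrivateKeyEntry"; exit 1 }
      if (chain[want] + 0 < 2) { print "chain length " (chain[want] + 0) ": signed cert not under this alias"; exit 1 }
      for (a in etype)
        if (etype[a] == "trustedCertEntry" && owner[a] == issuer[want]) { print "ok: " want " issued by " a; exit 0 }
      print "no trustedCertEntry whose Owner matches " issuer[want]; exit 1
    }'
}

# Constructed sample of keytool -list -v output, trimmed to the relevant lines.
SAMPLE_LISTING='Keystore type: PKCS12
Your keystore contains 3 entries

Alias name: shrine-client
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=shrine.site.example, O=Example Site
Issuer: CN=SHRINE Hub CA, O=Example Hub
Certificate[2]:
Owner: CN=SHRINE Hub CA, O=Example Hub
Issuer: CN=SHRINE Hub CA, O=Example Hub

Alias name: shrine-hub-ca
Entry type: trustedCertEntry
Owner: CN=SHRINE Hub CA, O=Example Hub
Issuer: CN=SHRINE Hub CA, O=Example Hub

Alias name: shrine-client-old
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=shrine.site.example, O=Example Site
Issuer: CN=shrine.site.example, O=Example Site'

check_shrine_keystore shrine-client "$SAMPLE_LISTING"
```

The shrine-client-old entry in the sample is the alias-mismatch failure mode: a signed cert imported under some other alias leaves the original PrivateKeyEntry self-signed with a chain length of 1, which the check reports.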

In versions before 1.22, you could also include the HTTPS cert in the same keystore. 1.22.4 and onward require a separate keystore for HTTPS, with a cert signed by a public CA:

keytool -import -v -alias shrine-hub-https -file shrine-hub-https.pem -keystore $HTTPS_KEYSTORE_FILE -storepass $KEYSTORE_PASSWORD

Update shrine.conf and Restart SHRINE

...