Products | Versions |
---|---|
TIBCO DataSynapse GridServer | - |
Not Applicable | - |
Resolution:
This Knowledge Base article describes how to update certificate stores using external certificate authorities. This article applies to keystore files that use public key certificates from external Certificate Authorities (CAs). If you use, or want to use, self-signed certificates, see Knowledge Base Article #339 - Using Self-signed Certificates.
Examples of external Certificate Authorities include:
* Verisign
* Valicert (GoDaddy)
* Thawte
* StartCom
* Comodo
To use an external Certificate Authority to generate your public key certificate, first generate a Certificate Signing Request (CSR) for your GridServer components. The example in this article uses a host named grid1.domain.com as the primary Manager with a Director and Broker running. The example does not include any secondary components as outlined in the Primary -> Secondary failover model.
The command examples in this article assume that the commands are in your PATH variable and are executable. If this is not the case, or you cannot verify it, use the full path to the command shown in the example.
For an explanation of the options used in the keytool command, see http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html.
For an explanation of the parts of the dname option passed to keytool, see http://www.ldapman.org/articles/intro_to_ldap.html.
1. Generate a server.keystore file that contains a private key:
keytool -genKey -keyalg RSA -dname "cn=grid1.domain.com, ou=Organizational Unit, o=Organization,l=City, st=State, c=Country" -alias grid1.domain.com -keypass changeit -keystore server.keystore -storepass changeit -validity 365
2. Export a Certificate Signing Request (CSR) from keystore file:
keytool -certreq -alias grid1.domain.com -file grid1.csr -keystore server.keystore -storepass changeit
3. Submit your CSR to the desired Certificate Authority and obtain your public key certificate.
4. Obtain your CA's public key certificate(s) and any intermediary certificates required by your CA. You can contact your CA to verify that you have all the required files.
5. Import your CA's public key certificate(s). Repeat this step for each intermediary certificate, giving each one its own -alias (keytool refuses to import a second certificate under an alias that already exists):
keytool -import -v -trustcacerts -noprompt -storepass changeit -alias cacert -keystore server.keystore -file certificate-authority-ca.cer
6. Import your public key certificate for grid1.domain.com:
keytool -import -v -trustcacerts -noprompt -storepass changeit -alias grid1.domain.com -keystore server.keystore -file grid1-public-certificate.cer
7. Create the ssl.keystore used by GridServer by importing your CA's public key certificate; repeat this step for each intermediary certificate, again with a distinct -alias for each:
keytool -import -v -trustcacerts -noprompt -storepass changeit -alias cacert -keystore ssl.keystore -file certificate-authority-ca.cer
8. Import your public key certificate into the GridServer keystore, ssl.keystore:
keytool -import -v -trustcacerts -noprompt -storepass changeit -alias grid1.domain.com -keystore ssl.keystore -file grid1-public-certificate.cer
9. Export, from server.keystore, the binary and base64 certificate files required:
keytool -export -alias grid1.domain.com -keystore server.keystore -storepass changeit -file ssl.crt
keytool -export -rfc -alias grid1.domain.com -keystore server.keystore -storepass changeit -file ssl.pem
10. Copy server.keystore and ssl.* to datasynapse/webapps/livecluster/WEB-INF/certs/
11. Copy ssl.* to datasynapse/webapps/livecluster/engineUpdate/shared/
12. Copy ssl.* to DSEngine/ for Unix and Engine/ for Windows.
13. Copy ssl.* to GridServerSDK-platform/config/
14. On a Win32 driver machine, double-click GridServerSDK-win32/config/ssl.crt to install the certificate for the .NET driver.
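The keystore procedure above (steps 1 to 9) as an added shell script, not TIBCO's code and not part of the article: it runs the steps in a scratch directory and then checks that the CA reply was actually installed against the private key. Because the external CA signs the CSR out of band, a local keytool-generated CA key stands in for it (an assumption made so the script runs offline; keytool -gencert needs JDK 7 or later), and HOST, PASS and WORK are hypothetical variables defaulting to the article's values.

```sh
#!/bin/sh
# Added example (not TIBCO's): steps 1-9 end to end; a local keytool CA stands in for the external CA.
set -eu
HOST="${HOST:-grid1.domain.com}"   # Manager host from the article
PASS="${PASS:-changeit}"           # store and key password used in the article
WORK="${WORK:-$(mktemp -d)}"       # scratch directory that receives every file produced
DNAME="cn=$HOST, ou=Organizational Unit, o=Organization, l=City, st=State, c=US"
CA_CER="$WORK/certificate-authority-ca.cer"
REPLY="$WORK/grid1-public-certificate.cer"

# Stand-in for the external CA (assumption): a self-signed key carrying the CA basic constraint.
make_local_ca() {
  keytool -genkeypair -keyalg RSA -keysize 2048 -alias ca -ext bc:c -validity 365 \
    -dname "cn=Local Test CA, o=Organization, c=US" \
    -keystore "$WORK/ca.keystore" -storepass "$PASS" -keypass "$PASS"
  keytool -export -rfc -alias ca -keystore "$WORK/ca.keystore" -storepass "$PASS" -file "$CA_CER"
}

# Steps 1-2: private key in server.keystore, then the CSR.
make_csr() {
  keytool -genkeypair -keyalg RSA -keysize 2048 -dname "$DNAME" -alias "$HOST" -validity 365 \
    -keypass "$PASS" -keystore "$WORK/server.keystore" -storepass "$PASS"
  keytool -certreq -alias "$HOST" -file "$WORK/grid1.csr" -keystore "$WORK/server.keystore" -storepass "$PASS"
}

# Step 3 stand-in: the local CA signs the CSR (a real CA returns this file to you).
sign_csr() {
  keytool -gencert -rfc -alias ca -keystore "$WORK/ca.keystore" -storepass "$PASS" \
    -validity 365 -infile "$WORK/grid1.csr" -outfile "$REPLY"
}

# Steps 5-9: trust the CA, install the signed reply, build ssl.keystore, export ssl.crt and ssl.pem.
install_certs() {
  for ks in server.keystore ssl.keystore; do
    keytool -import -v -trustcacerts -noprompt -storepass "$PASS" -alias cacert -keystore "$WORK/$ks" -file "$CA_CER"
    keytool -import -v -trustcacerts -noprompt -storepass "$PASS" -alias "$HOST" -keystore "$WORK/$ks" -file "$REPLY"
  done
  keytool -export -alias "$HOST" -keystore "$WORK/server.keystore" -storepass "$PASS" -file "$WORK/ssl.crt"
  keytool -export -rfc -alias "$HOST" -keystore "$WORK/server.keystore" -storepass "$PASS" -file "$WORK/ssl.pem"
}

# Check: once the reply is installed, the host alias in server.keystore is a PrivateKeyEntry whose
# chain is host certificate + CA certificate, so keytool reports "Certificate chain length: 2".
chain_length() {   # $1 keystore file name, $2 alias; prints the chain length (empty if not a key entry)
  keytool -list -v -keystore "$WORK/$1" -storepass "$PASS" -alias "$2" 2>/dev/null \
    | sed -n 's/^Certificate chain length: *//p'
}
run_all() { make_local_ca; make_csr; sign_csr; install_certs; echo "output in $WORK"; }
if [ "${1:-}" = "run" ]; then run_all; fi   # nothing runs at load time; invoke as: sh this.sh run
```

If chain_length prints 1 instead of 2, the reply was imported as a separate trusted entry rather than installed against the private key, which is what happens when the CA certificate was not imported first.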