
Certificate setup

Philip Helger edited this page May 17, 2019 · 13 revisions

This page explains how to create a valid Java keystore (JKS) for usage with OpenPEPPOL SMP. This is surely not the only way, but one that worked for me.

The following prerequisites must be fulfilled to create the certificate:

PKI v3 (starting 2018)

Steps to perform (tested on Windows 7):

  1. Copy all relevant OpenPEPPOL root certificates into a single file called "truststore_xxx.pem" (simply copy-paste them in a text editor, one after the other). One for pilot, one for production. Order: ROOT certificate first, then SMP certificate. You may also download them from here: truststore_test_v3.pem or truststore_prod_v3.pem. Then copy the matching file into the directory where the certificate resides. Note: the term "pilot" in the old PKI was changed to "test" in the new PKI.

  2. Perform steps as described in the Enrollment mail. Don't forget the enrollment code you should have received via SMS.

  3. The following text assumes that you used the password passwd when exporting the certificates from your browser (it is used in the examples below).

  4. Export the private key from the p12 file:

    • SMP Test: openssl pkcs12 -in smp-test.p12 -passin pass:passwd -nocerts -out smp-test.key -passout pass:passwd
    • SMP Production: openssl pkcs12 -in smp-prod.p12 -passin pass:passwd -nocerts -out smp-prod.key -passout pass:passwd
  5. Export the public certificate from the p12 file:

    • SMP Test: openssl pkcs12 -in smp-test.p12 -passin pass:passwd -clcerts -nokeys -out smp-test.cer
    • SMP Production: openssl pkcs12 -in smp-prod.p12 -passin pass:passwd -clcerts -nokeys -out smp-prod.cer
  6. Combine CER (public part) and KEY (private part) into a single PKCS12 keystore using the full chain. This step requires the truststore files from step 1 (see above). When asked for the key password, use the one from step 4 (passwd if you copy-pasted the command).

    • SMP Test: openssl pkcs12 -export -in smp-test.cer -inkey smp-test.key -out smp-test-complete.p12 -name smp-test -passout pass:passwd -certfile truststore_test_v3.pem

    • SMP Production: openssl pkcs12 -export -in smp-prod.cer -inkey smp-prod.key -out smp-prod-complete.p12 -name smp-prod -passout pass:passwd -certfile truststore_prod_v3.pem

    • This step produces the files smp-test-complete.p12 (alias smp-test) and smp-prod-complete.p12 (alias smp-prod).

  7. Convert the PKCS12 keystores to JKS keystores. I'm using the application keytool that is part of the Java JDK (not in JRE!) - again with the password passwd:

    • SMP Test: "%java_home%\bin\keytool" -importkeystore -srckeystore smp-test-complete.p12 -srcstoretype PKCS12 -srcstorepass passwd -alias smp-test -destkeystore smp-test.jks -deststorepass passwd -destkeypass passwd
    • SMP Production: "%java_home%\bin\keytool" -importkeystore -srckeystore smp-prod-complete.p12 -srcstoretype PKCS12 -srcstorepass passwd -alias smp-prod -destkeystore smp-prod.jks -deststorepass passwd -destkeypass passwd
    • This step produces the files smp-test.jks and smp-prod.jks.
  8. Done! Now place the keystore in the correct place as outlined in Configuration.

PKI v2 (<= 2018)

Steps to perform (tested on Windows 7):

  1. Copy all relevant OpenPEPPOL root certificates into a single file called "truststore_xxx.pem" (simply copy-paste them in a text editor, one after the other). One for pilot, one for production. Order: ROOT certificate first, then SMP certificate. You may also download them from here: truststore_pilot.pem (PKI V2) or truststore_prod.pem (PKI V2). Then copy the matching file into the directory where the certificate resides.

  2. Perform the steps as described in the PDF (CSR + digital ID retrieval).

  3. Extract the certificate from the digital ID (everything including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) and store it as an "xxx.cer" file (where xxx is either smp.pilot or smp.prod in the following examples). Afterwards, please ensure that -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- are each on a separate line and that no other content shares that line!

  4. Combine CER (public part) and KEY (private part) into a single PKCS12 keystore, using the password passwd (this password is used in the examples below). This step requires the truststore files from step 1 (see above)!

    • SMP Pilot: openssl pkcs12 -export -in smp.pilot.cer -inkey smp.pilot.key -out smp.pilot.p12 -name smp.pilot -passout pass:passwd -certfile truststore_pilot.pem

    • SMP Production: openssl pkcs12 -export -in smp.prod.cer -inkey smp.prod.key -out smp.prod.p12 -name smp.prod -passout pass:passwd -certfile truststore_prod.pem

    • This step produces the files smp.pilot.p12 and smp.prod.p12.

  5. Convert the PKCS12 keystores to JKS keystores. I'm using the application keytool that is part of the Java JDK (not in JRE!) - again with the password passwd:

    • SMP Pilot: "%java_home%\bin\keytool" -importkeystore -srckeystore smp.pilot.p12 -srcstoretype PKCS12 -srcstorepass passwd -alias smp.pilot -destkeystore smp.pilot.jks -deststorepass passwd -destkeypass passwd
    • SMP Production: "%java_home%\bin\keytool" -importkeystore -srckeystore smp.prod.p12 -srcstoretype PKCS12 -srcstorepass passwd -alias smp.prod -destkeystore smp.prod.jks -deststorepass passwd -destkeypass passwd
    • This step produces the files smp.pilot.jks and smp.prod.jks.
  6. Done! Now place the keystore in the correct place as outlined in Configuration.
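To make the openssl/keytool steps above (PKI v3 steps 4 to 7) and the "markers on their own line" check from step 3 of the PKI v2 section reproducible without a real enrollment, here is an added shell script that is not part of this wiki or of phoss SMP. It builds a constructed, throw-away chain (a self-signed ROOT, an intermediate standing in for the SMP CA, and an SMP certificate; all subjects, file names and the work directory are assumptions) plus a stand-in for the browser-exported smp-test.p12, then runs the page's commands against it, assembles truststore_test_v3.pem in the required ROOT-first order, and checks the result: the truststore's PEM markers are alone on their lines, the first certificate in it is self-signed, the complete PKCS12 carries three certificates (the SMP certificate plus the two from -certfile), and the SMP certificate verifies against the truststore. The keytool step runs only when a JDK is on the PATH.

```shell
#!/bin/sh
# Added example, not from the phoss SMP wiki: runs the PKI v3 keystore steps
# end to end against a CONSTRUCTED throw-away chain so they can be checked offline.
# Assumed stand-ins: root.cer / smpca.cer play the OpenPEPPOL ROOT and SMP CA,
# smp-test.p12 plays the browser-exported enrollment file. Password "passwd" as on the page.
set -e
WORK=$(mktemp -d)
PASS=passwd

# Constructed chain: self-signed ROOT -> intermediate "SMP CA" -> SMP certificate
make_demo_chain() {
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo ROOT CA (constructed)" -keyout root.key -out root.cer 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=Demo SMP CA (constructed)" -keyout smpca.key -out smpca.csr 2>/dev/null
  openssl x509 -req -in smpca.csr -CA root.cer -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out smpca.cer 2>/dev/null
  printf 'basicConstraints=CA:FALSE\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=Demo SMP certificate (constructed)" -keyout smp.key -out smp.csr 2>/dev/null
  openssl x509 -req -in smp.csr -CA smpca.cer -CAkey smpca.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out smp.cer 2>/dev/null
  # What the browser export hands you: certificate + key, no chain
  openssl pkcs12 -export -in smp.cer -inkey smp.key -name smp-test \
    -out smp-test.p12 -passout pass:$PASS
  # Step 1 of the page: ROOT first, then the SMP CA, in one PEM file
  cat root.cer smpca.cer > truststore_test_v3.pem
}

# Steps 4 to 6 of the page, with -passin added so nothing prompts interactively
build_complete_p12() {
  cd "$WORK"
  openssl pkcs12 -in smp-test.p12 -passin pass:$PASS -nocerts -out smp-test.key -passout pass:$PASS
  openssl pkcs12 -in smp-test.p12 -passin pass:$PASS -clcerts -nokeys -out smp-test.cer
  openssl pkcs12 -export -in smp-test.cer -inkey smp-test.key -passin pass:$PASS \
    -out smp-test-complete.p12 -name smp-test -passout pass:$PASS -certfile truststore_test_v3.pem
}

# The pitfall named in PKI v2 step 3: every BEGIN/END marker must stand alone on its line
# (CRs are dropped first so a file saved with Windows line endings is judged by its content)
pem_markers_alone() {
  for m in BEGIN END; do
    total=$(tr -d '\r' < "$1" | grep -c -- "-----$m CERTIFICATE-----" || true)
    alone=$(tr -d '\r' < "$1" | grep -c -- "^-----$m CERTIFICATE-----\$" || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$alone" ] || return 1
  done
}

# The first certificate in the truststore must be self-signed, i.e. the ROOT comes first
root_is_first() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Number of certificates inside a PKCS12 file (the SMP certificate plus everything from -certfile)
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin pass:$PASS -nokeys 2>/dev/null | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# The exported SMP certificate must chain up to the truststore
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Step 7 of the page; runs only when a JDK keytool is on the PATH, then confirms the alias exists
convert_to_jks() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, JKS step skipped"; return 0; }
  cd "$WORK"
  keytool -importkeystore -srckeystore smp-test-complete.p12 -srcstoretype PKCS12 -srcstorepass $PASS \
    -alias smp-test -destkeystore smp-test.jks -deststorepass $PASS -destkeypass $PASS 2>/dev/null
  keytool -list -keystore smp-test.jks -storepass $PASS -alias smp-test >/dev/null 2>&1
}

make_demo_chain
build_complete_p12
pem_markers_alone "$WORK/truststore_test_v3.pem" && echo "truststore: PEM markers are on their own lines"
root_is_first "$WORK/truststore_test_v3.pem" && echo "truststore: ROOT certificate comes first"
echo "certificates in smp-test-complete.p12: $(p12_cert_count "$WORK/smp-test-complete.p12")"
chain_verifies "$WORK/smp-test.cer" "$WORK/truststore_test_v3.pem" && echo "SMP certificate verifies against the truststore"
convert_to_jks || echo "JKS conversion failed"
```

Run it with sh; everything is written into a temporary directory. The added -passin pass:... options are what turn the page's interactive password prompts into non-interactive calls; because a password given as pass:... shows up in shell history and process listings, openssl also accepts file:, env: and stdin sources for -passin and -passout. Putting the SMP CA before the ROOT in the truststore, or letting any text share a line with an -----END CERTIFICATE----- marker, makes the corresponding check return non-zero.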

For certificate viewing and analysis I recommend using Portecle - also OSS.

Note: this procedure can be repeated for the AccessPoint certificates as well.
