Hi @woprhowe ,
I hope you are raising this question in relation to IFS applications and configuring IFS with the new certificate. If so, you will have to re-configure the IFS application again when there is a change in certificate. Regarding creating the certificate to include the code signing certificate, I think you will have to create a new CSR as well.
Thanks,
Kasun
Is there a tool in IFS to create the CSR, or does that have to be done using another tool such as the Windows Certificate store?
Is there a tool in IFS to create the CSR, or does that have to be done using another tool such as the Windows Certificate store?
No there’s in no tool in IFS IFS to create a a CSR in ifs, but the IFS installer provides the capability to create a self signed certificate which can be used for code signing from the installer. But I hope you are raising this question with regards to a PROD where using a self-signed cert is not recommended.
This is a “non-production” environment, but that last time we tried a self-signed cert, it failed when applying UPD. Are there any more detailed instructions on how to perform the update? I have searched https://docs.ifs.com/techdocs/, these instructions do not seem very detailed. I have checked with my CA, and they have no knowledge of IFS. When I download the new cert, I get two (2) .crt files and one .pem file. I have tried using the Java “keytool”, but this seem to only “import” and I cannot export the p12 file from the keystore.
This is a “non-production” environment, but that last time we tried a self-signed cert, it failed when applying UPD. Are there any more detailed instructions on how to perform the update?
Are you requesting more information regarding how to install the IFS UPD with a self -signed certificate? If yes, the installation instruction document provided with the Update should cover the installation instructions in detail.
I have searched https://docs.ifs.com/techdocs/, these instructions do not seem very detailed. I have checked with my CA, and they have no knowledge of IFS. When I download the new cert, I get two (2) .crt files and one .pem file. I have tried using the Java “keytool”, but this seem to only “import” and I cannot export the p12 file from the keystore.
You do not have to manually import the certificate to java keystores unless there is a special scenario like a integration scenario. Usually the self-signed certificate creation and importing should be handled by the installer itself when used. for a vendor certificate to be used with IFS, a domain certificate with code signing should be used and I think there are some topics around that topic already in IFS community, I will try to search and post some for your reference.
Edit:
Here are some topics:
- SSL Certificate are no longer issued for Code Signing Since June 2021. | IFS Community
- Questions regarding SSL Certificates -App10: | IFS Community
In case if you don’t have access to 2. :
Q:
One of our customers has following questions.
"I am being told that you cannot have one certificate that does both. The X.509 standard does not allow
that. According to the X.509 certificate specification, you cannot use a certificate for a purpose other than what is specified.
You can only specify a certificate for HTTPS or code signing, not both.
That being said, which of these options can be done:
1. Purchase a SSL Certificate for HTTPS web encryption, and generate a test certificate for code signing to send to F1Mage.
2. Purchase a SSL Certificate for both HTTPS and Code Signing.."
A:
Some of the CA sites let you select attributes, and there is one for code signing. Sometimes they work without that though, note this this is IFS dependent.
I have read through all of the referenced material and still find myself wanting more detail. One post references:
But there is not enough information to effectively run the script “update_http_certificates”. I am positive that I have the correct password for the .pfx file contains my certificate, yet it produces the error ”WARNING: Unable to update truststore! java.io.IOException: Keystore was tampered with, or password was incorrect
update_certs finsihed with errors!” It prompts for “OHS password”, then it prompts for “Password”, are these the password that I created when I exported the certificate and private key to the .pfx file? I wish that the IFS documentation would explain each prompt to clarify what entry is expected.