EST devices may be issued a certificate from a third-party CA. These vendor certificates were issued during manufacture. Certificate Enrollment Gateway can authenticate the initial enrollment request from these EST devices by validating their vendor certificate. To validate a vendor certificate, Certificate Enrollment Gateway requires a truststore containing the CA certificate chain for the vendor certificate.
The truststore must be stored in one of the following files:
File | Description |
|---|---|
P12 truststore | This file must be a PKCS #12 (P12) file. The file must contain at least one Trusted CA Certificate entry (TrustedCertEntry). |
PEM truststore | The file must be a PEM-formatted file. The file must contain at least one PEM-formatted CA certificate. Each CA certificate must include any BEGIN CERTIFICATE and END CERTIFICATE lines if present. |
To generate a P12 truststore for a vendor certificate using the Java keytool utility
- Obtain the certificate chain for the vendor certificate, from the issuing CA certificate to the root CA certificate.
- Log in to a computer that has Java installed.
For each certificate, enter the following command to generate the P12 truststore file and import certificates into the truststore:
keytool -import-alias <alias> -trustcacerts -file <cert-file> -keystore <truststore>Where:
<alias>is an alias for the certificate. Use a different alias for each certificate you will import.<cert-file>is the path and file name of the certificate.<truststore>is the path and file name of the P12 truststore file. For example,vendor-truststore.p12. The utility will create the file if it does not exist.
For example:
keytool -import-alias cagw-root -trustcacerts -file /tmp/root.cer -keystore /home/user/vendor-truststore.p12- When prompted, enter a password for the truststore.
To generate a PEM truststore for a vendor certificate
- Obtain the certificate chain for the vendor certificate, from the issuing CA certificate to the root CA certificate.
- Open a text editor.
- Create a new file.
Paste the contents of each CA certificate file into the new file, from the issuing CA certificate to the root CA certificate. Each CA certificate must include any BEGIN CERTIFICATE and END CERTIFICATE lines if present. For example:
-----BEGIN CERTIFICATE-----<TLS server certificate in Base64 encoding>-----END CERTIFICATE----------BEGIN CERTIFICATE----<Issuing CA certificate in Base64 encoding>-----END CERTIFICATE----------BEGIN CERTIFICATE----<Root CA certificate in Base64 encoding>-----END CERTIFICATE-----The text file should look similar to the following:
-----BEGIN CERTIFICATE-----MIIDqQYJKoZIhvcNAQcCoIIDmjCCA5YCAQExADALBgkqhkiG9w0BBwGgggN...-----END CERTIFICATE----------BEGIN CERTIFICATE----MIIDejCCAmKgAwIBAgIQQ8e7ock59Y21Mtcy7rGJUDANBgkqhkiG9w0BAQs...-----END CERTIFICATE----------BEGIN CERTIFICATE----MIQ0EgRW50cnkwHhcNMjMwMjA4MTUxNzEwWhcNMzMwMjA4MTU0NzEwWjAyM...-----END CERTIFICATE------ Save and close the file.