Adding a certificate to the Truststore without the private key


I'm trying to set up mutual SSL to my backend following this guide.

This requires me to add my backend server's certificate to the truststore, as documented here.

The problem is, here it says

Create a JAR file with your private key, certificate, and a manifest.
The JAR file must contain the following files and directories:

/META-INF/descriptor.properties
myCert.pem
myKey.pem

This doesn't make much sense, based on my understanding of SSL.

For my backend server, I don't have the private key, because I don't need to know it, and I should never give it to anyone. I just need to trust the certificate.

When I try to upload the jar without the key, I get the message

Required property : keyFile not found in the descriptor file

How do I upload a certificate to trust without providing the private key?

ACCEPTED SOLUTION

The section you have quoted from the docs page KeyStores and TrustStores relates to what you need when preparing to create a KeyStore. You need to do this if you are looking to configure Edge for 2-way SSL to your backend server because Edge also has to present a certificate.

It sounds to me like you want to configure Edge for 1-way SSL to your backend server, where just your backend server presents the certificate. If that is the case, you can skip over the KeyStore part of that page and scroll down to the section called "Create a truststore".


4 REPLIES


Hi @tpearson, just checking back: did my answer help you to get your certificate loaded into the truststore? If it did, can you accept the answer? If it's not yet working for you, let me know and I'll try to help further.


OK - after a bit of research, it seems clear that the best thing to do is use the pre-provided key/cert pair.


@tpearson

Try changing the descriptor.properties file entries to something like this:

certFile=myCert.pem
keyFile=myKey.pem
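As an added example (written for this page; it is not code from the original thread or from Apigee), the script below builds the keystore JAR layout quoted in the question, with the `certFile`/`keyFile` entries from the last reply in `META-INF/descriptor.properties`, and pre-checks it for the problem that produces "Required property : keyFile not found in the descriptor file". It also shows the check that matters for the 1-way case the accepted answer describes: the PEM you hand to the truststore should contain only CERTIFICATE blocks and never a private key. Assumptions, not taken from the page: that `certFile` and `keyFile` are the two mandatory descriptor properties, that a minimal `MANIFEST.MF` is acceptable, and the PEM contents, which are constructed placeholders rather than real key material.

```python
# Added example, not from the original post or from Apigee: build the keystore JAR
# layout quoted in the question and pre-check it before uploading.
import io
import zipfile

DESCRIPTOR_PATH = "META-INF/descriptor.properties"
REQUIRED_PROPS = ("certFile", "keyFile")  # assumption: both mandatory for a keystore JAR

# Constructed placeholders, NOT real key material: only the PEM block labels matter here.
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQtUExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_KEY_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQtUExBQ0VIT0xERVItTk9ULUEtUkVBTC1LRVk=\n"
    "-----END PRIVATE KEY-----\n"
)


def parse_descriptor(text):
    """Parse a Java-style .properties file (key=value or key: value) into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank lines and comments
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def missing_properties(props):
    """Names of required descriptor properties that are absent."""
    return [p for p in REQUIRED_PROPS if p not in props]


def pem_block_types(pem_text):
    """Labels of the PEM blocks in a file, e.g. ['CERTIFICATE']."""
    types = []
    for line in pem_text.splitlines():
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            types.append(line[len("-----BEGIN "):-5].strip())
    return types


def contains_private_key(pem_text):
    """True if any PEM block is a private key; a trust-anchor file must never have one."""
    return any("PRIVATE KEY" in t for t in pem_block_types(pem_text))


def build_keystore_jar(cert_pem, key_pem=None, cert_name="myCert.pem", key_name="myKey.pem"):
    """Return JAR bytes with the files the question lists.
    key_pem=None reproduces the 'upload without the key' attempt from the question."""
    descriptor = f"certFile={cert_name}\n"
    if key_pem is not None:
        descriptor += f"keyFile={key_name}\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n\n")  # assumed minimal manifest
        jar.writestr(DESCRIPTOR_PATH, descriptor)
        jar.writestr(cert_name, cert_pem)
        if key_pem is not None:
            jar.writestr(key_name, key_pem)
    return buf.getvalue()


def check_keystore_jar(jar_bytes):
    """Problems a keystore upload would hit, using the question's wording where known."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        if DESCRIPTOR_PATH not in names:
            return [f"descriptor file {DESCRIPTOR_PATH} not found"]
        props = parse_descriptor(jar.read(DESCRIPTOR_PATH).decode("utf-8"))
        for p in missing_properties(props):
            problems.append(f"Required property : {p} not found in the descriptor file")
        for p in REQUIRED_PROPS:
            if p in props and props[p] not in names:
                problems.append(f"{p}={props[p]} is referenced but not present in the JAR")
        cert_name = props.get("certFile")
        if cert_name in names and contains_private_key(jar.read(cert_name).decode("utf-8")):
            problems.append(f"{cert_name} contains a private key block; a certificate file should not")
    return problems


if __name__ == "__main__":
    print("2-way (keystore) JAR:", check_keystore_jar(build_keystore_jar(SAMPLE_CERT_PEM, SAMPLE_KEY_PEM)) or "ok")
    print("cert-only JAR:", check_keystore_jar(build_keystore_jar(SAMPLE_CERT_PEM)))
    print("trust cert carries a private key?", contains_private_key(SAMPLE_CERT_PEM))
```

Running it shows the complete JAR passing, the cert-only JAR failing with the exact message from the question, and the certificate file reporting no private key, which is the state you want for the 1-way truststore path: the backend's certificate is all you hold and all you upload.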