StrongKey's Sign-On (SSO) uses Transport Layer Security (TLS) to protect sensitive information on the network between a calling client Application and the StrongKey FIDO Server (SKFS).
By default, each newly installed SKSO generates a key pair and a self-signed digital certificate for establishing TLS connections. At most sites, this setup is sufficient for the Application to make secure connections to the SKFS.
StrongKey's self-signed certificate offers a distinct advantage over a certificate from a trusted third-party CA (TTPCA) in deterring breaches of the web service: attackers who are unfamiliar with self-signed certificates are confused by the resulting error messages, whereas a TTPCA certificate is often trusted by them.
To use an alternative certificate for SKSO, import it through a Java KeyStore:
shell> cd /usr/local/strongauth/payara6/glassfish/domains/domain1/config
Or use the alias for that directory:
shell> ascfg
shell> keytool -genkeypair -alias s1as -keystore newkeystore.p12 -storepass changeit -storetype pkcs12 -keypass changeit -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -ext "SAN=DNS:blue.strongkey.com,DNS:red.strongkey.com"
shell> keytool -certreq -alias s1as -keyalg RSA -file certreq.csr -keystore newkeystore.p12 -ext SAN=dns:blue.strongkey.com,dns:red.strongkey.com
shell> keytool -printcertreq -file certreq.csr
shell> keytool -import -keystore newkeystore.p12 -alias s1as -keypass changeit -storepass changeit -file chain.pem
shell> keytool -import -keystore newkeystore.p12 -alias cacert -keypass changeit -storepass changeit -file cacert.pem
shell> keytool -import -keystore newkeystore.p12 -alias s1as -keypass changeit -storepass changeit -file signedcert.pem
Now use the new keystore (newkeystore.p12) to replace the certificate in the GlassFish keystore by following the steps below. The first step keeps a dated backup of the existing keystore.
shell> cp keystore.p12 keystore.p12.<date>
shell> mv newkeystore.p12 keystore.p12
shell> sudo systemctl restart payara
Connect to the Payara server from a browser and inspect the certificate it presents; confirm that it is the certificate issued by the external CA and that it carries all of the SANs, if any were requested.