Extracting AhsayOBS Wildcard SSL certificate
Overview
If your AhsayOBS server uses a wildcard SSL certificate (e.g. *.yourdomain.com) and you are interested in using a custom domain for your MyClient installation, the following instructions may help in retrieving your wildcard certificate from the AhsayOBS Java Keystore.
Support method
Attach the AhsayOBS keystore file to a support ticket, and we can extract the certificate for you.
Portecle GUI method
To extract the private key from your AhsayOBS keystore file, we recommend using the free software Portecle. This software is cross-platform java.
- Launch the applet from the website and browse to your AhsayOBS keystore file.
- Right-click the 'tomcat' certificate and choose 'export', selecting "Private Key and Certificates" in PEM format. The resulting file contains the private key. If you choose to encrypt the resulting output file, please supply us with the password along with the generated output file.
OpenSSL / keytool method
If you would rather use command-line utilities, or if your Linux AhsayOBS server does not use a GUI, you may extract the private key and certificates using keytool (bundled with java) and OpenSSL:
/path/to/java/jre6/bin/keytool -importkeystore -srckeystore /path/to/AhsayOBS/conf/keystore -destkeystore ~/output.p12 -deststoretype PKCS12
Enter a password (e.g. "changeit") for the produced temporary .p12 file, and supply the encryption key for the keystore (default "changeit"). This may produce a series of errors about keytool being unable to export CA certificates - this is fine, however ensure that the line "Entry for alias tomcat successfully imported" appears.
If you can supply us with the produced .p12 file, we can then proceed with installation of the SSL certificate. Otherwise you can extract the private key and certificates in ordinary human-readable PEM format with OpenSSL:
openssl pkcs12 -in ~/output.p12 -out ~/output.pem -nodes
As the .p12 file contains both parts of the matching pair, you could add -nocerts to the OpenSSL command to output only the private key, or add -nokeys to output only the certificate and chain.