
CA Signed DISA Certificate Generation and Deployment Process


The DISA installer gathers the necessary information and generates a key store file (disa.jks) required for DISA secured communication. The key store file is a repository where the DISA private key and public key certificates are stored.

By default, DISA generates a self-signed certificate for a secure connection with the browser. For security reasons, the default DISA certificate has a basic constraint: it is restricted to server and client authentication and cannot be used as a Certificate Authority (CA) certificate. However, DISA can use an X.509 certificate signed by an enterprise certificate authority.

The default self-signed certificate can be replaced with a valid CA signed certificate to match enterprise security policy.

To generate and deploy a CA signed DISA certificate, perform the following tasks:

  1. Generate Certificate Signing Request File
  2. Send the DISA Certificate Signing Request (CSR) to CA
  3. Determine the Certificate Chain
  4. Export Certificate from Certificate Path View
  5. Import Certificates to DISA Key Store
  6. Deploying DISA Using the New Key Store File

Generate Certificate Signing Request File

  1. Generate a Certificate Signing Request file from an existing key store file.
  2. Run the DISA installer to install a copy of the DISA application.
    1. Select the option Generate Keystore and Certificate in the DISA Certificate install step.
    2. Provide correct details about the organization and address in accordance with CA policy.
    3. Clear the option Import Certificate into Trusted Root.
    4. Retain other configurations in the other install steps. Click Next to reach the Install Complete step. Click Finish.
    5. Create a backup of the disa.jks file in the DISA installation directory so that a safe copy exists in case the following steps fail.
  3. Open a command prompt window and navigate to the <DISA_HOME>\DesktopIntSiebelAgent folder using the cd command.
  4. Make sure no DISA instance is running. In the command window, run the command:

    disa.exe keymgr -certreq -file <path_to_output_csr_file>

    Replace the placeholder <path_to_output_csr_file> with the location where the .csr file is to be generated.

    For example:

    disa.exe keymgr -certreq -file disa_to_be_signed.csr

    This command generates a Certificate Signing Request file named disa_to_be_signed.csr in the current folder.

Send the DISA Certificate Signing Request (CSR) to CA

Send the Certificate Signing Request to the CA. The CA issues a new X.509 certificate based on the CSR.

For example, disa_signed.cer

NOTE:  Make sure that, on the machine on which DISA is deployed, the root CA certificate is trusted and the new DISA certificate is valid.

Determine the Certificate Chain

A valid certificate may be trusted through a Certificate Chain.

  1. Open a certificate.
  2. Navigate to the Certificate Path tab. The certificate chain for the current certificate is displayed.

    The certificate chain may include the following certificates:

    • Root Certificate
    • Intermediate Certificate
    • End Entity Certificate

      NOTE:  For DISA certificates, if there is a root certificate and intermediate certificate in the Certificate Path, they need to be imported to the DISA key store together with the DISA certificate.

Export Certificate from Certificate Path View

  1. Select the certificate and click View Certificate in the Certificate window.
  2. Navigate to the Details tab and then click Copy to File.
  3. Follow the Certificate Export Wizard instructions using the default options.
  4. Export the root certificate and any intermediate certificate.

Import Certificates to DISA Key Store

  1. Import the root and intermediate certificates to the DISA key store so that DISA can use them for the secure connection. The import command is:

    disa.exe keymgr -importcert -file <path_to_certificate> [-alias <alias name>]

  2. Replace the placeholder <path_to_certificate> with the actual certificate file name and path.

    To import the DISA certificate, the parameter -alias is optional. However, for root and intermediate certificates, the -alias parameter is required to indicate the alias for the certificate.

    • Use the following command to import the Root Certificate:

    disa.exe keymgr -importcert -file rootca.cer -alias root

    • Use the following commands to import Intermediate Certificates, if any:

    disa.exe keymgr -importcert -file intermediate1.cer -alias intermediate1

    disa.exe keymgr -importcert -file intermediate2.cer -alias intermediate2

    • Use one of the following commands to import the new DISA Certificate:

    disa.exe keymgr -importcert -file disa_signed.cer

    disa.exe keymgr -importcert -file disa_signed.cer -alias disa

    NOTE:  The DISA certificate must either use -alias disa or omit the -alias parameter entirely. Any other alias for the DISA certificate will not be accepted.
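
The chain determination, export and import ordering described above can also be scripted. The following PowerShell is an added example, not part of the Oracle guide or the DISA tooling: it validates the CA-issued certificate against the machine's trust stores, exports the root and intermediate certificates, and lists the import commands in the order shown on this page. The function name Get-DisaImportPlan, the output file names and the warning on CA certificates are assumptions.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper (not shipped with DISA): plans the key store import for a CA-signed certificate.
function Get-DisaImportPlan {
    param(
        [Parameter(Mandatory)] [string] $CertPath,   # e.g. disa_signed.cer returned by the CA
        [string] $OutDir = '.'                       # where root/intermediate .cer files are written
    )
    $certFile = (Resolve-Path $CertPath).Path
    $outPath  = (Resolve-Path $OutDir).Path
    $cert     = [X509Certificate2]::new($certFile)

    # Assumption: like the default certificate, the replacement should not be a CA certificate.
    $bc = $cert.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
    if ($bc -and $bc.CertificateAuthority) {
        Write-Warning "$CertPath has basicConstraints CA=TRUE; expected an end-entity certificate."
    }

    # Build the chain against this machine's trust stores (revocation is not checked here).
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $why = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        throw "Chain for $CertPath does not validate on this machine: $why"
    }

    # ChainElements runs end entity -> root; the import order on this page is root first.
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    [array]::Reverse($elements)
    $n = 0
    foreach ($c in $elements) {
        if ($c.Thumbprint -eq $cert.Thumbprint) {
            $alias = 'disa'; $file = $certFile       # only 'disa' is accepted for the DISA certificate
        } else {
            if ($c.Subject -eq $c.Issuer) { $alias = 'root' } else { $n++; $alias = "intermediate$n" }
            $file = Join-Path $outPath "$alias.cer"
            [System.IO.File]::WriteAllBytes($file, $c.Export([X509ContentType]::Cert))
        }
        [pscustomobject]@{
            Alias    = $alias
            Subject  = $c.Subject
            NotAfter = $c.NotAfter
            Command  = "disa.exe keymgr -importcert -file `"$file`" -alias $alias"
        }
    }
}

Get-DisaImportPlan -CertPath .\disa_signed.cer | Format-List
```

A failure from the chain build means the root CA is not trusted on this machine or the certificate is otherwise invalid, which is the condition the NOTE under "Send the DISA Certificate Signing Request (CSR) to CA" asks you to rule out before importing.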

Deploying DISA Using the New Key Store File

The new disa.jks file now contains the new certificate.

  1. Deploy DISA on other machines using the disa.jks file.
  2. Select the installer option Generate Certificate Using Existing Keystore.
  3. Clear the option Import Certificate into Trusted Root.

Desktop Integration Siebel Agent Guide Copyright © 2018, Oracle and/or its affiliates. All rights reserved. Legal Notices.