eHealth Exchange Certificate Chain Overview
Version History
| Version# | Date | Modified By | Description of Modification |
|---|---|---|---|
| 1.0 | 03/06/2014 | Christopher May | Initial version |
Table of Contents
Introduction
Motivation & Scope
Members of the eHealth Exchange secure their communications using x.509 certificates whose chain of trust begins with the same Root Certificate Authority (CA), thus facilitating trust between organizations without the need to exchange certificates. For this reason, an organization must be able to import certificates forming a chain of trust when joining the community as well as when a new Root CA is introduced to the Exchange. This document covers the procedures and common troubleshooting steps to streamline that process.
Document Audience
This document is intended for technical users who are familiar with basic public-key infrastructure (PKI) and x.509 concepts.
Prerequisites
The following tools are used throughout this document:
Portecle, or another keystore / certificate manipulation tool (e.g., Keystore Explorer).
openssl - on Linux, this can be installed via the distro's package manager; on Windows, the openssl package can be added to Cygwin or installed as a standalone binary.
keytool - part of the Java Development Kit (JDK).
Portecle
Portecle is a free GUI application for managing keystores and x.509 certificates. This section is a short primer on the subset of Portecle's functionality necessary to import the chain of trust certificates, omitting steps that can be performed using only keytool or openssl.
Start Portecle
java -jar portecle.jar
Examine Stand-Alone Certificates
Select Examine --> Examine Certificate (keyboard shortcut: Ctrl+E).
Locate and select the relevant certificate file (select Files of Type "All Files" if the certificate's file extension is being filtered by default, e.g., .p7c and .der).
Click Examine (keyboard shortcut: Enter).
To view x.509 extensions, click Extensions (keyboard shortcut: Alt+E). The following extensions will be referenced in this document:
Subject Key Identifier (SKI) - provides a means of uniquely identifying that the current certificate contains a particular public key.
Authority Key Identifier (AKI) - provides a means of uniquely identifying the public certificate whose corresponding private key was used to sign the current certificate.
Authority Information Access (AIA) - indicates how to access CA information and services for the issuer of the current certificate.
Note: When viewing an extension, the value will be listed under "Extension Value" at the bottom half of the window.
Note: If the loaded file contains multiple certificates, navigate between them using the left and right arrows along the top (keyboard shortcuts: Alt+← / Alt+→).
Note: Although keytool and openssl can also be used to examine certificates, this step was included because Portecle is the only tool of the three that can export a PEM-encoded certificate based on the information examined from a PKCS#7 file containing multiple certificates. For reference, below is a non-exhaustive list of commands to examine certificates:
(X.509 or PKCS#7): keytool -printcert -v -file <certfile.p7c>
(PKCS#7): openssl pkcs7 -inform DER -text -print_certs -in <certfile.p7c>
(PEM-encoded): openssl x509 -text -noout -in <certfile.pem>
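The SKI/AKI definitions above and the command list, as an added shell example that is not part of this document: it splits a .p7c or PEM bundle into individual PEM files with openssl (the step Portecle performs interactively) and checks each issuer link by comparing a certificate's AKI to its issuer's SKI. The function names and the cert-N.pem file layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the eHealth Exchange document: split a PKCS#7
# (.p7c) bundle into one PEM file per certificate, then confirm each link of
# the chain by comparing a certificate's Authority Key Identifier (AKI) with
# the Subject Key Identifier (SKI) of the certificate that issued it. The
# file layout and function names are this example's own choices.
set -e

# Write every certificate in $1 (DER PKCS#7, PEM PKCS#7 or a plain PEM bundle)
# to $2/cert-N.pem in bundle order and print the number written.
split_bundle() {
  mkdir -p "$2"
  { openssl pkcs7 -inform DER -print_certs -in "$1" 2>/dev/null \
    || openssl pkcs7 -inform PEM -print_certs -in "$1" 2>/dev/null \
    || cat "$1"; } | awk -v dir="$2" '
      /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n) }
      f                             { print > f }
      /-----END CERTIFICATE-----/   { close(f); f = "" }'
  ls "$2"/cert-*.pem | wc -l | tr -d ' '
}

# Key identifier on the line after the named extension header, as AA:BB:... hex.
# Accepts both "keyid:AA:BB" (OpenSSL 1.x) and bare "AA:BB" (OpenSSL 3.x) output.
key_id() {  # $1 = PEM certificate, $2 = "Subject" or "Authority"
  openssl x509 -noout -text -in "$1" \
  | awk -v ext="$2 Key Identifier" '
      index($0, ext) { getline; sub(/keyid:/, ""); gsub(/[ \t]/, "")
                       if ($0 ~ /^[0-9A-F:]+$/) print; exit }'
}
cert_ski() { key_id "$1" Subject; }
cert_aki() { key_id "$1" Authority; }

# Succeeds only when $1 carries an AKI equal to the SKI of $2, i.e. the key that
# signed $1 is the key certified by $2; a wrong or stale issuer file in the
# keystore shows up here as a mismatch.
issued_by() {
  aki=$(cert_aki "$1"); ski=$(cert_ski "$2")
  if [ -n "$aki" ] && [ "$aki" = "$ski" ]; then return 0; else return 1; fi
}

# One line per split certificate, mirroring what Portecle shows under Extensions.
chain_report() {
  for c in "$1"/cert-*.pem; do
    printf '%s | %s | SKI=%s | AKI=%s\n' "$c" \
      "$(openssl x509 -noout -subject -in "$c")" "$(cert_ski "$c")" "$(cert_aki "$c")"
  done
}
# Usage: split_bundle chain.p7c certs; chain_report certs; issued_by certs/cert-1.pem certs/cert-2.pem
```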
Export the PEM-encoded Certificate
While examining a certificate:
Click PEM Encoding (keyboard shortcut: Alt+P).
Click Save (keyboard shortcut: Alt+S).
Enter the file name, INCLUDING the .pem extension (this must be added manually, despite the Files of Type default of "PEM Files (*.pem)").
Click Save (keyboard shortcut: Enter).
Click OK (keyboard shortcut: Enter) to resume examining the certificate.
Note: A good rule of thumb for naming certificate files is to use information from the Subject's OU (e.g., if the Subject is "OU=Entrust NFI Test Shared Service Provider, OU=Certification Authorities, O=Entrust, C=US", a good file name might be "NFI-Test.pem").
Locate CA Certificate via AIA
While examining a certificate:
Click Extensions (keyboard shortcut: Alt+E).
Select "Authority information access."
In the Extension Value, click the "CA Issuers" link whose URI starts with http. If this throws an error, see Troubleshooting - Invalid .p7c File.
When finished, click OK to resume examining the current certificate.