Textkernel Search + Match: Portal Certificate Creation
Overview
Textkernel Search + Match is provided through the portal. This article details the certificate types, certificate validation, and certificate creation used in the Textkernel Portal Configuration. This article does not cover the process of signing a certificate. See Textkernel Search + Match: Setup and Configuration Guide for general configuration information.
Certificate Types
Each JSON Web Token (JWT) sent from an org to a portal environment contains three certificates:
- Signing certificate: This is created in an org and used to sign the JWT. The common name (CN) is arbitrary.
- Intermediate certificate: This is issued by and used to sign the signing certificate. The common name is BH4Force Partner Services Intermediate CA.
- Root certificate: This is issued by and used to sign the intermediate certificate. It is stored in the portal in order to validate the certificate chain in the JWT. The common name is BH4Force Partner Services Root CA. The key identifier is f52ce70c1948b6d0e0a91c0c8535a5dbd428f4ab.
Certificate Validation
When the authentication service receives a JWT, it validates the certificates it contains. The certificates must comply with these rules:
- They form a valid certificate chain: the signing certificate must be signed with the intermediate certificate, which in turn is signed with the root certificate.
- The root certificate is one of the root certificates stored in the portal.
- The issuer (iss) JWT field contains the common names of the signing and intermediate certificates separated by a colon (:). For example, if the common name of the signing certificate is Textkernel Portal Certificate, then the iss value is Textkernel Portal Certificate:BH4Force Partner Services Intermediate CA.
- The iss value provided in the JWT matches the issuer specified in the portal environment (account) configuration. The name of the portal account is specified in the Account Name field of the Textkernel Portal Configuration custom metadata type record.
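The four rules above can be exercised locally with the openssl command line. The script below is an added example, not part of this article and not Textkernel or Bullhorn code: it generates a throwaway root, intermediate and signing certificate whose common names mirror the ones described here (the key material is constructed on the fly; these are not the real portal certificates), verifies the chain, derives the iss value from the two common names, reads the root's key identifier in the lowercase hex form used above, and also produces the single-line form of the signing certificate that a later section pastes into the Signing Certificate field. It assumes openssl 1.1.1 or newer and a POSIX shell.

```shell
#!/bin/sh
# Added example, not part of the article. Builds a throwaway three-tier chain
# with the article's common names and applies the portal's validation rules
# using the openssl CLI. Requires openssl 1.1.1+ on PATH.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

ROOT_CN="BH4Force Partner Services Root CA"
INT_CN="BH4Force Partner Services Intermediate CA"
SIGN_CN="Textkernel Portal Certificate"   # arbitrary, as the article states

# Self-contained OpenSSL config so the example does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# Key + CSR for a given CN (the "Download Certificate Signing Request" step of the article).
csr() {  # $1 cn, $2 key out, $3 csr out
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/openssl.cnf" \
    -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null
}

# Issue a certificate from a CSR with the given CA and extension section.
issue() {  # $1 csr, $2 ca cert, $3 ca key, $4 extension section, $5 output
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -sha256 -days 2 \
    -extfile "$WORK/openssl.cnf" -extensions "$4" -out "$5" 2>/dev/null
}

# Constructed stand-ins for the root, intermediate and signing certificates.
gen_chain() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
    -config "$WORK/openssl.cnf" -extensions v3_ca -subj "/CN=$ROOT_CN" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  csr "$INT_CN" "$WORK/int.key" "$WORK/int.csr"
  issue "$WORK/int.csr" "$WORK/root.pem" "$WORK/root.key" v3_ca "$WORK/int.pem"
  csr "$SIGN_CN" "$WORK/sign.key" "$WORK/sign.csr"
  issue "$WORK/sign.csr" "$WORK/int.pem" "$WORK/int.key" v3_leaf "$WORK/sign.pem"
}

# Rules 1 and 2: signing cert -> intermediate -> a root the portal trusts.
verify_chain() {  # $1 trusted root, $2 intermediate, $3 signing cert
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

cert_cn() {  # subject CN of a PEM certificate
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/^subject= *CN=\([^,]*\).*$/\1/p'
}

# Rule 3: iss = "<signing CN>:<intermediate CN>".
jwt_issuer() {  # $1 signing cert, $2 intermediate cert
  printf '%s:%s\n' "$(cert_cn "$1")" "$(cert_cn "$2")"
}

# Lowercase hex Subject Key Identifier, the form the article uses for the root's key identifier.
root_key_id() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Key Identifier/ { getline; gsub(/[: ]/, ""); print tolower($0); exit }'
}

# All four rules; prints "valid" or the first failing rule.
validate_portal_chain() {  # $1 trusted root, $2 intermediate, $3 signing cert, $4 configured issuer, $5 iss claim
  verify_chain "$1" "$2" "$3" || { echo "invalid chain"; return 1; }
  [ "$5" = "$(jwt_issuer "$3" "$2")" ] || { echo "iss does not name the certificate CNs"; return 1; }
  [ "$5" = "$4" ] || { echo "iss does not match the portal account configuration"; return 1; }
  echo "valid"
}

# Single-line form for the Signing Certificate field: drop the BEGIN/END lines, join the base64 body.
single_line_cert() {
  sed '/-----/d' "$1" | tr -d '\r\n'
}

gen_chain
ISS="$(jwt_issuer "$WORK/sign.pem" "$WORK/int.pem")"
echo "iss value for the JWT Issuer field: $ISS"
echo "root key identifier: $(root_key_id "$WORK/root.pem")"
echo "full chain: $(validate_portal_chain "$WORK/root.pem" "$WORK/int.pem" "$WORK/sign.pem" "$ISS" "$ISS")"
# Intermediate missing from the token: no chain can be built, so the JWT is rejected.
echo "without intermediate: $(validate_portal_chain "$WORK/root.pem" "$WORK/root.pem" "$WORK/sign.pem" "$ISS" "$ISS" || true)"
echo "Signing Certificate field starts: $(single_line_cert "$WORK/sign.pem" | cut -c1-40)..."
```

The negative case at the end is the one that matters operationally: a JWT carrying only the signing certificate, or an iss that was typed with a different common name than the certificate actually has, fails at the chain or issuer check before any signature is considered, which is why the JWT Issuer field must match the certificates exactly.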
Managing Certificates
Keep the following in mind when managing signing certificates:
- Each account has only one issuer set in the configuration. It is not possible to use two different signing certificates with distinct common names in two different orgs to log in to the same portal account.
- The same signing certificate can be used in different orgs to log in to the same portal account.
- Different signing certificates can be used in different orgs to log in to the same portal account as long as their common names are the same.
- To use one signing certificate in several orgs, create the certificate in one org and then import it into the other orgs via a JKS file.
Create a New Signing Certificate
Get the Previous Certificate Common Name
If the org this certificate is being created for has never been connected to a portal environment, skip this step.
Follow these steps to replace an existing signing certificate and reuse the common name of the existing certificate for the new one. To use a different common name in the new certificate, the new issuer (iss JWT field value) must be provided to so the portal environment configuration can be updated; otherwise, JWT authentication will fail.
- Log in to the org where the certificate needs to be replaced.
- Go to Setup > Custom Metadata Types > Textkernel Portal Configuration.
- Click the Manage Textkernel Portal Configurations button.
- Open the Textkernel Portal Configuration record.
- Note the Signing Certificate Name field value.
- Go to Setup > Certificate and Key Management.
- Open the certificate where the Signing Certificate Name noted earlier matches the Unique Name field.
- Locate and copy the common name in the Certificate field:
Create a New Certificate
These steps assume the new signing certificate can be signed with the intermediate certificate. The process of signing a certificate is not covered in this document.
- Log in to the org that needs a certificate created.
- Go to Setup > Certificate and Key Management.
- Click the Create CA-Signed Certificate button.
- Select the Exportable Private Key checkbox.
- Set the Key Size field to 2048.
- To replace the previous certificate, enter the common name of the previous certificate in the Common Name field. If the org has never been connected to the portal, enter any value.
- Fill the remaining fields with any meaningful values. Values from the previous certificate can be used, if it exists.
- Click the Save button.
- Click the Download Certificate Signing Request button and save the CSR file to the computer.
- Sign the certificate with the intermediate certificate using the CSR file and save it to the computer. The process of signing a certificate is not covered in this document.
- Return to the org and open the certificate that was just created.
- Click the Upload Signed Certificate button.
- Select the signed certificate in the file system and click the Save button.
Update the Signing Certificate in the Portal Configuration
These steps make the JWT portal authentication use the new signing certificate. If the org has never been connected to the portal, values for other fields (like Login URL and Account Name) will also need to be provided, which is not covered in this document.
- Go to Setup > Custom Metadata Types > Textkernel Portal Configuration.
- Click the Manage Textkernel Portal Configurations button.
- Open an existing Textkernel Portal Configuration record by clicking the Edit button; if none exists, click the New button.
- Enter the Unique Name value from the certificate into the Signing Certificate Name field. The Unique Name can be found by going to Setup > Certificate and Key Management.
- Enter the common names of the signing and intermediate certificates separated by a colon into the JWT Issuer field. For example, if the common name of the signing certificate is Textkernel Portal Certificate and the common name of the intermediate certificate is BH4Force Partner Services Intermediate CA, then Textkernel Portal Certificate:BH4Force Partner Services Intermediate CA would be entered in the JWT Issuer field.
If the new JWT Issuer value differs from the previous one, the new value must be provided to so the portal account configuration can be updated.
- If the signing certificate is not already downloaded to the computer, open it in the org by going to Setup > Certificate and Key Management, then click the Download Certificate button to save it to the computer.
- Open the certificate using a text editor (for example, Notepad++). It will look like this:
- Copy and paste the text content of the certificate to another tab (or window) of the text editor.
- Remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
- Remove all line breaks to transform the text content into a single line. The result should look like this:
- Copy and paste the text content into the Signing Certificate field of the Textkernel Portal Configuration record.
- If the org has never been connected to the portal before, provide values for the other fields.
- Click the Save button.
Share a Certificate with Other Orgs
Use these steps if a signing certificate was created in another org. The portal configuration in the org will need to be updated after these steps; see the Update the Signing Certificate in the Portal Configuration section for instructions.
Create a .jks File (Windows)
If a JKS file containing just the needed certificate already exists, skip this section.
- Log in to an org that contains the certificate.
- Go to Setup > Certificate and Key Management.
- Open the certificate and note the Unique Name field value.
- Go back to the Certificate and Key Management page.
- Click the Export to Keystore button. This will create a JKS file containing all the certificates listed on the Certificate and Key Management page.
- Create a password for the new JKS file and click Save.
- Find the folder on the computer where the Java KeyTool (keytool.exe) is located. It’s provided as a part of the Java Development Kit (JDK). If keytool.exe isn’t on the computer, download and install the latest JDK version.
- Copy the JKS file into that folder.
- Run CMD as an administrator.
- Use the cd command to navigate to the keytool folder.
- Run the following command, replacing keystore.jks with the name of the JKS file:
  keytool -list -keystore keystore.jks
- Enter the keystore password.
- Locate the certificate aliases in the output. The aliases are the lowercase Unique Name field values of the certificates in the org. All certificates except for the one being moved to a new org must be deleted.
- Run the following command, replacing keystore.jks with the name of the JKS file and selfsignedcert_28jan2021_153812 with the alias of the certificate to delete:
  keytool -delete -alias selfsignedcert_28jan2021_153812 -keystore keystore.jks
- Repeat the previous steps to delete extra certificates until only the correct certificate is left in the JKS file.
Import the Certificate into an Org
- Log in to the org the certificate should be imported to.
- Go to Setup > Certificate and Key Management.
- Click the Import from Keystore button.
- Select the JKS file in the file system and enter the password.
- Click the Save button.
- The new certificate is now displayed on the Certificate and Key Management page. Follow the steps in the Update the Signing Certificate in the Portal Configuration section.
If this error is displayed in a developer or test org, use these steps to resolve it.
- Go to Setup > Identity Provider.
- Click the Enable Identity Provider button. If nothing happens, click it several times.
- Click the Save button. A new self-signed certificate will appear on the Certificate and Key Management page.
- Repeat steps 2-6 above to import the certificate.