First Data Latvia
CERTIFICATE MANAGEMENT
MERCHANT MANUAL
RIGA,
VERSION 1.0
2009
Change history

VERSION  DATE        AUTHOR       CHANGES
1.0      2009-10-13  Atis Rusins  Initial version. This document consists of three
                                  previous documents:
                                  - certificate_management.doc
                                  - Creating JKS keystore file for Java environment ECOMM IMA agent.doc
                                  - Creating P12 and PEM keystore file for NET and PHP environment ECOMM IMA agent.doc
Table of contents

1. The keystore file description .......... 4
2. Steps to do certificate renewal .......... 5
   2.1. Find valid keystore file for browser import .......... 5
   2.2. Import valid keystore file into browser .......... 5
   2.3. Creating P12 and PEM keystore file for NET and PHP environment ECOMM IMA agent .......... 6
   2.4. Creating JKS keystore file for Java environment ECOMM IMA agent .......... 7
1. The keystore file description

A keystore file is needed to make the connection from the merchant server to the payment service provider. The keystore file is protected with a passphrase, also known as the keystore password. Each keystore file consists of three entries:

- Private key
- Client certificate
- CA certificate

Depending on the system, the merchant uses one of these keystore file types:

- *.p12 – for MS Windows .NET systems and for importing into a web browser
- *.pem – for PHP curl systems
- *.jks – for Java systems

If a production keystore file is being made for the first time, a certificate request must be sent to the First Data system administrator. The first time, the merchant cannot make the production certificate himself because he has no access to the renewal URL.

The keystore file is valid for one year. It must be renewed before it expires to avoid downtime of the merchant payment system. The merchant can renew the keystore file himself if he still has a valid keystore file.

The merchant will receive a notification e-mail that the keystore file will expire soon, at minimum 4 weeks before the keystore file expires. Messages are sent each Monday at 8:00 CET. The merchant should renew his keystore file after receiving the notification.

The merchant can submit several e-mail addresses when signing the request at the specified URL, and the system will use them when keystore expiration warning messages are sent. Multiple addresses must be separated with a space, for example:
[email protected] [email protected] [email protected]
2. Steps to do certificate renewal

2.1. Find valid keystore file for browser import

Browsers accept *.p12 files for import. The merchant can use the *.p12 file generated last year or make a *.p12 from the existing keystore files used by the payment system. Note that only a valid keystore file gives access to the specified URL. If the keystore has expired, the merchant must send a certificate request to the First Data system administrator for signing. Commands for converting existing keystore files:

Convert *.pem to *.p12:
openssl pkcs12 -export -in file.pem -out file.p12

Convert *.jks to *.p12:
keytool -importkeystore -srckeystore 1234567_imakstore.jks -destkeystore 1234567_imakstore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass password -deststorepass password -srcalias ima -destalias ima -srckeypass password -destkeypass password -noprompt
2.2. Import valid keystore file into browser

*.p12 certificate install instructions on Mozilla Firefox 3.0.7:
Tools > Options > Advanced > Encryption > View Certificates > Import
*.p12 certificate install instructions on Internet Explorer 8:
Tools > Internet Options > Content > Certificates > Import
2.3. Creating P12 and PEM keystore file for NET and PHP environment ECOMM IMA agent

1. Skip to step 4 if you already have OpenSSL installed on Unix or another system.
2. Install openssl-0.9.7c-bin.exe from the archive.
3. Go to "Start > Run", enter "cmd" and press "OK". Command Prompt will open. Make sure drive "c:" is selected; if not, enter the command "c:". Then type "cd %ProgramFiles%\GnuWin32\bin" (or wherever you installed the software).
Sample:
S:\>c:
C:\>cd %ProgramFiles%\GnuWin32\bin
C:\Program Files\GnuWin32\bin>
4. Run the necessary commands:
! Note: Replace "1234567" with your merchant ID and "domain.com" with your merchant domain name.
! Note: Add -config "c:/path/to/file/openssl.cnf" at the end of the first command if using openssl-0.9.7c-bin.exe; the file "openssl.cnf" is located in the archive.

Generate the private key and the certificate request:
openssl req -newkey rsa:1024 -keyout 1234567_key.pem -out 1234567_req.pem -subj "/C=lv/O=domain.com/CN=1234567" -outform PEM

The request must be signed:
1) For the test system at: https://secureshop-test.firstdata.lv/report/keystore_.do
2) For the production system at: https://secureshop.firstdata.lv:8443/certreq/req

Immediately after submission of the request at the signing URL, the merchant will receive a certificate reply at the posted e-mail address, including two files:
1) ECOMM.pem
2) 1234567.pem

Build the P12 keystore from the private key, the client certificate and the CA certificate:
openssl pkcs12 -export -in 1234567.pem -certfile ECOMM.pem -inkey 1234567_key.pem -out 1234567.p12

Convert the P12 keystore into the PEM keystore used by PHP:
openssl pkcs12 -in 1234567.p12 > 1234567keystore.pem
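The following script is an added example and is not part of the First Data manual. It runs the section 2.3 procedure end to end with OpenSSL (key and request, keystore build, and the *.pem to *.p12 conversion from section 2.1) and adds the check behind section 1's rule that a keystore must be renewed at least 4 weeks before it expires, so a merchant can run it from a scheduled job instead of relying only on the Monday warning e-mail. Assumptions: a throw-away local CA stands in for the First Data signing URL (in practice ECOMM.pem and 1234567.pem arrive by e-mail after the request is submitted); the merchant ID 1234567 and domain.com are the manual's placeholders; the keystore password "changeit" and the WORK directory are constructed values; the keys are 2048-bit RSA rather than the manual's rsa:1024, which current CA and browser baselines no longer accept; -nodes and pass: arguments keep the run non-interactive where the manual's commands prompt for passphrases.

```shell
#!/bin/sh
# Added example, not from the First Data manual. Runs the PEM/P12 flow of
# section 2.3 with OpenSSL and adds the "renew 4 weeks before expiry" check
# from section 1. A local throw-away CA stands in for the signing URL.
set -eu

MERCHANT_ID=1234567                 # manual's placeholder merchant ID
DOMAIN=domain.com                   # manual's placeholder domain
KS_PASS=changeit                    # constructed sample keystore password
WORK=${WORK:-$(mktemp -d)}          # constructed scratch directory
WARN_SECS=$((4 * 7 * 24 * 3600))    # 4 weeks: the manual's warning window

# Step 4 of section 2.3: private key plus certificate request. -nodes keeps
# the demo non-interactive (the manual's command prompts for a key
# passphrase); rsa:2048 replaces the manual's rsa:1024.
make_request() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/${MERCHANT_ID}_key.pem" \
        -out "$WORK/${MERCHANT_ID}_req.pem" \
        -subj "/C=lv/O=$DOMAIN/CN=$MERCHANT_ID" -outform PEM 2>/dev/null
}

# Stand-in for the First Data signing URL: a constructed CA (ECOMM.pem)
# signs the request for $1 days and yields the two files the manual says
# are e-mailed back, ECOMM.pem and 1234567.pem.
sign_request_locally() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/ca_key.pem" -out "$WORK/ECOMM.pem" \
        -subj "/C=lv/O=Stand-in CA/CN=ECOMM test CA" 2>/dev/null
    openssl x509 -req -in "$WORK/${MERCHANT_ID}_req.pem" \
        -CA "$WORK/ECOMM.pem" -CAkey "$WORK/ca_key.pem" -CAcreateserial \
        -days "$1" -out "$WORK/${MERCHANT_ID}.pem" 2>/dev/null
}

# Section 2.3, last two commands: key + client cert + CA cert -> .p12
# (.NET, browser import), then the .pem keystore for PHP curl.
build_keystores() {
    openssl pkcs12 -export -in "$WORK/${MERCHANT_ID}.pem" \
        -certfile "$WORK/ECOMM.pem" -inkey "$WORK/${MERCHANT_ID}_key.pem" \
        -out "$WORK/${MERCHANT_ID}.p12" -passout "pass:$KS_PASS"
    openssl pkcs12 -in "$WORK/${MERCHANT_ID}.p12" -passin "pass:$KS_PASS" \
        -passout "pass:$KS_PASS" -out "$WORK/${MERCHANT_ID}keystore.pem"
}

# Prints the client certificate (the one matching the private key) of a
# .p12 or .pem keystore. The .pem case is the section 2.1 conversion done
# in memory, so the CA certificate in the file cannot be picked by mistake.
client_cert() {
    case "$1" in
        *.p12) openssl pkcs12 -in "$1" -passin "pass:$KS_PASS" \
                   -nokeys -clcerts 2>/dev/null ;;
        *)     openssl pkcs12 -export -in "$1" -passin "pass:$KS_PASS" \
                   -passout "pass:$KS_PASS" 2>/dev/null |
               openssl pkcs12 -passin "pass:$KS_PASS" -nokeys -clcerts 2>/dev/null ;;
    esac
}

# Exit 0 when the keystore expires within the 4-week window (renewal due),
# 1 when it is good for longer than that. openssl's -checkend exits 0 only
# if the certificate is still valid WARN_SECS seconds from now.
renewal_due() {
    if client_cert "$1" | openssl x509 -noout -checkend "$WARN_SECS" >/dev/null; then
        return 1
    fi
    return 0
}

# One-line status report, e.g. for a Monday cron job.
report() {
    client_cert "$1" | openssl x509 -noout -subject -enddate
    if renewal_due "$1"; then echo "RENEW NOW: $1 expires within 4 weeks"
    else echo "OK: $1 is valid for more than 4 weeks"; fi
}

# Demo: a one-year keystore (what First Data issues), then one with only
# 10 days left, which must trigger the warning.
demo() {
    make_request
    sign_request_locally 365; build_keystores
    report "$WORK/${MERCHANT_ID}.p12"; report "$WORK/${MERCHANT_ID}keystore.pem"
    sign_request_locally 10; build_keystores
    report "$WORK/${MERCHANT_ID}.p12"
}

case "${1:-}" in demo) demo ;; esac
```

Running `sh keystore_demo.sh demo` prints subject and expiry for a one-year keystore and then for a 10-day one that trips the warning. Pointing renewal_due at the production *.p12 or *keystore.pem gives an exit status suitable for monitoring; the same -checkend test works for a JKS keystore once it has been converted with the keytool -importkeystore command from section 2.1.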
2.4. Creating JKS keystore file for Java environment ECOMM IMA agent

1. Check whether your computer has the Java Runtime Environment installed. It can be checked here: http://www.java.com/en/download/help/testvm.xml
2. Go to "Start > Run", enter "cmd" and press "OK". Command Prompt will open. Make sure drive "c:" is selected; if not, enter the command "c:". Then go to the Java bin folder where the file keytool.exe is located. By default it is "C:\Program Files\Java\jre6\bin".
Sample:
S:\>c:
C:\>cd Program Files\Java\jre6\bin
C:\Program Files\Java\jre6\bin>
3. Run the necessary commands:
! Note: Replace "1234567" with your merchant ID and "domain.com" with your merchant domain name.

Generate the key pair in a new JKS keystore:
keytool -genkey -keystore 1234567_keystore.jks -keyalg RSA -dname "cn=1234567, o=domain.com, c=lv" -alias ima -storetype JKS

Create the certificate request:
keytool -certreq -keystore 1234567_keystore.jks -alias ima -file 1234567_req.csr

The request must be signed:
1) For the test system at: https://secureshop-test.firstdata.lv/report/keystore_.do
2) For the production system at: https://secureshop.firstdata.lv:8443/certreq/req

Immediately after submission of the request at the signing URL, the merchant will receive a certificate reply at the posted e-mail address, including two files:
1) ECOMM.pem
2) 1234567.pem

Import the CA certificate first, then the signed client certificate, into the keystore:
keytool -import -v -noprompt -trustcacerts -alias root -file ECOMM.pem -keystore 1234567_keystore.jks
keytool -import -v -noprompt -alias ima -file 1234567.pem -keystore 1234567_keystore.jks