How to add a certificate to DESK Server TrustStore

There may be times when you need to manually add a certificate to the DESK Server TrustStore, for example if DESK Server refuses to accept a certificate when sending emails or WebHook notifications. This typically happens when a self-signed certificate is used.

How to know when DESK Server isn't accepting certificates

If DESK Server is having trouble sending notifications, look for any files in the log directory of your DESK Server installation that have the name pattern server.*.*.log.

If any files with this naming pattern exist in the log folder, search through those log files for the following entry:

sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException

Log entries such as the example above indicate that the certificate provided by the notification receiver wasn't accepted by DESK Server. The reason for this is usually that the certificate isn't trusted.

Add a custom certificate to the DESK Server TrustStore

You can use the Java KeyTool to enter commands to create the KeyStore. DESK redistributes Java Keytool as part of the JRE installed with DESK Server. By default, this tool is available in <desk-managed-installation-directory>/gateway/jre/bin or, depending on your deployment, in /opt/desk-managed/jre/bin.

Open a command prompt and switch to the directory where the Java KeyTool is located.

(optional) Create the KeyStore for the custom certificate.
See Generating a KeyStore and TrustStore for information on creating a Java KeyStore.

Export the custom certificate in CER format.
For example, to export a certificate that you want to name customcertificate.cer, specifying a password and the alias, enter a command similar to the following (Note: You must insert your organization's file paths, file names, and password into these commands in place of the included sample values).

keytool -export -storepass passwd -alias deskalias -keystore /usr/java/jre/lib/security/cacerts -file /tmp/customcertificate.cer

Import trusted certificate into DESK Managed keystore.

Create the import_trusted_certificate.sh script file:

import_trusted_certificate.sh

#!/bin/sh
# Importing trusted certificate into DESK Managed keystores

CERT_TO_IMPORT=$1
CERT_ALIAS=$2

if [ -z "$CERT_TO_IMPORT" ] || [ -z "$CERT_ALIAS" ]; then
    echo "Usage: $0 <certificate-path-to-import> <alias-for-certificate>"
    exit 1
fi

export PRODUCT_PATH=`grep -E "PRODUCT_PATH\s*=" /etc/desk.conf | sed -r "s/^[^=]+=\s*//"`
export JAVA_HOME=$PRODUCT_PATH/jre
export KEYTOOL=$JAVA_HOME/bin/keytool

importCert() {
    echo "Importing $CERT_TO_IMPORT into $2 at alias $CERT_ALIAS ..."
    cp -f $2 $2.bak
    if $KEYTOOL -importcert -trustcacerts -noprompt -keystore $2 -storepass $1 -alias $CERT_ALIAS -file $CERT_TO_IMPORT; then
        echo "Importing $CERT_TO_IMPORT into $2 at alias $CERT_ALIAS ... success"
        rm -f $2.bak
    else
        echo "Importing $CERT_TO_IMPORT into $2 at alias $CERT_ALIAS ... failed"
        mv -f $2.bak $2
        exit 1
    fi
}

importCert changeit $PRODUCT_PATH/jre/lib/security/cacerts
importCert changeit $PRODUCT_PATH/nodekeeper/jre/lib/security/cacerts

importCert trusted $PRODUCT_PATH/nodekeeper/conf/trusted.jks
importCert trusted $PRODUCT_PATH/server/conf/trusted.jks
importCert trusted $PRODUCT_PATH/security-Gateway/ssl/customkeys/trusted.jks

Make the import_trusted_certificate.sh script executable:

chmod +x import_trusted_certificate.sh

Run the import_trusted_certificate.sh script to import the certificate:

import_trusted_certificate.sh <full_path_to_cer_file> <alias_for_certificate>

Restart DESK Server.

/opt/desk-managed/launcher/desk.sh restart