Skip Navigation

Import the CA certificate into the
Java
certificate store

You can use the following steps to import certificate authority certificates into the
Java
cacerts keystore as an alternative to uploading certificate authority certificates into the
BEMS
database using the Dashboard. Some
BEMS
features may not support verifying certificate trusts using certificates stored in the database (for example, the
Presence
service for on-premises
Skype for Business
using non-trusted application mode). If you use this method to import the CA certificate, you must complete the following steps on each
BEMS
instance in the cluster.
Save a copy of the exported certificate to a convenient location on the computer that hosts
BEMS
(for example, C:\bemscert). For instructions, see Export the BlackBerry Proxy CA certificate chain to your desktop.
  1. If necessary, verify the
    Java
    bin directory is correctly specified in your environment PATH.
    1. In a command prompt, type
      set | findstr "JAVA_HOME"
      .
    2. Press
      Enter
      .
    3. In the command prompt, type
      set | findstr "Path"
    4. Press
      Enter
      .
    Verify that the JAVA_HOME System variable is set to the correct
    Java
    directory and that the PATH System variable includes the path to the same
    Java
    directory. For instructions about setting the JAVA_HOME and PATH system variables, see 'Set an environment variable for the Java location' in the installation content.
  2. Obtain a copy of the non-public CA certificate and any necessary intermediate certificates from the server that
    BEMS
    must communicate with. For more information, contact your administrator of the servers that
    BEMS
    needs to have trusted SSL connections to.
  3. On the
    BEMS
    host, make a backup of the
    Java
    keystore file. The
    Java
    keystore file is located at
    %JAVA_HOME%\lib\security\cacerts
    , where JAVA_HOME is confirmed in Step 1.
  4. Copy the non-public CA certificate to a convenient location on the computer that hosts
    BEMS
    (for example, C:\bemscert).
  5. Open a command prompt and change directory to the
    Java
    _HOME folder (for example, type
    cd %JAVA_HOME%
    ).
  6. Import the root certificate. Consider the following guidelines:
    • The -alias value must be unique in the destination keystore. If it is duplicated, you might experience import errors. You can output the cacerts keystore to a text file to manually confirm the existing certificates using a text editor. Type
      keytool.exe -list -v -keystore lib\security\cacerts > c:\bemscert\cacertsoutput.txt
    • Where the -file value is the path and the file name of the non-public certificate. If this is the path to the file, add quotation marks (" ") around the full path, filename, and extension.
    • The following is an example of importing the certificate using keystore commands:
      keytool.exe -importcert -trustcacerts -file "c:\bemscert\cacert1.cer" -keystore lib\security\cacerts -alias myalias1 -storepass changeit
    • There are no spaces between the dash (-) and the parameter name.
    • You must specify the -keystore parameter correctly. If it is incorrect or it is omitted, the keytool creates a new keystore.
      BEMS
      services do not use the new keystore.
    For more information about keystore commands, see Keystore commands.
  7. Repeat step 6 for any additional certificates that you want to import into the
    Java
    keystore.
  8. If you have
    Connect
    installed and configured, and did not import the
    BlackBerry Proxy
    root certificate into the
    Windows
    keystore, import it now. For instructions, see Import the Good Proxy or BlackBerry Proxy CA certificate to the BEMS Windows keystore.
  9. In the
    Windows
    Service Manager, restart the
    Good Technology Common Services
    service.
Configure the Core
BEMS
service for communicating to
BlackBerry Dynamics
. For instructions, see Configure the BlackBerry Dynamics server in BEMS.