Programmatic custom certificate creation in proxy

When an HTTPS connection is established with an HTTP/TCP proxy, the certificate that the proxy presents to the client is retrieved from an existing key pair that represents the intended endpoint, or is generated as the default certificate by the proxy and is signed by the private key in the keystore that is configured in the registration.xml file. Ordinarily, this mechanism is sufficient. If full control over the generation of certificates is required, an alternative advanced approach is available. The approach requires that custom code is written to generate and sign the required certificates.

About this task

From HCL Quality Server 9.2.1.1 onwards, you can programmatically create custom signed certificates that will be presented by the HTTP/TCP proxy. This feature is in addition to the existing features to add your own certificate and key to the proxy keystore, or to the existing proxy keystore, or to specify your own keystore. For more information, see HTTPS configuration settings.

Complete the following steps to programmatically create custom signed certificates and have them used in the proxy:

Procedure

  1. Write custom code to implement the Java interface com.hcl.products.test.it.proxy.CertificateCreator that is provided in the jar certcreator.jar contained in the <proxy_install_dir>/ext/ directory. For details of the interface and its methods, see Interface CertificateCreator.
  2. Package the custom code into a jar. Along with the class files, the new jar must contain a file named META-INF/services/com.hcl.products.test.it.proxy.CertificateCreator. Ensure that the file contains a single line with the fully qualified class name of the implementation class of the code written in Step 1.
  3. Add the new jar and any dependent jars to the <proxy_install_dir>/ext/ directory alongside the certcreator jar file. Ensure that you do not remove the certcreator.jar file or alter its contents.
  4. Restart the HTTP/TCP proxy.
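
A pre-deployment check for the jar built in Step 2, given here as an added example and not as part of the product or its documentation: it confirms that the descriptor file exists, names exactly one class, and that the class is packaged in the same jar. The class name com.example.proxy.MyCertificateCreator and the sample jar are constructed for illustration, and the handling of blank lines and # comments assumes the proxy reads the descriptor by the java.util.ServiceLoader rules.

```python
import io
import re
import zipfile

# Descriptor path required by Step 2 of the procedure.
DESCRIPTOR = "META-INF/services/com.hcl.products.test.it.proxy.CertificateCreator"
FQCN = re.compile(r"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*")

def check_creator_jar(jar):
    """Return (implementation class name or None, list of problems)."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        if DESCRIPTOR not in names:
            return None, ["missing " + DESCRIPTOR]
        text = zf.read(DESCRIPTOR).decode("utf-8", errors="replace")
    # Assumption: blank lines and '#' comments are ignored, as in the
    # java.util.ServiceLoader provider-configuration file format.
    entries = [line.split("#", 1)[0].strip() for line in text.splitlines()]
    entries = [e for e in entries if e]
    if len(entries) != 1:
        return None, ["descriptor must name exactly one class, found %d" % len(entries)]
    cls = entries[0]
    if not FQCN.fullmatch(cls):
        return cls, ["not a valid class name: %r" % cls]
    # The proxy can only load the class if its .class file is on the
    # classpath; Step 2 packages it in the same jar as the descriptor.
    class_entry = cls.replace(".", "/") + ".class"
    if class_entry not in names:
        return cls, ["class file not in jar: " + class_entry]
    return cls, []

def build_sample_jar(descriptor_text, class_entries):
    """Constructed sample input: an in-memory jar with placeholder class bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if descriptor_text is not None:
            zf.writestr(DESCRIPTOR, descriptor_text)
        for entry in class_entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Hypothetical implementation class name, used only for this sample.
    jar = build_sample_jar("com.example.proxy.MyCertificateCreator\n",
                           ["com/example/proxy/MyCertificateCreator.class"])
    print(check_creator_jar(jar))
```

check_creator_jar also accepts a file path, so it can be run against the real jar before it is copied into the <proxy_install_dir>/ext/ directory.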

Results

You have created a custom certificate generation implementation and configured the HTTP/TCP proxy to use it for generating certificates.

What to do next

You can verify that the custom certificate creator class is being used by checking the log of the proxy. An information message will be included stating the name of the class in use.

For more information about how to check the logs, see HTTP/TCP proxy logs.