How to use KeyStore Explorer to create a new keystore and certificate for HA Cloud or Reflection ZFE

  • 7023489
  • 31-Oct-2018
  • 23-Oct-2020


Host Access for the Cloud 2.4
Reflection ZFE 2.3.1 through ZFE 2.3.5


How to use KeyStore Explorer to create a new servletcontainer.bcfks or keystore.bcfks keystore, key pair, and certificate signing request for the Host Access for the Cloud (Reflection ZFE) Session Server.


KeyStore Explorer is a GUI replacement for the Java Keytool command line utility. KeyStore Explorer ships with Reflection ZFE and Host Access for the Cloud (formerly called Reflection ZFE). It's located in the C:\Program Files\Micro Focus\ReflectionZFE\utilities directory for Reflection ZFE and in C:\Program Files\Micro Focus\HACloud\utilities directory for Host Access for the Cloud.
  1. To start KeyStore Explorer simply double click on the keystore-explorer.bat file in the \utilities directory.

  2. Once the main screen displays click on the Create a new KeyStore icon.

3. Select the BCFKS (Bouncy Castle FIPS Key Store) option for the keystore type and click OK.

4. Click on File and then Save to finish creating the new keystore. This is just creating the keystore itself, generating the key pair and certificate signing request will occur later on in the process.

5. When saving the keystore you will be prompted to enter a new keystore password.  The default keystore password for Host Access for the Cloud and Reflection ZFE is “changeit” without the quotes.

If you choose to use a different password see the Host Access for the Cloud or Reflection ZFE User Guide on “How to change the default Host Access for the Cloud (Reflection ZFE) Key Store Password.”

6. After entering in the new keystore password you will be then prompted to save the new keystore to a location and give it a name. For Reflection ZFE the file name should be servletcontainer.bcfks and for Host Access for the Cloud the file name is keystore.bcfks.

7. Once the new keystore is saved go to the menu bar click on Tools and select Generate Key Pair from the menu. Take the default settings for the Algorithm and Key Size. Click OK to proceed with creating the new Key Pair.

8. In the Generate Key Pair dialog click on the Edit Name button. See the screen shot below with the button circled in red.

9. In the Name dialog enter the following information.
  • The Common Name is most important as it should be the fully qualified name (FQDN) of the server.
  • The remaining options are just labels but it is best practice to enter the proper information.
Click OK when finished.

10. Back on the Generate Key Pair Certificate window click on the Add Extensions button on the lower right.

11. In the Add certificate Extensions click on the green plus button to add certificate extensions. See the screen shot below with the button circled in red.

12. Add the Extension Type of Key Usage and check the box for Critical Extension. Click the OK button to go to the Key Usage Extensions.

13. For the Key Usage Extension select Digital Signature and Key Encipherment and click OK.

14. Again click on the green plus button and select the extension type of Extended Key Usage from the Extension list. The Critical check box is not needed this time so it can be left unchecked. Click OK to continue.

15. Select the Extended Key Usage option of TLS Web Server Authentication and click OK.

16. Subject Alternative Names (SANs) are recommended. They can be very useful if you wish to use this same keystore and certificate on multiple servers, or for load balanced environments by including the load balanced name. You can also add IP Address as SANs but this could be a security risk publishing the actual IP Address of the server. While it is possible to simply use the Common Name in the subject field it is encouraged to use the Subject Alternative Name / DNS Name instead.

If the Common Name is used in the subject field it should also be added as Subject Alternative Name / DNS Name. If Subject Alternative Names exist in a certificate most browsers will not read the Common Name of the subject field and you could see hostname verification errors in the TLS handshake process.

Many Certificate Authorities can add SANs during the certificate signing process as well.

a. To Add Subject Alternative Names again click on the green plus button and select the extension type of Subject Alternative Name from the Extension list. Click OK to continue.

b. Enter the FQDN for the DNS Name and click OK