Comment: Migrated to Confluence 5.3

...

In this example we are generating a key called <your_cert_alias> and storing it in a brand new keystore called mywebservices.bin.

Code Block
language: bash
su - serveradmin
cd /opt/jre1.6.0_12/bin/
# Create a local Certificate
keytool -genkey -alias <your_cert_alias> -keyalg RSA -keystore mywebservices.bin

...

As a result, a brand new keystore file is generated. You can confirm this by listing the contents of the keystore:

Code Block
language: bash
keytool -keystore mywebservices.bin -list

Enter keystore password:  ******

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

mywebservices, Oct 8, 2009, keyEntry,
Certificate fingerprint (MD5): 02:70:28:DE:A6:BC:0B:5E:3C:FB:BF:B3:68:8F:0F:32

...

In this step we generate the request for the SSL certificate.

Code Block
language: bash
# Generate the CSR (Certificate Signing Request)
keytool -certreq -keyalg RSA -alias mywebservices -file mywebservices.csr -keystore mywebservices.bin
# It is important that the cert files be in the webapps directory
mv mywebservices.* /opt/apache-/tomcat-6.0.18/webapps/

Now submit your mywebservices.csr to the CA (Certificate Authority).

...

The key concept of the chain is that you must import all certs in the chain in order, from top to bottom. You should also give each cert a unique alias, which allows you to update specific certs in the chain when they expire. Using the Entrust CA as an example, we would import as follows.

Code Block
language: bash
keytool -import -alias entrust-2048-root -keystore mywebservices.bin -trustcacerts -file <filename_of_the_chain_certificate>
Certificate was added to keystore # This is the expected response
keytool -import -alias entrust-L1B -keystore mywebservices.bin -trustcacerts -file <filename_of_the_chain_certificate>
Certificate was added to keystore

Take a look inside your keystore and you should see the newly added certs with their unique aliases.



Code Block
language: bash
keytool -keystore mywebservices.bin -list
entrust-l1b, Oct 9, 2009, trustedCertEntry,
Certificate fingerprint (MD5): C2:DF:86:BD:E4:8B:FF:26:4D:AE:6A:26:1D:7A:70:D9
entrust-2048-root, Oct 9, 2009, trustedCertEntry,
Certificate fingerprint (MD5): CC:23:87:09:9B:09:3A:6F:5E:62:EB:F4:73:54:E9:28
pkiwebservices, Oct 8, 2009, keyEntry,
Certificate fingerprint (MD5): 02:70:28:DE:A6:BC:0B:5E:3C:FB:BF:B3:68:8F:0F:32

...

Finally, import your new certificate, making sure to use the same alias as in the initial generation, pkiwebservices, because you are replacing the self-signed cert already in the keystore.

Code Block
language: bash
keytool -import -alias mywebservices -keystore mywebservices.bin -trustcacerts -file <filename_of_the_chain_certificate>
Certificate reply was installed in keystore # This is the expected response
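
One way to check the result of the import steps above, as an added example that is not part of the original page: the function reads the short `keytool -list` output in the format shown earlier and confirms that each chain alias is a trustedCertEntry and that the key entry no longer carries the self-signed fingerprint. The function name `audit_listing`, the sample listings and their fingerprints are constructed for illustration; `PrivateKeyEntry` is accepted as well because newer keytool versions print it instead of `keyEntry`.

```shell
#!/bin/sh
# Added example (not from the original page): audit `keytool -list` output
# after the chain and certificate-reply imports.
# usage: keytool -keystore mywebservices.bin -list | \
#        audit_listing <key_alias> <self_signed_fingerprint> <ca_alias>...
audit_listing() {
    al_key=$1; al_old=$2; shift 2
    awk -v key="$al_key" -v old="$al_old" -v cas="$*" '
        # Entry header, e.g. "mywebservices, Oct 8, 2009, keyEntry,"
        /^[^ ,]+, .*Entry,? *$/ {
            alias = tolower($1); sub(/,$/, "", alias)
            type = $NF;          sub(/,$/, "", type)
            types[alias] = type
            next
        }
        # The fingerprint line belongs to the header just above it
        /^Certificate fingerprint \(/ { fp[alias] = toupper($NF) }
        END {
            rc = 0
            # keytool lists JKS aliases in lower case (entrust-L1B -> entrust-l1b)
            n = split(tolower(cas), ca, " ")
            for (i = 1; i <= n; i++)
                if (types[ca[i]] != "trustedCertEntry") {
                    print "FAIL: CA alias " ca[i] " is missing or not a trustedCertEntry"; rc = 1
                }
            k = tolower(key)
            if (types[k] != "keyEntry" && types[k] != "PrivateKeyEntry") {
                print "FAIL: " k " is missing or not a key entry"; rc = 1
            } else if (fp[k] == toupper(old)) {
                print "FAIL: " k " still holds the self-signed certificate"; rc = 1
            }
            if (rc == 0) print "OK: chain aliases present, " k " carries a new certificate"
            exit rc
        }'
}

# Constructed sample listings (fingerprints are made-up placeholders)
SELF_FP="AA:AA:AA:AA"
LISTING_BEFORE="entrust-l1b, Oct 9, 2009, trustedCertEntry,
Certificate fingerprint (MD5): 11:11:11:11
entrust-2048-root, Oct 9, 2009, trustedCertEntry,
Certificate fingerprint (MD5): 22:22:22:22
mywebservices, Oct 8, 2009, keyEntry,
Certificate fingerprint (MD5): AA:AA:AA:AA"
LISTING_AFTER=$(printf '%s\n' "$LISTING_BEFORE" | sed '$s/AA:AA:AA:AA/BB:BB:BB:BB/')

printf '%s\n' "$LISTING_AFTER" | audit_listing mywebservices "$SELF_FP" entrust-2048-root entrust-L1B
```

Record the key entry's fingerprint right after the `-genkey` step so there is a known self-signed value to compare against once the CA reply has been installed.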

...