www.bonsaiframework.com
Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

This page is the form of quick notes and needs to be rewritten as an article.

Create Local Certificate

In this example we are generating a key called <your_cert_alias> and storing it in a brand new keystore called mywebservices.bin.

su - serveradmin
cd /opt/jre1.6.0_12/bin/
# Create a local Certificate
keytool -genkey -alias <your_cert_alias> -keyalg RSA -keystore mywebservices.bin

This information depends on your company. Note that when creating a cert for a website the first and last name will be the website url.

Enter keystore password:  mypassword
What is your first and last name?
  [Unknown]:  mywebservice.myapp.mycompany.com
What is the name of your organizational unit?
  [Unknown]:  My Unit
What is the name of your organization?
  [Unknown]:  My Organization
What is the name of your City or Locality?
  [Unknown]:  My City
What is the name of your State or Province?
  [Unknown]:  My State
What is the two-letter country code for this unit?
  [Unknown]:  CA

As a result, a brand new keystore file is generated. You can confirm this,

keytool -keystore mywebservices.bin -list

Enter keystore password:  ******

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

mywebservices, Oct 8, 2009, keyEntry,
Certificate fingerprint (MD5): 02:70:28:DE:A6:BC:0B:5E:3C:FB:BF:B3:68:8F:0F:32

The results show 1 entry with the alias name mywebservices which contains a single element, a self-signed certificate which is soley there to generate the CSR.

Generate the CSR (Certificate Service Request)

In this step we generate the request for the SSL certificate.

# Generate the CSR (Certificate Service Request)
keytool -certreq -keyalg RSA -alias mywebservices -file mywebservices.csr -keystore mywebservices.bin
# It is important that the cert files be in the webapps directory
mv mywebservices.* /opt/apache-tomcat-6.0.18/webapps/

Now submit your mywebservices.csr to the CA (Certificate Authority).

Note: There is usally a web form to fill out in this step as you upload the contents. One note here is that if you are creating a public website you should choose a cert type that supports an alias. As such your cert will then be able to support the base domain name and the base domain prefixed by www. For example, you generate the certificate with the name "mywebservice.myapp.mycompany.com" and as you fill in the form you should use "www.mywebservice.myapp.mycompany.com"

Your CA will return a certificate (your keystore file signed by the CA). Depending on the signer they may use different names so it can be confusing. For example the Entrust CA calls your certificate the "Webserver Certificate" even though in this example we are putting this on an application server. In our example we are provided the CA signed certificate as plain text which we then store in a text file calling it mywebservices-signe.cer. Here is what the contents of the plain text might look like,

  • No labels