...
In this example we generate a key pair under the alias <your_cert_alias> and store it in a brand new keystore called mywebservices.bin.

```
su - serveradmin
cd /opt/jre1.6.0_12/bin/
# Create a local Certificate
keytool -genkey -alias <your_cert_alias> -keyalg RSA -keystore mywebservices.bin
```
...
As a result, a brand new keystore file is generated. You can confirm this by listing its contents:

```
keytool -keystore mywebservices.bin -list
Enter keystore password: ******
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

mywebservices, Oct 8, 2009, keyEntry,
Certificate fingerprint (MD5): 02:70:28:DE:A6:BC:0B:5E:3C:FB:BF:B3:68:8F:0F:32
```
...
In this step we generate the signing request for the SSL certificate.

```
# Generate the CSR (Certificate Signing Request)
keytool -certreq -keyalg RSA -alias mywebservices -file mywebservices.csr -keystore mywebservices.bin
# It is important that the cert files be in the webapps directory
mv mywebservices.* /opt/apache-tomcat-6.0.18/webapps/
```
...
The key concept of the chain is that you must import all certs in the chain in order, from top to bottom. You should also give each cert its own unique alias; this lets you update a specific cert in the chain when it expires. Using the example of the Entrust CA, we would import as follows.

```
keytool -import -alias entrust-2048-root -keystore mywebservices.bin -trustcacerts -file <filename_of_the_chain_certificate>
# This is the expected response:
Certificate was added to keystore

keytool -import -alias entrust-L1B -keystore mywebservices.bin -trustcacerts -file <filename_of_the_chain_certificate>
Certificate was added to keystore
```
...
Finally, you can import your new certificate, making sure to use the same alias as on the initial generation (mywebservices), since you are replacing the self-signed cert already in the keystore.

```
# -file points at the signed certificate returned by the CA for this alias
keytool -import -alias mywebservices -keystore mywebservices.bin -trustcacerts -file <filename_of_the_chain_certificate>
# This is the expected response:
Certificate reply was installed in keystore
```
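The two steps above (importing the chain under unique aliases, then installing the CA reply under the server alias) are easy to get subtly wrong: if the alias on the final import does not match the key entry, keytool prints "Certificate was added to keystore" and stores the signed certificate as a separate trusted entry, while the private key keeps its self-signed certificate. The following shell functions, an added example rather than code from the original page, parse the verbose listing from `keytool -list -v` and check that the server alias is a private-key entry whose chain has the expected length (server cert plus every CA cert). The listing format assumed is the one printed by `keytool -list -v` on JDK 6 and later; the sample listing embedded below is constructed (owner names and dates are placeholders), and only the alias names come from the page.

```shell
#!/bin/sh
# Added example (not part of the original page): post-import checks on the
# output of `keytool -list -v`. Pipe the real listing in, e.g.
#   keytool -list -v -keystore mywebservices.bin | verify_server_entry mywebservices 3

# entry_type ALIAS  (listing on stdin): print the entry type stored under ALIAS.
entry_type() {
    awk -v a="$1" '
        $1 == "Alias" && $2 == "name:" { cur = $3 }
        $1 == "Entry" && $2 == "type:" && cur == a { print $3; exit }'
}

# chain_length ALIAS  (listing on stdin): print the certificate chain length
# for ALIAS, or 0 if the alias is absent or holds a trusted cert rather than a key.
chain_length() {
    awk -v a="$1" '
        $1 == "Alias" && $2 == "name:" { cur = $3 }
        $1 == "Certificate" && $2 == "chain" && cur == a { print $4; found = 1; exit }
        END { if (!found) print 0 }'
}

# verify_server_entry ALIAS EXPECTED_LEN  (listing on stdin): succeed only if
# ALIAS is a private-key entry whose chain holds EXPECTED_LEN certificates.
# A chain length of 1 means the self-signed certificate is still in place,
# i.e. the CA reply was never installed under this alias.
verify_server_entry() {
    listing=$(cat)
    etype=$(printf '%s\n' "$listing" | entry_type "$1")
    len=$(printf '%s\n' "$listing" | chain_length "$1")
    case "$etype" in
        PrivateKeyEntry|keyEntry) ;;   # both spellings appear across JDK versions
        *) echo "alias $1: expected a key entry, found '${etype:-none}'" >&2; return 1 ;;
    esac
    if [ "$len" -ne "$2" ]; then
        echo "alias $1: chain length $len, expected $2" >&2
        return 1
    fi
    return 0
}

# Constructed sample listing (abridged; a real listing also shows serial
# numbers, validity dates and fingerprints for every certificate).
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: entrust-2048-root
Creation date: Oct 8, 2009
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example

*******************************************

Alias name: entrust-L1B
Creation date: Oct 8, 2009
Entry type: trustedCertEntry

Owner: CN=Example Intermediate CA, O=Example
Issuer: CN=Example Root CA, O=Example

*******************************************

Alias name: mywebservices
Creation date: Oct 8, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com, O=Example
Issuer: CN=Example Intermediate CA, O=Example
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example
Issuer: CN=Example Root CA, O=Example
Certificate[3]:
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
'

# Demo against the constructed sample: root + intermediate + server cert = 3.
printf '%s\n' "$SAMPLE_LISTING" | verify_server_entry mywebservices 3 && echo "CA reply installed; chain complete"
```

Run the check after the final import (and again after any chain cert is replaced) so that a mismatched alias or a skipped intermediate is caught before Tomcat is restarted. Because the keystore holds the private key, keep its file permissions restricted to the account Tomcat runs as wherever it is stored.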
...