As a prerequisite, make sure that Java is installed correctly and the class path is set. Then follow the steps below.
1. Create a key store
You can create your own keystore by executing the following command.
keytool -genkey -alias democert -keyalg RSA -keystore demokeystore.jks -keysize 2048
You will be prompted for the information below and for a password for the keystore.
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: wso2
What is the name of your organization?
[Unknown]: wso2
What is the name of your City or Locality?
[Unknown]: colombo
What is the name of your State or Province?
[Unknown]: WP
What is the two-letter country code for this unit?
[Unknown]: LK
Is CN=localhost, OU=wso2, O=wso2, L=colombo, ST=WP, C=LK correct?
[no]: yes
Enter key password for <democert>
(RETURN if same as keystore password):
This generates a private key and the certificate under the alias specified in the command (e.g. democert).
Once you have executed the above command, a new file named demokeystore.jks is created in the directory where you ran the command.
2. View the content in the created keystore.
You can execute the following command to view the content of the keystore created in step 1.
keytool -list -v -keystore demokeystore.jks -storepass password
You will receive output similar to the following:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: democert
Creation date: Jul 21, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=wso2, O=wso2, L=colombo, ST=WP, C=LK
Issuer: CN=localhost, OU=wso2, O=wso2, L=colombo, ST=WP, C=LK
Serial number: 2ef9b438
Valid from: Tue Jul 21 18:46:12 IST 2015 until: Mon Oct 19 18:46:12 IST 2015
Certificate fingerprints:
MD5: 2F:1B:EF:8E:95:5D:0E:0F:81:34:FE:4A:27:A9:68:A8
SHA1: FD:9D:98:A1:FB:36:DD:6B:D7:1A:F6:E8:AC:98:35:3A:5E:3C:7F:9A
SHA256: CF:02:15:41:9E:CC:67:65:85:33:4A:E4:3D:B9:C4:C5:B2:04:CD:A8:FF:B6:63:D6:DB:DC:79:85:51:79:FA:1E
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9B D4 69 A2 D9 A8 E0 22 02 D6 4F 57 71 3B 27 F4 ..i...."..OWq;'.
0010: 18 8E 7F 4F ...O
]
]
*******************************************
*******************************************
3. Create CSR
The certificate in the created keystore is a self-signed certificate, but you need to get your certificate signed by a Certificate Authority (CA). For that, a Certificate Signing Request (CSR) has to be generated. You can use the following command for that.
keytool -certreq -v -alias democert -file csr_request.pem -keypass password -storepass password -keystore demokeystore.jks
A csr_request.pem file is then created in the directory where you executed this command.
4. Get the certificate signed by CA
In this blog post I'm going to use the VeriSign free trial version to get the certificate signed. If you are using this trial version, the certificate is valid for only 30 days. Follow the wizard here. When you are asked for the CSR, open the generated csr_request.pem in a text editor, copy its content and paste it into the text area in the wizard. After you have completed the wizard you will receive an email from VeriSign with the signed certificate.
5. Import the root and intermediate certificates to the keystore
Before importing the signed certificate you have to import the root and intermediate certificates into the keystore. The root certificate for the VeriSign trial version can be found here. Copy the text of the root certificate into a new file and save it as verisign_root.pem.
Now you can import the root certificate to the keystore by executing the following command.
keytool -import -v -noprompt -trustcacerts -alias verisigndemoroot -file verisign_root.pem -keystore demokeystore.jks -storepass password
Now the root certificate is imported. You can verify that by listing the content of the keystore (step 2).
The next step is to import the intermediate certificate. For the VeriSign trial version you can get the intermediate certificate here. Copy the text and save it in a new file (verisign_intermediate.pem).
Import the intermediate certificate:
keytool -import -v -noprompt -trustcacerts -alias verisigndemoim -file verisign_intermediate.pem -keystore demokeystore.jks -storepass password
6. Import the CA signed certificate to keystore
Now we can import the signed certificate. You can find the certificate in the email you received from VeriSign. Copy the certificate text. For example,
-----BEGIN CERTIFICATE-----
MIIEtTCCA52gAwIBAgIQG+
jTELMAkGA1UEBhMCVVMxHTAbBgNVBA
LgYDVQQLEydGb3IgVGVzdCBQdXJwb3
LTArBgNVBAMTJFN5bWFudGVjIFRyaW
Fw0xNTA3MjAwMDAwMDBaFw0xNTA4MT
CQYDVQQIEwJXUDEMMAoGA1UEBxQDQ0
FAR3c28yMRIwEAYDVQQDFAlsb2NhbG
DwAwggEKAoIBAQC8YacCtuAHjcUheG
LpCd1qfeDkqGVBnoizcCvuqmMy9a6j
igpvOnEAcoDJdmjSMQawSVIy5XO9aL
Vjp/cQQenljSgmw+
STb47324GmlT6PF5T0e0+
dVHqDa3E8YNJNPyqwApOUw5yFUxokA
DTALgglsb2NhbGhvc3QwCQYDVR0TBA
BCQwIjAgoB6gHIYaaHR0cDovL3JlLn
XDBaBgpghkgBhvhFAQcVMEwwIwYIKw
b20vY3BzMCUGCCsGAQUFBwICMBkMF2
A1UdJQQWMBQGCCsGAQUFBwMBBggrBg
iUDnFiFocUQ1XSrQvjA2BggrBgEFBQ
Ly9yZS5zeW1jYi5jb20vcmUuY3J0MA
ok8HP0QJTwRh2J5dwawQKPB9dauqcG
jhdMk51fRkaGtli6N84V5Db7bRYARn
rBtVv47PXIykgXEaGzECrIT/
sGp7lmGWjy01j1mYTfHzVWOKQmiheW
eSy7pIOcy4nvHh7h07UsjivGNIIfQ6
LZtGg2ZrFIsd
-----END CERTIFICATE-----
Create a new text file, paste this content into it and save it as verisign_signed.pem.
Import it with the following command:
keytool -import -v -alias democert -file verisign_signed.pem -keystore demokeystore.jks -keypass password -storepass password
Now you have the CA signed certificate in your keystore. You can verify that by listing the certificates in the keystore as you did in step 2.
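Listing the keystore only shows that an entry exists; it does not tell you whether the CA reply actually replaced the self-signed certificate under the democert alias, whether the chain links up to the root and intermediate imported in step 5, or whether the 30-day trial certificate is still inside its validity period. The following Java program is an added example written for this post (it is not code from the post or from VeriSign). It opens the keystore with the file name, alias and password the post uses, which are assumptions you should change for your own environment, and reports every problem it finds in the stored chain: a leaf that is still self-signed, a signature that does not verify against the next certificate's key, an issuer name that does not match the next subject, or a certificate outside its validity window. When the stored chain stops at the intermediate, it looks for the issuer among the trusted certificate entries in the same keystore.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/** Checks that a PrivateKeyEntry carries a complete, verifiable CA-issued chain. */
public class KeystoreChainCheck {

    // Assumed values taken from the post; adjust for your own keystore.
    static final String KEYSTORE_PATH = "demokeystore.jks";
    static final String ALIAS = "democert";
    static final char[] STORE_PASSWORD = "password".toCharArray();

    /** Public key to verify chain[i] with: the next cert, itself if self-signed,
     *  or a trusted certificate entry (the root imported in step 5). */
    static PublicKey issuerKeyFor(KeyStore ks, Certificate[] chain, int i) throws KeyStoreException {
        X509Certificate cert = (X509Certificate) chain[i];
        if (i + 1 < chain.length) {
            return chain[i + 1].getPublicKey();
        }
        if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return cert.getPublicKey();
        }
        // Chain ends at an intermediate: search the trusted entries for its issuer.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (!ks.isCertificateEntry(alias)) continue;
            X509Certificate trusted = (X509Certificate) ks.getCertificate(alias);
            if (trusted.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                return trusted.getPublicKey();
            }
        }
        return null;
    }

    /** Returns the problems found; an empty list means the chain is sound. */
    static List<String> checkChain(KeyStore ks, String alias) throws KeyStoreException {
        List<String> problems = new ArrayList<>();
        if (!ks.isKeyEntry(alias)) {
            problems.add("alias '" + alias + "' is not a PrivateKeyEntry");
            return problems;
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            problems.add("no certificate chain stored for alias '" + alias + "'");
            return problems;
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        // A self-signed leaf means the CA reply from step 6 was never imported.
        if (leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            problems.add("leaf is still self-signed: " + leaf.getSubjectX500Principal());
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            try {
                cert.checkValidity(); // trial certificates expire after 30 days
            } catch (CertificateException e) {
                problems.add("certificate " + i + " is not currently valid: " + e.getMessage());
            }
            if (i + 1 < chain.length) {
                X509Certificate next = (X509Certificate) chain[i + 1];
                if (!cert.getIssuerX500Principal().equals(next.getSubjectX500Principal())) {
                    problems.add("issuer of certificate " + i + " does not match subject of certificate " + (i + 1));
                }
            }
            PublicKey issuerKey = issuerKeyFor(ks, chain, i);
            if (issuerKey == null) {
                problems.add("no issuer found for certificate " + i + " (" + cert.getIssuerX500Principal() + ")");
                continue;
            }
            try {
                cert.verify(issuerKey);
            } catch (Exception e) {
                problems.add("signature on certificate " + i + " does not verify: " + e.getMessage());
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(KEYSTORE_PATH)) {
            ks.load(in, STORE_PASSWORD);
        }
        Certificate[] chain = ks.getCertificateChain(ALIAS);
        System.out.println("Chain length for '" + ALIAS + "': " + (chain == null ? 0 : chain.length));
        List<String> problems = checkChain(ks, ALIAS);
        if (problems.isEmpty()) {
            System.out.println("OK: CA-issued chain is complete and verifies");
        } else {
            problems.forEach(p -> System.out.println("PROBLEM: " + p));
            System.exit(1);
        }
    }
}
```

Compile and run it from the directory that holds demokeystore.jks (javac KeystoreChainCheck.java && java KeystoreChainCheck). A "Chain length" of 1 together with a "leaf is still self-signed" problem means the import in step 6 did not replace the original entry; this is the usual outcome when the alias on the import does not match the alias of the private key, since keytool then treats the file as a new trusted certificate instead of a CA reply.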