17. Creating Digital Certificates
Step 1: Creating the “public/private” keypair
keytool -genkey -keyalg RSA -keysize 2048 -keystore crish_keystore.jks -alias certificatekey
At this stage your certificate is self-signed: it is owned and issued by you.
However, a certificate issued by you will not be trusted by other organizations
that do business with you electronically. Therefore your certificate needs to be
“signed” by a recognized certification authority.
18. Creating SSL Digital Certificates
Step 2: Retrieve the contents of the keystore
keytool -list -v -keystore crish_keystore.jks -storepass password
crishantha@crishantha-laptop$ keytool -list -v -keystore crish_keystore.jks -storepass password
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: certificatekey
Creation date: Mar 10, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Crishantha Nanayakkara, OU=ICTA, O=ICTA, L=Colombo, ST=Western, C=SL
Issuer: CN=Crishantha Nanayakkara, OU=ICTA, O=ICTA, L=Colombo, ST=Western, C=SL
Serial number: 4f5b98a6
Valid from: Sat Mar 10 23:38:38 IST 2012 until: Fri Jun 08 23:38:38 IST 2012
Certificate fingerprints:
MD5: D0:56:A2:FE:EF:B0:CE:08:A6:28:FF:2C:2C:33:D7:4D
SHA1: 1D:77:C2:42:FD:AC:FA:32:7C:2B:D1:FF:70:95:0A:A2:66:4C:CE:27
Signature algorithm name: SHA1withRSA
Version: 3
19. Creating Digital Certificates
Step 3: Generating the Certificate Signing Request (CSR)
keytool -certreq -alias certificatekey -keystore crish_keystore.jks -file certificate_request.csr
crishantha@crishantha-laptop:~/test$ cat certificate_request.csr
20. Creating Digital Certificates
Step 4: Send the generated CSR to the Certification Authority (CA)
Step 5: The CA will send you two things:
– the CA root certificate
– the CA-signed certificate
Both of these need to be imported into your keystore.
21. Creating Digital Certificates
Step 6: Importing the CA root certificate
keytool -import -alias rootca -v -trustcacerts -keystore crish_keystore.jks -file ca.der
Step 7: Importing the CA signed certificate
keytool -import -alias certificatekey -file signed_ca.der -keystore crish_keystore.jks
Step 8: Retrieve the contents of the keystore
keytool -list -v -keystore crish_keystore.jks -storepass password
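As an added example that is not part of the original slides, the script below runs Steps 1 to 8 end to end and then checks the result in Step 8 instead of reading the listing by eye. It assumes a throwaway openssl CA standing in for the real CA of Steps 4 and 5, the demo password `password` from the slides, and a JDK (keytool) and openssl on the PATH.

```shell
# Added example, not from the original slides: Steps 1-8 end to end in a scratch
# directory. Assumption: a throwaway openssl CA stands in for the real CA of
# Steps 4-5 so the flow runs offline. Needs keytool (JDK) and openssl on PATH.
set -eu
PASS=password   # same demo literal as the slides; not for real use

# Steps 1-7 in one function; $1 is the work directory
build_ca_signed_keystore() {
  ks="$1/crish_keystore.jks"
  csr="$1/certificate_request.csr"
  # Step 1: key pair + self-signed cert (-genkeypair is the current name of -genkey);
  # -dname avoids the interactive prompts, -validity 90 matches the slide's dates
  keytool -genkeypair -keyalg RSA -keysize 2048 -alias certificatekey -validity 90 \
    -dname "CN=Crishantha Nanayakkara, OU=ICTA, O=ICTA, L=Colombo, ST=Western, C=SL" \
    -keystore "$ks" -storepass "$PASS" -keypass "$PASS" >/dev/null
  # Step 3: CSR for the key stored under alias certificatekey
  keytool -certreq -alias certificatekey -keystore "$ks" -storepass "$PASS" -file "$csr"
  # Steps 4-5 (stand-in CA): make a self-signed root, then sign the CSR with it
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Test CA/O=Example" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl x509 -req -in "$csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -days 90 -out "$1/signed_ca.pem" 2>/dev/null
  # Step 6: CA root under its own alias (-noprompt answers the "Trust this?" question)
  keytool -importcert -noprompt -alias rootca -trustcacerts -file "$1/ca.pem" \
    -keystore "$ks" -storepass "$PASS" >/dev/null
  # Step 7: CA reply under the SAME alias as the key pair; keytool checks that the reply
  # matches the private key and chains to rootca, then replaces the self-signed cert
  keytool -importcert -noprompt -alias certificatekey -file "$1/signed_ca.pem" \
    -keystore "$ks" -storepass "$PASS" >/dev/null
}

# Step 8 as a check: "1" means still self-signed, "2" means the CA chain is in place
chain_length() {
  keytool -list -v -alias certificatekey -keystore "$1" -storepass "$PASS" \
    | sed -n 's/^Certificate chain length: //p'
}
# Issuer of the leaf (Certificate[1]); after Step 7 it is the CA, not your own DN
leaf_issuer() {
  keytool -list -v -alias certificatekey -keystore "$1" -storepass "$PASS" \
    | sed -n 's/^Issuer: //p' | head -n 1
}

if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
  WORK=$(mktemp -d)
  build_ca_signed_keystore "$WORK"
  echo "chain length: $(chain_length "$WORK/crish_keystore.jks")"
  echo "leaf issuer:  $(leaf_issuer "$WORK/crish_keystore.jks")"
  rm -rf "$WORK"
fi
```

If Step 7 is skipped or the reply does not match the key, the chain length stays at 1 and the issuer is still your own DN, which is the quickest way to spot a keystore that was never actually CA-signed.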