
Thursday, November 5, 2009

Java security - keystores for HTTPS

Here is a good article that explains creating a keystore and keystore password, which hold the private key and certificate a server presents to authenticate itself in an HTTPS session.
http://docs.sun.com/app/docs/doc/819-1655/6n40fgu0d?a=viewA

How to Generate SSL Certificates

To enable the browser interface to use SSL, you must first generate an SSL Certificate. You create a keystore file and a keystore password while you generate an SSL Certificate.

Before You Begin

To create a keystore file and a keystore password you will use keytool. keytool is a security tool available with the JRE. If you do not have keytool installed, you must install keytool before you can configure the provisioning system to use HTTPS. The N1 Service Provisioning System installs the JRE. If you are configuring HTTPS after you have installed the provisioning system, keytool is installed on the system.

Steps
  1. Change to the directory in which you installed the JRE.


    % cd JAVA-HOME/bin

    JAVA-HOME is the directory where you installed the JRE. If you installed the JRE with the N1 Service Provisioning System 5.1, the JRE is installed in the N1SPS5.1-home/common/jre/bin directory.

  2. Generate the certificate.


    % keytool -genkey -alias tomcat -keyalg RSA -keystore /keystore-location -storepass password

    Set /keystore-location to the location and filename of the keystore file where you want to store the generated key.

    Set password to whatever password that you want to use as the keystore password. Note that a password given on the command line with -storepass is recorded in the shell history and is visible in the process list; if you omit -storepass, keytool prompts for it instead.

  3. Follow the prompts to complete.

    Do not include any punctuation in the name of your organization; otherwise the Java Certificate tool fails when attempting to generate the request. The Common Name (CN) must be set to the fully qualified host name, including the domain name, exactly as it appears in the host component of the URI that clients use; browsers reject a certificate whose name does not match the host they connected to.

How to Obtain a Signature for an SSL Certificate

If you want to use a Certificate signed by a Certifying Authority, follow this procedure to submit the Certificate to the Certifying Authority to be signed.

Steps
  1. Generate the Certificate Request.


    % keytool -certreq -v -alias tomcat -keystore /keystore-location -file certificate-request-file

    /keystore-location is the location and filename where you stored the generated key. certificate-request-file is the file to which the Certificate Request is written (without -file, keytool prints the request to standard output). -keyalg is not an option of -certreq; the request is built for the key algorithm chosen when the key was generated.

  2. Send the Certificate Request to the Certifying Authority.

    Follow the instructions provided by the Certifying Authority. The Certifying Authority returns a Certificate Reply.

  3. Save the Certificate Reply to a file.

  4. Verify the Certificate Reply.


    % keytool -printcert -file certificate-reply-file

    certificate-reply-file is the filename of the Certificate Reply that you received from the Certifying Authority.

  5. Import the Certificate Reply file to the keystore file.


    % keytool -v -import -trustcacerts -keystore /keystore-location -file certificate-reply-file -alias tomcat

    /keystore-location is the location and filename where you stored the generated key. certificate-reply-file is the filename of the Certificate Reply that you received from the Certifying Authority.

  6. Verify the imported Certificate Reply.


    % keytool -v -list -keystore /keystore-location

    /keystore-location is the location and filename where you stored the generated key.
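The two procedures above, from key generation through verifying the imported Certificate Reply, as an added runnable example that is not part of the original article or the Sun documentation it quotes. Because the real Certifying Authority step cannot be run offline, a constructed "toy CA" keystore signs the request with keytool -gencert; the host name, aliases, file names and password are all assumptions, and the keystore is PKCS12 rather than the JKS default of the original text. The script also adds a Subject Alternative Name and the CA certificate import that a keystore built today needs, and exposes the verification results as functions rather than only printing them.

```shell
#!/bin/sh
# Added example: the page's keytool procedure run end to end offline.
# A constructed self-signed "toy CA" stands in for the Certifying Authority;
# every host name, alias, file name and password below is an assumption.
set -eu

HOST='www.example.com'        # assumed CN / SAN; must match the host in the URL
SERVER_ALIAS='tomcat'         # alias used by the page
CA_ALIAS='toyca'              # constructed stand-in for the Certifying Authority

# Step 1 of the first procedure: generate the key pair into a fresh keystore.
# No punctuation in O=, as the page warns; SAN added because browsers require it.
create_server_keystore() {          # $1 = work dir, $2 = keystore password
    keytool -genkeypair -alias "$SERVER_ALIAS" -keyalg RSA -keysize 2048 \
        -dname "CN=$HOST, O=Example Org, C=US" -ext "SAN=dns:$HOST" \
        -validity 365 -storetype PKCS12 -keystore "$1/server.p12" \
        -storepass "$2" -keypass "$2"
}

# Constructed toy CA: a second keystore whose self-signed cert carries ca:true.
create_toy_ca() {                   # $1 = work dir, $2 = keystore password
    keytool -genkeypair -alias "$CA_ALIAS" -keyalg RSA -keysize 2048 \
        -dname "CN=Constructed Toy CA, O=Example Org, C=US" -ext bc=ca:true \
        -validity 365 -storetype PKCS12 -keystore "$1/ca.p12" \
        -storepass "$2" -keypass "$2"
    keytool -exportcert -rfc -alias "$CA_ALIAS" -keystore "$1/ca.p12" \
        -storepass "$2" -file "$1/ca.cer"
}

# Signature procedure step 1: write the Certificate Request to a file.
make_csr() {                        # $1 = work dir, $2 = keystore password
    keytool -certreq -alias "$SERVER_ALIAS" -keystore "$1/server.p12" \
        -storepass "$2" -file "$1/server.csr"
}

# Steps 2-3, played by the toy CA: sign the request, save the Certificate Reply.
sign_csr_with_toy_ca() {            # $1 = work dir, $2 = keystore password
    keytool -gencert -alias "$CA_ALIAS" -keystore "$1/ca.p12" -storepass "$2" \
        -infile "$1/server.csr" -outfile "$1/server-reply.cer" -rfc \
        -validity 365 -ext "SAN=dns:$HOST" -ext EKU=serverAuth
}

# Step 4: inspect the reply before trusting it; prints its Issuer line.
reply_issuer() {                    # $1 = reply file
    keytool -printcert -file "$1" | sed -n 's/^Issuer: //p'
}

# Step 5: the CA certificate must already be trusted for the reply to chain to
# it. The page relies on cacerts via -trustcacerts; a toy CA is not in cacerts,
# so import it into the keystore first, then import the reply under the key alias.
import_reply() {                    # $1 = work dir, $2 = keystore password
    keytool -importcert -noprompt -trustcacerts -alias "$CA_ALIAS" \
        -file "$1/ca.cer" -keystore "$1/server.p12" -storepass "$2"
    keytool -importcert -trustcacerts -alias "$SERVER_ALIAS" \
        -file "$1/server-reply.cer" -keystore "$1/server.p12" -storepass "$2"
}

# Step 6: verify the import. A correctly signed entry reports a chain of 2
# (server certificate plus CA); a still self-signed key reports 1.
keystore_chain_length() {           # $1 = work dir, $2 = keystore password
    keytool -list -v -alias "$SERVER_ALIAS" -keystore "$1/server.p12" \
        -storepass "$2" | sed -n 's/^Certificate chain length: //p'
}

build_signed_keystore() {           # $1 = work dir, $2 = keystore password
    create_server_keystore "$1" "$2"
    create_toy_ca "$1" "$2"
    make_csr "$1" "$2"
    sign_csr_with_toy_ca "$1" "$2"
    import_reply "$1" "$2"
}

if command -v keytool >/dev/null 2>&1; then
    workdir=$(mktemp -d)
    pw='changeit-example'           # constructed; in production, let keytool prompt
    build_signed_keystore "$workdir" "$pw"
    echo "reply issued by: $(reply_issuer "$workdir/server-reply.cer")"
    echo "chain length for $SERVER_ALIAS: $(keystore_chain_length "$workdir" "$pw")"
else
    echo "keytool not on PATH; install a JRE or JDK first" >&2
fi
```

The check in keystore_chain_length is the one to keep after a real CA reply as well: if the chain length is still 1, the reply was not bound to the private-key alias (usually a wrong -alias or a missing intermediate certificate), and Tomcat will keep serving the self-signed certificate. -genkeypair, -importcert and -exportcert are the current names of the -genkey, -import and -export commands shown in the text; keytool accepts both forms.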
