After generating the key pair for the server, the next step is to generate a key pair for the client.

  1. Run the following command:

    Code Block
    $ keytool -genkey -alias client -keyalg RSA -keystore ./Client.jks -storetype PKCS12

    alias = name of the key, for example, client
    keystore = name of the keystore, for example, Client.jks

    Note
    When prompted for first and last name, enter the hostname for which the certificate is valid, e.g. localhost. Other values can be anything.

  2. Generate a Certificate Signing Request (CSR) so that we can get the client's certificate signed by a CA.

    Code Block
    $ keytool -certreq -alias client -keystore Client.jks -file Client.csr

  3. Get the certificate signed by the CA, Test CA in this example. See 9.82.2.41 Setting Up a Certificate Authority for instructions on how to set up a CA.

    Code Block
    $ openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req -in Client.csr -out Client.cer -days 365

    Note
    caroot.cer, cakey.pem and serial.txt (the -CA, -CAkey and -CAserial arguments) are files generated when setting up the CA.

  4. Import the Test CA root self-signed certificate into the client key store as a trusted certificate.

    Code Block
    $ keytool -import -alias TestCA -file caroot.cer -keystore Client.jks

  5. Import the client's certificate signed by Test CA into the client key store, using the same alias that was used to generate the key pair with genkey.

    Code Block
    $ keytool -import -alias client -file Client.cer -keystore Client.jks

  6. We also need to import the server's certificate (its public key) into the client key store, because the client is the one who initiates the conversation with the server or service, and it needs to encrypt the request message (or part of it) using the server's public key. The server does not need the client's public key in its keystore if a Binary Security Token is used, because the server then gets the client's public key from the SOAP message itself.

    Code Block
    $ keytool -import -alias server -file Server.cer -keystore Client.jks