After generating the CA, the next step is to generate a key pair for the server/service.

  1. Run the following command:

    $ keytool -genkey -alias server -keyalg RSA -keystore ./Server.jks -storetype PKCS12

    -alias = name of the key entry, for example server
    -keystore = name of the keystore file, for example Server.jks

    Note: When prompted for first and last name, enter the hostname for which the certificate will be valid, for example localhost; clients check this name against the host they connect to. The other values can be anything.


  2. Generate a Certificate Signing Request (CSR) so that the server's certificate can be signed by a CA:

    $ keytool -certreq -alias server -keystore Server.jks -file Server.csr


  3. Get the certificate signed by the CA, Test CA in this example. See Setting Up a Certificate Authority for how to set up a CA.

    $ openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req -in Server.csr -out Server.cer -days 365

    Note: The files passed to -CA (caroot.cer), -CAkey (cakey.pem) and -CAserial (serial.txt) were generated when setting up the CA.


  4. Import the Test CA root (self-signed) certificate into the server keystore as a trusted certificate:

    $ keytool -import -alias TestCA -file caroot.cer -keystore Server.jks


  5. Import the server certificate signed by Test CA into the server keystore, using the same alias (server) that was used for the key pair in step 1. keytool validates the certificate reply against the trusted certificates already in the keystore (which is why step 4 comes first) and then replaces the self-signed certificate in that entry with the CA-signed one:

    $ keytool -import -alias server -file Server.cer -keystore Server.jks


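The script below is an added example, not part of the original page: it rebuilds the artefacts of steps 1-3 with openssl in a scratch directory (openssl stands in for the keytool -genkey/-certreq steps, since only the PEM files are needed for the check) and then verifies what you should verify before deploying Server.jks, namely that Server.cer chains to caroot.cer and that its CN is the hostname entered at the "first and last name" prompt. It assumes openssl is on PATH; the "Test CA" subject, the 2048-bit key size and the hostname localhost are constructed values taken from or matching the page.

```shell
#!/bin/sh
# Added example, not from the original page. Rebuilds steps 1-3 with openssl
# in a scratch directory, then checks that Server.cer chains to caroot.cer and
# that its CN is the hostname entered at the "first and last name" prompt.
# Assumes openssl on PATH; "Test CA" subject and 2048-bit keys are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=localhost

# Stand-in for "Setting Up a Certificate Authority": a self-signed Test CA.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/caroot.cer" 2>/dev/null
  echo 01 > "$WORK/serial.txt"
}

# Stand-in for keytool -genkey / -certreq: server key and CSR with CN=$1.
make_server_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/server.key" -out "$WORK/Server.csr" 2>/dev/null
}

# Step 3 of the page, with the files placed in $WORK.
sign_server_csr() {
  openssl x509 -CA "$WORK/caroot.cer" -CAkey "$WORK/cakey.pem" \
    -CAserial "$WORK/serial.txt" -req -in "$WORK/Server.csr" \
    -out "$WORK/Server.cer" -days 365 2>/dev/null
}

# Succeeds only if Server.cer verifies against the Test CA and has CN=$1.
verify_server_cert() {
  openssl verify -CAfile "$WORK/caroot.cer" "$WORK/Server.cer" >/dev/null 2>&1 || return 1
  cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/Server.cer" \
       | sed 's/^subject= *//')
  [ "$cn" = "CN=$1" ]
}

make_test_ca
make_server_csr "$HOST"
sign_server_csr
if verify_server_cert "$HOST"; then
  echo "Server.cer is signed by Test CA and valid for $HOST"
else
  echo "Server.cer failed verification for $HOST" >&2
fi
```

Run the same two openssl checks against the real Server.cer and caroot.cer from steps 3 and 4 before importing them; a CN mismatch here is exactly what clients will later report as a hostname verification failure.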
...