To generate keystores: Getting server's self signed public key certificate and storing it in client's keystore and getting and storing client's self signed public key certificate in server's keystore: Import certificate files in the JKS files.
Generating a KeyStore and TrustStore
The following sections explain how to create both a KeyStoreand a TrustStore (or import a certificate into an existing TrustStoresuch as the default Logical Host TrustStore in the location:
where <c:JavaCAPS> isthe directory where Java CAPS is installed and <MyDomain> isthe name of your domain. The primary tool used is keytool, but openssl isalso used as a reference for generating pkcs12 KeyStores.
For more information on openssl andavailable downloads, visit the following web site:
http://www.openssl.org.
Creating a KeyStore in JKS Format
This section explains how to create a KeyStore using theJKS format as the database format for both the private key, and theassociated certificate or certificate chain. By default, as specifiedin the java.security file, keytool usesJKS as the format of the key and certificate databases (KeyStore andTrustStores). A CA must sign the certificate signing request (CSR).The CA is therefore trusted by the server-side application to whichthe Adapter is connected.
Note –
Itis recommended to use the default KeyStore
where <c:JavaCAPS> isthe directory where Java CAPS is installed and <MyDomain> isthe name of your domain.
To Generate a KeyStore
Creating a KeyStore in PKCS12 Format
This section explains how to create a PKCS12 KeyStoreto work with JSSE. In a real working environment, a customer couldalready have an existing private key and certificate (signed by aknown CA). In this case, JKS format cannot be used, because it doesnot allow the user to import/export the private key through keytool. It is necessary to generate a PKCS12database consisting of the private key and its certificate.
The generated PKCS12 database can then be used as the Adapter’sKeyStore. The keytool utility iscurrently lacking the ability to write to a PKCS12 database. However,it can read from a PKCS12 database.
Note –
There are additional third-party tools available for generatingPKCS12 certificates, if you want to use a different tool.
For the following example, openssl isused to generate the PKCS12 KeyStore:
The existing key is in the file mykey.pem.txt in PEM format. The certificate is in mycertificate.pem.txt, which is also in PEM format. A textfile must be created which contains the key followed by the certificateas follows:
Keytool Generate Keystore
This command prompts the user for a password. The password isrequired. The KeyStore fails to work with JSSE without a password.This password must also be supplied as the password for the Adapter’sKeyStore password.
This command also uses the openssl pkcs12 commandto generate a PKCS12 KeyStore with the private key and certificate.The generated KeyStore is mykeystore.pkcs12 withan entry specified by the myAlias alias.This entry contains the private key and the certificate provided bythe -in argument. The noiter and nomaciter optionsmust be specified to allow the generated KeyStore to be recognizedproperly by JSSE.
Creating a TrustStore
For demonstration purposes, suppose you have the followingCAs that you trust: firstCA.cert, secondCA.cert,thirdCA.cert, located in the directory C:cascerts. You can create a new TrustStore consistingof these three trusted certificates.
To Create a New TrustStore
Press RETURN when prompted for the key password (thisaction makes the key password the same as the KeyStore password).
This operation creates a KeyStore file clientkeystore in the current working directory. You must specify a fullyqualified domain for the “first and last name” question.The reason for this use is that some CAs such as VeriSign expect thisproperties to be a fully qualified domain name.
Thereare CAs that do not require the fully qualified domain, but it isrecommended to use the fully qualified domain name for the sake ofportability. All the other information given must be valid. If theinformation cannot be validated, a CA such as VeriSign does not signa generated CSR for this entry.
Generate Keystore Java
This KeyStore containsan entry with an alias of client.This entry consists of the generated private key and information neededfor generating a CSR as follows:
Openssl Generate Keystore And Truststore
This command generates a certificate signing request which canbe provided to a CA for a certificate request. The file client.csr contains the CSR in PEM format.
Generating Keystore From Key And Cer Function
Some CA (one trusted by the web server to which the adapteris connecting) must sign the CSR. The CA generates a certificate forthe corresponding CSR and signs the certificate with its private key.For more information, visit the following web sites:
or
Create Keystore From Cert
If the certificate is chained with the CA’scertificate, perform step 4; otherwise, perform step 5 in the followinglist: Website auto traffic generator ultimate v6 3 activation key.
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |